
Published on March 21st, 2016 | by MaxiSoler


Lynis v2.2.0 Released

Lynis is a security auditing tool for UNIX derivatives like Linux, Mac OS X, BSD, and Solaris. It performs an in-depth security scan on the system itself, with the goal of detecting issues and providing tips for further system hardening. It also gathers general system information and scans for vulnerable software packages and possible configuration issues. Lynis is commonly used by people in the “blue team” to assess the security defenses of their systems.

Main goals:

  • Automated security auditing
  • Compliance testing (e.g. PCI-DSS, HIPAA)
  • Vulnerability detection

The software aims to also assist with:

  • Configuration management
  • Software patch management
  • System hardening
  • Penetration testing
  • Malware scanning
  • Intrusion detection


Changelog v2.2.0

Highlights

The biggest change in this release is the optimization of several functions. It allows for better detection on every operating system and for dealing with each system's quirks. Some functions were fortified to handle unexpected results better, such as a missing binary or a command not returning the hostname.

This release also makes tests shorter, by adding new functions. Some functions were renamed or slightly changed, to provide more value to the tooling.
Another big change in this release is a wide set of optimizations and quality testing. Outdated pieces were removed or rewritten, to support features seen in newer distributions.

In the area of compliance, adjustments have been made to start supporting more in-depth compliance testing. This is ideal for companies that have a particular compliance need, or that want to test and enforce the hardening level of their systems.

Last but not least, many small changes make this software easier to use. On our website we added new guides to provide help and support.

We would like to thank our contributors, in particular Kamil Boratyński, Steve Bosek, and Eric Light. Their contributions helped us greatly in shaping this release.
Below are the changes per category:

Automation tools

  • Detection for CFEngine has been improved. Automation tools are now also logged and written to the report.

Authentication

  • Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes checking the /etc/login.defs file [AUTH-9408].
  • The previous password check for Solaris was merged into test AUTH-9228. User ids on AIX are now gathered and added to the report [AUTH-9234].
  • A new plugin is introduced to analyze PAM settings. It includes items like:
    – Two-factor authentication methods
    – Minimum password length, password strength and protection status against brute force cracking
    – Password history
  • Report option: auth_failed_logins_logged

Boot

  • Added detection for the Mac OS X boot loader. Initial support for testing UEFI settings, including the Secure Boot option. The options boot_uefi_booted and boot_uefi_booted_secure are added to the report file.

Compliance

  • This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can be used to define what standards should be tested for, if any test is available. The related option is: compliance_standards
  • Right now these standards can be selected:
    – CIS benchmarks
    – HIPAA
    – ISO27001/ISO27002
    – PCI DSS
  • Note that additional tests will be implemented in future releases and then tagged to these particular standards.

DNS and Name services

  • Support added for Unbound DNS caching tool [NAME-4034], including a configuration check [NAME-4036].
  • Record if a name caching utility such as nscd or Unbound is being used. This is also logged to the report as field name_cache_used.

Firewalls

  • The test for the IPFW firewall on FreeBSD has been improved: the status of pflogd is no longer displayed when pf is not available.
  • New test FIRE-4532 introduced for detection of the Mac OS X application firewall. The status of application firewalls is now audited as well.
  • FIRE-4508 is another new test, which tests the chains of iptables and their default policy (ACCEPT or DROP). This release also supports the upcoming nftables technology with new test FIRE-4536. It is expected that nftables will replace iptables later on, so this test performs a status check. Additionally, FIRE-4548 performs version detection of the userland utility nft and determines if any rules are configured.
  • Renamed FIRE-4511 to FIRE-4502.

File Integrity Monitoring

  • Test added to include osqueryd as a supported tool.

Hardware

  • Detection of firewire is enhanced (both ohci and core detected).

Logging

  • Extended the test for syslog-ng logging to remote systems. The log Lynis itself produces is also enhanced, to be more detailed for several tests.

Malware

  • ESET and LMD (Linux Malware Detect) have been added. Discovered malware scanners are also logged to the report.

Mount points

  • FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.

Networking

  • Best practices for IPv6 configuration on Linux are now collected. Network interface names are also collected on most operating systems.

Operating systems

  • Improved support for Debian 8 systems, and displaying Gentoo for Gentoo-based systems. Detection of the VMware release has been added. The boot loader exception is no longer displayed when only a subset of tests is performed. FreeBSD systems can now use the service command to gather information about enabled services.
  • Several paths have been added to allow better detection on systems running FreeBSD and others.

Passwords

  • AUTH-9286 has been extended to capture both the minimum and the maximum password age.

Proxy support

  • A proxy can now be specified in the profile, to allow uploads via an HTTP or SOCKS proxy.

Service Managers

  • SystemV init is now detected.

Software and Packages

  • Information is now logged when vulnerable software packages are found.
  • Support for DNF (Dandified YUM) on Fedora systems has been added. This is done in several tests: PKGS-7350 (installed packages), PKGS-7352 (security notices), PKGS-7354 (integrity tests).

SSH

  • Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.

Virtual machines and Containers

  • Detection of virtual machines has been extended in several ways. VMware tools (vmtoolsd) are now detected, and machine state detection is improved with tools like Puppet Facter, dmidecode, and lscpu. Docker is properly detected on CoreOS systems, where it previously gave an error because it found the directory /usr/libexec/docker. File permissions of Docker files, like the socket file, are checked [CONT-8108].

Individual tests

  • [AUTH-9204] Exclude NIS entries to avoid false positives
  • [AUTH-9230] Removed test as it was merged into AUTH-9228
  • [AUTH-9234] Support for AIX added
  • [AUTH-9288] Test for expired passwords
  • [AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for other operating systems.
  • [BOOT-5104] Rewrote test to detect SysV init and other service managers
  • [BOOT-5106] New test to test boot loader on Mac OS X
  • [BOOT-5180] Only gets executed if runlevel 2 is found
  • [CONT-8108] New test to test for Docker file permissions
  • [DBS-1816] Removed suggestion
  • [FILE-6310] Add more details to test when a symlinked path has been found
  • [FILE-6410] Added /var/lib/locatedb as search path
  • [FINT-4338] Added osquery test
  • [FIRE-4508] Added chains test for iptables
  • [FIRE-4511] Renamed to FIRE-4502
  • [FIRE-4536] Support for nftables detection
  • [FIRE-4538] Basic configuration check for nftables
  • [HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
  • [HTTP-6622] Determine Apache version and log to report
  • [HTTP-6624] Ignore wildcard and default entries as ServerName for Apache
  • [LOGG-2154] Additional support for log destinations for syslog-ng
  • [MALW-3278] New test to detect LMD (Linux Malware Detect)
  • [NAME-4406] Changed logic for localhost check and more detailed logging
  • [NETW-2600] IPv6 configuration check for Linux
  • [NETW-3032] Added ARP monitoring software test
  • [PKGS-7308] Split package name and version for RPM based package manager
  • [PKGS-7350] Support for installed packages via Fedora DNF package manager (Dandified YUM)
  • [PKGS-7352] Query security notices for DNF
  • [PKGS-7354] Perform integrity tests for package database (DNF)
  • [SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
  • [STRG-1842] New test for checking authorized USB devices
  • [TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured
  • [TIME-3170] New test to check NTP configuration files

Functions

  • [CreateTempFile] Create a temporary file
  • [DigitsOnly] New function to extract only numbers from a text string
  • [DisplayManual] New function to show text on screen without any markup
  • [ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
  • [GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
  • [IsWordWritable] Changed return codes for easier usage of the function
  • [LogText] Replaces the older logtext function
  • [RandomString] Creates a random string of characters
  • [RemoveTempFiles] Remove any created temporary files
  • [Report] Replaces the older report function
  • [ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
  • [ReportWarning] Like ReportSuggestion() has additional parameters
  • [ShowComplianceFinding] Display compliance findings
  • [ShowSymlinkPath] Ensure readlink is available

General improvements

  • When using pentest mode, it will continue without any delays (=quick mode).
  • Plugin execution is improved, with improved logging and counting of active plugins.
  • Data uploads: provide help when self-signed certificates are used.
  • Improved output for tests which before showed results as a warning, instead of just as a suggestion.
  • Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
  • Preparations to allow compressing the Lynis report file and enhance uploads.
  • Added --config option to show what settings file or profile is used.
  • Tool tips are displayed, to make Lynis even easier to use.
  • Show a warning if the release is older than four months.
  • PID file has additional checks, including cleanups.
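The new report fields (auth_failed_logins_logged, boot_uefi_booted_secure, name_cache_used) and the exit-code changes above are aimed at automation. As an added example that is not part of Lynis or this post, the POSIX shell functions below parse a Lynis-style report file (key=value lines, with warning[]= and suggestion[]= entries) into a pass/fail decision. The report content is constructed sample data; the default report path /var/log/lynis-report.dat and the field layout are assumed from the tool's usual format.

```shell
#!/bin/sh
# Added example (not Lynis' own code): turn a Lynis report file into
# data a script can act on. In real use you would run
#   lynis audit system --quick
# and then point these functions at /var/log/lynis-report.dat.

# Constructed sample report, modelled on the fields named in the 2.2.0 changelog.
SAMPLE_REPORT=$(cat <<'EOF'
lynis_version=2.2.0
auth_failed_logins_logged=1
boot_uefi_booted=1
boot_uefi_booted_secure=0
name_cache_used=1
warning[]=FIRE-4508|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-|
suggestion[]=TIME-3170|Check NTP configuration|-|-|
EOF
)

# report_value FILE KEY: value of a single key=value line (empty if absent)
report_value() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# count_entries FILE PREFIX: number of warning[] or suggestion[] lines
count_entries() {
    grep -c "^$2\[\]=" "$1" || true
}

# list_test_ids FILE PREFIX: test IDs (first '|' field) of warnings/suggestions
list_test_ids() {
    grep "^$2\[\]=" "$1" | cut -d= -f2- | cut -d'|' -f1
}

# report_verdict FILE: succeed only when the report has no warnings and the
# system booted with Secure Boot enabled; anything else is a failed check.
report_verdict() {
    warnings=$(count_entries "$1" warning)
    secure=$(report_value "$1" boot_uefi_booted_secure)
    [ "$warnings" -eq 0 ] && [ "$secure" = "1" ]
}

# Stand-alone run: write the sample to a temp file and print the verdict.
tmp_report=$(mktemp)
printf '%s\n' "$SAMPLE_REPORT" > "$tmp_report"
if report_verdict "$tmp_report"; then echo "PASS"; else echo "FAIL"; fi
list_test_ids "$tmp_report" warning
rm -f "$tmp_report"
```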

Plugins

  • [PAM] New plugin available in all versions of Lynis
  • [PLGN-2602] Replaced mktemp commands with CreateTempFile function
  • [PLGN-2804] Limit report output of EXT file systems to 1 item per line
