lynis-3.0.8-bp155.1.6

- Update to 3.0.8:
  * Added
  - MALW-3274 - Detect McAfee VirusScan Command Line Scanner
  - PKGS-7346 Check Alpine Package Keeper (apk)
  - PKGS-7395 Check Alpine upgradeable packages
  - EOL for Alpine Linux 3.14 and 3.15
  * Changed
  - AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
  - FILE-7524 - Test enhanced to support symlinks
  - HTTP-6643 - Support ModSecurity version 2 and 3
  - KRNL-5788 - Only run relevant tests and improved logging
  - KRNL-5820 - Additional path for security/limits.conf
  - KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
  - KRNL-5830 - Add a presence check for /boot/vmlinuz
  - PRNT-2308 - Bugfix that prevented test from storing values correctly
  - Extended location of PAM files for AARCH64
  - Some messages in log improved
- accepted upstream, removed additional_paths_security-limits.patch

- cover /usr/etc/security/limits.conf too (boo#1194446)
  added additional_paths_security-limits.patch

- Update to 3.0.7:
  * Added
  - MALW-3290 - Show status of malware components
  - OS detection for RHEL 6 and Funtoo Linux
  - Added service manager openrc
  * Changed
  - DBS-1804 - Added alias for MariaDB
  - FINT-4316 - Support for newer Ubuntu versions
  - MALW-3280 - Added Trend Micro malware agent
  - NETW-3200 - Allow unknown number of spaces in modprobe blacklists
  - PKGS-7320 - Support for Garuda Linux and arch-audit
  - Several improvements for busybox shell
  - Russian translation of Lynis extended
- replace 0x429A566FD5B79251 with 0x9DE922F1C2FDE6C4 in lynis.keyring
  according to https://packages.cisofy.com/
- update additional_module_blacklist_locations.patch

- Add additional_module_blacklist_locations.patch to check fo blacklisted
  modules under /usr/lib/modules.d

- Update to 3.0.6:
  * Added
  - OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS
  - Check for outdated translation files
  * Changed
  - DBS-1826 - Check if PostgreSQL is being used
  - DBS-1828 - Test multiple PostgreSQL configuration file(s)
  - KRNL-5830 - Sort kernels by version instead of modification date
  - PKGS-7410 - Don't show exception for systems using LXC
  - GetHostID function: fallback options added for Linux systems
  - Fix: show correct text when egrep is missing
  - Fix: variable name for PostgreSQL

- Changed tests_binary_rpath to subtract points for files found with RPATH set,
  not add points for files that are configured correctly. This resulted in a
  huge number of points that skewed the overal result

- fix SLE 12 build

- Update to 3.0.5
  * Added
  - OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux
  - CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot
  attacks (Linux)
  * Changed
  - ACCT-9622 - Corrected typo
  - HRDN-7231 - When calling wc, use the short -l flag instead of --lines
    (Busybox compatibility)
  - PKGS-7320 - extended to Arch Linux 32
  - Generation of host identifiers (hostid/hostid2) extended
  - Linux host identifiers are now using ip as preferred input source
  - Improved logging in several areas

- Update to 3.0.4
  * Added
  - ACCT-9670 - Detection of cmd tooling
  - ACCT-9672 - Test cmd configuration file
  - BOOT-5140 - Check for ELILO boot loader presence
  - OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
  * Changed
  - BOOT-5104 - Add service manager detection support for runit
  - FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist
  - FIRE-4540 - Corrected nftables empy ruleset test
  - LOGG-2138 - Do not check for klogd when metalog is being used
  - TIME-3185 - Improved support for Debian stretch
  - Corrected issue when Lynis is not executed directly from lynis directory

- Update to 3.0.3
  * Added
  - Check for registered non-native binary formats
  - OS detection of Parrot GNU/Linux
  * Changed
  - Force test to check only password authentication
  - Support for NetBSD
  * Fixed: command 'configure settings' did not work as intended

- Update to 3.0.2
  * Added
  - Scan for locked user accounts in /etc/passwd
  - Loghost configuration
  - Check for active Suricata daemon
  - OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
  - OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
  - EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
  - Support for Solaris svcs (service manager)
  - Enumeration of Solaris services
  * Changed
  - Detect sysstat systemd unit
  - Only fail if both SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are undefined
  - Support for Solaris
  - Improved reboot test by ignoring known bad values
  - Ignore rescue kernel such as on CentOS systems
  - Detection of Alpine Linux kernel
  - Compatibility change for hostname check
  - Support for Solaris
  - Don't show exception if no kernels were found on the disk
  - Supports now checking files at multiple locations (systemd)
  - ParseNginx function: Support include on absolute paths
  - ParseNginx function: Ignore empty included wildcards
  - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
  - HostID: Use first e1000 interface and break after match
  - Translations extended and updated
  - Test if pgrep exists before using it
  - Better support for busybox shell
  - Small code enhancements

- Add a Requires for net-tools-deprecated, as legacy binary binaries
  are still used by some of the custom lynis tests we ship. Later on
  I'll port them to use current binaries and remove this again

- Update to 3.0.1
  * Added
  - Detection of Alpine Linux
  - Detection of CloudLinux
  - Detection of Kali Linux
  - Detection of Linux Mint
  - Detection of macOS Big Sur (11.0)
  - Detection of Pop!_OS
  - Detection of PHP 7.4
  - Malware detection tool: Microsoft Defender ATP
  - New flag: --slow-warning to allow tests more time before showing a warning
  - Test TIME-3185 to check systemd-timesyncd synchronized time
  - rsh host file permissions
  * Changed
  - Added option for LOCKED accounts and bugfix for older bash versions
  - Presence check for grub.d added
  - Added support for certificates in DER format
  - Added data to report
  - Redirect errors (e.g. when swap is not encrypted)
  - Don't grep nonexistant modprobe.d files
  - Set initial firewall state
  - Corrected text on screen
  - Handle zipped kernel configuration correctly
  - Improved version detection for non-symlinked kernel
  - Extended detection of BitDefender
  - Find more time synchronization commands
  - Corrected detection of time peers
  - Fix: hostid generation routine would sometimes show too short IDs
  - Fix: language detection
  - Generic improvements for macOS
  - German translation updated
  - End-of-life database updated

- Update to 3.0.0
  * Security issues
  - CVE-2020-13882: incorrect Access Control because of a TOCTOU race condition (boo#1173141).
  - CVE-2019-13033: local disclosure of license key when data is uploaded (boo#1173142).
  * Breaking change: Non-interactive by default
  - Lynis now runs non-interactive by default, to be more in line with the Unix
    philosophy. So the previously used '--quick' option is now default, and the tool
    will only wait when using the '--wait' option.
  * Breaking change: Deprecated options
  - Option: -c
  - Option: --check-update/--info
  - Option: --dump-options
  - Option: --license-key
  * Breaking change: Profile options
  - The format of all profile options are converted (from key:value to key=value).
    You may have to update the changes you made in your custom.prf.
  * Security
  - An important focus area for this release is on security. We added several
    measures to further tighten any possible misuse.
  * New: DevOps, Forensics, and pentesting mode
  - This release adds initial support to allow defining a specialized type of audit
    Using the relevant options, the scan will change base on the intended goal.
- Further features, bug fixes and details about the release listed in
  https://raw.githubusercontent.com/CISOfy/lynis/3.0.0/CHANGELOG.md

- Update to 2.7.5
  Added:
  * Danish translation
  * Slackware end-of-life information
  * Detect BSD-style (rc.d) init in Linux systems
  * Detection of Bro and Suricata (IDS)
  Changed:
  * Corrected end-of-life entries for CentOS 5 and 6
  * Change name to check in /etc/passwd file for QNAP devices
  * AIX enhancement to use correct find statement
  * Filter on correct field for AIX
  * Set ss command as preferred option for Linux and changed output format
  * List of PHP ini file locations has been extended
  * Removed several pieces of the code as part of cleanup and code health
  * Extended help

- Add more false-positive packages to Dbus database: tuned, autofs, lightdm, geoglue2, snapper and ModemManager

- Add these common false-positive packages to Dbus database whitelist: FirewallD, SystemD and Wicked

- Update to 2.7.4
  Added
  * FILE-6324 - Discover XFS mount points
  * INSE-8000 - Installed inetd package
  * INSE-8100 - Installed xinetd package
  * INSE-8102 - Status of xinet daemon
  * INSE-8104 - xinetd configuration file
  * INSE-8106 - xinetd configuration for inactive daemon
  * INSE-8200 - Usage of TCP wrappers
  * INSE-8300 - Presence of rsh client
  * INSE-8302 - Presence of rsh server
  * Detect equery binary detection
  * New 'generate' command
  Changed
  * AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
  * PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
  * PKGS-7420 - Detect toolkit to automatically download and apply upgrades
  * PKGS-7328 - Added global Zypper option --non-interactive
  * PKGS-7386 - Only show warning when vulnerable packages were discovered
  * PKGS-7392 - Skip test for Zypper-based systems
  * Minor changes to improve text output, test descriptions, and logging
  * Changed CentOS identifiers in end-of-life database
  * AIX enhancement for IsRunning function
  * Extended PackageIsInstalled function
  * Improve text output on AIX systems
  * Corrected lsvg binary detection

- update to 2.7.3
  Added
  * Detection for Lynis being scheduled (e.g. cronjob)
  Changed
  * HTTP-6624 - Improved logging for test
  * KRNL-5820 - Changed color for default fs.suid_dumpable value
  * LOGG-2154 - Adjusted test to search in configuration file correctly
  * NETW-3015 - Added support for ip binary
  * SQD-3610 - Description of test changed
  * SQD-3613 - Corrected description in code
  * SSH-7408 - Increased values for MaxAuthRetries
  * Improvements to allow tailored tool tips in future
  * Corrected detection of blkid binary
  * Minor textual changes and cleanups

- update to 2.7.2
  * Added support for doas (OpenBSD)
  * Added test file permissions of doas configuration
  * Added support for systemd-boot boot loader
  * Added simplify service filter and allow multiple dots in service names
  * Added check OpenBSD boot daemons
  * Added test permissions for boot files and scripts
  * Added support for end-of-life detection of the operating system
  * Added new 'lynis show eol' command
  * Multiple changes and improvements

- update to 2.7.1
  * Improve support for Red Hat and clones
  * Additional support for Hands Off!, LuLu, and Radio Silence
  * Added MariaDB filter for deleted files (tested on CentOS)
  * Added /etc/bash.bashrc.local to umask check
  * Removed shift statement that did not work on all operating systems
  * Minor cleanups and enhancements
  * Small improvements to logging
  * Added translation for Slovak

- update to 2.7.0
  * added detection of TOMOYO binary (MACF-6240)
  * Status of TOMOYO framework updated (MACF-6242)
  * OpenSSH server version detected (SSH-7406)
  * Check active OSSEC analysis daemon (TOOL-5160)
  * Changed several warning labels on screen
  * More generic sulogin for systemd rescue (AUTH-9308)
  * OS detection now ignores quotes for getting the OS ID

- update to 2.6.9
  * Man page has been updated
  * Command 'lynis show options' provides up-to-date list
  * Option '--dump-options' is deprecated
  * Several options and commands have been extended with more examples
  * OS detection now supports openSUSE specific distribution names
  * Changed command output when using 'lynis audit system remote'
  * added /usr/local/redis/etc path and QNAP support
  * ignore exception when no vmlinuz file was discovered

- update to 2.6.1:
  * New group 'usb' for tests related to USB devices
  * Updated and enhanced tests
  * Many bug fixes
  * output and UI fixes

- Lynis 2.5.1:
  * Improved detection of SSL certificate files
  * Minor changes to improve logging and results
  * Firewall tests: Determine if CSF is in testing mode
- includes changes from Lynis 2.5.0:
  * CVE-2017-8108: symlink attack may have allowed arbitrary file
    overwrite or privilege escalation (bsc#1043463)
  * Deleted unused tests from database file
  * Additional sysctls are tested
  * Extended test with Symantec components
  * Snort detection
  * Snort configuration file

- Lynis 2.4.8 (Changelog from 2.4.1)
  * More PHP paths added
  * Minor changes to text
  * Show atomic test in report
  * Added FileInstalledByPackage function (dpkg and rpm supported)
  * Mark Arch Linux version as rolling release (instead of unknown)
  * Support for Manjaro Linux
  * Escape files when testing if they are readable
  * Code cleanups
  * Allow host alias to be specified in profile
  * Code readability enhancements
  * Solaris support has been improved
  * Fix for upload function to be used from profile
  * Reduce screen output for mail section, unless --verbose is used
  * Code cleanups and removed 'update release' command
  * Colored output can now be tuned with profile (colors=yes/no)
  * Allow data upload to be set as a profile option
  * Properly detect SSH daemon version
  * Generic code improvements
  * Improved the update check and display
  * Finish, Portuguese, and Turkish translation
  * Extended support and tests for DragonFlyBSD
  * Option to configure hostid and hostid2 in profile
  * Support for Trend Micro and Cylance (macOS)
  * Remove comments at end of nginx configuration
  * Used machine ID to create host ID when no SSH keys are available
  * Added detection of iptables-save to binaries
  Tests:
  BANN-7126 - Added more words to test for
  CUPS-2308 - Improve logging for CUPS configuration test, removed exception handler
  HTTP-6641 - Support detection for Apache module mod_reqtimeout
  PKGS-7388 - Minor change to detect security repositories
  CRYP-7902 - Test more certificates names, but only if they are not part of a package
  FILE-7524 - Reduce standard screen output for file permissions check
  MALW-3280 - Added Avira detection as a malware scanner
  NAME-4018 - Only perform name services test when resolv.conf file exists
  PKGS-7387 - Check all repositories if they use GPG signing
  SCHD-7704 - Permission checks
  TIME-3104 - Check permissions before open files
  AUTH-9328 - Add missing 0027 and 0077 umasks
  BOOT-5104 - Add initsplash and minor code enhancements
  DBS-1882 - Include Redis configuration file
  FIRE-4502 - Improved detection for iptables modules when using OpenVZ
  PKGS-7381 - Enhanced package audit for FreeBSD
  AUTH-9308 - Improved test for sulogin string (Debian systems)
  FILE-6372 - Properly deal with comment on lines in /etc/fstab
  MAIL-8817 - New test to check Postfix configuration for errors
  SSH-7408 - Corrected SSH check
  AUTH-9308 - Improved test for sulogin string
  MAIL-8818 - Test if Linux version is known before comparing in Postfix banner
  TIME-3116 - Skip stratum 16 items for time pools
  TIME-3148 - New test to detect TZ variable
  AUTH-9208 - Removed double logging
  AUTH-9222 - Improve logging for double groups
  AUTH-9226 - Improve logging for double groups
  BOOT-5177 - Sort systemctl unit files to make them unique
  DBS-1818 - New test to detect MongoDB
  DBS-1820 - New test for MongoDB authentication
  FIRE-4512 - Lowered minimum number of iptables firewall rules
  FIRE-4586 - Fix applied when searching for "-j LOG"
  HRDN-7222 - Changed reporting key of world executable compilers
  SSH-7408 - Added filtering for PermitRootLogin (prohibit-password, OpenSSH 7.0)
  FIRE-4586 - Check logging for firewall components
  KRNL-5788 - Remove exception and style improvements
  KRNL-5830 - Improved logging

- lynis 2.4.0
  * Mainly improved support for macOS users
  * Support for CoreOS
  * Support for clamconf utility
  * Support for chinese translation
  * More sysctl values in the default profile
  * New commands: "upload-only", "show hostids", "show environment", "show os"

- lynis 2.3.4 with various improvements, including:
  * Several tests have extended log details
  * Detection of nftables improved
  * Replaced cut, sed, tr and others commands with binary variable
    (for forensics and future intrusion checking capabilities)
  * OS detection improved

- lynis 2.3.3 with many improvements and updates

- lynis 2.2.0:
  * new features and tests, small enhancements
  * optimisation, better detection
  * dealing with OS quirks and unexcepted results
  * adjustments for supporting more compliance in-depth
  * Detection for CFEngine has been improved
  * now tries to determine if failed logins are properly logged
  * New plugin is introduced to analyze PAM settings
  * Initial support to test UEFI settings, including Secure Boot option.
  * Support added for Unbound DNS caching tool, configuration check
  * Record if a name caching utility is being used like nscd or Unbound.
  * Tests chains of iptables and their default policy (ACCEPT or DROP)
  * Support upcoming nftables technology (status check)
  * Test added to include osqueryd as a supported tool.
  * Detection of firewire is enhanced (both ohci and core detected).
  * Extended the test syslog-ng logging to remote systems.
  * ESET and LMD (Linux Malware Detect) have been added.
  * Discovered malware scanners are also logged to the report.
  * Eexpanded test for multiple common mount points and define best
    practice mount flags.
  * Best practices for IPv6 configuration on Linux are now collected.
  * Collect network interface names from most operating systems.
  * Password change test has been extended to both capture minimum and password age.
  * Add Proxu support
  * SystemV init is now detected.
  * Now information will be logged when vulnerable software packages were found.
  * Support for DNF (Dandified YUM) for Fedora systems has been added.
  * Multiple configuration tests of SSH merged.
  * Extend detection of virtual machines (VMware tools)
  * Machine state detection with Puppet, Facter, dmidecode, and lscpu
  * When using pentest mode, it will continue without any delays (=quick mode).
  * Improvements for automatic execution of Lynis
  * Upload improvements

- lynis 2.1.1:
  * performance improvements
  * additional support for Linux distributions and external utilities
  * Apache module directory /usr/lib64/apache has been added, which
    is used on openSUSE.
  * various other improvements and bug fixes
- update patches for contect changes:
  lynis_1.3.1_include_consts.diff, lynis_1.3.5_lynis.diff

- lynis 2.1.0:
  * Screen output has been improved to provide additional information.
  * Core dump check on Linux is extended to check for actual values as well.
  * Software:
    + McAfee detection has been extended by detecting a running cma binary.
    + Security patch checking with zypper extended.
  * Session timeout:
    + Tests to determine shell time out setting have been extended
    + determine also if variable is exported as a readonly variable.
    + Related compliance section PCI DSS 8.1.8 has been extended.
- includes changes from Lynis 2.0.0:
  * New feature: helpers
  * docker build file audit helper
  * Improved OS support
  * support systemd, docker, nftables
  * New parameters:
    + --dump-options (see all options)
    + --report-file (define a different location for the report file)
- use tarball supplied default.prf
- clean or silence rpmlint warnings

- lynis 1.6.4:
  * New:
    + Boot loader detection for AIX
    + Detection of getcap and lsvg binary
    + Added filesystem_ext to report
    + Detect rootsh
  * Changes:
    + Hide errors when RPM database is faulty and show suggestion instead
    + Allow OpenBSD to gather information on listening network ports
    + Don't trigger warning for Shellshock when doing segfault test
    + Do not run Apache test on OpenBSD and strip control chars
    + Extended AIDE test with configuration validation test
    + Improved Shellshock test regarding non-Linux support
    + Added support for gathering volume groups on AIX
    + Properly parse PAM lines and add them to report
    + Support for boot loader detection on OpenBSD
    + Added uptime detection for OpenBSD systems
    + Support for volume groups on AIX
    + Redirect errors when searching for readlink binary
- includes changes from 1.6.3:
  * New:
    + Added tests for Shellshock bash vulnerability
    + Added test to determine if Snoopy is used
    + New test for qdaemon configuration file
    + Test for GRUB boot loader password
    + New test for qdaemon printer jobs
    + Added ClamXav test for Mac OS X
    + Gentoo vulnerable packages test
    + New test for qdaemon status
    + Gentoo package listing
    + Running Lynis without root permissions will start non-privileged scan
    + Systemd service and timer example file added
    + Added grub2-install to binaries
  * Changes:
    + Adjustments so insecure SSL protocols are detected in nginx config
    + Directories will be skipped when searching for nginx log files
    + Only gather unique name servers from /etc/resolv.conf
    + Properly detect mod_evasive on Gentoo and others
    + Improved swap partition detection in /etc/fstab
    + Improvements to kernel detection (e.g. Gentoo)
    + Test for built-in security options in YUM
    + Improved boot loader detection for GRUB2
    + Split GRUB test into two tests
    + Added Mac OS uptime check
    + Improved GetHostID function for systems having only ip binary
    + Improved testing for symlinked binary directories
    + Minor adjustments to log output
    + Renamed dev directory to extras
- verify source signature
- adjust permissions of items in /usr/share/lynis/include/consts
  to match those requested by main executable
- run spec_cleaner

- fix bashisms in scripts

- Upgrade to version 1.6.2
- Remove files:
  * lynis_1.3.7_include-test-filesystem.diff( already fixed)
  * lynis-1.3.9.tar.gz

- updated to version 1.3.9
- removed patch
  * lynis_1.3.6_include-test-kernel.diff (fixed upstream)

- updated to version 1.3.7
- Changelog:
  * FileExists() and SearchItem() functions were added. The yum-security
    check and iptables binary check were improved, and the report was
    extended to show which tests have been executed or skipped
- updated patch
  * lynis_1.3.7_include-test-filesystem.diff

- updated to version 1.3.6
- Removed patches (obsolete):
  * lynis_1.3.5_include_binaries.diff
- Updated patches
  * lynis_1.3.6_include_osdetection.diff
  * lynis_1.3.6_include-test-kernel.diff

- updated to version 1.3.5
- Updated patches:
  o lynis_1.3.1_lynis.diff
  o lynis_1.3.1_include_binaries.diff
  o lynis_1.3.1_include-osdetection.diff
  o lynis_1.3.1_include-test-kernel.diff
- Removed patches (obsolete)
  o lynis_1.3.1_include-test-databases.diff
  o lynis_1.3.1_include-test-storage.diff
  o lynis_1.3.1_include-test-homedirs.diff

- fixed typo in prepare_for_suse.sh

- fixed log message for dbus test
- fixed bash variable incrementation that sneaked in the code

- fixed tests_network_allowed_ports to increment index vars
  and not loop forever

- fixed test_homedirs