Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package lynis for openSUSE:Factory checked in at 2025-07-30 11:45:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
 and      /work/SRC/openSUSE:Factory/.lynis.new.13279 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis" Wed Jul 30 11:45:04 2025 rev:60 rq:1296287 version:3.1.5 Changes: -------- --- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2025-01-28 17:06:02.148597666 +0100 +++ /work/SRC/openSUSE:Factory/.lynis.new.13279/lynis.changes 2025-07-30 11:46:08.812634343 +0200 @@ -1,0 +2,14 @@ +Tue Jul 29 07:33:22 UTC 2025 - Robert Frohl <rfr...@suse.com> + +- Update to 3.1.5 + * Added + - Support for OpenWrt + - Bitdefender detection on Linux + - Detection of openSUSE Tumbleweed-Slowroll + * Changed + - Corrected detection of service manager SMF + - Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt + - Check modules also under /usr/lib/modules.d +- Drop additional_module_blacklist_locations.patch: accepted upstream + +------------------------------------------------------------------- @@ -1002 +1016 @@ -Tue Mar 17 2009 20:32 CET - mrd...@opensuse.org +Tue Mar 17 20:32 CET 2009 - mrd...@opensuse.org Old: ---- additional_module_blacklist_locations.patch lynis-3.1.4.tar.gz lynis-3.1.4.tar.gz.asc New: ---- lynis-3.1.5.tar.gz lynis-3.1.5.tar.gz.asc ----------(Old B)---------- Old: - Check modules also under /usr/lib/modules.d - Drop additional_module_blacklist_locations.patch: accepted upstream ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lynis.spec ++++++ --- /var/tmp/diff_new_pack.bm3rUF/_old 2025-07-30 11:46:09.608667272 +0200 +++ /var/tmp/diff_new_pack.bm3rUF/_new 2025-07-30 11:46:09.612667438 +0200 @@ -23,7 +23,7 @@ %define _pluginsdir %{_datadir}/lynis/plugins %define _dbdir %{_datadir}/lynis/db Name: lynis -Version: 3.1.4 +Version: 3.1.5 Release: 0 Summary: Security and System auditing tool License: GPL-3.0-only 
@@ -49,8 +49,6 @@ # PATCH-OPENSUSE-FIX -- tho...@novell.com - modifying for openSUSE Patch2: %{name}_1.3.1_include_consts.diff Patch5: %{name}_1.3.6_include-osdetection.diff -# https://github.com/CISOfy/lynis/pull/1215 -Patch6: additional_module_blacklist_locations.patch BuildRequires: gcc-c++ BuildRequires: libxml2-devel Requires: bash @@ -78,7 +76,6 @@ %patch -P 0 %patch -P 2 %patch -P 5 -%patch -P 6 -p1 %build ++++++ lynis-3.1.4.tar.gz -> lynis-3.1.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md --- old/lynis/CHANGELOG.md 2025-01-28 01:00:00.000000000 +0100 +++ new/lynis/CHANGELOG.md 2025-07-29 02:00:00.000000000 +0200 @@ -1,5 +1,19 @@ # Lynis Changelog +## Lynis 3.1.5 (2025-07-29) + +### Added +- Support for OpenWrt +- Bitdefender detection on Linux +- Detection of openSUSE Tumbleweed-Slowroll + +### Changed +- Corrected detection of service manager SMF +- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt +- Check modules also under /usr/lib/modules.d + +--------------------------------------------------------------------------------- + ## Lynis 3.1.4 (2025-01-28) ### Changed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions --- old/lynis/include/functions 2025-01-28 01:00:00.000000000 +0100 +++ new/lynis/include/functions 2025-07-29 02:00:00.000000000 +0200 @@ -940,7 +940,7 @@ done fi - if [ ! "${SHA1SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then + if [ ! "${SHA1SUMBINARY}" = "" -o ! "${SHA256SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then LogText "Info: found hashing tool, start generation of HostID" case "${OS}" in 
@@ -1068,7 +1068,12 @@ # Check if we found a MAC address to generate the HostID if HasData "${FIND}"; then LogText "Info: using hardware address '${FIND}' to create HostID" - HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') + if [ -n "${SHA1SUMBINARY}" ]; then + HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') + elif [ -n "${SHA256SUMBINARY}" ]; then + # Truncate hash to match SHA1 length + HOSTID=$(echo ${FIND} | ${SHA256SUMBINARY} | awk '{ print $1 }' | head -c 40) + fi LogText "Result: Found HostID: ${HOSTID}" else ReportException "GetHostID" "HostID could not be generated" @@ -1155,7 +1160,7 @@ fi else - ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)" + ReportException "GetHostID" "Can't create HOSTID as there is no hash tool available (sha1, sha1sum, openssl, truncated sha256sum)" fi # Search machine ID @@ -1198,10 +1203,9 @@ LogText "Info: start generation of HostID (version 2)" FOUND=0 DATA_SSH="" - # Use public keys - SSH_KEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub" if [ -d /etc/ssh ]; then - for I in ${SSH_KEY_FILES}; do + SSH_PUBKEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub" + for I in ${SSH_PUBKEY_FILES}; do if [ ${FOUND} -eq 0 ]; then if [ -f /etc/ssh/${I} ]; then LogText "Result: found file ${I} in /etc/ssh, using that as candidate to create hostid2" 
@@ -1210,8 +1214,20 @@ fi fi done + elif [ -d /etc/dropbear ]; then + SSH_KEY_FILES="dropbear_ed25519_host_key dropbear_rsa_host_key" + for I in ${SSH_KEY_FILES}; do + if [ ${FOUND} -eq 0 ]; then + if [ -f "/etc/dropbear/${I}" ]; then + LogText "Result: found file ${I} in /etc/dropbear, using that as candidate to create hostid2" + # Dropbear stores both keys in one binary file + DATA_SSH=$(dropbearkey -y -f "/etc/dropbear/${I}" | grep '^ssh') + FOUND=1 + fi + fi + done else - LogText "Result: no /etc/ssh directory found, skipping" + LogText "Result: no /etc/ssh nor /etc/dropbear directory found, skipping" fi STRING_TO_HASH="" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/osdetection new/lynis/include/osdetection --- old/lynis/include/osdetection 2025-01-28 01:00:00.000000000 +0100 +++ new/lynis/include/osdetection 2025-07-29 02:00:00.000000000 +0200 @@ -397,6 +397,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="openSUSE" ;; + "opensuse-slowroll") + LINUX_VERSION="openSUSE Tumbleweed-Slowroll" + # It's rolling release but has a snapshot version (the date of the snapshot) + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="openSUSE" + ;; "opensuse-leap") LINUX_VERSION="openSUSE Leap" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_boot_services new/lynis/include/tests_boot_services --- old/lynis/include/tests_boot_services 2025-01-28 01:00:00.000000000 +0100 +++ new/lynis/include/tests_boot_services 2025-07-29 02:00:00.000000000 +0200 
@@ -146,7 +146,7 @@ fi ;; "Solaris") - if [ -n "${ROOTDIR}usr/bin/svcs" ]; then + if [ -x "${ROOTDIR}usr/bin/svcs" ]; then SERVICE_MANAGER="SMF (svcs)" elif [ -d "${ROOTDIR}etc/init.d" ]; then SERVICE_MANAGER="SysV Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_filesystems new/lynis/include/tests_filesystems --- old/lynis/include/tests_filesystems 2025-01-28 01:00:00.000000000 +0100 +++ new/lynis/include/tests_filesystems 2025-07-29 02:00:00.000000000 +0200 
@@ -880,15 +880,22 @@ AddHP 3 3 if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi fi - FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) - if [ -n "${FIND}" ]; then - FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then - Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN - LogText "Result: module ${FS} is blacklisted" + + for SUBDIR in "${ROOTDIR}etc" "${ROOTDIR}usr/lib"; do + if [ -d "${SUBDIR}/modprobe.d" ]; then + LogText "Result: directory ${SUBDIR}/modprobe.d exists" + FIND=$(${LSBINARY} "${SUBDIR}/modprobe.d/*" 2> /dev/null) + if [ -n "${FIND}" ]; then + FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then + Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN + LogText "Result: module ${FS} is blacklisted" + break + fi fi - fi + fi + done done if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_malware new/lynis/include/tests_malware --- old/lynis/include/tests_malware 2025-01-28 01:00:00.000000000 +0100 +++ new/lynis/include/tests_malware 2025-07-29 02:00:00.000000000 +0200 
@@ -147,14 +147,14 @@ Report "malware_scanner[]=avira" fi - # Bitdefender (macOS) - LogText "Test: checking process epagd" - if IsRunning "bdagentd" || IsRunning "epagd"; then + # Bitdefender (macOS & Linux) + LogText "Test: checking process Bitdefender daemon" + if IsRunning "bdagentd" || IsRunning "epagd" || IsRunning "bdsecd"; then FOUND=1 BITDEFENDER_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1 MALWARE_SCANNER_INSTALLED=1 - if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender daemon" --result "${STATUS_FOUND}" --color GREEN; fi LogText "Result: found Bitdefender security product" Report "malware_scanner[]=bitdefender" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/lynis new/lynis/lynis --- old/lynis/lynis 2025-01-28 01:00:00.000000000 +0100 +++ new/lynis/lynis 2025-07-29 02:00:00.000000000 +0200 
@@ -43,16 +43,16 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2025-01-28" - PROGRAM_RELEASE_TIMESTAMP=1738061140 + PROGRAM_RELEASE_DATE="2025-07-29" + PROGRAM_RELEASE_TIMESTAMP=1753773496 PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.1.4" + PROGRAM_VERSION="3.1.5" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_PACKAGE="https://packages.cisofy.com/" PROGRAM_DOCUMENTATION="https://cisofy.com/docs/" - PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" + PROGRAM_COPYRIGHT="2007-2025, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/publiccode.yml new/lynis/publiccode.yml --- old/lynis/publiccode.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/lynis/publiccode.yml 2025-07-29 02:00:00.000000000 +0200 
@@ -0,0 +1,49 @@ +publiccodeYmlVersion: "0.4" +name: Lynis +url: https://github.com/CISOfy/lynis +releaseDate: 2025-01-28 +platforms: + - linux + - mac +categories: + - cloud-management + - compliance-management + - fleet-management + - it-management + - it-security +developmentStatus: stable +softwareType: standalone/other +description: + en: + shortDescription: Security auditing tool for Linux, macOS, and UNIX-based systems + longDescription: Lynis is a security auditing tool for systems based on UNIX + like Linux, macOS, BSD, and others. It performs an in-depth security scan + and runs on the system itself. The primary goal is to test security + defenses and provide tips for further system hardening. It will also scan + for general system information, vulnerable software packages, and possible + configuration issues. Lynis was commonly used by system administrators and + auditors to assess the security defenses of their systems. Besides the + "blue team," nowadays penetration testers also have Lynis in their + toolkit. + documentation: https://cisofy.com/documentation/lynis/ + features: + - command-line + - perform security audit + - extensive log + - security hardening advice + - Linux security hardening +legal: + license: AGPL-3.0-only +maintenance: + type: community + contacts: + - name: Michael Boelen + email: michael.boe...@cisofy.com + phone: "" + affiliation: "" +localisation: + localisationReady: true + availableLanguages: + - en + - es + - nl
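Review bot: in include/tests_filesystems (hunk @@ -880,15 +880,22 @@) the new SUBDIR loop never searches usr/lib, because FIND1 and FIND2 still grep ${ROOTDIR}etc/modprobe.d/* instead of ${SUBDIR}/modprobe.d/*, so the second iteration reads the same /etc files again. The glob is also inside the quotes in ${LSBINARY} "${SUBDIR}/modprobe.d/*", so ls receives a literal * and FIND stays empty unless a file with that name exists, which skips the blacklist check for both directories. Suggest moving the * outside the quotes and using ${SUBDIR} in both grep calls. The lynis.changes and CHANGELOG.md entries name /usr/lib/modules.d while this code checks usr/lib/modprobe.d; one of the two should be corrected.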
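Review bot: in include/functions (hunk @@ -1068,7 +1068,12 @@) the new if/elif has no else branch, while the gate changed in hunk @@ -940,7 +940,7 @@ is also satisfied when only OPENSSLBINARY or CSUMBINARY is set. If this branch is reached in that state, HOSTID is not assigned here and the following LogText still reports "Result: Found HostID". Suggest an else that calls ReportException, and quoting ${FIND} in the echo. It is also worth documenting that the truncated SHA-256 value differs from the SHA-1 value for the same hardware address, so a host's HostID changes when the available hash tool changes.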
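Review bot: in include/functions (hunk @@ -1210,8 +1214,20 @@) FOUND=1 is set directly after the dropbearkey call without checking that the command exists or produced output, so a missing dropbearkey binary or an unreadable key file leaves DATA_SSH empty and still stops the loop from trying the next key file. Suggest setting FOUND=1 only when DATA_SSH is non-empty and redirecting stderr of dropbearkey. Because the block is an elif, /etc/dropbear is also skipped whenever /etc/ssh exists, even if no host public key was found there; checking Dropbear when FOUND is still 0 after the /etc/ssh loop would cover that case.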
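Review bot: in include/tests_malware (hunk @@ -147,14 +147,14 @@) the LogText line no longer says which processes are checked: "Test: checking process Bitdefender daemon" replaces "Test: checking process epagd", while three names are now tested. Suggest listing bdagentd, epagd and bdsecd in the log text and stating in the comment which name was added for Linux, so someone reading the audit log can tell what was looked for.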
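Review bot: in the new publiccode.yml (hunk @@ -0,0 +1,49 @@) releaseDate is 2025-01-28, the date of 3.1.4, while the same commit sets PROGRAM_RELEASE_DATE="2025-07-29" in the lynis script. The license field reads AGPL-3.0-only, whereas lynis.spec declares License: GPL-3.0-only and PROGRAM_LICENSE refers to the GNU General Public License. Suggest updating releaseDate with each release and aligning the license value with the one the project and the package actually declare.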