
083 | Proactive Security: Lynis and the Modern Approach to Linux Server Hardening

Published on August 15, 2025

Introduction: From Reactive Defense to Proactive Security

In 2025, attacks on servers are becoming increasingly sophisticated, and reactive measures alone (firewalls, Fail2Ban, CrowdSec) are not enough: they act on attacks that are already in progress. The modern DevSecOps approach adds proactive hardening, that is, tightening the system's configuration to shrink the attack surface so that a flaw in a service is harder to reach and exploit, ideally before a public exploit for it exists.

Lynis remains one of the key open-source security auditing tools for Unix-like systems, but today it is worth complementing it with standards-based scanners (CIS Benchmarks, SCAP/OpenSCAP) and with automation in CI/CD pipelines, so that findings are remediated by code rather than by hand.

What Lynis Is and How It Works

Lynis is a security scanner for Linux, BSD and other Unix-like systems that runs several hundred individual tests against the local configuration. It is a local, agentless, read-only audit: it changes nothing on the system. Its workflow consists of three stages:

  • Scanning: checking the kernel and boot settings, installed packages, network services, file permissions, cryptography, logging, update policies, and many other parameters.
  • Analysis: producing a report grouped by category (Authentication, Networking, Storage, File Permissions, etc.), with each finding tagged by a test ID such as SSH-7408.
  • Recommendations: listing warnings (issues that should be fixed) and suggestions (improvements), each with a short explanation.

Example of running Lynis:

sudo lynis audit system

Run it as root (via sudo) for full coverage; an unprivileged run (lynis audit system --pentest) skips the checks that need root. The machine-readable report is written to /var/log/lynis-report.dat as key=value lines (warning[]=..., suggestion[]=..., hardening_index=...), with the full log in /var/log/lynis.log. The Hardening Index is a 0-100 score summarising the overall protection level of the system; treat it as a trend indicator for the same host over time, not as a compliance score, because it weights all tests the same regardless of how relevant they are to a given workload.

Modern Hardening Practices 2025+

1️⃣ Using CIS Benchmarks

CIS Benchmarks are consensus-based configuration baselines for Linux distributions. Level 1 settings are the low-impact baseline; Level 2 adds defence-in-depth controls that may affect functionality. Recommendation: run Lynis audits in parallel with CIS-CAT Lite or OpenSCAP, because Lynis reports its own set of best-practice checks rather than pass/fail against every Level 1/2 requirement.

Example of running OpenSCAP against the SCAP Security Guide (scap-security-guide) data stream for Ubuntu 22.04, producing both the machine-readable results and an HTML report:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results report.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Profile IDs differ between distributions and content versions (for example, separate Level 1/Level 2 server and workstation profiles), so list the ones available in your data stream first with oscap info on the same file and pick the matching ID.

2️⃣ Automating Hardening (Ansible, Chef, Terraform)

Manually working through Lynis recommendations is time-consuming and does not scale across a fleet. Today's best practice is automation:

  • Integrate audits into CI/CD pipelines (Jenkins/GitLab CI → Ansible playbook → hardening → re-audit).
  • Use ready-made roles (e.g., the devsec.hardening collection from Ansible Galaxy, with its os_hardening and ssh_hardening roles) for automatic configuration of SSH, sysctl and auditd, and keep only your environment-specific exceptions in your own playbook.

Example playbook to apply Lynis recommendations:

- name: Apply security hardening
  hosts: all
  become: true
  tasks:
    # Maximum password age. PASS_MAX_DAYS in login.defs only applies to
    # accounts created afterwards; existing users need chage -M 90 <user>.
    - name: Ensure password expiration is set
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^PASS_MAX_DAYS'
        line: 'PASS_MAX_DAYS   90'
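The following playbook is an added example, not code from the original post, from Lynis, or from the devsec project. It combines the devsec.hardening roles (whose defaults disable SSH password login and root login) with the two kernel sysctls mentioned later in this post, then re-runs Lynis and fails the play when the Hardening Index drops below a threshold. It assumes the collection is installed (ansible-galaxy collection install devsec.hardening), that lynis is installed on the targets, and that the threshold of 70 and the drop-in file name are your own choices.

```yaml
---
# Added example: baseline hardening, kernel sysctls, then a Lynis gate.
# Assumed: devsec.hardening collection installed; lynis present on targets;
# min_hardening_index is an environment-specific threshold.
- name: Harden and verify with Lynis
  hosts: all
  become: true
  vars:
    min_hardening_index: 70        # assumed threshold, tune per environment
  roles:
    - role: devsec.hardening.os_hardening
    - role: devsec.hardening.ssh_hardening
  tasks:
    - name: Kernel sysctls from the hardening list
      ansible.posix.sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/99-hardening.conf   # assumed file name
        reload: true
      loop: "{{ sysctls | dict2items }}"
      vars:
        sysctls:
          kernel.unprivileged_bpf_disabled: "1"
          kernel.dmesg_restrict: "1"

    - name: Run Lynis non-interactively
      ansible.builtin.command: lynis audit system --quick --no-colors
      register: lynis_run
      changed_when: false
      failed_when: false           # the gate below decides pass/fail

    - name: Read hardening_index from the report
      ansible.builtin.shell: sed -n 's/^hardening_index=//p' /var/log/lynis-report.dat
      register: lynis_index
      changed_when: false

    - name: Fail the play when the index is below the threshold
      ansible.builtin.assert:
        that: lynis_index.stdout | int >= min_hardening_index
        fail_msg: "Hardening index {{ lynis_index.stdout }} < {{ min_hardening_index }}"
```

Because the audit runs on the target host itself, this is the pattern to use for real servers; a Lynis container in the pipeline only sees the pipeline's own filesystem.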

3️⃣ Integration with DevSecOps and Security-as-Code

Running Lynis as a container in the pipeline, with the host root mounted so that file-based checks see the host and not the container image:

docker run --rm --privileged -v /:/mnt ghcr.io/cisofy/lynis audit system --rootdir /mnt

Two caveats: a privileged container with / mounted is equivalent to root on the host, so pin the image by digest and treat it as part of your supply chain; and checks that query the running kernel, processes or sockets still see the container's own namespaces unless you add --pid=host and --net=host.

Configuring regular runs via GitLab CI:

security_audit:
  stage: security
  image: ghcr.io/cisofy/lynis
  # This audits the job container (useful for checking an image), not the
  # production host; audit real servers from the host via SSH or Ansible.
  script:
    - lynis audit system --quick --no-colors --report-file lynis-report.dat
  artifacts:
    paths:
      - lynis-report.dat

The report file can then be parsed to fail the pipeline on regressions and to create tasks automatically in Jira or GitHub Issues, so that each warning becomes a tracked work item rather than a line in a log.
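The report format described earlier (key=value lines in /var/log/lynis-report.dat) is easy to consume from a pipeline. The POSIX shell script below is an added example, not code from the original post or from Lynis: it parses a constructed sample report, gates on the Hardening Index and on blocking warning IDs, and renders a Markdown summary suitable for a ticket body. The sample report contents, the threshold values and the function names are assumptions; creating the ticket itself (for example with a tracker CLI) is left to the caller.

```shell
#!/bin/sh
# Added example: parse a Lynis report, gate a pipeline, draft a ticket body.

# Constructed sample in the format Lynis writes to /var/log/lynis-report.dat
# (warning[]/suggestion[] entries are test-id|message|details|solution).
LYNIS_SAMPLE=$(mktemp)
cat > "$LYNIS_SAMPLE" <<'EOF'
# Lynis Report
report_version_major=1
lynis_version=3.1.1
hostname=web01
warning[]=SSH-7408|Consider hardening SSH configuration|-|-|
warning[]=KRNL-5820|Core dumps are not disabled|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
hardening_index=65
tests_performed=263
EOF

# Value of a scalar key; the last occurrence wins.
lynis_value() { # file key
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Test IDs of all warnings, one per line.
lynis_warnings() { # file
    sed -n 's/^warning\[\]=\([^|]*\)|.*/\1/p' "$1"
}

# Number of warning[] or suggestion[] entries (grep -c prints 0 on no match).
lynis_count() { # file kind
    grep -c "^$2\[\]=" "$1" || true
}

# CI gate: succeed only if hardening_index >= min and no warning ID starts
# with the optional blocking prefix (e.g. "SSH-" to block all SSH warnings).
lynis_gate() { # file min_index [blocking_prefix]
    idx=$(lynis_value "$1" hardening_index)
    [ -n "$idx" ] || { echo "no hardening_index in $1" >&2; return 2; }
    if [ "$idx" -lt "$2" ]; then
        echo "FAIL: hardening_index $idx < $2" >&2
        return 1
    fi
    if [ -n "$3" ] && lynis_warnings "$1" | grep -q "^$3"; then
        echo "FAIL: blocking warnings present:" >&2
        lynis_warnings "$1" | grep "^$3" >&2
        return 1
    fi
    echo "OK: hardening_index $idx, $(lynis_count "$1" warning) warning(s)"
}

# Markdown body for a Jira/GitHub issue: one checkbox per finding. Creating
# the issue (e.g. gh issue create --body-file) is the caller's job.
lynis_issue_body() { # file
    printf '## Lynis audit: %s (hardening index %s)\n\n' \
        "$(lynis_value "$1" hostname)" "$(lynis_value "$1" hardening_index)"
    printf '### Warnings\n'
    awk -F'|' '/^warning\[\]=/ { sub(/^warning\[\]=/, "", $1); printf "- [ ] **%s** %s\n", $1, $2 }' "$1"
    printf '\n### Suggestions\n'
    awk -F'|' '/^suggestion\[\]=/ {
        sub(/^suggestion\[\]=/, "", $1)
        d = ($3 == "-") ? "" : (" (" $3 ")")
        printf "- [ ] %s %s%s\n", $1, $2, d
    }' "$1"
}

# Demo on the sample: index 65 fails a threshold of 70 and SSH- is blocking.
lynis_gate "$LYNIS_SAMPLE" 70 SSH- || echo "gate exit code: $?"
lynis_issue_body "$LYNIS_SAMPLE"
```

In a real job, point the functions at the report artifact and use the gate's exit code as the job result; keep the blocking prefix list small and explicit, since a blanket "zero warnings" rule tends to get disabled the first time a distro update adds a new test.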

4️⃣ Modern Focus Areas (2025)

  • Kernel hardening: set kernel.unprivileged_bpf_disabled=1 and kernel.dmesg_restrict=1 (persistently, via /etc/sysctl.d/), so unprivileged users can neither load BPF programs nor read the kernel log.
  • Systemd service sandboxing: use SystemCallFilter, ProtectHome, ProtectKernelTunables and related directives in unit files; systemd-analyze security <unit> scores each unit's exposure and is a quick way to find the services still running fully unsandboxed.
  • SSH: move to Ed25519 keys, key-only authentication (PasswordAuthentication no, PermitRootLogin no), and FIDO2 hardware-backed keys (sk-ssh-ed25519@openssh.com) where possible.
  • API hardening: if the server hosts APIs, apply rate limiting and a WAF (ModSecurity or Coraza) in front of them.
  • SIEM integration: ship the Lynis report (its key=value format is trivial to ingest) to Elastic or Graylog for centralized analysis and trend tracking across hosts.

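As an added example (not from the original post or from Lynis), here is a small shell linter for the SSH and kernel items above, run over constructed weak and hardened sshd_config files and a constructed sysctl.d drop-in. It goes slightly beyond the list by also checking kernel.kptr_restrict. All file contents and function names are assumptions; the point is to catch a weak setting in a config review or pre-deployment check, before Lynis ever reports it on a live host.

```shell
#!/bin/sh
# Added example: lint sshd_config and sysctl drop-ins for the settings above.

# Constructed samples (assumed files; real ones live in /etc/ssh/sshd_config,
# /etc/ssh/sshd_config.d/*.conf and /etc/sysctl.d/*.conf).
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); SYSCTL_DROPIN=$(mktemp)
cat > "$WEAK_SSHD" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_rsa_key
EOF
cat > "$HARD_SSHD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
HostKey /etc/ssh/ssh_host_ed25519_key
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
EOF
cat > "$SYSCTL_DROPIN" <<'EOF'
# constructed /etc/sysctl.d/99-hardening.conf
kernel.unprivileged_bpf_disabled = 1
kernel.dmesg_restrict = 1
EOF

# Effective value of an sshd_config keyword. sshd takes the FIRST occurrence
# of a keyword, so a hardened line below a weak one does not win; keywords are
# case-insensitive and "key value" / "key=value" are both accepted. Parsing
# stops at the first Match block; Include directives are not followed.
sshd_get() { # file keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh]/ { exit }
        { line = $0; gsub(/=/, " ", line); split(line, f); key = tolower(f[1]) }
        key == k { print f[2]; exit }' "$1"
}

# Findings for one sshd_config, one per line; empty output means clean.
# A missing KbdInteractiveAuthentication is flagged because its default is yes.
sshd_lint() { # file
    [ "$(sshd_get "$1" PermitRootLogin)" = no ] || echo "PermitRootLogin should be no"
    [ "$(sshd_get "$1" PasswordAuthentication)" = no ] || echo "PasswordAuthentication should be no (key-only auth)"
    [ "$(sshd_get "$1" KbdInteractiveAuthentication)" = no ] || echo "KbdInteractiveAuthentication should be no"
    if ! grep -Eiq '^[[:space:]]*HostKey' "$1"; then
        echo "HostKey not set: sshd default also loads RSA and ECDSA host keys"
    else
        grep -Eiq '^[[:space:]]*HostKey[[:space:]=]+.*ed25519' "$1" || echo "no Ed25519 host key configured"
        grep -Eiq '^[[:space:]]*HostKey[[:space:]=]+.*(rsa|ecdsa|dsa)' "$1" && echo "legacy host key type present (rsa/ecdsa/dsa)"
    fi
    return 0
}

# Value of a key in a sysctl.conf-style file ("key = value"); the last line
# wins, matching how sysctl --system applies later lines and later files.
sysctl_file_get() { # file key
    awk -F= -v k="$2" '
        /^[[:space:]]*(#|;|$)/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { v = $2; gsub(/[[:space:]]/, "", v) }
        END { print v }' "$1"
}

# Required kernel sysctls; kptr_restrict is added beyond the list in the post.
sysctl_lint() { # file
    for kv in kernel.unprivileged_bpf_disabled=1 kernel.dmesg_restrict=1 kernel.kptr_restrict=1; do
        k=${kv%=*}; want=${kv#*=}
        [ "$(sysctl_file_get "$1" "$k")" = "$want" ] || echo "$k should be $want"
    done
}

echo "weak sshd_config:";     sshd_lint "$WEAK_SSHD"
echo "hardened sshd_config:"; sshd_lint "$HARD_SSHD"
echo "sysctl drop-in:";       sysctl_lint "$SYSCTL_DROPIN"
```

The first-occurrence rule for sshd keywords is the detail most often missed when "hardening" is appended to an existing sshd_config; for the authoritative effective configuration on a live host, compare the linter's view with sshd -T, which prints the merged result including Include files.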
Limitations of Lynis

  ❌ No real-time protection: Lynis is a point-in-time audit, so active blocking still needs Fail2ban/CrowdSec and a firewall.
  ❌ Limited coverage of containerized workloads: it has some Docker checks, but for Kubernetes use Falco for runtime detection and Trivy for image and cluster configuration scanning.
  ❌ No ready-made remediation: the open-source edition reports findings but ships no playbooks, so expert interpretation of the report is still required before automating fixes.

Conclusion

Lynis remains a key tool for proactive hardening of Linux servers in 2025. However, its effectiveness is greatly increased when combined with:

  • CIS Benchmarks / OpenSCAP for standards compliance.
  • Automation via Ansible/Terraform.
  • DevSecOps pipeline, ensuring continuous auditing and configuration control.

A modern security strategy should be built in 3 layers:

  1. Basic perimeter: UFW, nftables, service minimization.
  2. Active protection: Fail2ban, CrowdSec, WAF.
  3. Proactive hardening: Lynis + OpenSCAP + automation via Ansible.

This approach helps achieve not only a high Hardening Index score but also real resilience to attacks, reducing the risk of exploitation before vulnerabilities even appear in the CVE database.
