[grayhatter]

If auditors are going to use this, it would benefit even the most competent sysadmin to know what it's gonna say. The average compliance analyst isn't going to understand why some enumerable risk isn't actually a threat because; your threat model makes said issue actually impossible. Even if you can prove it, they're still gonna include it in their needless risk findings. I'd postulate (for fun) that most competent sysadmins would be more likely to have that problem, because they've already identified it, and are using it as a makeshift 'honeypot'.

[mboelen]

That is exactly why Lynis was created, to make it easier for both a sysadmin and auditor to validate things. At the same time, not every system needs the security level of a bank, so that is why it provides suggestions. Is something too strict for your needs? No problem, just disable the test. What I learned is that often auditors and system administrators like it when they an independent tool that helps to set some middle ground. The sysadmin benefits from a validation tool, while the auditor benefits from the fact that the sysadmin has the ability to validate their systems. IMHO that is better than auditors who force companies to use CIS benchmarks, simply because that is what they found and think was a good idea. Lynis does not enforce things, but allows both the sysadmin and auditor to implement things along the risk level and risk appetite. Disclaimer: I'm the author of the tool.