Hacker News | mboelen's comments

That is exactly why Lynis was created, to make it easier for both a sysadmin and auditor to validate things. At the same time, not every system needs the security level of a bank, so that is why it provides suggestions. Is something too strict for your needs? No problem, just disable the test. What I learned is that often auditors and system administrators like it when they have an independent tool that helps to set some middle ground. The sysadmin benefits from a validation tool, while the auditor benefits from the fact that the sysadmin has the ability to validate their systems. IMHO that is better than auditors who force companies to use CIS benchmarks, simply because that is what they found and think was a good idea. Lynis does not enforce things, but allows both the sysadmin and auditor to implement things along the risk level and risk appetite. Disclaimer: I'm the author of the tool.


That is also why Lynis does not follow a specific set, but applies generic principles from multiple sources. Yes, some of the items may be default (now) in Linux distributions, but often they still aren't. For example, most systemd services definitely can use more strict defaults. The distribution is typically not making the changes, to avoid breaking things for the end-user. This is where Lynis comes in, being independent of any big commercial organization (yes, looking at you Red Hat). While working on Lynis for 17 years now, I can say some things definitely improved in Linux distributions, but there are still so many things that could be much better secured out-of-the-box.


Lynis author here. While some defaults definitely became better, often due to the kernel itself being better protected, there is still a lot of room for improvement. The distribution often can't make things too strict, to prevent common issues. Keep also in mind that it is not just the OS itself, but especially the parts that get added over time (users, software, configuration file changes) that introduce the biggest flaws. The aim of Lynis is to do a regular health check, giving the sysadmin the chance to tighten things where needed or correct those things that got out of spec.


Did you try Lynis as an alternative?


It almost does all that you ask. There is a big downside of the toolkit: it is filled with abbreviations, XML files, and binaries. For that reason, I still develop an alternative project focused on Linux, macOS, and Unix-derivatives. It is named Lynis and was founded in 2007.

GitHub link: https://github.com/CISOfy/lynis


You might like Lynis (https://github.com/CISOfy/lynis). A lightweight security scanner that can be integrated as well.


Hi HN!

This is Michael, a tool author myself. I created this project to have an up-to-date database source for Linux security topics, starting with security tools and having them categorized and ranked. The goal is to allow people to find the right security tool and information for the job, quickly and easily.

Sharing the project here to ask for feedback and ideas on how to further improve it. Anything that you would love to see?

Disclaimer: to ensure the project stays around and continues to receive development, we put in company resources (hence the footer and training). The paid training will help fuel the development and pay for the hosting costs.


Someone submitted my security tool Lynis during Black Hat Europe: https://github.com/CISOfy/lynis (original link https://news.ycombinator.com/item?id=12870753).

The result was a spike in GitHub stars, more users and feedback. So a great way to increase an open source project.


Most Linux distributions have to make a compromise between performance, ease of use, security, and more. In the end, you will have to do tuning, and that includes tuning for performance and security.

As one of the developers of Lynis, I can suggest picking up an auditor's mindset. So just use the distribution you like the most, then become good at evaluating what can be improved. As you already discovered, automation is the key. A tool like Lynis will simplify that greatly: https://cisofy.com/lynis/

Happy hardening :)


I have installed lynis, it looks good!


* Project name: Lynis (https://github.com/CISOfy/lynis/), GPLv3

* Project description: security auditing tool for Linux, macOS, and UNIX-derivatives. The primary goal is to assist in security assessments and help with system hardening. Written in shell script and the project is mature (almost 9 years).

* Upcoming goals: More application specific tests (like MongoDB, Redis, Tomcat, nginx), so we can provide more value as a project.

* Needed skills: application knowledge and being able to write some basic shell script.

* Contributors link: https://github.com/CISOfy/lynis/blob/master/CONTRIBUTIONS.md

* Your license(s): GPLv3

