This skill uses Lynis as an on-host auditing workflow for UNIX-like systems. Lynis runs locally, inspects system configuration and installed software, and returns findings, warnings, and hardening suggestions that help an agent understand whether a machine is drifting away from a sane baseline. The job-to-be-done is specific: audit a host before it becomes more exposed, then convert the output into a practical remediation queue.

Invoke this before exposing SSH on a new VPS, after changing base images, before a compliance review, after a round of package or configuration drift, or when a server “feels fine” but nobody has checked the hardening posture in a while. An agent can run ./lynis audit system, collect the high-signal warnings, group them by risk, and recommend the next changes to make, such as tightening SSH settings, reducing unnecessary packages, improving permissions, or addressing outdated software. Because Lynis is local-first, it is especially useful for private systems where you do not want to rely on an external scanner to enumerate the host.

The scope boundary is what keeps this skill shaped correctly. Lynis is not a SIEM, not a patch management platform, and not an active exploitation framework. It is a host audit and hardening assistant. Integration points include periodic cron audits, server build pipelines, security review checklists, package manager updates, and ticketing workflows that need actionable security findings tied to a specific host state.