[halz]

Really depends on the role of the system. Will it be multi-user/single-user? Hosting containers? Hosting virtual machines? Running as a virtual machine? Doing network magic? Each of these classifications will take hardening in different directions.

You can get a rough feel for the enthusiasm of your distro's desire to do 'hardened things' by checking its kernel config. Heres one such script that has consolidated some hardening guides; https://github.com/a13xp0p0v/kconfig-hardened-check and also spot check with http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Pro...

Then can also see if the distro is doing things to harden the binaries (relro, nx, canaries, aslr, pie, etc) ; https://www.trapkit.de/tools/checksec/ Also! you may be surprised to find which distros are comfortable with allowing unprivileged user namespaces (kernel.unprivileged_userns_clone=1)