[eyberg]

Might be a rhetorical question but are you on the cloud?

If so what language, apps are you running? I'd encourage you to take a look at https://ops.city && see if that is something that would work well for your use-case. It effectively turns your application into a server with no ability to run other programs on it and doesn't even have the notion of users or the ability to ssh in. The auditing requirements you are looking for go way down too as most of the things like "open a port", "log when rm -rf ~/.bash_history", or things like that simply don't happen. We actually measured the security controls from the the STIGs that are referenced in the other post and were seeing up to 70% reduction in them when deploying like this versus a deb/ubuntu instance, not to mention you don't have a half-dozen different interpreters, tens of users, thousands of shared libraries, etc.

Happy to answer any questions as I'm one of the authors/maintainers.