In my experience the moment you touch anything open source, or anything third party not explicitly designed from the ground up security-first, you are guaranteed to lose. You can try to harden Linux, but the whole architecture is designed for openness and extendibility, not for security. It also neglects one of the main principles of safe design: subtractive change (more often than not, a goal can be achieved by removing/refactoring a component, rather than by adding extra). To quote Gordon Bell:
“The cheapest, fastest, and most reliable components are those that aren’t there.”