I have been looking at hardening *nix servers for my lab and maybe carry some of that over to work. CIS benchmarks are something I like doing but that’s barely scratching the surface. What do you do for your servers?

I have Lynis, systemd-analyze, Kernel self protection in mind but I’d love to hear your thoughts. Bonus points for the most paranoid setups!