Possible hardenings:

- Mount flags on different partitions/subvolumes: noexec,nodev,nosuid (/tmp and /home, etc).
- SSH options that lynis warns about (compression, Forwarding, etc.)
- sysctl values for the network stack that lynis warns about (icmp redirects, etc.)

It may also be an idea to provide some sort of "hardened" profile, for security-conscious people, where we can be more aggressive about defaults without having to fear breaking common use cases.
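
A way to check the first item on an existing system, as an added example that is not part of the original post: it reads a mount table in `/proc/mounts` format and reports which of noexec, nodev and nosuid each mount point lacks. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mount points for the noexec,nodev,nosuid flags.
# Input is a mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass

REQUIRED="noexec nodev nosuid"

# Constructed sample table (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home btrfs rw,nosuid,nodev,noexec,relatime,subvol=/home 0 0'

# missing_flags MOUNTPOINT  (mount table on stdin)
# Prints the required flags that are absent, separated by spaces.
# Prints "not-mounted" when the path has no mount entry of its own,
# in which case it inherits the flags of its parent filesystem.
missing_flags() {
    target=$1
    opts=""
    found=0
    while read -r _dev mnt _type mopts _rest; do
        # A later entry overmounts an earlier one: keep the last match.
        if [ "$mnt" = "$target" ]; then
            opts=$mopts
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "not-mounted"
        return 0
    fi
    missing=""
    for flag in $REQUIRED; do
        # Wrap in commas so "nodev" only matches a whole option.
        case ",$opts," in
            *",$flag,"*) ;;
            *) missing="${missing:+$missing }$flag" ;;
        esac
    done
    echo "$missing"
}

# report TABLE: one line per audited mount point.
report() {
    for mp in /tmp /home /var/tmp; do
        printf '%s: %s\n' "$mp" "$(printf '%s\n' "$1" | missing_flags "$mp")"
    done
}

report "$SAMPLE_MOUNTS"
```

To audit the running system instead of the sample, call `report "$(cat /proc/mounts)"`.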