Yes, I think it’s a good idea.
I don’t like the state of information available for hardening Debian. (Official) Resources are obsolete and blog articles are usually recipes with no background. Whonix wiki seems to be the only thing that’s relevant for general advice. Good job everyone!
- More restrictive Umask settings
- A metapackage to remove bloat and insecure packages [?]
- Non-permissive iptables settings [?]: would probably be wonky since use cases would be juggled between vanilla Debian and Whonix, though
- More aggressive service disables in systemd [?]
- Make new services disabled-by-default instead of enabled-on-install