Since Tails is using most if not all of these configuration changes, shipping these in Whonix might be sustainble (not breaking too many things than current development manpower allows to triage, fix and user support).
The GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc package looks like the right place to add these.
/etc/sysctl.d configs could be dropped here (maybe copy over from Tails verbatim as much as makes sense): https://github.com/Whonix/security-misc/tree/master/etc/sysctl.d
kernel boot parameters could be modified by shipping a configuration snippet similar to https://github.com/Whonix/grub-enable-apparmor/blob/master/etc/default/grub.d/30_apparmor.cfg (perhaps simpler) could be dropped into security-misc too. (One kernel boot parameter per one line if good.)
Users might manually do this as per Whonix Documentation but I don’t think this is sustainable for default installation in Whonix with current developer manpower since the package is not available from packages.debian.org, see also:
(Kernel is not an “app” but stuff written there applies here too.)