Kernel Hardening - security-misc

The System.map files should be removed. By default, /boot/System.map-* contains kernel symbols which could be useful to an attacker. Setting kernel.kptr_restrict=2 hides these from /proc/kallsyms, but an attacker can just look at the System.map files to get the symbols anyway.

These could possibly be purged during the build or at boot with a systemd service.

Tails also removes these.

System.map files are only used for debugging or malware.

It may be useful to disable the SysRq key too. It allows anyone to use certain commands that the kernel will do regardless of what it’s currently doing. It can be disabled with sysctl using kernel.sysrq=0. I am not too sure about this one though.

See QA/Sysrq - Fedora Project Wiki. It doesn’t look too good.

2 Likes
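The cleanup and sysctl settings described in the post above, as an added example that is not part of the original post and is not security-misc's own code. The function names and the directory arguments are assumptions made for illustration; the paths and sysctl values are the ones the post names.

```shell
#!/bin/sh
# Added example, not security-misc's own code. The directory arguments let
# the functions run against a scratch tree instead of the live /boot.

# Delete regular System.map-* files in a boot directory (default /boot).
# Symlinks and directories are skipped; each removed path is printed.
purge_system_maps() {
    bootdir=${1:-/boot}
    for f in "$bootdir"/System.map-*; do
        # An unmatched glob stays literal and fails the -f test.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
    return 0
}

# Compare a sysctl (dotted name) with a wanted value by reading it from a
# /proc/sys-style tree. Returns 0 on match, 1 on mismatch or unreadable.
sysctl_is() {
    key=$1 want=$2 root=${3:-/proc/sys}
    path=$root/$(printf '%s' "$key" | tr '.' '/')
    [ -r "$path" ] || return 1
    read -r have < "$path" || [ -n "$have" ] || return 1
    [ "$have" = "$want" ]
}

# Report leftover System.map files and the two sysctls from the post.
# The exit status is the number of findings (0 means nothing to fix).
audit_kernel_exposure() {
    bootdir=${1:-/boot} root=${2:-/proc/sys} findings=0
    for f in "$bootdir"/System.map-*; do
        [ -f "$f" ] || continue
        echo "FINDING: $f exposes kernel symbols"; findings=$((findings + 1))
    done
    sysctl_is kernel.kptr_restrict 2 "$root" || {
        echo "FINDING: kernel.kptr_restrict is not 2"; findings=$((findings + 1)); }
    sysctl_is kernel.sysrq 0 "$root" || {
        echo "FINDING: kernel.sysrq is not 0"; findings=$((findings + 1)); }
    return "$findings"
}

# Boot-time use (as root), e.g. from a oneshot service: purge_system_maps /boot
```

Kernel packages install a new /boot/System.map-* with each kernel version, which is why the purge is run at every boot rather than once.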