We have created a Rudder policy that covers every OS we support for our customers,
as well as those that are on the way (i.e. the beta of a new version).
For our managed systems, it covers distro-/OS-specific settings, with the generic rule
that “what makes sense everywhere will be applied everywhere”.
For human eyes, it needs to have a clear design that eases understanding and maintenance.
A rough description of how to approach building a hardening policy, anyway.