I'm writing this as my notes on hardening a Kali Linux system running kernel version 5.6.14. This is by no means an exhaustive list of everything that could be done
This is meant for general-purpose, daily-use Linux laptop. Most notably, this is a one-user system. I'm the only user here, so countermeasures for user-infighting are not taken here. I also do a lot of programming (and debugging), so some features such as the kernel Yama module are not turned to their most restrictive settings.
I'm skipping pre- and during-install procedures, such as disk encryption, secure boot, etc.. You should start this process with an already-completed fully-encrypted, passworded install. I'm also assuming some very basic knowledge, such as what constitutes a strong password, and how to edit files.
Almost all of these changes require a reboot to take effect. I'm leaving out how to apply changes on-the-fly here, but expect to reboot after major changes. The etckeeper package may be help