OpenNA should probably be included in discussions like this. My organization recently decided to standardize on it for all critical servers, especially ones with a public IP address.
It ships with quite paranoid policies. Root can only log in on the first virtual terminal -- all others must use sudo. I have been kicked off and denied access by doing things like attempting to mount an NFS partition. It insists that you set a password for GRUB to boot the system (which seems like a bad idea for servers). Most services are set to run in a chroot() jail, which is a good thing...something Red Hat and the others probably should have been doing from the beginning. It ships with the GIPTables firewall, a front-end to iptables with a relatively simple text-based config file. It's hardened in many other ways too, more than I can remember right now.
The 1.0 release has a few bugs, but they're being taken care of by updates. If you're used to Red Hat, you can expect to pull your hair out a few times while learning it. But if you want an ultra-paranoid distribution, it's worth looking into.
Oh, and it even ships XFree86 4.4! (In updates...the 1.0 CD ships with an RC.)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds