As you're no doubt aware, security can not be considered an "on/off" type thing. And more often than not, there are usability issues raised if the screws are wound down too tight.

As such TurnKey aims to provide appliances that conform as closely as possible to general "best practice" with regards to security; whilst balancing usability as much as practically possible. Our appliances are all based on Debian. Debian mostly provides pretty sensible defaults which arguably conform to general "best practice", so we leverage that "off the bat".

Beyond Debian defaults, we do make some adjustments. Some of those could be considered "hardening" (and over the years, a few have later been adopted by Debian as improved defaults). Although as many of our users aren't particularly "Linux savy", it could be argued that some of our tweaks soften security a little. But as we're not recompiling anything, the settings can easily be adjusted by more experienced end users who know exactly what they want/need. We do hope to provide an easier way for not-so-knowledgeable users to adjust some of these settings in an on/off type way, but we're not there yet.

During a new major version's development cycle (typically not long before we release as stable) we run our appliances against Lynis (an auditing, system hardening and compliance testing tool). We then re-run them against Lynis periodically. We apply most of the suggested tweaks, although there have been a few occasions where we've needed to wind back specific hardening as it has caused too many issues for too many users...

With regards to specific third party applications, it very much depends on the application. At least initially, we try to follow the app developers recommendations. However if they don't provide any recommendations (or their recommendations are not adequate in our opinion) then we do a best effort to secure the application. Again there are some things that we have done in the past (e.g. on our WordPress appliance - we used to only allow the webserver user account limited write access) which we've wound back in the interests of end user ability to install updates via the web UI. It could be argued that locking it down is better security wise, but if the user then struggles to apply security updates, the value may well be limited...

FWIW we also host all of our appliances on Amazon, so they all also receive initial and periodic security scans there to ensure that they're compliant with Amazon's requirements. Occasionally that will bring up particular issues, but historically they've mostly they've been false positives.

Do you have any particular or specific requirements? If so please feel free to sahre and I can talk more specifically.