IME the checklists and guides can be a useful resource but are mostly “cover your a$$” documentation, oftentimes falling into cargo cult suggestions just to add more check-boxes.
You must be using the wrong 'checklists' (they aren't checklists, they are implementation guidelines). CIS benchmarks and DISA STIGs provide concrete actions that lead to a more secure system. Sure, some of them might not apply specifically to your environment, but in general they are an excellent starting point.
Some of the line items can be a bit arcane or not as relevant in cloud environments, etc., but that's a far cry from calling them CYA.
Nothing cargo cult about enabling SE Linux, restricting access with IP tables, configuring AuditD and AIDE.
> Nothing cargo cult about enabling SE Linux, restricting access with IP tables, configuring AuditD and AIDE.
These are great ways to massively overcomplicate your system. Generally speaking, having encountered these tools, do not use them unless you're willing to dedicate about 2x the time you would otherwise spend administering the system.
Just because you had difficulty does not mean you should give such advice to others. There is nothing difficult about configuring any of these systems if you know what you are doing.
If a single line item that seems irrelevant to you makes you think the whole process of security hardening is useless, you are a fool.
Frankly, you sound like the tired BOFH trope. If you don't see the benefits of security hardening, I hope you are never responsible for anything important infrastructure-wise in your organization.