add filesystem hardening (mounting external filesystems read-only, nosuid, and so on)