Hardening depends on your threat model and needs of the client. Have the system do what it is supposed to do nothing more or less. I pretty much use this as a guide line depending on client needs.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/security_guide/red_hat_enterprise_linux-7-security_guide-en-us.pdf