Hardened Gentoo with no doubt, GRSec, SELinux, fstack-protector-all, hardened toolchain, your binaries are different than everyone elses (USE flags), uClibc-ng/Musl support (uClibc-ng is stable in Gentoo while musl is experimental) which are quite far ahead in terms of security than glibc.


CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"

Is the default build in Hardened Gentoo, memory based attacks can't do shit on this. Many people reported Dirty COW didn't even work on Hardened Gentoo.

Hardened Gentoo is the king of security atop a Linux Kernel.