Thank you both.
I have tried CentOS, and took a profound dislike to it (and most RHEL clones) for personal use; their use of SELinux, & gigabytes of upgrades which inevitably break things. I last fiddled with fedora which alone of them has the multimedia basics. They insist on making simple things difficult: NetorkManager, Systemd, to name but two. One is also scourged to configure everything through SELinux. Being hacked for me is merely an inconvenience. I have no email trove like Clinton or Weiner to hide, no fortune or state secrets, no database or dirty underwear. If something like CIH overwrote the BIOS, that's about the worst that could happen to me. CIH is particularly unlikely anyhow as I don't have windows installed.
I surfed there, hit 'find in page' and put in the word 'hardened.' No dice. I gather I can probably grab the source, patch or substitute hardened bits, and approach it that way; but it is lacking. From HLFS in my day, I know the most fundamental of mods were made in the compiler, adding Position Independent Code and other refinements. PIC is mainstreamed in gcc now.
It strikes me as simpler to patch a vanilla kernel with pax & grsecurity than go for the distro kit that is gentoo hardened.