Update README with comprehensive documentation improvements

[assisted-by-ai]

Summary

This PR updates the README.md documentation to reflect recent implementation changes, add missing feature documentation, and improve clarity on various security hardening features.

Key Changes

Documentation Updates

• Marked Speculative Return Stack Overflow (SRSO) mitigation as optional
• Added comprehensive documentation for kernel console output suppression during boot
• Added documentation for recovery mode restrictions
• Expanded Bluetooth configuration details with specific settings and rationale
• Added detailed faillock configuration documentation with specific parameters
• Updated SSH client/server hardening descriptions with specific cryptographic restrictions
• Added git configuration hardening documentation
• Added comprehensive USBGuard section documenting USB device authorization rules
• Added new "Systemd preset defaults" section documenting disabled-by-default services

File Path Updates

• Updated references from debian/security-misc.postinst to debian/security-misc-shared.postinst
• Updated systemd paths from /lib/systemd/ to /usr/lib/systemd/
• Updated permission-hardener paths from /etc/permission-hardener.d to /usr/lib/permission-hardener.d

New Features Documented

• Kernel console output suppression via loglevel=0 and quiet parameters
• Recovery mode restrictions preventing physical attacks
• Detailed Bluetooth controller restrictions and privacy settings
• Faillock configuration with 7-day failure tracking window and manual unlock requirement
• Emergency shutdown service with dracut module integration and udev rules
• Thunar file manager hardening (thumbnails, volume management, network bookmarks)
• Multiple new helper scripts and utilities:
  • virusforget for detecting unauthorized shell startup file changes
  • askpass for GUI password prompts
  • check-for-usb-controller for conditional USBGuard activation
  • pam_only_if_login and pam_only_if_su for PAM conditional helpers
  • block-unsafe-logins for privileged account protection
• AppArmor tunable for config-package-dev displaced files
• Custom sysinit-post.target for boot synchronization
• Systemd drop-in for sysfs supplementary group access
• LKRG VirtualBox compatibility management

Removed Content

• Removed "Access rights relaxations" section (pkexec/lxqt-sudo workaround) as it's no longer applicable

Notable Implementation Details

• Emergency shutdown service is disabled by default and requires manual enablement
• Default panic key sequence changed from Ctrl+Alt+Delete to Ctrl+Alt+End
• USBGuard uses implicit block policy with specific device class restrictions
• Multiple systemd services are explicitly disabled by default in the preset
• Faillock is skipped for remote services (sshd, dovecot) to prevent remote lockout attacks

https://claude.ai/code/session_0125G25dF8DVff618hmCMMNw

[ArrayBolt3]

Modified and integrated in ArrayBolt3@0e8f654.