I’ve been putting together a script to run after I build every CentOS 7 machine, to help reduce its attack surface and to implement “best practices” for security.
It implements the Center for Internet Security’s CentOS 7 Benchmark. A lot of the configuration changes are already in place in a CentOS 7 Minimal installation, but I’ve still included them in case that build changes over time.
I don’t recommend running this on an existing machine, as it can overwrite configuration files and break services. For example, the DHCP package is removed by the script, which isn’t exactly ideal for a DHCP server. It’s best to run this on a new installation, and then go about your normal build process afterwards.
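To make the "new installation only" caveat above enforceable, the following is an added example (not the post's script) of two guard helpers a hardening script of this kind can call before it removes packages or overwrites configuration: a preflight that refuses to proceed when a package on the removal list is actually installed, and a backup-before-overwrite writer. The package list and the hypothetical `sshd_config` path in the comments are assumptions for illustration; on a real host the installed-package inventory would come from `rpm -qa --qf '%{NAME}\n'`.

```shell
#!/bin/sh
# Added example, not part of the original post: preflight guards for a
# CIS-style hardening script so it does not silently break a live service.

# Packages the hardening script would remove (assumption: mirrors the post's
# DHCP example; extend to whatever your own script touches).
REMOVE_PKGS="dhcp"

# preflight_conflicts INSTALLED
#   INSTALLED is a newline-separated list of installed package names
#   (on a real host: rpm -qa --qf '%{NAME}\n').
#   Returns 0 when none of REMOVE_PKGS is installed, 1 otherwise, naming
#   each conflict on stderr so the operator can decide before anything changes.
preflight_conflicts() {
    installed="$1"
    status=0
    for pkg in $REMOVE_PKGS; do
        if printf '%s\n' "$installed" | grep -qx "$pkg"; then
            echo "conflict: $pkg is installed and would be removed" >&2
            status=1
        fi
    done
    return $status
}

# backup_and_write TARGET < new_contents
#   If TARGET exists, copy it (preserving mode and owner) to TARGET.bak.<epoch>
#   and print the backup path so it can be recorded in a change log; then
#   replace TARGET with whatever arrives on stdin.
backup_and_write() {
    target="$1"
    if [ -f "$target" ]; then
        backup="$target.bak.$(date +%s)"
        cp -p "$target" "$backup"
        echo "$backup"
    fi
    cat > "$target"
}

# Typical use at the top of a hardening script (hypothetical paths):
#   preflight_conflicts "$(rpm -qa --qf '%{NAME}\n')" || exit 1
#   printf 'PermitRootLogin no\n' | backup_and_write /etc/ssh/sshd_config
```

The preflight only reports and exits non-zero; it deliberately does not try to be clever about which services are "really" in use, because that decision belongs to the person building the machine, not to the script.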
And finally, this is just one piece of securing a machine. Common sense, experience and future audits are the only way to keep machines defended against attacks.
Feel free to submit contributions to it. If I get time, I’m going to try creating similar scripts for other OSes.