Hardening arguably begins at OS installation (alright alright planning the installation :p ), it's tempting to perform a standard install of the OS and then install cPanel straight off or use a VM OS image provided by your host without properly checking it out.
Before proceeding to install cPanel, check out the rpms that are installed, yum list installed, yum grouplist, yum groupinfo "group name here". Remove any groups that aren't absolutely necessary. Similarly check the repos that are enabled, are there any extra ones you don't want?
If you're using an OS image provided by somebody else, are there any editor backup ~ files hanging around? This can sometimes give you a clue as to how the image was built and it's history.
find ./ -name '*~'
I do agree it would be good to have a wiki page or stickied thread here on these sorts of things. A fair bit of
HowTos/OS Protection - CentOS Wiki isn't appropriate directly to cPanel installs and some parts contradict the install instructions.
Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This allows you to prevent hard link privilege escalation attempts, prevent creative device additions, and other unsavory behavior.
At
Step 5: Configure Your Operating System a partition at root / that fills the disk is recommended. I'm guessing this is a symptom of people originally making partitions too small for their future needs in the projected life of the server and then moaning at the cPanel guys after, but it would be nice to have a comment next to the link to the advanced partitioning guide as to whether there is any security trade off and the difference to this trade off that cloudlinux / grcsec would make etc...
