When auditors visit your company for checking overall information security level they usually shower you with questions about vulnerability and patch management process. And if you haven't one of these processes well established - I'm dead sure you will get serious deficiency in the audit results.
But what about system hardening process ( it could part of configuration management ) - do you have such process established? Do yo have security configuration standards for all yours OS, DB and application well developed and updated? If you will start doing this from a scratch you gonna waste hell of a lot time. To save your time I propose you list of links to the well known library of security configuration guides:
- USA National Security Agency (NSA) - Security Configuration Guides
- USA National Institute of Standards and Technology (NIST) - National Checklist Program Repository
- USA Defense Information System Agency (DISA) - Security Technical Implementation Guides (STIGS)
- Community: the Center of Internet Security (CIS) - CIS Benchmarks
- Apple Mac OS X Security Configuration Guide
- Microsoft Security Configuration Guides and Wizards
- Apache community Security Tips
- Cisco IOS Security Configuration Guide
- Debian Linux Securing Debian Manual
- Famous tool for Solaris JASS (and old one for Solaris 8 YASSP)
- For Linux - Bastille Linux
PS. If you got more links and guides , pls add it in comments.
I do it myself:
Old one general Unix security checklist