HKUST CentOS 7 Hardening Guide V1.

04
Last updated: 20160722
CIS Rule ID (v1.1.0)
Description
Install Updates, Patches and Additional Security Software
1.2.3
Obtain Software Package Updates with yum
OS Services
2.1.1
Remove telnet-server
2.1.3
Remove rsh-server
2.1.4
Remove rsh
2.1.5
Remove NIS Client
2.1.6
Remove NIS Server
2.1.8
Remove tftp-server
2.1.9
Remove talk
2.1.10
Remove talk-server
2.1.12
Disable chargen-dgram
2.1.13
Disable chargen-stream
2.1.14
Disable daytime-dgram
2.1.15
Disable daytime-stream
2.1.16
Disable echo-dgram
2.1.17
Disable echo-stream
Special Purpose Services
3.2
Remove the X Window System
3.6
Configure Network Time Protocol (NTP)
3.10
Remove FTP Server
Network Configuration and Firewalls
4.7
Enable firewalld
Logging and Auditing
5.2.2
Enable auditd Service
5.2.3
Enable Auditing for Processes That Start Prior to auditd
5.2.8
Collect Login and Logout Events
5.2.14
Collect File Deletion Events by User
System Access, Authentication and Authorization
6.2.8
Disable SSH root login
6.3.2
Set Password Creation Requirement Parameters Using pam_pwquality
6.3.3
Set lockout for 5 failed password attempts
6.3.4
Prohibit reuse past 5 passwords
6.4
Restrict root Login to System Console
User Accounts and Environment
7.1.1
Set password expiration days to 90 days
7.1.3
Provide 7-day advance warning that a password will expire
System Maintenance
9.2.1
Ensure password fields are not empty
9.2.5
Verify No UID 0 Accounts Exist Other Than root
Reference

https://benchmarks.cisecurity.org/tools2/linux/CIS_CentOS_Linux_7_Benchmark_v1.1.0.pdf