Though the mentioned Bastion Host document is quite a good reference it is by now somewhat dated.
Meanwhile there have established more sophisticated methods to harden a server.
One more recent project is Bastille that aids you in hardening your system.
Originally a Linux spin off it is now also supported by HP
http://hp.sourceforge.net/ Then after you have hardened your system you could run Nessus checks against it.
http://www.nessus.org/ Also this has been ported by HP
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111 Yet a more stringent sandboxing is followed by Role Based Access Control (RBAC)
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl or projects like SELinux look very promising
http://www.nsa.gov/selinux/ SELinux is particularily well integrated in RedHat's Fedora or RHEL.
But it is still work in progress.
Added to the Discretionary Access Control (DAC) usual Unix systems offer comes Mandatory Access Control (MAC)
where one sets up a set of policies for every subject (e.g. process) that minutely detail what actions (e.g. opening files, appending to them, starting child procs etc.) may be taken on what objects (e.g. files, directories, other processes).
Madness, thy name is system administration
