Since alot of the clusters I work on are web servers or parallel computing servers (that still have access through to a network), I like to clear out any dirs and files that aren't needed, mount ro access to any dirs that shouldn't be written to, and do every other thing I do to lock down the server.
It's helped me before detect unauthorized files that contained malicious code.