The CIS benchmarks for Linux are a good start. There are some off the shelf tools that let you run those, notably linux-bench. Another tool in a similar fashion is lynis. You can also use eBPF tools like callander to examine your workload behaviour and help tighten your seccomp policies.

Once you’ve established a baseline for your system, you’ll next want to harden your environment. This means network scans, OWASP, etc. As far as off the shelf tools go, OpenVAS is quite popular even in Enterprise environments.

Finally there’s the continuous security tasks. Continuous package updates, runtime security, log analysis, etc. There are some free tools that cover part of this like Security Onion, but if the price is right a SaaS tool can save you a lot of time.