Given the amount of information available, the best and worst answer IMHO is "it depends". There are more than a few organizations that provide security documentation, ranging from methodologies (OSSTMM, SOMAP) and policies (SANS: Information Security Policy Templates) to NIST guidelines and CISecurity benchmarks and "Zen-like" mantras like OWASP's "proven application security principles" everyone should memorize. Also, do not forget the distribution's security documentation.
How you go about using the available information to your advantage in practice depends on more than a few factors: for instance, in some cases management considerations like time constraints (look for quick wins) might overrule extensive auditing, while in other cases compliance with government- or industry-mandated rules and regulations will be leading. It matters how heterogeneous your server park is in terms of OSes and services, whether these setups are pristine or previously maintained, what their maintenance level is, what usage they saw and whether non-standard components were added. Server security and maintenance are not only about "rootkits" and saying "everything is secured" but also about taking into account the cost of (unexpected) downtime in terms of business loss for the company, knowing your (line of) business is susceptible to specific threats, whether service level agreements are in place, knowing how to guarantee continuity, et cetera.
The best way IMHO is to start not by doing stuff but by reading documents, gathering requirements and creating a plan, and only after that choosing your tools. If you post details w.r.t. machine use and services, and what your level of security knowledge is, it could make making recommendations more efficient.