System hardening is only one part of a comprehensive security concept. The document that daphnissov has provided is a good starting point. But to secure your infrastructure and applications as whole, you also need to consider the physical network, access control, hardening of applications in the VMs, etc.
It doesn't help if the hypervisor is secured and someone can steal the whole server or hack the applications due to a bug in the web server software, for example.
I would therefore divide the entire infrastructure into different layers and implement security concepts for each layer.
Physical Devices --> Network --> Hypervisor --> VMs --> Operating Systems --> Applications