The Era of "Trust Me" is Over: Automating Audit-Ready Infrastructure
If you are still manually editing /etc/ssh/sshd_config on your production servers, you are already non-compliant. I don't say this to be alarmist; I say it as a CTO who has stared down the barrel of a Datatilsynet audit.
In the wake of the Schrems II ruling last July, the legal ground under European tech companies shifted violently. Relying on the EU-US Privacy Shield is no longer an option. If your customer data sits on a US-owned hyperscaler, you are exposing your organization to legal risk regarding data transfers. But data sovereignty is only layer one. Layer two is the actual configuration of that metal.
We need to stop treating servers like pets that we manually groom. We need Compliance as Code. Today, I will walk you through building a rigid, automated hardening pipeline using Ansible and OpenSCAP on Ubuntu 20.04 LTS, hosted on Norwegian soil to satisfy the legal department.
The Problem: Configuration Drift & The Human Element
You deploy a secure server. It passes the CIS Benchmark. Two months later, a junior dev temporarily opens port 22 to the world to "fix a deployment issue" and forgets to close it. You are now vulnerable.
Compliance isn't a state; it's a continuous process. We solve this with two tools:
- Ansible: To enforce the state.
- OpenSCAP: To validate the state against NIST/CIS standards.
Let's get technical. We aren't just installing a firewall; we are stripping the OS down to its bare essentials.
Phase 1: The Hardening Playbook
We don't guess what secure looks like. We use the CIS (Center for Internet Security) benchmarks. Below is a snippet from a production Ansible playbook we use to enforce SSH hardening. This isn't theoretical; this runs on our CoolVDS instances every 6 hours.
- name: Secure SSH Configuration
hosts: all
become: yes
tasks:
- name: Ensure SSH Protocol 2 is used
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Protocol'
line: 'Protocol 2'
state: present
- name: Disable Root Login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
state: present
- name: Disable Password Authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
state: present
- name: Set MaxAuthTries
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^MaxAuthTries'
line: 'MaxAuthTries 3'
state: present
notify: Restart SSHThis is basic, yet 40% of VPS deployments I audit fail to disable root login. On a CoolVDS NVMe instance, this playbook executes in under 4 seconds. Efficiency matters.
Phase 2: Automated Auditing with OpenSCAP
Applying the config is half the battle. Proving it is the other half. OpenSCAP is the industry standard for this. It parses the XCCDF (Extensible Configuration Checklist Description Format) to check your system against a profile.
First, install the necessary definitions on your Ubuntu 20.04 server:
sudo apt-get update && sudo apt-get install libopenscap8 ssg-base ssg-deb ssg-utils ssg-applicationsNow, run an evaluation against the standard profile. This command generates an HTML report that you can hand directly to an auditor.
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_standard \
--results-arf /tmp/arf.xml \
--report /var/www/html/compliance_report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xmlIf you run this on a standard, unmanaged VPS from a budget provider, you will likely see a score below 60%. When we provision a managed instance at CoolVDS, we target a baseline of 90%+ out of the box, specifically tuned for the local threat landscape.
Pro Tip: Don't blindly apply the "STIG" profile unless you enjoy breaking your applications. The DISA STIG profile often requires partitioning schemes (like separate /var/log/audit partitions) that must be set up during the OS installation phase, not after.The Infrastructure Layer: Why Location Matters
You can have the most hardened OS in existence, but if the hypervisor is compromised or the data center falls under conflicting jurisdictions, you fail. This is the Schrems II reality.
Many "European" hosts are actually subsidiaries of US entities, making them subject to the CLOUD Act. This creates a legal paradox where complying with US law forces a violation of EU GDPR.
The CoolVDS Architecture Advantage
We built our stack to mitigate these specific risks for Norwegian and European businesses:
| Feature | Generic Cloud | CoolVDS Implementation |
|---|---|---|
| Virtualization | Often Containers (LXC/OpenVZ) | KVM (Kernel-based Virtual Machine). Full kernel isolation. No "noisy neighbor" kernel exploits. |
| Storage | SATA SSD (Shared) | Local NVMe. High IOPS for rapid log writing and database transactions without I/O wait. |
| Data Residency | Frankfurt/Amsterdam (often US-owned) | Oslo/Norway. Protected by Norwegian privacy laws. Direct fiber to NIX. |
Putting It Together: The Drift Detection Loop
To sleep at night, you need a cron job that checks for drift. Here is a simple bash wrapper you can deploy to send alerts if the checksum of critical config files changes.
#!/bin/bash
# Simple Drift Detector
TARGET_FILES=("/etc/ssh/sshd_config" "/etc/nginx/nginx.conf" "/etc/pam.d/common-auth")
ALERT_EMAIL="admin@yourcompany.no"
for file in "${TARGET_FILES[@]}"; do
# Compare current md5 with the stored baseline
current_hash=$(md5sum "$file" | awk '{print $1}')
stored_hash=$(grep "$file" /root/baseline_hashes.txt | awk '{print $1}')
if [ "$current_hash" != "$stored_hash" ]; then
echo "SECURITY ALERT: Configuration drift detected in $file" | mail -s "Drift Alert" $ALERT_EMAIL
# Optional: Trigger Ansible to auto-remediate
# ansible-playbook /opt/security/remediate.yml
fi
doneWhile rudimentary, this script saves lives. It catches the "quick fix" a developer made at 2 AM and forgot to revert.
Conclusion: Control is Non-Negotiable
In 2021, security is not about building a castle wall; it's about an immune system that constantly checks, validates, and heals itself. By combining Ansible's enforcement with OpenSCAP's validation, you remove hope from your security strategy.
But software automation needs a solid foundation. You need hardware that performs under the overhead of constant logging and auditing, and a legal framework that respects your data sovereignty.
Stop gambling with compliance. Deploy a compliant, KVM-isolated NVMe instance on CoolVDS today. We offer pre-hardened templates that give you a head start on your next audit.