Automating GDPR Compliance on Linux Infrastructure: A 2019 Survival Guide

Let’s be honest: nobody entered the field of systems administration because they love reading legal texts. But if you are operating servers in Norway or dealing with European user data, the General Data Protection Regulation (GDPR) isn't just a suggestion—it's the law. And the Datatilsynet (Norwegian Data Protection Authority) has teeth.

I recently audited a setup for a mid-sized e-commerce client in Oslo. They had a decent CI/CD pipeline, solid code, and fast load times. But their infrastructure security was manual. A junior dev had spun up a staging VPS, disabled the firewall for "debugging," and left it running for three weeks. No patches, default root password. If that server had been breached, the fine could have been 4% of their global turnover.

Compliance cannot be manual. If it requires a human to remember to run a script, it will fail. This guide covers how to automate security baselines on Linux (specifically Ubuntu 18.04 LTS and CentOS 7) using tools available right now in 2019.

1. The Foundation: Infrastructure as Code (IaC)

You cannot secure what you cannot track. Stop SSH-ing into servers and running apt-get install by hand. We need a reproducible state.

At CoolVDS, we see a stark difference in stability between customers who treat servers like pets and those who treat them like cattle. For compliance, we use Ansible. It’s agentless, which means you don't need to install extra daemon software on your sensitive production nodes.

The "No-Root" Policy

The first step in any compliant environment is killing remote root login. It is the single most common attack vector we see in our network logs. Here is the requisite sshd_config setup you should be deploying automatically:

# /etc/ssh/sshd_config

# Disabling root login is non-negotiable for GDPR compliance checklists
PermitRootLogin no

# Enforce key-based authentication
PasswordAuthentication no
ChallengeResponseAuthentication no

# Whitelist allowed users
AllowUsers deployer sysadmin

# Use strong algorithms (Mozilla Modern spec)
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

Pro Tip: Don't just restart SSH after changing this. Verify the config first with sshd -t. If you break SSH on a remote VPS, you'll be using the CoolVDS VNC console to fix it, which—while reliable—is a walk of shame you want to avoid.
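sshd -t only tells you the file parses. The check below, an added example that is not from the original post, asks the question an auditor asks: does the effective configuration actually enforce the directives above? It encodes two sshd_config rules that trip people up: for each keyword the first value wins (a later "PermitRootLogin no" does not override an earlier "yes"), and everything after the first Match line is conditional, so it is ignored. The alternative "Keyword=value" spelling is not handled.

```shell
#!/bin/sh
# Added policy check, not from the original post: confirm an sshd_config really
# yields the directives the post requires. `sshd -t` only checks syntax.
# Two sshd_config rules matter: for each keyword the FIRST value wins, and
# everything after the first "Match" line is conditional and is skipped here.

# effective_value FILE KEYWORD -> the value sshd would use, or "" if unset
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[[:space:]]+/, "") }               # tolerate indentation
        /^#/ || /^$/           { next }             # comments and blank lines
        tolower($1) == "match" { exit }             # conditional section: stop
        tolower($1) == key     { print $2; exit }   # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE -> 0 when compliant, 1 otherwise; findings on stdout
check_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(effective_value "$1" "$key")"
        # an unset directive falls back to a build/distro default you cannot
        # rely on, so "unset" is a finding just like a wrong value
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '${got:-unset}', want '$want'"; rc=1
        fi
    done
    if [ -z "$(effective_value "$1" AllowUsers)" ]; then
        echo "FAIL AllowUsers is unset (no user whitelist)"; rc=1
    fi
    # cipher families the Mozilla modern profile leaves out
    case "$(effective_value "$1" Ciphers)" in
        ""|*cbc*|*arcfour*|*3des*)
            echo "FAIL Ciphers unset or includes a legacy cipher"; rc=1 ;;
    esac
    return $rc
}
```

Run it from the same playbook that deploys the file (or from cron) so a config that was "temporarily" edited by hand pages you instead of waiting for the next audit.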

2. Automating the Firewall with Ansible

A static firewall script isn't enough. You need state enforcement. Below is an Ansible task snippet that ensures ufw (Uncomplicated Firewall) is configured correctly on Ubuntu 18.04. This ensures that even if someone manually disables the firewall, the next playbook run re-enables it.

---
- name: Secure the Firewall
  hosts: all
  become: yes
  tasks:
    - name: Install UFW
      apt:
        name: ufw
        state: present

    - name: Deny all incoming by default
      ufw:
        policy: deny
        direction: incoming

    - name: Allow SSH (Rate Limited)
      ufw:
        rule: limit
        port: 22
        proto: tcp
        comment: 'Management Access'

    - name: Allow HTTP/HTTPS
      ufw:
        rule: allow
        port: '{{ item }}'
        proto: tcp
      with_items:
        - 80
        - 443

    - name: Enable UFW
      ufw:
        state: enabled

3. Audit Logging (The "Who Did What" Requirement)

GDPR Article 32 requires the ability to restore availability and access to personal data. To do that, you need to know what happened before a crash or breach. auditd is the userspace daemon of the Linux kernel audit framework. It is robust, but verbose.

Here is a rule set that records writes and permission/ownership changes (the -p wa flags) to the key identity files, specifically /etc/passwd and /etc/shadow, plus file deletions and renames by logged-in users.

# /etc/audit/audit.rules

# Delete all existing rules
-D

# Set buffer size
-b 8192

# Failure mode when the kernel cannot deliver audit events (0=silent, 1=printk/log, 2=panic)
-f 1

# Watch identity files
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

# Monitor system calls for file deletions
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

Once configured, restart the daemon: service auditd restart. These logs can be shipped to an ELK stack (Elasticsearch, Logstash, Kibana) for visualization. Remember, logs must be stored securely. If you are hosting on CoolVDS, our internal network throughput allows for rapid log shipping without saturating your public interface.
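The raw audit.log is hard to read because one event is spread over several records (SYSCALL, CWD, PATH) that share only a serial number. On a live host, ausearch -k identity -i joins them for you; for logs already shipped to your log stack, the added example below (not from the original post) does the same join and prints one "who did what" line per touched path. The auid field is the login uid and survives sudo and su, so "uid=0 auid=1000" means user 1000 acted as root, which is exactly why the rules above filter on auid. The sample records are constructed, and names containing spaces (hex-encoded by the kernel) are not decoded.

```shell
#!/bin/sh
# Added example, not from the original post: join raw audit.log records by event
# serial and print "who did what" lines for one rule key (e.g. identity, delete).

# audit_who FILE KEY -> one line per touched path: serial auid uid comm exe name
audit_who() {
    awk -v want="$2" '
        # value of " k=..." in the current record, quotes stripped, "" if absent
        function f(k,  v) {
            if (!match($0, " " k "=[^ ]+")) return ""
            v = substr($0, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
            gsub(/"/, "", v); return v
        }
        # every record of one event shares the serial in msg=audit(TIME:SERIAL):
        { match($0, /:[0-9]+\):/); ev = substr($0, RSTART + 1, RLENGTH - 3) }
        $1 == "type=SYSCALL" && f("key") == want {
            who[ev] = "auid=" f("auid") " uid=" f("uid") " comm=" f("comm") " exe=" f("exe")
        }
        $1 == "type=PATH" && f("nametype") != "PARENT" {   # skip the parent-dir item
            paths[ev] = paths[ev] f("name") "\n"            # several items per event
        }
        END {
            for (ev in who) {
                n = split(paths[ev], p, "\n")
                for (i = 1; i <= n; i++) if (p[i] != "") print ev, who[ev], "name=" p[i]
            }
        }
    ' "$1" | sort -n
}

# Constructed sample records in audit.log format (not a real capture):
# user 1000 edits /etc/shadow as root via sudo, user 1001 deletes a CSV export
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1554112345.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=3001 pid=3002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim.basic" key="identity"
type=CWD msg=audit(1554112345.123:456):  cwd="/root"
type=PATH msg=audit(1554112345.123:456): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1554112345.123:456): item=1 name="/etc/shadow" inode=1337 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1554112350.001:457): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=4001 pid=4002 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1554112350.001:457): item=0 name="/var/www/" inode=99 dev=fd:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1554112350.001:457): item=1 name="/var/www/customers.csv" inode=100 dev=fd:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=DELETE
EOF
}
```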

4. Automated Vulnerability Scanning

You can't manually check 2,000 packages for CVEs every day. Use Lynis. It’s a mature security auditing tool for Linux/Unix systems.

Run a non-privileged scan via cron daily:

0 3 * * * /usr/bin/lynis audit system --quick --cronjob > /var/log/lynis-report.log

This generates a report highlighting the hardening index. If your index drops below 70, your monitoring system should page you. Don't wait for the quarterly audit.
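Besides the human-readable log the cron line above writes, Lynis also leaves a machine-readable report (by default /var/log/lynis-report.dat) with key=value lines such as hardening_index=NN and warning[]=TEST-ID|text|... . The added check below, not from the original post, turns that file into a monitoring result with the 70 threshold from the text, and treats a missing or stale report as a failure too: a cron job that silently stopped running is exactly the "someone forgot" failure this guide is about. The sample report used in testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: read the Lynis .dat report and
# produce an exit code a monitoring system can page on. Assumes the report
# format hardening_index=NN and warning[]=TEST-ID|text|... (sample is constructed).

# lynis_check REPORT [THRESHOLD] -> 0 OK, 2 CRITICAL; details on stdout
lynis_check() {
    report="$1"; threshold="${2:-70}"
    if [ ! -s "$report" ]; then
        echo "CRITICAL: $report missing or empty (did the cron job run?)"; return 2
    fi
    # a report older than a day means the daily scan is not running
    if [ -n "$(find "$report" -mtime +1)" ]; then
        echo "CRITICAL: $report is older than a day (cron job not running?)"; return 2
    fi
    index="$(sed -n 's/^hardening_index=//p' "$report" | tail -n 1)"
    case "$index" in
        ''|*[!0-9]*) echo "CRITICAL: no numeric hardening_index in $report"; return 2 ;;
    esac
    # list warnings as "WARN TEST-ID: text" so the page says what drifted
    grep '^warning\[\]=' "$report" | cut -d= -f2- | awk -F'|' '{ print "WARN " $1 ": " $2 }'
    if [ "$index" -lt "$threshold" ]; then
        echo "CRITICAL: hardening index $index is below $threshold"; return 2
    fi
    echo "OK: hardening index $index (threshold $threshold)"; return 0
}
```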

5. Data Residency and Physical Security

Automation handles the software layer, but GDPR also cares about where the data lives. The concept of "Data Sovereignty" is becoming critical in 2019.

Many providers claim "European presence" but route traffic through US-owned switches or store backups in cross-border buckets. This introduces legal ambiguity.

| Factor | Generic Cloud Provider | CoolVDS (Norway) |
| --- | --- | --- |
| Data Center Location | Often Frankfurt or Amsterdam | Oslo, Norway |
| Jurisdiction | US Cloud Act applies (often) | Norwegian Law / EEA |
| Latency to Oslo | 25ms - 40ms | < 3ms |
| Storage Backend | Shared Network Storage (Ceph/Gluster) | Local NVMe RAID 10 |

For Norwegian businesses, hosting data physically in Norway simplifies the legal argument significantly. We use KVM virtualization on CoolVDS to ensure strict isolation. Unlike container-based VPS solutions (OpenVZ/LXC), KVM provides a dedicated kernel, meaning a neighbor's kernel panic or security breach cannot bleed into your memory space.

Conclusion

Compliance is not a product you buy; it's a process you automate. By strictly defining your SSH configs, enforcing firewalls via Ansible, and utilizing the Linux audit framework, you turn a terrifying yearly audit into a mundane checklist.

But software is only half the battle. You need hardware that respects data locality.

Ready to lock down your infrastructure? Deploy a GDPR-ready KVM instance on CoolVDS today. Local NVMe storage, strict isolation, and Oslo-based data residency.