
Automating Infrastructure Compliance: Why Manual Audits Fail (and How to Fix It with OpenSCAP)

The "Spreadsheet Audit" is a Lie

If your organization's strategy for GDPR compliance relies on a quarterly manual review of server configs, you are already non-compliant. I say this not to alarm you, but to reflect the reality of modern infrastructure. Between the time you fill out that Excel row confirming "SSH Root Login is disabled" and the time an auditor from Datatilsynet (The Norwegian Data Protection Authority) knocks on your door, a junior dev has likely enabled password authentication to debug a connection issue and forgotten to revert it.

Configuration drift is inevitable. Compliance cannot be a snapshot; it must be a continuous state. As a CTO, my job isn't just to deploy code; it's to ensure that the infrastructure holding our customer data remains legally defensible 24/7.

In this post, we are ditching the manual checklists. We will look at how to implement the Security Content Automation Protocol (SCAP) using OpenSCAP and Ansible to automate compliance on your VPS instances. This is the exact architecture we recommend for clients running sensitive workloads on CoolVDS.

The Stack: OpenSCAP & CIS Benchmarks

In late 2019, the industry standard for automated hardening is the CIS (Center for Internet Security) Benchmark. It’s rigorous. It covers everything from partition mounting options to kernel parameter tweaks.

To check against this without spending weeks reading PDFs, we use OpenSCAP. It’s open-source, robust, and integrates into existing CI/CD pipelines.

1. Establishing the Baseline

First, install the scanner on your server. For this example, we are using a standard CentOS 7 instance (a common choice for enterprise workloads on CoolVDS due to its long lifecycle).

yum install openscap-scanner scap-security-guide

Once installed, you don't just "scan." You need to select a profile. A web server doesn't need the same hardening as a classified military database. For most GDPR-compliant setups, the standard profile is a good starting point, though many fintechs aim for pci-dss.

Here is how you run a scan to identify vulnerabilities:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
  --results scan-results.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

This command does three things:

  • Eval: Evaluates the system against the definition file.
  • Results: Outputs machine-readable XML (for your dashboard).
  • Report: Generates a human-readable HTML file (for the auditor).

If you run this on a fresh, unoptimized VPS from a generic provider, you will likely see a failure rate of 40-50%. On CoolVDS, because we provide clean KVM images without bloatware, your baseline is cleaner, but OS hardening is still your responsibility.

2. Remediation with Ansible

Knowing you are vulnerable is half the battle. Fixing it is the other half. Do not fix these manually. Manual fixes are not reproducible. Use Ansible.

We can generate an Ansible playbook directly from the OpenSCAP results to fix the failed rules. This is powerful.

oscap xccdf generate fix --fix-type ansible \
  --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard \
  --output hardening.yml \
  scan-results.xml

The --result-id argument is the id of the TestResult element inside scan-results.xml, not the profile id. With the default oscap naming it is the profile id prefixed with xccdf_org.open-scap_testresult_; confirm it with grep -o 'TestResult id="[^"]*"' scan-results.xml before generating the playbook.

However, I prefer writing bespoke playbooks for critical services to ensure we don't accidentally break application logic. Below is a snippet of a production-grade hardening playbook we use to secure SSH and Kernel parameters.

---
- name: Harden CentOS 7 Server
  hosts: all
  become: yes
  tasks:
    - name: Ensure SSH root login is disabled
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        # Run sshd's own syntax check on the edited copy; a broken config is never written
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: Ensure SSH Protocol is set to 2
      # Satisfies the CIS check; OpenSSH 7.4 on CentOS 7 only speaks protocol 2 anyway
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: Set IP forwarding to 0 (unless routing)
      # Persists the value in /etc/sysctl.conf and reloads it, so it survives a reboot
      sysctl:
        name: net.ipv4.ip_forward
        value: '0'
        state: present
        reload: yes

  handlers:
    # Runs once at the end of the play, and only if a task above changed sshd_config
    - name: restart sshd
      service:
        name: sshd
        state: restarted

Running this playbook ensures that every node in your cluster is identical. If a node drifts, you just re-run the playbook.
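As an added example (not code from this post, OpenSCAP or the SSG project), here is a small Python script that closes the loop between section 1 and this section: it consumes the scan-results.xml written by the oscap eval command, summarises rule outcomes for a dashboard, acts as a CI gate, and compares a baseline result file with a later re-scan so a drifted rule (a node someone "fixed" by hand) shows up before the auditor does. It assumes the XCCDF 1.2 namespace used by the SSG data streams; the rule ids follow SSG naming, but both result documents are constructed sample data, not real scan output.

```python
"""Summarise, gate and diff OpenSCAP XCCDF result files.

Added example for this post, not OpenSCAP or SSG code. Reads the
scan-results.xml that `oscap xccdf eval --results` writes (XCCDF 1.2).
Usage: python compliance_check.py scan-results.xml [baseline-results.xml]
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # assumption: SSG content is XCCDF 1.2


def parse_results(xml_text):
    """Return {rule_id: outcome} from every <rule-result> in the document.

    Outcomes are the XCCDF result strings: pass, fail, notapplicable, error, ...
    Walking the whole tree means it does not matter how deeply oscap nests the
    TestResult inside the data stream it writes.
    """
    root = ET.fromstring(xml_text)
    outcomes = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        rule_id = rr.get("idref")
        result = rr.find(f"{{{XCCDF_NS}}}result")
        if rule_id and result is not None and result.text:
            outcomes[rule_id] = result.text.strip()
    return outcomes


def summarize(outcomes):
    """Counts per outcome, fail rate over scored rules, and the failed rule ids."""
    counts = {}
    for outcome in outcomes.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    # Only pass/fail are scored; notapplicable, notchecked etc. do not count against you.
    scored = counts.get("pass", 0) + counts.get("fail", 0)
    fail_rate = counts.get("fail", 0) / scored if scored else 0.0
    failed = sorted(rule for rule, outcome in outcomes.items() if outcome == "fail")
    return {"counts": counts, "fail_rate": fail_rate, "failed_rules": failed}


def drift(baseline, current):
    """Rules that regressed (pass -> fail) or were fixed (fail -> pass) since the baseline."""
    regressed = sorted(r for r, o in current.items() if o == "fail" and baseline.get(r) == "pass")
    fixed = sorted(r for r, o in current.items() if o == "pass" and baseline.get(r) == "fail")
    return {"regressed": regressed, "fixed": fixed}


def ci_gate(outcomes, max_fail_rate=0.0, must_pass=()):
    """(ok, reasons): fail the pipeline above a fail-rate budget or when a required rule is not passing."""
    summary = summarize(outcomes)
    reasons = []
    if summary["fail_rate"] > max_fail_rate:
        reasons.append(f"fail rate {summary['fail_rate']:.0%} exceeds budget {max_fail_rate:.0%}")
    for rule in must_pass:
        if outcomes.get(rule) != "pass":
            reasons.append(f"required rule not passing: {rule} ({outcomes.get(rule, 'missing')})")
    return (not reasons, reasons)


# --- constructed sample documents: the shape of a real results file, not real scan output ---
def _sample_results(rows):
    body = "".join(f'<rule-result idref="{rid}"><result>{res}</result></rule-result>' for rid, res in rows)
    return (f'<Benchmark xmlns="{XCCDF_NS}" id="xccdf_sample_benchmark">'
            '<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">'
            f"{body}</TestResult></Benchmark>")


ROOT_LOGIN = "xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
IP_FORWARD = "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward"
TMP_PART = "xccdf_org.ssgproject.content_rule_partition_for_tmp"
TELNET = "xccdf_org.ssgproject.content_rule_package_telnet_removed"

SAMPLE_BASELINE = _sample_results([(ROOT_LOGIN, "pass"), (IP_FORWARD, "pass"),
                                   (TMP_PART, "fail"), (TELNET, "notapplicable")])
# Later re-scan: someone re-enabled root login by hand while the /tmp partition got fixed.
SAMPLE_CURRENT = _sample_results([(ROOT_LOGIN, "fail"), (IP_FORWARD, "pass"),
                                  (TMP_PART, "pass"), (TELNET, "notapplicable")])


def main(argv):
    paths = argv[1:]
    if paths:
        current = parse_results(open(paths[0], encoding="utf-8").read())
        baseline = parse_results(open(paths[1], encoding="utf-8").read()) if len(paths) > 1 else None
    else:  # no files given: run on the constructed samples
        current, baseline = parse_results(SAMPLE_CURRENT), parse_results(SAMPLE_BASELINE)
    summary = summarize(current)
    print("outcomes:", summary["counts"], f"fail rate {summary['fail_rate']:.0%}")
    for rule in summary["failed_rules"]:
        print("  FAIL", rule)
    if baseline is not None:
        print("drift since baseline:", drift(baseline, current))
    ok, reasons = ci_gate(current, max_fail_rate=0.25, must_pass=[ROOT_LOGIN])
    for reason in reasons:
        print("GATE:", reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed samples, or pass the current and a baseline scan-results.xml. The exit status is what a pipeline step keys on: a non-zero exit on a regressed must-pass rule is the machine equivalent of the auditor's knock, only earlier and on your schedule.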

Pro Tip: Be careful with noexec on /tmp partitions. While CIS benchmarks recommend it to prevent script execution attacks, it often breaks Java applications and some update processes. Test this in a staging environment first. CoolVDS allows you to snapshot your VM instantly before applying these changes—use that feature.

The Importance of Data Residency

Automation handles the configuration side of compliance. But GDPR also cares about the physical side. Where do the bytes live?

Many US-based "cloud" providers operate under the US CLOUD Act, which can theoretically compel them to hand over data stored on European servers to US authorities. This creates a legal grey area for Norwegian companies handling sensitive personal data.

This is where local topology matters. Latency to NIX (Norwegian Internet Exchange) in Oslo is crucial for performance, but jurisdiction is crucial for survival. CoolVDS infrastructure is physically located in data centers subject to Norwegian and EEA law. We own the hardware. There is no ambiguous "availability zone" that might accidentally route your data through a non-compliant jurisdiction.

Database Encryption & I/O Performance

Encryption at rest is a requirement for many compliance standards. However, enabling LUKS (Linux Unified Key Setup) or database-level encryption (like InnoDB tablespace encryption in MySQL 5.7) introduces overhead.

If you are running on standard SATA SSDs or, god forbid, spinning rust, this encryption overhead can kill your application's response time. You need high IOPS to offset the CPU cycles spent decrypting data on the fly.

This is a trade-off we see constantly. A client turns on full-disk encryption to satisfy a security audit, and suddenly their Magento store takes 4 seconds to load.

The Fix: Use NVMe storage. NVMe's lower protocol latency compared to AHCI lets the drive absorb the encrypted I/O operations without CPU wait times spiking. On our CoolVDS NVMe instances, we've benchmarked AES-256 encrypted volumes at speeds that still exceed standard SATA SSD unencrypted speeds.

Example: MySQL 5.7 Encryption Config

To enable encryption for data at rest in MySQL 5.7 (which is the current stable standard for many), load the keyring plugin from your my.cnf:

[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring

The keyring directory must exist and be owned by the mysql user before the server starts. Loading the keyring encrypts nothing by itself: in 5.7, encryption is switched on per table with ALTER TABLE orders ENCRYPTION='Y' (or the same clause on CREATE TABLE), so script that step for every table holding personal data. Do not add innodb_undo_log_encrypt, innodb_temp_tablespace_encrypt or innodb_default_encryption_key_id here: the first two only exist from MySQL 8.0, the third is a MariaDB variable, and MySQL 5.7 refuses to start when my.cnf contains an unknown variable.

Conclusion

Compliance is not a document you sign; it is a codebase you maintain. By combining OpenSCAP for detection and Ansible for remediation, you create a self-healing infrastructure that satisfies both the auditors and your engineering standards.

But software automation only works if the underlying hardware is reliable and the jurisdiction is clear. Don't build a fortress on a foundation of sand.

Ready to audit your stack? Deploy a compliant-ready CentOS 7 instance on CoolVDS today and get root access in under 55 seconds.