Automating Security Compliance for Norwegian Infrastructure: A CTO’s Guide to CIS & GDPR

If you are still manually editing /etc/ssh/sshd_config on every new server, you are already compromised. It isn’t a matter of if you miss a configuration flag, but when. In the current climate—where Datatilsynet (The Norwegian Data Protection Authority) is ramping up scrutiny post-Schrems II—security compliance cannot be a manual checklist found on a sticky note. It must be code.

I recently audited an Oslo-based fintech startup. They had excellent developers but a terrified SysAdmin. Why? Because they treated their infrastructure like pets, manually tweaking firewalls and permissions. The result was "configuration drift"—Production didn't match Staging, and neither matched the compliance documentation. The fix wasn't more people; it was immutable infrastructure and automated auditing.

This guide covers how to implement automated compliance scanning and remediation using industry-standard tools available right now in 2023, specifically tailored for high-performance VPS environments like CoolVDS.

The Reality of "Data Residency" in 2023

Before we touch the terminal, let's address the legal layer. Since the Schrems II ruling, relying on US-based hyperscalers has become a legal grey area for processing sensitive Norwegian citizen data. The risk of transfer mechanisms being invalidated is real.

This is why we see a massive repatriation of data to Norwegian VPS providers. By hosting on CoolVDS, you ensure the physical CPU and NVMe storage reside within Norwegian jurisdiction, which simplifies the legal side of your GDPR analysis. However, residency is just the foundation. You still need to harden the OS.

Automated Auditing with OpenSCAP

You don't need expensive proprietary scanners to check your compliance posture. The Security Content Automation Protocol (SCAP), and specifically its open-source implementation OpenSCAP, is the gold standard. It allows us to scan a system against a specific profile (like CIS Level 1 or PCI-DSS) and generate a report.

On an Ubuntu 22.04 LTS instance, the setup is straightforward:

# openscap-scanner provides the oscap binary; the ssg-* packages provide the SCAP content
apt-get update
apt-get install openscap-scanner ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications

Once installed, you can list the available profiles. We are looking for the CIS (Center for Internet Security) benchmarks, which cover roughly 80% of what general GDPR technical measures require.

oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Running the Scan

Here is how you run a comprehensive evaluation against the CIS Level 1 Server profile. Note: This operation is I/O intensive. If you run this on a legacy server with spinning rust (HDD), expect your load average to spike. On CoolVDS NVMe storage, this completes in seconds.

oscap xccdf eval \
 --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
 --results scan-results.xml \
 --report scan-report.html \
 /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

The resulting HTML report will highlight failures in red. Common failures I see in default deployments include:

  • /tmp partition not mounted with noexec
  • SSH root login enabled
  • UFW (Uncomplicated Firewall) inactive
  • Unrestricted access to cron configuration
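Reading the red rows in an HTML report does not scale, so here is an added example (my own code, not part of this guide or of the OpenSCAP project) that parses the XCCDF results file written by --results and turns it into a severity-filtered failure list with a non-zero exit code for CI. The embedded sample is constructed to mimic the TestResult block oscap writes; the rule ids in it are illustrative.

```python
# Triage the XCCDF results file written by `oscap xccdf eval --results`
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample shaped like the <TestResult> that oscap appends to the
# results file; the rule ids are illustrative, not copied from a real scan.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_sample">
    <profile idref="xccdf_org.ssgproject.content_profile_cis_level1_server"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" severity="low">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
      <result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""

def parse_rule_results(xml_text):
    """Map each rule id to (result, severity) from every <rule-result>."""
    results = {}
    for rr in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        text = (res.text or "").strip() if res is not None else ""
        results[rr.get("idref")] = (text or "unknown", rr.get("severity", "unknown"))
    return results

def summarize(rule_results):
    """Count outcomes (pass/fail/notapplicable/...) across all rules."""
    return Counter(result for result, _ in rule_results.values())

def failing_rules(rule_results, min_severity="low"):
    """Rules that failed or errored at or above min_severity, sorted by id."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(rid for rid, (res, sev) in rule_results.items()
                  if res in ("fail", "error") and SEVERITY_RANK.get(sev, 0) >= floor)

if __name__ == "__main__":
    # Usage: python3 triage.py scan-results.xml  (no argument: runs on the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    parsed = parse_rule_results(text)
    print(dict(summarize(parsed)))
    failures = failing_rules(parsed, "medium")  # gate on medium and above
    print(*("FAIL " + r for r in failures), sep="\n")
    sys.exit(1 if failures else 0)  # non-zero exit makes this a CI gate
```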

Remediation via Ansible

Detecting the problem is half the battle. Fixing it at scale is the other half. Do not write Bash scripts for this. They are brittle and lack idempotency. Use Ansible.

Below is a snippet from a standard hardening playbook I use for managed hosting environments. It enforces SSH security and ensures the audit daemon is running (crucial for forensic logging).

---
- name: Harden SSH and Audit Configuration
  hosts: all
  become: yes
  tasks:
    # Ubuntu 22.04 ships OpenSSH 8.9, which ignores the deprecated Protocol
    # keyword (protocol 1 was removed in 7.4); this task only matters on old hosts.
    - name: Ensure SSH Protocol 2 is enforced
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        # Syntax-check the edited copy before it replaces the live file
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart_ssh

    # Ubuntu 22.04 has "Include /etc/ssh/sshd_config.d/*.conf" at the top of
    # sshd_config and sshd keeps the first value it reads, so a drop-in file
    # there wins over this line. Verify with: sshd -T | grep permitrootlogin
    - name: Disable Root Login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart_ssh

    - name: Ensure auditd is installed
      apt:
        name: auditd
        state: present

    - name: Enable auditd service
      service:
        name: auditd
        enabled: yes
        state: started

  handlers:
    - name: restart_ssh
      service:
        name: sshd   # alias of ssh.service on Ubuntu/Debian
        state: restarted

Pro Tip: When applying hardening rules, always test on a staging environment first. Disabling root login without a verified sudo user or SSH key in place is the fastest way to lock yourself out of your server. CoolVDS offers VNC console access for emergencies, but it's better not to need it.

Kernel Level Hardening: Sysctl

Network stack hardening is often overlooked. To protect against IP spoofing and Man-in-the-Middle attacks (which are relevant for data integrity under GDPR), you need to tune your sysctl.conf.

Add these to /etc/sysctl.d/99-security.conf:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Log Martians
net.ipv4.conf.all.log_martians = 1

Apply them instantly with sysctl -p /etc/sysctl.d/99-security.conf. On a typical single-homed VPS these settings have zero impact on legitimate traffic (the one exception is strict rp_filter on multi-homed hosts with asymmetric routing, where the loose mode, value 2, is the safer choice), but they significantly raise the bar for attackers trying to map your network.

The Hidden Cost of Encryption

Compliance dictates encryption at rest (LUKS) and in transit (TLS 1.3). Encryption is math, and math costs CPU cycles. On shared hosting environments with "noisy neighbors," enabling full disk encryption can degrade database performance by 20-30%.

This is a hardware problem, not a software one. At CoolVDS, we utilize KVM virtualization which passes CPU instructions (like AES-NI) directly to the processor. This hardware acceleration means the overhead for encrypting your customer database is negligible. If you are handling sensitive data, ensure your provider supports AES-NI passthrough.

Web Server Headers: Nginx Configuration

Finally, the application layer. Datatilsynet audits often check for basic web security headers. These prevent Clickjacking and XSS attacks. If you are running Nginx, your configuration block should look like this:

server {
    listen 443 ssl http2;
    server_name example.no;

    # Placeholder paths: point these at your real certificate and key
    ssl_certificate     /etc/ssl/certs/example.no.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.no.key;

    # Note: add_header is not inherited additively. A location block with its
    # own add_header drops every header set here, so repeat them there.

    # HSTS (Strict-Transport-Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Anti-Clickjacking
    add_header X-Frame-Options "SAMEORIGIN" always;

    # XSS Protection (legacy header: current browsers ignore it and a
    # Content-Security-Policy is the modern replacement, but auditors still look for it)
    add_header X-XSS-Protection "1; mode=block" always;

    # Content Type Sniffing
    add_header X-Content-Type-Options "nosniff" always;

    # Referrer Policy
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
}
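
A config that looks right is not the same as a server that sends the headers, so here is an added example (my own code, not from this guide or from Nginx) that audits a response against the baseline in the block above: required headers with accepted values, plus an HSTS max-age of at least one year with includeSubDomains. The two raw responses are constructed; audit_url is the live variant and the URL you pass it is your own.

```python
# Audit a server's response headers against the Nginx baseline above
import re
from urllib.request import Request, urlopen
ONE_YEAR = 31536000  # minimum HSTS max-age (seconds) accepted by the preload list
REQUIRED = {  # lower-cased header name -> accepted values ("0" disables the old XSS auditor)
    "x-frame-options": {"SAMEORIGIN", "DENY"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block", "0"},
    "referrer-policy": {"no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"},
}
def parse_raw_response(raw):
    """Headers of a raw HTTP/1.1 response as {lower-name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    for name, allowed in REQUIRED.items():
        values = headers.get(name)
        if not values:
            findings.append(f"missing {name}")
        elif values[0] not in allowed:
            findings.append(f"{name}: unexpected value {values[0]!r}")
    hsts = headers.get("strict-transport-security", [""])[0].lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < ONE_YEAR:
        findings.append("strict-transport-security: missing or max-age below one year")
    elif "includesubdomains" not in [d.strip() for d in hsts.split(";")]:
        findings.append("strict-transport-security: includeSubDomains missing")
    return findings

def audit_url(url):
    """Live check: HEAD the URL and audit the headers the server returns."""
    with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
    return audit_headers(headers)

# Constructed responses: one matching the Nginx block above, one stock default
HARDENED = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
            b"Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
            b"X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
            b"X-Content-Type-Options: nosniff\r\nReferrer-Policy: no-referrer-when-downgrade\r\n\r\n")
DEFAULT = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
```

Run audit_url("https://example.no/") against a live host after each deploy; when the config looks right but the live check fails, the usual cause is a location block whose own add_header replaced the server-level headers.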

Conclusion: Infrastructure as a Legal Asset

In 2023, infrastructure decisions are legal decisions. Placing your data on a CoolVDS instance in Norway satisfies the residency requirement. Automating your configuration with Ansible and OpenSCAP satisfies the "integrity and confidentiality" requirements of GDPR Article 32.

Compliance is not a one-time setup; it is a continuous loop of scanning and patching. By building on top of robust, low latency infrastructure, you ensure that these security processes never impact your user experience.

Ready to harden your stack? Deploy a compliant-ready Debian or Ubuntu instance on CoolVDS today and get full root control in under 60 seconds.