Automating Security Compliance: Integrating OpenSCAP and Ansible for GDPR-Ready Infrastructure

Automating Security Compliance: From Manual Checklists to Infrastructure as Code

If you are still managing server security compliance using Excel spreadsheets and manual checklists, you are already compromised. In the current regulatory climate—especially here in Norway with the rigorous enforcement by Datatilsynet—compliance is not just a checkbox; it is a survival metric. A single misconfigured permission on a production database can lead to fines that make the cost of enterprise hardware look like pocket change.

As a CTO, my priority is balancing TCO (Total Cost of Ownership) with risk mitigation. We cannot afford to have SysAdmins spending 20 hours a week manually hardening kernels. We need automation. Today, we are going to look at a workflow that saved my team hundreds of hours: integrating OpenSCAP for vulnerability scanning and Ansible for remediation, specifically tailored for environments running on strict KVM architectures like those we deploy at CoolVDS.

The Problem: Configuration Drift

You deploy a server. It is secure. You hand it over to the developers. Two weeks later, someone has enabled password authentication for SSH because they lost their key, or they changed the umask setting to make file sharing easier. Your server has drifted from its compliant state.

In a dynamic DevOps environment, immutable infrastructure is the goal, but mutable reality often interferes. We need a way to continuously audit the state of our machines against established standards like the CIS (Center for Internet Security) Benchmarks or PCI-DSS.

The Toolset: OpenSCAP

In 2020, the industry standard for this on Linux is the Security Content Automation Protocol (SCAP). The open-source implementation, OpenSCAP, allows us to scan servers against XCCDF (The Extensible Configuration Checklist Description Format) profiles.

Let’s assume you are running CentOS 7 or the newly released Ubuntu 20.04 LTS on your VPS. Here is how you install the scanner and the security guides:

# For CentOS/RHEL 7
yum install openscap-scanner scap-security-guide

# For Ubuntu 18.04/20.04 (the SCAP Security Guide content for Ubuntu ships in the
# ssg-debderived package; the datastreams land in /usr/share/xml/scap/ssg/content/)
apt-get install libopenscap8 ssg-debderived

Once installed, you don't just "run a scan." You must select a profile. For a Norwegian e-commerce site handling credit card data, the PCI-DSS profile is relevant. For general hardening, the profile simply named "standard" is sufficient.

Here is how you execute a scan to check for compliance, outputting a report to an HTML file:

oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --results results.xml \
    --report report.html \
    /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

Pro Tip: Do not run heavy SCAP scans during peak traffic hours on standard magnetic storage VPS options. The I/O wait can spike significantly as the scanner reads thousands of system files. This is where the NVMe storage standard on CoolVDS becomes critical—the high IOPS threshold ensures your audit doesn't cause a denial of service for your customers.
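The HTML report is for humans; the results.xml file is what a daily cron job should act on. The script below is an added example (not part of the original post) that reads the XCCDF results produced by the --results flag, lists every rule that failed and exits with the same convention oscap xccdf eval itself uses (0 when no rule failed, 2 when at least one did), so the job can page someone or trigger the Ansible run. It assumes the XCCDF 1.2 namespace used by the SCAP Security Guide datastreams; the SAMPLE_RESULTS document is constructed for illustration and is not real scanner output.

```python
"""Summarise an OpenSCAP XCCDF results file and decide whether the host passes.

Added example, not code from the original post. Assumes results.xml came from
`oscap xccdf eval --results results.xml ...` and uses the XCCDF 1.2 namespace.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample standing in for results.xml (rule ids follow the SSG naming scheme).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed_sample">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return {rule_id: result} for every <rule-result> in the document, wherever it is nested."""
    root = ET.fromstring(xml_text)
    results = {}
    for rule in root.iterfind(".//x:rule-result", XCCDF_NS):
        res = rule.find("x:result", XCCDF_NS)
        text = res.text.strip() if res is not None and res.text else "unknown"
        results[rule.get("idref")] = text
    return results


def summarize(results):
    """Count rules per outcome (pass, fail, notapplicable, ...)."""
    counts = {}
    for outcome in results.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def failed_rules(results):
    """Rule ids that need remediation. 'error' and 'unknown' are treated as failures
    so that a broken check can never silently count as compliant."""
    return sorted(rid for rid, outcome in results.items() if outcome in ("fail", "error", "unknown"))


def compliance_exit_code(results):
    """0 = every rule passed or was not applicable, 2 = at least one failure (oscap's convention)."""
    return 2 if failed_rules(results) else 0


if __name__ == "__main__":
    # usage: python check_scap.py results.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    results = parse_rule_results(text)
    print("summary:", summarize(results))
    for rid in failed_rules(results):
        print("FAIL", rid)
    sys.exit(compliance_exit_code(results))
```

Treating "error" and "unknown" as failures is deliberate: a check that could not run tells you nothing about the host, and a compliance job must fail closed.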

Automating Remediation with Ansible

Scanning tells you what is broken. Remediation fixes it. While OpenSCAP can generate bash scripts to fix issues, running generated bash scripts in production is risky. I prefer using Ansible for idempotent, controlled enforcement.

We can map specific compliance failures to Ansible tasks. For example, a common failure in CIS benchmarks is SSH configuration. The benchmark requires that PermitRootLogin is set to 'no' and Protocol is set to 2.

Here is a snippet of a hardening playbook that enforces these rules. This isn't just theory; this is the code running on our production clusters in Oslo right now.

---
- name: Harden SSH Configuration
  hosts: all
  become: yes
  tasks:
    - name: Ensure SSH Protocol is set to 2
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        validate: 'sshd -t -f %s'
      notify: restart_sshd

    - name: Disable SSH Root Login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: 'sshd -t -f %s'
      notify: restart_sshd

    - name: Ensure SSH MaxAuthTries is set to 4
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^MaxAuthTries'
        line: 'MaxAuthTries 4'
        state: present
        validate: 'sshd -t -f %s'
      notify: restart_sshd

  handlers:
    - name: restart_sshd
      service:
        name: sshd
        state: restarted
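One caveat worth checking after a playbook like this runs: when the regexp does not match an active line (the stock file only has a commented-out #PermitRootLogin), lineinfile appends the new line at the end of the file. If the file ends with a Match block, the appended directive lands inside that block, applies only to matching connections, and sshd -t still accepts it. The checker below is an added example, not the playbook's code or the project's own; it parses sshd_config the way sshd does (keywords are case-insensitive, the first occurrence wins, everything after a Match line is conditional) and reports directives that are missing, wrong, or only set inside a Match block. SAMPLE_CONFIG is a constructed file that exhibits exactly that trap. The fix on the Ansible side is to pin the insert position with lineinfile's insertbefore parameter (for example insertbefore: '^Match').

```python
"""Audit the values sshd will actually use for a set of hardening directives.

Added example, not from the original post. Parses sshd_config with sshd's own
rules: first occurrence of a keyword wins, keywords are case-insensitive, and
anything after a `Match` line applies only to matching connections.
"""
import sys

# Directives from the CIS-style rules enforced by the playbook above (lowercased keywords).
REQUIRED = {"protocol": "2", "permitrootlogin": "no", "maxauthtries": "4"}

# Constructed sample: root login and Protocol were appended *after* a Match block,
# so globally the sshd defaults still apply, and MaxAuthTries is too high.
SAMPLE_CONFIG = """# constructed sample sshd_config
Port 22
#PermitRootLogin yes
MaxAuthTries 6
Match Address 10.0.0.0/8
    PermitRootLogin no
Protocol 2
"""


def parse_sshd_config(text):
    """Return (global_values, match_values): first-wins dicts of lowercase keyword -> value."""
    global_values, match_values = {}, {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key = tokens[0]
        value = tokens[1].strip() if len(tokens) > 1 else ""
        if "=" in key:  # sshd also accepts the "Keyword=value" form
            key, eq_value = key.split("=", 1)
            value = (eq_value + " " + value).strip()
        key = key.lower()
        if key == "match":
            in_match = True  # every later line is conditional
            continue
        target = match_values if in_match else global_values
        target.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return global_values, match_values


def audit(text, required=REQUIRED):
    """Return a list of (directive, finding) tuples; an empty list means compliant."""
    global_values, match_values = parse_sshd_config(text)
    findings = []
    for key, wanted in required.items():
        got = global_values.get(key)
        if got is None:
            where = " (only set inside a Match block)" if key in match_values else ""
            findings.append((key, f"not set globally{where}; the sshd default applies"))
        elif got.lower() != wanted.lower():
            findings.append((key, f"is '{got}', expected '{wanted}'"))
    return findings


if __name__ == "__main__":
    # usage: python audit_sshd.py /etc/ssh/sshd_config   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = audit(text)
    for directive, finding in findings:
        print(f"{directive}: {finding}")
    sys.exit(1 if findings else 0)
```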

Kernel Parameter Hardening

Beyond the application layer, you must secure the kernel. Network stack hardening is often overlooked. We use sysctl to prevent IP spoofing and source routing. If you are hosting on a shared platform, verify your provider allows kernel-level tuning. Since CoolVDS provides true KVM virtualization, you have full control over your kernel parameters (unlike OpenVZ containers).

Add this to your /etc/sysctl.conf or an Ansible template:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Disable send redirects
net.ipv4.conf.all.send_redirects = 0

After applying these, run sysctl -p to load them immediately.
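sysctl -p loads the file, but it does not tell you a week later whether a developer has since flipped a parameter back. The script below is an added example (not from the original post) that reads the live values from /proc/sys, which are the values sysctl -a prints, compares them with the hardened settings above, and emits the sysctl.conf lines needed to bring the host back, ready to feed to sysctl -p or an Ansible sysctl task. The reader is injectable so the check can be exercised against SAMPLE_SNAPSHOT, a constructed set of values standing in for a drifted host, without root or a Linux kernel.

```python
"""Report kernel parameters that have drifted from the hardened sysctl values.

Added example, not from the original post. Reads /proc/sys directly; the
`reader` argument lets the check run against a constructed snapshot instead.
"""
from pathlib import Path

# The settings from the article's sysctl.conf fragment.
DESIRED = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv6.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.send_redirects": "0",
}

# Constructed snapshot: rp_filter was loosened and IPv6 is compiled out, so the
# net.ipv6 key does not exist at all.
SAMPLE_SNAPSHOT = {
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.send_redirects": "0",
}


def read_proc_sys(key):
    """Read one parameter from /proc/sys; None if the key is absent (module not loaded, IPv6 off).
    Note: keys for interfaces whose names contain dots (e.g. VLAN eth0.100) would need
    sysctl's '/' separator instead; the keys above are safe."""
    path = Path("/proc/sys") / key.replace(".", "/")
    try:
        return path.read_text().strip()
    except OSError:
        return None


def find_drift(desired, reader=read_proc_sys):
    """Return {key: (current, wanted)} for every parameter that is missing or differs."""
    drift = {}
    for key, wanted in desired.items():
        current = reader(key)
        if current != wanted:
            drift[key] = (current, wanted)
    return drift


def render_sysctl_conf(drift):
    """Produce the sysctl.conf lines that would correct the drift, one per key."""
    return "\n".join(f"{key} = {wanted}" for key, (_, wanted) in sorted(drift.items()))


if __name__ == "__main__":
    # On a real host call find_drift(DESIRED); the snapshot is used here so the
    # example runs anywhere.
    drift = find_drift(DESIRED, SAMPLE_SNAPSHOT.get)
    for key, (current, wanted) in drift.items():
        print(f"DRIFT {key}: current={current!r} wanted={wanted!r}")
    if drift:
        print("--- remediation fragment ---")
        print(render_sysctl_conf(drift))
```

A missing key is reported as drift on purpose: if net.ipv6.conf.all.accept_source_route does not exist, the setting in sysctl.conf is silently skipped, and you want to know whether that is because IPv6 is genuinely disabled or because the line never applied.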

The Data Sovereignty Factor (GDPR)

Automation is only half the battle. The other half is legal architecture. With the current uncertainty regarding the EU-US Privacy Shield, relying on US-based hyperscalers involves a calculated risk. For Norwegian businesses, the safest legal stance is ensuring data residency within the EEA/Norway.

When you automate your infrastructure, you should also automate your locality checks. Ensure your disaster recovery scripts do not accidentally spin up backups in a non-compliant region. Hosting locally with a provider like CoolVDS ensures that your physical bits reside in Oslo, subject to Norwegian law and power grid stability, removing a massive layer of complexity from your GDPR compliance documentation.

Summary: Audit, Automate, Repeat

Compliance is not a one-time project; it is a continuous loop. By combining OpenSCAP for visibility and Ansible for enforcement, you turn a quarterly headache into a daily automated process.

Component            Manual Method (High Risk)              Automated Method (Low Risk)
-------------------  -------------------------------------  -----------------------------------------
Vulnerability Scan   SysAdmin reading mailing lists         Daily cron job running oscap
Configuration        Editing /etc/ssh/sshd_config by hand   Ansible Playbooks in Git
Reporting            Excel spreadsheet                      HTML/XML reports generated automatically

Your infrastructure needs to be as resilient as your code. Stop treating your servers like pets that need manual grooming. Treat them like cattle, but secure cattle.

Ready to implement a compliant architecture? Deploy a KVM instance on CoolVDS today. Our NVMe-backed storage provides the low latency required for intensive security scanning without degrading application performance.