Automating Security Compliance: Surviving Schrems II with Ansible & OpenSCAP
If you represent a European company processing personal data in 2022 and you aren't losing sleep over Schrems II, you aren't paying attention. The days of spinning up a generic VPS, apt-get updating, and walking away are dead. They were killed by the realization that data sovereignty isn't just a buzzword—it's a legal minefield.
I recently audited a fintech startup in Oslo. They had brilliant code but terrible infrastructure hygiene. Their "compliance" strategy was a static Excel sheet checked once a quarter. Meanwhile, three development servers had SSH exposed to the world with default ports, and their database backups were being piped to a non-compliant US storage bucket. Had Datatilsynet (The Norwegian Data Protection Authority) knocked on their door, the fines would have erased their Series A funding.
Compliance cannot be manual. It must be code. In this guide, we will look at automating server hardening using Ansible and validating it with OpenSCAP, specifically tailored for infrastructure hosted within Norwegian borders.
The Architecture of Trust
Before we touch the config files, let's talk about the base layer. You can have the most hardened kernel in the world, but if your host over-provisions RAM or leaks side-channel data via shared CPU caches, you are vulnerable.
This is why, for mission-critical workloads, I lean heavily on KVM-based virtualization. Unlike container-based virtualization (like OpenVZ or LXC), KVM provides a stricter hardware-level isolation. At CoolVDS, we enforce this isolation strictly. When we say you have 4 vCPUs, they are yours. This isn't just about performance; it's about mitigating noisy neighbor attacks and ensuring that your encrypted data remains yours.
Pro Tip: Always verify your data residency. If your provider cannot guarantee that your volume snapshots stay within the EEA (European Economic Area), you are likely non-compliant with GDPR Article 44. CoolVDS storage arrays for our Oslo region are physically located in Norway, falling under Norwegian jurisdiction.
Step 1: Infrastructure as Code (Ansible Hardening)
We don't configure servers by hand. We define a state. Below is a foundational Ansible task list for hardening an Ubuntu 22.04 LTS server (released earlier this year). This snippet focuses on SSH, the most common attack vector.
The Playbook: hardening.yml
```yaml
- name: Secure SSH Configuration
  hosts: all
  become: yes
  tasks:
    - name: Ensure SSH protocol 2 is used
      # A no-op on OpenSSH 7.4+ (SSHv1 was removed and 'Protocol' is ignored); kept for older hosts
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        validate: /usr/sbin/sshd -t -f %s   # refuse to write a config sshd cannot parse
      notify: Restart SSH
    - name: Disable Root Login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart SSH
    - name: Disable Password Authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart SSH
    - name: Ensure specific AllowUsers
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^AllowUsers'
        line: 'AllowUsers deploy_user'
        state: present
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart SSH
  handlers:
    # Every task notifies the handler, so any change triggers exactly one restart at the end of the play
    - name: Restart SSH
      ansible.builtin.service:
        name: ssh   # the Ubuntu unit name; 'sshd' only works there through a unit alias
        state: restarted
```
This is basic but essential. By enforcing PermitRootLogin no and PasswordAuthentication no, you eliminate password brute-force attacks immediately. We assume you have already distributed your SSH keys. One caveat: the stock sshd_config on Ubuntu 22.04 begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for a keyword. A drop-in file in that directory (cloud-init writes one when password authentication is enabled) therefore wins over a line that lineinfile appends to the end of the main file. After the play, check the effective configuration with `sshd -T`, not the file you edited.
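To make the first-match-wins caveat concrete, here is a small resolver that evaluates sshd_config the way sshd does (Include expanded in place, the first value for a keyword kept) and compares the result with the hardening targets from the playbook. This is an added example written for this article, not Ansible or OpenSSH code; the file contents are constructed to mimic a host after the play has run, and the `50-cloud-init.conf` drop-in is a sample, not a capture.

```python
"""Resolve the effective value of sshd_config keywords the way sshd does:
the first value read for a keyword wins, and Include directives are
expanded at the point where they appear (OpenSSH 8.2+ semantics).
Example code added for this article; not part of the original post, of
Ansible, or of OpenSSH. SAMPLE_FS is a constructed stand-in for a host.
"""
import fnmatch
import shlex

# Constructed in-memory filesystem: path -> file contents.
# The main file mimics Ubuntu 22.04 after the playbook appended its lines.
SAMPLE_FS = {
    "/etc/ssh/sshd_config": """\
# Drop-ins are read here, before anything below
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy_user
""",
    # Sample drop-in of the kind cloud-init writes when password auth is enabled
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# Hardening targets taken from the playbook (keywords are case-insensitive in sshd).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}


def _expand_glob(pattern, fs):
    """Paths in fs matching a shell glob, sorted as sshd's glob() would return them."""
    return sorted(p for p in fs if fnmatch.fnmatchcase(p, pattern))


def effective_config(path, fs):
    """Return {keyword_lower: (value, source_file)} using first-match-wins."""
    result = {}

    def walk(file_path):
        for raw in fs[file_path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = shlex.split(line)
            if len(parts) == 1 and "=" in parts[0]:   # 'Keyword=value' form
                parts = parts[0].split("=", 1)
            keyword, args = parts[0].lower(), parts[1:]
            if keyword == "match":
                # Match blocks are conditional; this resolver models only the global section
                break
            if keyword == "include":
                for pattern in args:
                    for included in _expand_glob(pattern, fs):
                        walk(included)
                continue
            # First value wins; sshd silently ignores later duplicates
            result.setdefault(keyword, (" ".join(args), file_path))

    walk(path)
    return result


def audit(fs, main_path="/etc/ssh/sshd_config", expected=EXPECTED):
    """Compare effective settings with the hardening targets.
    Returns [(keyword, expected, effective, source_file)] for each deviation."""
    cfg = effective_config(main_path, fs)
    findings = []
    for keyword, want in expected.items():
        actual, source = cfg.get(keyword, (None, None))
        if actual is None or actual.lower() != want:
            findings.append((keyword, want, actual, source))
    return findings


if __name__ == "__main__":
    for keyword, want, actual, source in audit(SAMPLE_FS):
        print(f"{keyword}: expected {want!r}, effective {actual!r} (set in {source})")
```

Run against the sample, the audit reports that PasswordAuthentication is effectively `yes`, set by the drop-in, even though the main file says `no`. On a real host the authoritative check is `sshd -T`, which prints the configuration the daemon will actually use; the fix is to manage the drop-in directory too (for example by placing your hardened values in a file that sorts before the others, or by removing the conflicting one).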
Step 2: Continuous Auditing with OpenSCAP
Applying a configuration is one thing; proving it is another. OpenSCAP, an open-source implementation of SCAP (Security Content Automation Protocol), lets us scan our servers against established industry benchmarks, such as the CIS (Center for Internet Security) benchmarks.
First, install the necessary tools on your CoolVDS instance:
```bash
sudo apt-get update
sudo apt-get install libopenscap8 ssg-base ssg-deb ssg-modules ssg-utils
```
Now, run a scan against the standard profile. Note that generating the HTML report is heavy on I/O. This is where high-performance NVMe storage becomes critical. On spinning rust, this scan can take minutes. On CoolVDS NVMe instances, it completes in seconds.
```bash
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results-arf arf.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
This command generates a report.html that you can present to an auditor. It outlines exactly where your system passes or fails against the CIS Level 1 Server benchmark.
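An HTML report is for the auditor; a pipeline needs a machine-readable verdict. The script below, an added example for this article rather than OpenSCAP project code, reads the XCCDF rule results that `oscap` writes into the ARF file and turns them into a severity-aware gate. The XML is a constructed, minimal TestResult in the shape oscap produces; the rule ids are sample values in the SSG naming style, and the hostname is a placeholder.

```python
"""Turn an OpenSCAP result file into a pass/fail gate for CI.
Added example for this article (not from the OpenSCAP project). The XML
below is a constructed, minimal XCCDF 1.2 TestResult, in the shape oscap
writes inside the ARF produced by --results-arf; the rule ids are sample
values in the SSG naming style and the target hostname is a placeholder.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: what a scan of a partly hardened host might look like.
SAMPLE_RESULT = f"""<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_sample"
            start-time="2022-11-01T10:00:00" end-time="2022-11-01T10:00:42">
  <profile idref="xccdf_org.ssgproject.content_profile_cis_level1_server"/>
  <target>vds-oslo-01.example.internal</target>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_motd" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="medium">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


def rule_results(xml_text):
    """Yield (rule_id, severity, result) for every rule-result element.
    Works on a bare TestResult and on a full ARF document, because the
    element is located by its namespace-qualified tag anywhere in the tree."""
    root = ET.fromstring(xml_text)
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rr.find(f"{{{XCCDF_NS}}}result")
        has_text = result_el is not None and result_el.text
        result = result_el.text.strip() if has_text else "unknown"
        yield rr.get("idref", ""), rr.get("severity", "unknown"), result


def summarize(xml_text):
    """Count outcomes and collect failing rules: returns (Counter, [(id, severity)])."""
    counts = Counter()
    failures = []
    for rule_id, severity, result in rule_results(xml_text):
        counts[result] += 1
        if result in ("fail", "error"):
            failures.append((rule_id, severity))
    return counts, failures


def gate(xml_text, block_on=("high", "medium")):
    """True when no failing rule has a blocking severity.
    Low-severity failures are still listed but do not stop the pipeline."""
    _, failures = summarize(xml_text)
    return not any(severity in block_on for _, severity in failures)


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_RESULT)
    print("results:", dict(counts))
    for rule_id, severity in failures:
        print(f"  FAIL [{severity}] {rule_id}")
    raise SystemExit(0 if gate(SAMPLE_RESULT) else 1)
```

Feed it the real `arf.xml` from the scan above by reading the file into `summarize`. Note that `oscap xccdf eval` already exits with status 2 when any rule fails, regardless of severity; the value of parsing the results yourself is deciding which failures block a deploy and which only raise a ticket.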
Step 3: Network Level Defense (Nginx & TLS)
If you are serving web traffic, your SSL/TLS configuration is the next line of defense. As of late 2022, TLS 1.0 and 1.1 are deprecated and dangerous. You must enforce TLS 1.2 and 1.3.
Here is a production-ready snippet for your nginx.conf used to handle high-traffic loads while maintaining an A+ rating on SSL Labs:
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Every suite above is forward-secret AEAD, so the client's preference is safe to honour
ssl_prefer_server_ciphers off;
# HSTS (Strict-Transport-Security): two years, sent on every response code thanks to 'always'
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
# ssl_stapling_verify needs the issuer chain to validate the stapled response:
# ssl_trusted_certificate /path/to/issuer-chain.pem;
# Resolver used to look up the OCSP responder's hostname
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
```
Notice the OCSP stapling configuration. The server fetches the signed OCSP response itself, caches it, and sends it inside the handshake, so clients no longer contact the Certificate Authority's responder: that takes load off the CA, removes a round trip from the handshake, and stops the CA from learning which sites your users visit. Low latency isn't just about ping times; it's about handshake efficiency.
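Before handing a TLS block to a deploy pipeline it is worth linting it for the points above. The following checker is an added example written for this article (not an nginx tool): it parses simple nginx directives and flags deprecated protocols, a missing or short HSTS policy, and stapling verification without a trusted chain. Both fragments are constructed; the legacy one is the kind of config that still gets copied around, the hardened one is the article's block with a shortened cipher list and a placeholder chain path.

```python
"""Lint the TLS-related directives of an nginx server block.
Added example for this article; not nginx's own tooling. Both config
fragments are constructed: a legacy block and the hardened block the
article recommends (cipher list shortened, plus the trusted-chain directive
that stapling verification needs). The certificate path is a placeholder.
"""
import re

LEGACY_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=300";
ssl_stapling on;
ssl_stapling_verify on;
"""

HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;  # shortened for the example
ssl_prefer_server_ciphers off;
# HSTS (Strict-Transport-Security)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/example/issuer-chain.pem;  # placeholder path
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
"""

MIN_HSTS_AGE = 31536000  # one year, the common minimum for preload-grade HSTS
BANNED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return [(name, [args])] for simple directives; comments are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for stmt in line.split(";"):
            stmt = stmt.strip()
            if stmt:
                name, *args = stmt.split()
                directives.append((name, args))
    return directives


def lint_tls(text):
    """Return [(code, message)] findings; an empty list means all checks pass."""
    findings = []
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)

    # Protocol versions: anything older than TLS 1.2 is deprecated (RFC 8996)
    protocols = set(sum(by_name.get("ssl_protocols", []), []))
    bad = sorted(protocols & BANNED_PROTOCOLS)
    if bad:
        findings.append(("weak-protocol", f"ssl_protocols enables deprecated {', '.join(bad)}"))
    if "ssl_protocols" in by_name and "TLSv1.3" not in protocols:
        findings.append(("no-tls13", "ssl_protocols does not enable TLSv1.3"))

    # HSTS: present, long-lived, and sent on every response code
    hsts = [a for a in by_name.get("add_header", [])
            if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append(("no-hsts", "no Strict-Transport-Security header"))
    else:
        match = re.search(r"max-age=(\d+)", " ".join(hsts[-1][1:]))
        age = int(match.group(1)) if match else 0
        if age < MIN_HSTS_AGE:
            findings.append(("short-hsts", f"HSTS max-age {age} is below {MIN_HSTS_AGE}"))
        if "always" not in hsts[-1]:
            findings.append(("hsts-not-always", "HSTS header lacks 'always' (not sent on error responses)"))

    # Stapling verification cannot validate the response without the issuer chain
    verify = by_name.get("ssl_stapling_verify", [["off"]])[-1]
    if verify == ["on"] and "ssl_trusted_certificate" not in by_name:
        findings.append(("stapling-chain", "ssl_stapling_verify on needs ssl_trusted_certificate"))
    return findings


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint_tls(conf) or 'no findings'}")
```

The checker deliberately works on the text you are about to deploy rather than on a live endpoint, so it runs in CI before the config reaches a server; an external scan such as SSL Labs then confirms what the running server actually negotiates.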
The "CoolVDS" Factor: Why Base Infrastructure Matters
You can automate your OS hardening, but you cannot automate the physical layer. This is where the choice of provider becomes a security decision, not just a procurement one.
When we designed the CoolVDS stack, we chose to host our primary nodes in Tier III+ facilities in Norway. Why? Because the latency to NIX (Norwegian Internet Exchange) is negligible, often under 2ms for local traffic. But more importantly, it aligns with the "Pragmatic CTO" philosophy: Minimize Risk.
| Feature | Generic Cloud | CoolVDS |
|---|---|---|
| Data Location | Opaque (EU Region often means "somewhere in Europe") | Strictly Norway (Oslo) |
| Virtualization | Often shared kernel (Containers) | Full KVM Isolation |
| DDoS Protection | Usually an expensive add-on | Integrated L3/L4 filtering |
Conclusion
Security is a process, not a product. However, the product you build that process upon determines your ceiling. By combining Ansible for consistency, OpenSCAP for verification, and a sovereign host like CoolVDS for the foundation, you build an architecture that satisfies both the hackers and the lawyers.
Don't wait for a data breach or an audit letter to take infrastructure seriously. Spin up a hardened, compliant instance on CoolVDS today and keep your data where it belongs.