Automating the Fortress: Infrastructure Compliance as Code

If you are still hardening your servers by manually editing /etc/ssh/sshd_config and restarting services by hand, you have already failed the audit. In the current landscape of 2020, manual security is not just inefficient—it is a liability. Human error is the single largest vector for security breaches, and when the Datatilsynet (Norwegian Data Protection Authority) comes knocking regarding a GDPR inquiry, "I forgot to disable password auth on that one node" is not a valid legal defense.

We need to stop treating servers like pets that we groom individually. They are cattle. They should be hardened by design, instantiated with code, and audited automatically. Whether you are running a high-traffic Magento shop or a critical API endpoint in Oslo, the baseline requirement is identical: consistency.

This guide walks through automating CIS (Center for Internet Security) Level 1 benchmarks on Linux infrastructure using Ansible and verifying it with OpenSCAP. We will look at why hosting jurisdiction matters now more than ever, and how to implement this on CoolVDS KVM instances without killing your I/O performance.

The Jurisdiction Trap: Why "Cloud" Isn't Enough

Before we touch a single config file, we must address the physical layer. In early 2020, the legal frameworks governing data transfer (like the Privacy Shield) are under immense scrutiny. While the lawyers argue, the pragmatic engineering decision is simple: Data Residency.

If your customer data never leaves Norway, your compliance burden drops significantly. This is why we architect systems on CoolVDS. Their datacenters are physically located in Oslo, governed by Norwegian law, and shielded from the opaque data requests common with US-owned hyper-scalers. You get low latency to the Norwegian Internet Exchange (NIX) as a performance bonus, but the real value is the legal peace of mind.

Step 1: The Base Hardening (Ansible Approach)

We do not use shell scripts for hardening. They are brittle and lack idempotency. We use Ansible. The goal is to enforce CIS Benchmark standards. These are globally recognized best practices that cover everything from file permissions to kernel parameters.

Pro Tip: Always run your hardening playbooks against a staging environment first. Applying CIS Level 2 hardening blindly can and will lock you out of your own server by disabling necessary protocols or root access mechanisms.

Hardening SSH Configuration

The SSH daemon is your front door. It needs to be a bank vault, not a screen door. We disable root login, enforce Protocol 2, and ban empty passwords. Here is an Ansible snippet to enforce this state:

- name: Secure SSH Configuration
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    validate: 'sshd -t -f %s'
  with_items:
    - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
    - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
    - { regexp: '^PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }
    - { regexp: '^Protocol', line: 'Protocol 2' }
    - { regexp: '^MaxAuthTries', line: 'MaxAuthTries 3' }
    - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 300' }
    - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax 0' }
  notify: restart sshd

Step 2: Kernel Parameter Optimization

Network stack hardening prevents a class of attacks including IP spoofing and man-in-the-middle redirects. These settings go into /etc/sysctl.conf. On a CoolVDS instance, because you have full KVM virtualization (unlike OpenVZ where the kernel is shared), you have the authority to modify these parameters.

Here is the configuration required to mitigate ICMP redirects and syn floods:

# /etc/sysctl.d/99-security.conf

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Log Martians
net.ipv4.conf.all.log_martians = 1

Apply these changes immediately with:

Step 3: Automated Auditing with OpenSCAP

How do you prove to an auditor that your server is secure? You don't show them config files; you show them a scan report. OpenSCAP is the industry standard tool for this. It compares your system against the XCCDF (eXtensible Configuration Checklist Description Format) profiles.

On CentOS 7 or 8, you can install the scanner and the security guides easily:

Once installed, you can run a scan against the PCI-DSS or CIS profile. This command evaluates the system and generates a user-friendly HTML report:

oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_pci-dss \
  --results /var/www/html/scan-report.xml \
  --report /var/www/html/scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

If you see red on that report, you have work to do. This loop—Harden (Ansible) -> Verify (OpenSCAP) -> Report—is the heart of automated compliance.

The Performance Trade-off: Encryption and I/O

Security is not free. Enabling audit logging (auditd), strict firewalling, and encrypted-at-rest filesystems (LUKS) consumes CPU cycles and I/O operations. In a shared hosting environment, enabling full audit logging can sometimes bring a server to its knees due to the sheer volume of disk writes.

This is where infrastructure choice becomes critical. You need high IOPS. We benchmarked CoolVDS NVMe instances against standard SATA-based VPS providers in the Nordic region. The difference is stark when auditd is pushing thousands of events per second.

When you turn on aggressive logging for GDPR compliance, you are essentially turning your disk into a bottleneck. NVMe storage isn't just a luxury for gamers; it is a requirement for compliant, high-performance production environments.

Conclusion: Trust Code, Not Promises

In 2020, security compliance in Norway is about more than just checking boxes. It is about data sovereignty and verifiable technical controls. By combining the raw power and local presence of CoolVDS with the automation of Ansible and OpenSCAP, you build a fortress that is easy to manage and legally robust.

Don't wait for a data breach to take this seriously. Spin up a fresh CentOS 8 instance on CoolVDS, clone your hardening repo, and sleep better knowing your infrastructure is as solid as the bedrock in Oslo.