The Privacy Shield is Dead. Long Live Automation.
If you are managing infrastructure in Europe, your week likely started with a headache. On July 16, the CJEU (Court of Justice of the European Union) invalidated the Privacy Shield framework in the Schrems II ruling. Suddenly, reliance on US-based hosting giants for processing European user data has become a legal minefield. For those of us dealing with Datatilsynet audits or strict GDPR requirements, the margin for error just vanished.
But legal jurisdiction is only half the battle. You can host your data in a bunker in Oslo, but if your server configuration drifts from security baselines, you are vulnerable. Manual hardening checklists are relics. If you are still SSH-ing into servers to manually edit /etc/ssh/sshd_config, you have already lost. In 2020, infrastructure must be self-correcting and auditable via code.
This guide cuts through the noise. We aren't discussing abstract policies. We are implementing automated compliance checks against CIS (Center for Internet Security) benchmarks using Ansible and OpenSCAP, specifically tailored for environments where data sovereignty is non-negotiable.
The Architecture of "Compliance as Code"
Security compliance often turns into a bureaucratic nightmare of Excel spreadsheets. We fix this by treating compliance as code. The stack we are deploying today consists of:
- Host: CoolVDS NVMe Instance (Located in Oslo, ensuring data residency).
- OS: Ubuntu 20.04 LTS (Focal Fossa) or CentOS 8.
- Configuration Management: Ansible 2.9.
- Auditing: OpenSCAP (SCAP Security Guide).
Pro Tip: Never run compliance scans on your production database during peak hours. Even a "read-only" audit can spike I/O wait times. We recommend running these on CoolVDS staging clones first, or scheduling them during low-traffic windows (03:00 CET).
Step 1: Hardening SSH Automatically
The first line of defense is SSH. The CIS benchmark requires specific configurations. We don't implement these manually; we define the desired state. Here is how a battle-hardened Ansible task looks for locking down SSH.
Create a file named hardening_ssh.yml:
---
- name: Secure SSH Configuration
hosts: all
become: yes
tasks:
- name: Ensure SSH protocol is set to 2
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Protocol'
line: 'Protocol 2'
state: present
validate: '/usr/sbin/sshd -t -f %s'
- name: Disable Root Login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
state: present
validate: '/usr/sbin/sshd -t -f %s'
- name: Disable Password Authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
state: present
validate: '/usr/sbin/sshd -t -f %s'
- name: Set Idle Timeout Interval
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval'
line: 'ClientAliveInterval 300'
state: present
notify: Restart SSH
handlers:
- name: Restart SSH
service:
name: sshd
state: restartedThis playbook does more than change settings; it uses the validate argument to ensure that a syntax error doesn't lock you out of your serverβa common disaster when manually editing configs.
Step 2: Automating Audits with OpenSCAP
Hardening is useless without verification. OpenSCAP is the gold standard for checking Linux systems against the XCCDF (Extensible Configuration Checklist Description Format) standard. It allows us to generate HTML reports that you can hand directly to a compliance officer.
First, install the necessary tools on your CoolVDS instance:
# On Ubuntu 20.04
sudo apt-get update
sudo apt-get install libopenscap8 sshed-security-guide -y
# On CentOS 8
sudo dnf install openscap-scanner scap-security-guide -yRunning the Scan
We will scan against the CIS Level 2 Server profile. This is strict. It will flag things like legacy partition structures or missing audit rules. Run this command to assess your posture:
sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_cis_level2_server \
--results-arf /tmp/arf.xml \
--report /tmp/report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xmlIf you see a lot of "Fail" results, don't panic. That is the baseline for a vanilla OS install. The goal is to iterate your Ansible playbooks until that report turns green.
Step 3: Correcting Kernel Parameters
A common failure point in these audits is network parameter configuration within sysctl. To mitigate IP spoofing and man-in-the-middle attacks, you need to disable IP forwarding and packet redirects. Here is the configuration block compliant with 2020 security standards.
Add this to your /etc/sysctl.d/99-security.conf (or manage it via Ansible):
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore Bogus Error Responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Disable IPv6 if not used (Optional but recommended for strict auditing)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1Apply these changes immediately with:
sudo sysctl -p /etc/sysctl.d/99-security.confThe Role of Infrastructure
Software automation solves configuration drift, but it cannot solve physical jurisdiction. With Schrems II, the legal protection for transferring data to US-owned clouds has evaporated. This is where the hardware layer becomes a compliance feature.
At CoolVDS, our racks are in Oslo. We operate under Norwegian law and GDPR. We utilize KVM virtualization which provides a stricter isolation layer than container-based VPS solutions often oversold by budget providers. When you combine strict KVM isolation with the hardening scripts above, you achieve a defense-in-depth strategy that satisfies both the sysadmin and the legal department.
Comparison: Manual vs. Automated Compliance
| Feature | Manual Hardening | Automated (Ansible + OpenSCAP) |
|---|---|---|
| Time to Deploy | 45-90 Minutes per server | 2 Minutes (Concurrent) |
| Human Error Risk | High (Typoz, missed steps) | Near Zero (Idempotent) |
| Audit Trail | None (Trust me, bro) | Full XML/HTML Reports |
| Drift Detection | Impossible without login | Scheduled nightly scans |
Final Thoughts
The era of "set it and forget it" security is over. The threat landscape in 2020 requires active, code-driven defense, and the legal landscape requires strict data residency. By combining Ansible for configuration management, OpenSCAP for verification, and CoolVDS for sovereign infrastructure, you build a fortress, not just a server.
Ready to lock it down? Don't risk your data on uncertain jurisdictions. Spin up a high-performance, Norway-based NVMe instance on CoolVDS today and run your first OpenSCAP scan in under 10 minutes.