Automating Compliance: Surviving Datatilsynet Audits with Infrastructure as Code in 2025

Let's be honest: the only thing scarier than a rootkit is a letter from Datatilsynet (The Norwegian Data Protection Authority). If you are running infrastructure in 2025 and you still treat compliance as a quarterly manual checklist, you are already compromised. It's not a matter of if, but when configuration drift exposes a vulnerability.

I've sat in boardrooms in Oslo where the CTO sweated bullets because a junior developer decided to `chmod 777` a config file to "fix a permission error" three weeks prior. The audit logs were empty. The backups were unverified. The fine potential? 4% of global turnover.

This guide isn't about buying expensive compliance software. It's about architecting your systems so they are compliant by default. We will focus on automating security standards (CIS Benchmarks, GDPR requirements) using open-source tools on a sovereign infrastructure stack.

The Myth of the "Secure Cloud"

Many managed hosting providers claim to be GDPR compliant. Read the fine print. They secure the physical data center. The moment you spin up a VPS, the OS security is your problem. Furthermore, if that VPS sits on a hypervisor controlled by a US-owned entity, you are dancing on the edge of Schrems II violations regarding data transfers.

This is why, for critical workloads, we default to CoolVDS. Their data centers are physically located in Norway, governed by Norwegian law, and they utilize KVM virtualization. Unlike container-based VPS solutions (OpenVZ/LXC) where kernel exploits can bleed through to the host, KVM provides hardware-level isolation. That is the baseline for any serious compliance architecture.

Step 1: Immutable Security Policies with Ansible

Stop manually hardening servers. If you SSH into a server to change a config, you’ve created a snowflake. Instead, define your security baseline as code.

We use Ansible to enforce CIS (Center for Internet Security) benchmarks. Here is a battle-tested snippet we use to lock down SSH access across our fleet. This ensures that even if a dev changes it, the next agent run reverts it.

```yaml
- name: Secure SSH Configuration
  hosts: all
  become: true
  tasks:
    # Note: AlmaLinux/RHEL 9 ship "Include /etc/ssh/sshd_config.d/*.conf" at the
    # top of sshd_config, and sshd keeps the first value it sees, so a drop-in
    # there overrides these lines. Audit that directory as well.

    # OpenSSH 7.6+ no longer supports protocol 1 at all; on those hosts this
    # directive is logged as deprecated and is otherwise a no-op.
    - name: Ensure SSH Protocol 2 is set
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'   # never write a config sshd cannot parse
      notify: Restart SSH

    - name: Disable Root Login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH   # notify belongs at task level, not inside the module arguments

    - name: Max authentication retries
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^MaxAuthTries'
        line: 'MaxAuthTries 3'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

  handlers:
    - name: Restart SSH
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Pro Tip: Never rely on default SSH ports. While "security by obscurity" isn't a standalone strategy, moving SSH to port `2222` or similar drops background noise from botnets by about 98% in our logs. This saves CPU cycles on your CoolVDS instance from processing failed auth handshakes.

Step 2: Continuous Auditing with OpenSCAP

Hardening is one half of the equation; proving it is the other. OpenSCAP is the industry standard for verifying compliance against XCCDF profiles (like PCI-DSS or NIST). It’s lightweight and runs locally on the host, with no central server required.

In 2025, auditing needs to be automated. Here is how you run a scan against the standard profile for AlmaLinux 9 (or RHEL 9 derivatives) and generate a report you can actually show an auditor.

```bash
# Install the OpenSCAP scanner and the SCAP Security Guide (SSG) content
dnf install openscap-scanner scap-security-guide -y

# Run the evaluation against the CIS benchmark profile.
# Exit status: 0 = all rules passed, 1 = scanner error, 2 = at least one rule failed.
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results scan-results.xml \
  --report scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml

# Generate a bash remediation script for the same profile (review it before running)
oscap xccdf generate fix \
  --profile xccdf_org.ssgproject.content_profile_cis \
  /usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml > remediation.sh
```

The `remediation.sh` script generated above contains the shell commands OpenSCAP would use to bring each check in the profile into compliance. Do not run it blindly in production. Review it. Test it in a staging environment. Security fixes can break legacy applications that rely on loose permissions.
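The `scan-results.xml` file is what you hand to an auditor, but it is also what should gate your pipeline. The following is an added example (not code from the original post or the OpenSCAP project) that parses the XCCDF 1.2 results, lists failed rules by severity and decides whether the host may be promoted; the embedded XML is a constructed sample, and its rule ids merely follow the SSG naming pattern.

```python
# Summarize an OpenSCAP XCCDF results file and apply a promotion gate.
# Added example; the sample XML below is constructed, not a real scan.
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark">
  <TestResult id="xccdf_org.open-scap_testresult_cis">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">71.428571</score>
  </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return outcome counts, failed (severity, rule id) pairs and the XCCDF score."""
    root = ET.fromstring(xml_text)
    # --results may wrap the TestResult in a Benchmark or write the TestResult alone
    tr = root if root.tag.endswith("TestResult") else root.find(".//x:TestResult", NS)
    counts, failures = {}, []
    for rr in tr.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome == "fail":
            failures.append((rr.get("severity", "unknown"), rr.get("idref")))
    score = tr.find("x:score", NS)
    return {"counts": counts, "failures": failures,
            "score": float(score.text) if score is not None else None}


def gate(summary, min_score=80.0, block_severities=("high",)):
    """A scan passes only with score >= min_score and no failure of a blocking severity."""
    if summary["score"] is None or summary["score"] < min_score:
        return False
    return not any(sev in block_severities for sev, _ in summary["failures"])
```

Run `summarize(open("scan-results.xml").read())` after the `oscap xccdf eval` above and fail the job when `gate()` returns `False`; the thresholds are assumptions to tune per environment.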

Step 3: File Integrity Monitoring (FIM)

Under GDPR, you must report data breaches within 72 hours. How do you know if a binary was modified or a sensitive file accessed? We use Wazuh. It’s an open-source SIEM that includes File Integrity Monitoring.

When running on high-performance NVMe storage (standard on CoolVDS), the I/O overhead of FIM is negligible. On older SATA-based VPS providers, real-time scanning can kill your application performance. Efficiency matters.

Here is a configuration block for the Wazuh agent (`ossec.conf`) to monitor critical system binaries and web configuration files:

```xml
<syscheck>
  <!-- Full scan interval in seconds (1 hour) -->
  <frequency>3600</frequency>

  <!-- Critical system paths; check_all records hashes, permissions, owner, size and mtime -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

  <!-- Files that change constantly and would only generate noise -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore>/etc/mail/statistics</ignore>

  <!-- Web root; realtime uses inotify so changes are reported immediately -->
  <directories check_all="yes" realtime="yes">/var/www/html</directories>
</syscheck>
```

This block sits inside the agent's `<ossec_config>` element.
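FIM only helps with the 72-hour clock if someone actually reads the alerts. The following is an added example, not code from the original post or the Wazuh project: it takes alerts in the JSON-lines shape Wazuh writes to `alerts.json`, keeps the syscheck events that fall inside the directory and ignore scope configured above, and groups them per agent as a starting list for breach assessment. The alert lines are constructed samples and the scope tuples are copied by hand rather than parsed from `ossec.conf`.

```python
import json

# Same scope as the syscheck block above (copied by hand, not read from ossec.conf)
MONITORED = ("/etc", "/usr/bin", "/usr/sbin", "/var/www/html")
IGNORED = ("/etc/mtab", "/etc/hosts.deny", "/etc/mail/statistics")


def _under(path, directory):
    """True if path is the directory itself or a descendant of it."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def in_scope(path):
    """Apply the ossec.conf semantics: ignored paths win over monitored directories."""
    if any(_under(path, i) for i in IGNORED):
        return False
    return any(_under(path, d) for d in MONITORED)


def triage(alerts_jsonl):
    """Group in-scope FIM alerts per agent as (timestamp, event, path) tuples."""
    findings = {}
    for line in alerts_jsonl.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        sc = alert.get("syscheck")
        if not sc or not in_scope(sc.get("path", "")):
            continue  # not a syscheck alert, or outside the monitored scope
        agent = alert.get("agent", {}).get("name", "unknown")
        findings.setdefault(agent, []).append(
            (alert["timestamp"], sc.get("event", "unknown"), sc["path"]))
    return findings


# Constructed sample alerts in the JSON-lines shape of Wazuh's alerts.json.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2025-03-02T09:14:03.000+0100", "agent": {"name": "web01"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/usr/bin/sudo", "event": "modified"}},
    {"timestamp": "2025-03-02T09:14:05.000+0100", "agent": {"name": "web01"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/etc/mtab", "event": "modified"}},  # on the ignore list
    {"timestamp": "2025-03-02T09:20:41.000+0100", "agent": {"name": "web02"},
     "rule": {"id": "554", "level": 5, "description": "File added to the system."},
     "syscheck": {"path": "/var/www/html/upload.php", "event": "added"}},
    {"timestamp": "2025-03-02T09:21:00.000+0100", "agent": {"name": "web02"},
     "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success."}},
])
```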

The Infrastructure Foundation

Software automation is useless if the hardware foundation is shaky. In the Nordic market, latency and data sovereignty are the dual kings. Routing traffic through Frankfurt or London adds milliseconds and legal complexity.

For our high-compliance setups, we utilize CoolVDS for two specific technical reasons:

  1. Direct NIX Peering: The latency to major Norwegian ISPs is sub-2ms. This matters for API handshakes in microservices architectures.
  2. Hardware Passthrough: The KVM implementation allows us to use specific CPU flags (AES-NI) for hardware-accelerated encryption without the "noisy neighbor" penalty often seen in over-provisioned clouds.

| Feature | Standard Cloud VPS | CoolVDS KVM Instance |
| --- | --- | --- |
| Storage Backend | Networked Storage (Ceph/SAN) - Higher Latency | Local NVMe - Instant I/O |
| Isolation | Container/Soft-limit | Hardware Virtualization (KVM) |
| Data Residency | Often replicated to EU-Central | Strictly Norway |

Implementation Strategy

Don't try to boil the ocean. Start small.

  1. Provision a CoolVDS instance (AlmaLinux or Ubuntu LTS).
  2. Deploy your Ansible hardening playbook.
  3. Run an OpenSCAP baseline scan.
  4. Install the Wazuh agent.

Once this pipeline is established, compliance becomes a background process rather than a panic-induced project.

Your infrastructure is the bedrock of your business. If it's weak, your business is fragile. Don't let a misconfiguration be your downfall. Take control of your stack.

Ready to build a compliant fortress? Deploy a high-performance, secure KVM instance on CoolVDS today and sleep better tonight.