Ken godee wrote:
wow, seems like quite a lot.
Heh. When I was working for the company, I had a guy who sat in easy earshot who was one of their folks who dealt with questions from companies and businesses. The *easiest* one, the lowest level, was 60 or 63 questions. The serious, highest one was over 220, and really required people on at least our level to answer some of them.
mark
What "level" of PCI/DSS compliance are you going for?
The only other thing I might add....
Are you hosting the hardware? If it's hosted elsewhere then the "facility" that's hosting the hardware needs to be PCI/DSS compliant.
On 5/25/2012 10:22 AM, Arun Khan wrote:
I have a client project to implement PCI/DSS compliance.
The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), the db server have to be on different systems. In addition the auditor has also stipulated that there be an NTP server, a "patch" server,
The Host OS on all of the above nodes will be CentOS 6.2.
Below is a list of things that would be necessary.
- Digital Certificates for each host on the PCI/DSS segment
- SELinux on each Linux host in the PCI/DSS network segment
- Tripwire/AIDE on each Linux host in the PCI/DSS segment
- OS hardening scripts (e.g. Bastille Linux)
- Firewall
- IDS (Snort)
- Central “syslog” server
However, beyond this I would appreciate any comments/feedback/suggestions if you or your organization has undergone a PCI/DSS audit and what are the gotchas that you encountered, especially with respect to CentOS/open source stack.
I came across this which kind of brings out issues between the implementer and the PCI/DSS auditor. http://webmasters.stackexchange.com/questions/15098/pci-dss-compliance-for-a-vps-using-centos
Thanks very much.
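An added example, not from the thread or any of its posters: a small Python audit helper that checks a CentOS 6 host's configuration against the per-host controls Arun lists (SELinux enforcing, AIDE installed, NTP taken only from the in-segment NTP server, rsyslog forwarding to the central syslog host). The host names `ntp.pci.example.internal` and `syslog.pci.example.internal` and the sample file contents are constructed assumptions for the demonstration.

```python
"""Audit a CentOS 6 host for the per-host PCI segment controls discussed in the
thread. Constructed example: the file contents below are made-up stand-ins for
/etc/selinux/config, /etc/ntp.conf, /etc/rsyslog.conf and `rpm -q aide` output."""
import re

def check_selinux(selinux_config: str) -> bool:
    # /etc/selinux/config must set SELINUX=enforcing (comment lines ignored)
    m = re.search(r"^\s*SELINUX=(\w+)", selinux_config, re.M)
    return bool(m) and m.group(1) == "enforcing"

def check_ntp(ntp_conf: str, internal_ntp: str) -> bool:
    # every 'server' line must point at the in-segment NTP host, not a public pool
    servers = re.findall(r"^\s*server\s+(\S+)", ntp_conf, re.M)
    return bool(servers) and all(s == internal_ntp for s in servers)

def check_remote_syslog(rsyslog_conf: str, loghost: str) -> bool:
    # rsyslog must forward all facilities to the central log host over TCP (@@host[:port])
    pattern = r"^\s*\*\.\*\s+@@" + re.escape(loghost) + r"(:\d+)?\s*$"
    return re.search(pattern, rsyslog_conf, re.M) is not None

def check_aide(rpm_query: str) -> bool:
    # `rpm -q aide` prints "package aide is not installed" when the package is absent
    return "not installed" not in rpm_query and rpm_query.startswith("aide-")

def audit_host(files: dict, internal_ntp: str = "ntp.pci.example.internal",
               loghost: str = "syslog.pci.example.internal") -> dict:
    # Returns one pass/fail flag per control so the caller can report or gate on them
    return {
        "selinux_enforcing": check_selinux(files["selinux"]),
        "ntp_internal_only": check_ntp(files["ntp"], internal_ntp),
        "syslog_forwarded": check_remote_syslog(files["rsyslog"], loghost),
        "aide_installed": check_aide(files["rpm_aide"]),
    }

# Constructed sample host: SELinux left permissive and ntp still using a public pool,
# the two findings an auditor would flag; the version string is made up.
SAMPLE_HOST = {
    "selinux": "# This file controls the state of SELinux on the system.\nSELINUX=permissive\nSELINUXTYPE=targeted\n",
    "ntp": "driftfile /var/lib/ntp/drift\nserver 0.centos.pool.ntp.org\nserver ntp.pci.example.internal\n",
    "rsyslog": "*.info;mail.none /var/log/messages\n*.* @@syslog.pci.example.internal:514\n",
    "rpm_aide": "aide-0.14-3.el6.x86_64\n",
}

if __name__ == "__main__":
    for control, ok in audit_host(SAMPLE_HOST).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```

On a real host the four strings would be read from the files and from `rpm -q aide` rather than embedded; the checks themselves are unchanged.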
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos