2012/5/25 Arun Khan knura9@gmail.com:
> I have a client project to implement PCI/DSS compliance.
> The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), the db server have to be on different systems.

Requirement "one primary function per server".

> In addition the auditor has also stipulated that there be an NTP server, a "patch" server,

True also.

> The Host OS on all of the above nodes will be CentOS 6.2.
> Below is a list of things that would be necessary.
> - Digital Certificates for each host on the PCI/DSS segment

Usually needed, if you use https or similar protocols.

> - SELinux on each Linux host in the PCI/DSS network segment

SELinux is not usually needed.

> - Tripwire/AIDE on each Linux host in the PCI/DSS segment

Ossec (www.ossec.net) can do this.

> - OS hardening scripts (e.g. Bastille Linux)

Some hardening needed.

> - Firewall

Hardware and software firewall on each network segment with NAT enabled.

> - IDS (Snort)

Ossec can do this.

> - Central "syslog" server

Ossec server with Samhain is a good solution for that.

> However, beyond this I would appreciate any comments/feedback/suggestions if you or your organization has undergone a PCI/DSS audit and what gotchas you encountered, especially with respect to CentOS/open source stack.
-- Eero