wow, seems like quite a lot.
What "level" of PCI/DSS compliance are you going for?
The only other thing I might add....
Are you hosting the hardware? If it's hosted elsewhere then the "facility" that's hosting the hardware needs to be PCI/DSS compliant.
On 5/25/2012 10:22 AM, Arun Khan wrote:
I have a client project to implement PCI/DSS compliance.
The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), and the db server have to be on different systems. In addition the auditor has also stipulated that there be an NTP server, a "patch" server,
The Host OS on all of the above nodes will be CentOS 6.2.
Below is a list of things that would be necessary.
- Digital Certificates for each host on the PCI/DSS segment
- SELinux on each Linux host in the PCI/DSS network segment
- Tripwire/AIDE on each Linux host in the PCI/DSS segment
- OS hardening scripts (e.g. Bastille Linux)
- Firewall
- IDS (Snort)
- Central “syslog” server
However, beyond this I would appreciate any comments/feedback/suggestions if you or your organization has undergone a PCI/DSS audit, and what gotchas you encountered, especially with respect to the CentOS/open source stack.
I came across this which kind of brings out issues between the implementer and the PCI/DSS auditor. http://webmasters.stackexchange.com/questions/15098/pci-dss-compliance-for-a-vps-using-centos
Thanks very much.
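As an added example (not from either poster), here is a small offline pre-audit checker for the per-host controls in the list above (SELinux, central syslog, NTP, AIDE). It parses the text of the relevant CentOS 6 config files; the sample file contents and host addresses are constructed for illustration.

```python
"""Pre-audit check of per-host PCI/DSS segment controls from config file text.
Added example, not from the thread. Paths in docstrings are where the files
live on a CentOS 6 host; GOOD_HOST/BAD_HOST below are constructed samples."""
import re

def _active_lines(text):
    """Non-empty lines with '#' comments stripped."""
    return [l for l in (x.split("#", 1)[0].strip() for x in text.splitlines()) if l]

def selinux_enforcing(selinux_config):
    """/etc/selinux/config: the last SELINUX= setting must be 'enforcing'."""
    modes = [m.group(1).lower() for m in
             (re.match(r"SELINUX\s*=\s*(\w+)", l) for l in _active_lines(selinux_config)) if m]
    return bool(modes) and modes[-1] == "enforcing"

def rsyslog_remote_targets(rsyslog_conf):
    """/etc/rsyslog.conf: hosts in classic '@host' (UDP) / '@@host' (TCP) actions."""
    return [m.group(1) for m in
            (re.match(r"\S+\s+@@?([\w.\-]+)", l) for l in _active_lines(rsyslog_conf)) if m]

def ntp_servers(ntp_conf):
    """/etc/ntp.conf: upstream 'server' entries."""
    return [l.split()[1] for l in _active_lines(ntp_conf)
            if l.split()[0] == "server" and len(l.split()) > 1]

def audit_host(files, syslog_host):
    """Findings for one host; an empty list means every listed control is present."""
    findings = []
    if not selinux_enforcing(files.get("selinux", "")):
        findings.append("SELinux not enforcing")
    if syslog_host not in rsyslog_remote_targets(files.get("rsyslog", "")):
        findings.append("no rsyslog forwarding to central syslog %s" % syslog_host)
    if not ntp_servers(files.get("ntp", "")):
        findings.append("no NTP server configured")
    # AIDE is only useful if a check actually runs, e.g. from /etc/cron.daily/aide
    if not any("aide --check" in l for l in _active_lines(files.get("aide_cron", ""))):
        findings.append("no scheduled AIDE check")
    return findings

GOOD_HOST = {
    "selinux": "# SELinux state\nSELINUX=enforcing\nSELINUXTYPE=targeted\n",
    "rsyslog": "*.info;mail.none /var/log/messages\n*.* @@10.10.1.20:514\n",
    "ntp": "driftfile /var/lib/ntp/drift\nserver 10.10.1.10 iburst\n",
    "aide_cron": "#!/bin/sh\n/usr/sbin/aide --check | mail -s AIDE root\n",
}
BAD_HOST = {
    "selinux": "SELINUX=permissive\n",
    "rsyslog": "#*.* @@10.10.1.20:514\n*.info /var/log/messages\n",
    "ntp": "# server 0.centos.pool.ntp.org\n",
    "aide_cron": "",
}
```

Running `audit_host` over each host's files before the auditor arrives turns the checklist into something you can re-run after every change; a commented-out forwarding line or a permissive SELinux is exactly the kind of gap that shows up only on the audit otherwise.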