Re: [CentOS] PCI/DSS compliance on CentOS

Arun Khan wrote:

I have a client project to implement PCI/DSS compliance.

The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), the db server have to be on different systems. In addition the auditor has also stipulated that there be a NTP server, a "patch" server,

The Host OS on all of the above nodes will be CentOS 6.2.

Below is a list of things that would be necessary.

1. Digital Certificates for each host on the PCI/DSS segment
2. SELinux on each Linux host in the PCI/DSS network segment
3. Tripwire/AIDE on each Linux host in the PCI/DSS segment
4. OS hardening scripts (e.g. Bastille Linux)
5. Firewall
6. IDS (Snort)
7. Central “syslog” server

However, beyond this I would appreciate any comments/feedback /

<snip> I had a short-term contract with a company that a) did managed security, and b) was a root CA. I *think* the auditor missed one thing: as I understand it, if the three servers aren't hardwired to each other, *all* communications must be encrypted between them.

mark