Wow, seems like quite a lot. What "level" of PCI/DSS compliance are you going for? The only other thing I might add.... Are you hosting the hardware? If it's hosted elsewhere then the "facility" that's hosting the hardware needs to be PCI/DSS compliant.

On 5/25/2012 10:22 AM, Arun Khan wrote:
> I have a client project to implement PCI/DSS compliance.
>
> The PCI/DSS auditor has stipulated that the web server, application
> middleware (tomcat), and the db server have to be on different systems.
> In addition the auditor has also stipulated that there be an NTP
> server, a "patch" server,
>
> The Host OS on all of the above nodes will be CentOS 6.2.
>
> Below is a list of things that would be necessary.
>
> 1. Digital Certificates for each host on the PCI/DSS segment
> 2. SELinux on each Linux host in the PCI/DSS network segment
> 3. Tripwire/AIDE on each Linux host in the PCI/DSS segment
> 4. OS hardening scripts (e.g. Bastille Linux)
> 5. Firewall
> 6. IDS (Snort)
> 7. Central "syslog" server
>
> However, beyond this I would appreciate any comments/feedback/
> suggestions if you or your organization has undergone a PCI/DSS audit
> and what gotchas you encountered, especially with respect
> to CentOS/open source stack.
>
> I came across this which kind of brings out issues between the
> implementer and the PCI/DSS auditor.
> <http://webmasters.stackexchange.com/questions/15098/pci-dss-compliance-for-a-vps-using-centos>
>
> Thanks very much.
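A quick per-host check for the controls in the quoted list (SELinux, AIDE, NTP, central syslog, firewall), as an added example that is not part of this thread and not anyone's tool from it. It reads the text of a few CentOS 6 config files and reports what does not match the expected baseline. The file paths are CentOS 6 defaults, the pass/fail rules are this example's own assumptions rather than PCI DSS wording, the cron job location for AIDE is assumed, and the sample configs embedded below are constructed for illustration.

```python
"""Baseline config checks for a CentOS 6 host in the PCI DSS segment.

Added example, not from the original thread. Checks: SELinux enforcing,
AIDE check scheduled, an NTP server configured, remote syslog forwarding,
and a deny-by-default iptables INPUT chain. Run with an optional root
directory to audit a mounted image instead of the live host.
"""
import re
import sys

# Files the audit reads (CentOS 6 default paths; cron path is an assumption).
FILES = {
    "selinux": "/etc/selinux/config",
    "aide_cron": "/etc/cron.daily/aide",
    "ntp": "/etc/ntp.conf",
    "rsyslog": "/etc/rsyslog.conf",
    "iptables": "/etc/sysconfig/iptables",
}


def _active_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def check_selinux(text):
    """SELINUX= must be 'enforcing'; permissive or disabled is a finding."""
    for line in _active_lines(text):
        m = re.match(r"SELINUX\s*=\s*(\w+)$", line)
        if m:
            mode = m.group(1).lower()
            return [] if mode == "enforcing" else [
                "SELinux mode is '%s', expected enforcing" % mode]
    return ["SELINUX= not set"]


def check_aide(text):
    """The daily cron job must actually run an AIDE check (not commented out)."""
    for line in _active_lines(text):
        if re.search(r"\baide\b.*(--check|-C\b)", line):
            return []
    return ["no 'aide --check' in the daily cron job"]


def check_ntp(text):
    """At least one 'server' line so every host shares a time source."""
    if any(re.match(r"server\s+\S+", ln) for ln in _active_lines(text)):
        return []
    return ["no 'server' line in ntp.conf"]


def check_rsyslog(text):
    """Logs must be forwarded off-host; TCP (@@) is preferred over UDP (@)."""
    targets = [ln for ln in _active_lines(text) if re.match(r"\S+\s+@", ln)]
    if not targets:
        return ["no remote forwarding rule (*.* @@loghost:514)"]
    if not any(re.match(r"\S+\s+@@", ln) for ln in targets):
        return ["remote syslog uses UDP only; TCP (@@) forwarding recommended"]
    return []


def check_iptables(text):
    """INPUT chain must deny by default: DROP policy or a terminal DROP/REJECT."""
    for line in _active_lines(text):
        if re.match(r":INPUT DROP\b", line) or \
                re.match(r"-A INPUT -j (DROP|REJECT)(\s|$)", line):
            return []
    return ["INPUT chain has no default deny"]


CHECKS = {
    "selinux": check_selinux,
    "aide_cron": check_aide,
    "ntp": check_ntp,
    "rsyslog": check_rsyslog,
    "iptables": check_iptables,
}


def audit(contents):
    """Run every check over a {name: file_text} map; return 'name: finding' strings."""
    findings = []
    for name, check in CHECKS.items():
        text = contents.get(name)
        if text is None:
            findings.append("%s: %s missing" % (name, FILES[name]))
            continue
        findings.extend("%s: %s" % (name, f) for f in check(text))
    return findings


# Constructed sample host: SELinux permissive, AIDE job commented out,
# syslog forwarded over UDP only; NTP and the firewall are acceptable.
SAMPLE = {
    "selinux": "# This file controls the state of SELinux\nSELINUX=permissive\nSELINUXTYPE=targeted\n",
    "aide_cron": "#!/bin/sh\n# TODO: enable once the database is initialised\n# /usr/sbin/aide --check\n",
    "ntp": "driftfile /var/lib/ntp/drift\nserver ntp1.pci.example.net iburst\n",
    "rsyslog": "$ModLoad imuxsock\n*.info;mail.none /var/log/messages\n*.* @loghost.pci.example.net:514\n",
    "iptables": "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"
                "-A INPUT -p tcp --dport 22 -j ACCEPT\n"
                "-A INPUT -j REJECT --reject-with icmp-host-prohibited\nCOMMIT\n",
}


def main(root="/"):
    """Read the real files under root, print findings, exit 1 if any."""
    contents = {}
    for name, path in FILES.items():
        try:
            with open(root.rstrip("/") + path) as fh:
                contents[name] = fh.read()
        except IOError:
            pass  # reported as missing by audit()
    findings = audit(contents)
    for f in findings:
        print("FAIL " + f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/"))
```

Running it against the constructed SAMPLE reports three findings (SELinux mode, the disabled AIDE job, UDP-only syslog). A terminal REJECT rule is accepted as "default deny" here because that is what the stock CentOS 6 ruleset uses; tighten that rule to require a DROP policy if the auditor asks for it.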