On Fri, 25 May 2012 13:47:12 -0400 m.roth at 5-cent.us wrote:
> Arun Khan wrote:
> > I have a client project to implement PCI/DSS compliance.
> >
> > The PCI/DSS auditor has stipulated that the web server, application
> > middleware (tomcat), the db server have to be on different systems.
> > In addition the auditor has also stipulated that there be an NTP
> > server, a "patch" server,
> >
> > The Host OS on all of the above nodes will be CentOS 6.2.
> >
> > Below is a list of things that would be necessary.
> >
> > 1. Digital Certificates for each host on the PCI/DSS segment
> > 2. SELinux on each Linux host in the PCI/DSS network segment
> > 3. Tripwire/AIDE on each Linux host in the PCI/DSS segment
> > 4. OS hardening scripts (e.g. Bastille Linux)
> > 5. Firewall
> > 6. IDS (Snort)
> > 7. Central "syslog" server
> >
> > However, beyond this I would appreciate any comments/feedback /
> <snip>
> I had a short-term contract with a company that a) did managed
> security, and b) was a root CA. I *think* the auditor missed one
> thing: as I understand it, if the three servers aren't hardwired to
> each other, *all* communications must be encrypted between them.

It's always a matter of risk-based analysis. Were those three servers on the same network segment (logical and physical)? Do you have good and restrictive firewalls around them, and so on. It's not good security or a good audit result if you just throb all the knobs.

Rui
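The design points raised in this thread (web, tomcat and db on separate systems; only the expected tier-to-tier flows; every flow between hosts that are not hardwired to each other encrypted) can be written down and checked before the auditor does. The following is an added example, not code from the list or from any poster; the hostnames, ports and the flow list are constructed for illustration.

```python
# Design-review helper for the PCI segment discussed in the thread.
# Hypothetical: hostnames, ports and flows below are constructed examples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str                   # originating host
    dst: str                   # destination host
    port: int                  # destination TCP/UDP port
    encrypted: bool            # TLS/IPsec on the wire
    direct_link: bool = False  # dedicated, hardwired link between the two hosts

# Which role may initiate connections to which role; "*" means any role
# (every host needs NTP, the patch server and central syslog).
ALLOWED = {("web", "tomcat"), ("tomcat", "db"),
           ("*", "ntp"), ("*", "patch"), ("*", "syslog")}

# Roles that the auditor requires on separate systems.
SEPARATE_TIERS = {"web", "tomcat", "db"}

# Constructed design: host -> set of roles it carries.
HOST_ROLES = {"web1": {"web"}, "app1": {"tomcat"}, "db1": {"db"},
              "ntp1": {"ntp"}, "patch1": {"patch"}, "log1": {"syslog"}}

# Constructed inter-host flows for that design.
FLOWS = [
    Flow("web1", "app1", 8443, encrypted=True),    # HTTPS to tomcat
    Flow("app1", "db1", 5432, encrypted=False),    # cleartext db traffic
    Flow("web1", "db1", 5432, encrypted=True),     # web tier bypassing tomcat
    Flow("app1", "log1", 514, encrypted=False),    # plain syslog
]

def review(host_roles, flows):
    """Return a list of findings; an empty list means the design passes."""
    findings = []
    for host, roles in host_roles.items():
        shared = roles & SEPARATE_TIERS
        if len(shared) > 1:
            findings.append(f"{host}: tiers {sorted(shared)} share one system")
    for f in flows:
        for s in host_roles[f.src]:
            for d in host_roles[f.dst]:
                if (s, d) not in ALLOWED and ("*", d) not in ALLOWED:
                    findings.append(f"{f.src}->{f.dst}:{f.port}: {s}->{d} "
                                    "is not an expected tier-to-tier flow")
        if not f.encrypted and not f.direct_link:
            findings.append(f"{f.src}->{f.dst}:{f.port}: cleartext over a shared network")
    return findings

if __name__ == "__main__":
    for line in review(HOST_ROLES, FLOWS):
        print(line)
```

Mark a flow with `direct_link=True` only when the two hosts really are cabled to each other; a shared switch or VLAN is the case the thread says still needs encryption.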