[CentOS] PCI/DSS compliance on CentOS

Rui Miguel Silva Seabra rms at 1407.org
Sat May 26 07:47:35 UTC 2012


On Fri, 25 May 2012 13:47:12 -0400
m.roth at 5-cent.us wrote:

> Arun Khan wrote:
> > I have a client project to implement PCI/DSS compliance.
> >
> > The PCI/DSS auditor has stipulated that the web server, application
> > middleware (tomcat), the db server have to be on different systems.
> > In addition the auditor has also stipulated that there be a NTP
> > server, a "patch" server,
> >
> > The Host OS on all of the above nodes will be CentOS 6.2.
> >
> > Below is a list of things that would be necessary.
> >
> > 1. Digital Certificates for each host on the PCI/DSS segment
> > 2. SELinux on each Linux host in the PCI/DSS network segment
> > 3. Tripwire/AIDE on each Linux host in the PCI/DSS segment
> > 4. OS hardening scripts (e.g. Bastille Linux)
> > 5. Firewall
> > 6. IDS (Snort)
> > 6. Central “syslog” server
> >
> > However, beyond this I would appreciate any comments/feedback /
> <snip>
> I had a short-term contract with a company that a) did managed
> security, and b) was a root CA. I *think* the auditor missed one
> thing: as I understand it, if the three servers aren't hardwired to
> each other, *all* communications must be encrypted between them.

It's always a matter of risk based analysis.

Were those three servers on the same network segment (logical and
physical)? Do you have good and restrictive firewalls around them, and
so on?

It's not good security or a good audit result if you just throb all the
knobs.

Rui
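As an added example, not part of the thread or of any CentOS project code: a small POSIX sh audit helper for three of the controls in the list quoted above (SELinux enforcing, central syslog with forwarding over TCP, and an NTP server configured). It reads configuration files passed as arguments instead of touching the live system, so it can be exercised without root; the paths used for the `--live` run are the CentOS 6 defaults, and everything else (function names, the check set) is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks a few of the
# controls a PCI DSS segment host is expected to carry, using config files
# given as arguments so the functions can be tested against constructed input.

# Item 2: /etc/selinux/config must set SELINUX=enforcing (commented lines ignored).
selinux_enforcing() {
    grep -Eq '^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*enforcing[[:space:]]*$' "$1"
}

# Central syslog: rsyslog.conf forwards at least one selector to a remote host.
# CentOS 6 rsyslog syntax is "selector @host" (UDP) or "selector @@host" (TCP).
syslog_forwards() {
    grep -Eq '^[[:space:]]*[^#[:space:]]+[[:space:]]+@@?[^[:space:]]+' "$1"
}

# Prefer TCP ("@@"): UDP forwarding loses messages silently under load or
# when the collector is down, which leaves gaps in the audit trail.
syslog_forwards_tcp() {
    grep -Eq '^[[:space:]]*[^#[:space:]]+[[:space:]]+@@[^[:space:]]+' "$1"
}

# NTP: ntp.conf names at least one server so log timestamps line up across hosts.
ntp_has_server() {
    grep -Eq '^[[:space:]]*server[[:space:]]+[^[:space:]]+' "$1"
}

# Run the checks for one host; print PASS/FAIL lines and return the failure count.
audit_host() {
    selinux_cfg=$1
    rsyslog_cfg=$2
    ntp_cfg=$3
    failures=0

    if selinux_enforcing "$selinux_cfg"; then
        echo "PASS selinux: enforcing"
    else
        echo "FAIL selinux: not enforcing in $selinux_cfg"
        failures=$((failures + 1))
    fi

    if syslog_forwards "$rsyslog_cfg"; then
        echo "PASS syslog: forwarding to a remote collector"
    else
        echo "FAIL syslog: no remote forwarding in $rsyslog_cfg"
        failures=$((failures + 1))
    fi

    if syslog_forwards_tcp "$rsyslog_cfg"; then
        echo "PASS syslog: forwarding uses TCP"
    else
        echo "FAIL syslog: forwarding is UDP only (or absent) in $rsyslog_cfg"
        failures=$((failures + 1))
    fi

    if ntp_has_server "$ntp_cfg"; then
        echo "PASS ntp: server configured"
    else
        echo "FAIL ntp: no server line in $ntp_cfg"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Stand-alone use on a CentOS 6 host: sh audit.sh --live
# (the default config paths below are the CentOS 6 locations).
if [ "${1:-}" = "--live" ]; then
    audit_host /etc/selinux/config /etc/rsyslog.conf /etc/ntp.conf
fi
```

The exit status of `audit_host` is the number of failed checks, so it can be wrapped by a patch-server job or a cron run on every host in the segment. The script only inspects configuration text: it does not verify that the forwarding is TLS-wrapped, that the firewall actually restricts the web, Tomcat and database tiers to each other, or that AIDE or Tripwire is running, so it is a starting point for the auditor's list rather than evidence of compliance on its own.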
