[CentOS] PCI/DSS compliance on CentOS

Fri May 25 17:57:55 UTC 2012
Ken godee <ken at perfect-image.com>

wow, seems like quite a lot.

What "level" of PCI/DSS compliance are you going for?

The only other thing I might add....

Are you hosting the hardware? If it's
hosted elsewhere then the "facility" that's
hosting the hardware needs to be PCI/DSS compliant.

On 5/25/2012 10:22 AM, Arun Khan wrote:
> I have a client project to implement PCI/DSS compliance.
>
> The PCI/DSS auditor has stipulated that the web server, application
> middleware (tomcat), the db server have to be on different systems.
> In addition the auditor has also stipulated that there be an NTP
> server, a "patch" server,
>
> The Host OS on all of the above nodes will be CentOS 6.2.
>
> Below is a list of things that would be necessary.
>
> 1. Digital Certificates for each host on the PCI/DSS segment
> 2. SELinux on each Linux host in the PCI/DSS network segment
> 3. Tripwire/AIDE on each Linux host in the PCI/DSS segment
> 4. OS hardening scripts (e.g. Bastille Linux)
> 5. Firewall
> 6. IDS (Snort)
> 7. Central “syslog” server
>
> However, beyond this I would appreciate any comments/feedback /
> suggestion if you or your organization has undergone a PCI/DSS audit
> and what are the gotchas that you encountered, especially with respect
> to CentOS/ open source stack.
>
> I came across this which kind of brings out issues between the
> implementer and the PCI/DSS auditor.
> <http://webmasters.stackexchange.com/questions/15098/pci-dss-compliance-for-a-vps-using-centos>
>
> Thanks very much.
>
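
A script along these lines checks whether the host-level items on that list (SELinux enforcing, an AIDE baseline, an iptables default-deny posture, upstream NTP, and rsyslog forwarding to a central collector) are actually configured on a CentOS 6 box. It is an added example for this thread, not code from either poster or from any of the tools named. The file paths are the CentOS 6 defaults, the check function names and the `--audit` flag are hypothetical, and a PASS only shows the setting is present in the config file, not that the auditor will accept it.

```shell
#!/bin/sh
# Hypothetical helper: self-check of host-level PCI DSS controls on CentOS 6.
# Each check reads the file given as its argument (default: the usual CentOS 6
# location) and returns 0 on pass, non-zero on fail. It reads configuration
# only; it does not change anything on the host.

# SELinux must be persistently enforcing, i.e. set in /etc/selinux/config,
# not merely the current getenforce state. Commented-out lines do not count.
check_selinux() {
    f="${1:-/etc/selinux/config}"
    grep -Eq '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' "$f" 2>/dev/null
}

# Central syslog: rsyslog must forward to a remote collector. Forwarding
# lines look like "*.* @@loghost:514" (TCP) or "*.* @loghost" (UDP);
# anything after "#" is a comment and is ignored.
check_remote_syslog() {
    f="${1:-/etc/rsyslog.conf}"
    grep -Eq '^[^#]*[[:space:]]@@?[A-Za-z0-9._-]+(:[0-9]+)?[[:space:]]*$' "$f" 2>/dev/null
}

# NTP: at least one real upstream "server" line. Addresses 127.127.x.x are
# ntpd's pseudo-addresses for local reference clocks (the default
# "server 127.127.1.0" is the undisciplined local clock), so they do not
# count as synchronising to a time source.
check_ntp() {
    f="${1:-/etc/ntp.conf}"
    n=$(grep -E '^[[:space:]]*server[[:space:]]+' "$f" 2>/dev/null \
        | grep -Evc '[[:space:]]127\.127\.' || true)
    [ "${n:-0}" -gt 0 ]
}

# Host firewall: the saved iptables rules must either set the INPUT chain
# policy to DROP/REJECT or carry an explicit "-A INPUT -j REJECT|DROP" rule
# (the stock CentOS 6 ruleset does the latter as its final INPUT rule).
check_firewall() {
    f="${1:-/etc/sysconfig/iptables}"
    grep -Eq '^:INPUT (DROP|REJECT)|^-A INPUT -j (DROP|REJECT)' "$f" 2>/dev/null
}

# AIDE: the binary is installed AND a baseline database exists. After
# "aide --init" the new database must be moved into place as aide.db.gz;
# an installed AIDE with no baseline has nothing to compare against.
check_aide() {
    bin="${1:-/usr/sbin/aide}"
    db="${2:-/var/lib/aide/aide.db.gz}"
    [ -x "$bin" ] && [ -s "$db" ]
}

# Run every check against the host's default paths and print PASS/FAIL per
# control. The return value is the number of failed checks (0 = all present).
pci_audit() {
    failed=0
    for c in check_selinux check_remote_syslog check_ntp check_firewall check_aide; do
        if "$c"; then
            echo "PASS $c"
        else
            echo "FAIL $c"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only touch the live host when explicitly asked ("sh pci_audit.sh --audit");
# sourcing the file merely defines the check functions.
if [ "${1:-}" = "--audit" ]; then
    pci_audit
fi
```

Each check is deliberately file-based rather than querying the running system, so the same functions can be pointed at a copy of a host's /etc taken during an audit, and a non-zero count from `pci_audit` is the list of controls to fix before the assessor looks.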