[CentOS] PCI/DSS compliance on CentOS

Fri May 25 19:42:51 UTC 2012
Eero Volotinen <eero.volotinen at iki.fi>

2012/5/25 Arun Khan <knura9 at gmail.com>:
> I have a client project to implement PCI/DSS compliance.
>
> The PCI/DSS auditor has stipulated that the web server, application
> middleware (tomcat), the db server have to be on different systems.

Requirement "one primary function per server".

> In addition the auditor has also stipulated that there be a NTP
> server, a "patch" server,

True also.

>
> The Host OS on all of the above nodes will be CentOS 6.2.
>
> Below is a list of things that would be necessary.
>
> 1. Digital Certificates for each host on the PCI/DSS segment

Usually needed, if you use https or similar protocols.

> 2. SELinux on each Linux host in the PCI/DSS network segment

SELinux is not usually needed.

> 3. Tripwire/AIDE on each Linux host in the PCI/DSS segment

Ossec (www.ossec.net) can do this.

> 4. OS hardening scripts (e.g. Bastille Linux)

Some hardening needed.

> 5. Firewall

Hardware and software firewall on each network segment with NAT enabled.

> 6. IDS (Snort)

Ossec can do this.

> 6. Central “syslog” server

Ossec server with samhain is a good solution for that.

>
> However, beyond this I would appreciate any comments/feedback /
> suggestion if you or your organization has undergone a PCI/DSS audit
> and what are the gotchas that you encountered, especially with respect
> to CentOS/ open source stack.

--
Eero
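Added example (not part of the thread, and not AIDE, Tripwire or OSSEC code): a minimal file-integrity baseline/verify routine showing what item 3 above (Tripwire/AIDE on each host in the PCI segment) actually checks. It records a SHA-256 digest plus mode, owner and size for every regular file under a root, then reports files that were added, removed or changed. The scratch directory, file names and contents in `demo_tamper_detection` are constructed for the demonstration; the `etc/` tree is a stand-in for real system paths, not a recommendation of what to monitor.

```python
"""Minimal file-integrity monitor (baseline + verify), in the spirit of AIDE/Tripwire.
Added example for illustration; not the code of any of the tools named in the thread."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record digest, permission bits, owner and size for every regular file under root."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are out of scope here
            baseline[str(p.relative_to(root_path))] = {
                "sha256": _hash_file(p),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline: dict, dest: str) -> None:
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: str) -> dict:
    return json.loads(Path(src).read_text())


def verify(root: str, baseline: dict) -> dict:
    """Compare the live tree with a stored baseline; list added/removed/changed files."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo_tamper_detection() -> dict:
    """Constructed scenario: baseline a scratch tree, tamper with it, then verify."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    etc = Path(root) / "etc"
    etc.mkdir()
    (etc / "app.conf").write_text("db_host=10.0.0.5\n")   # constructed sample content
    os.chmod(etc / "app.conf", 0o600)
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(etc / "passwd", 0o644)
    (Path(root) / "old.log").write_text("rotated\n")

    # The baseline database lives outside the monitored tree; in production it
    # belongs on read-only or off-host storage so a compromise cannot rewrite it.
    db = str(Path(tempfile.mkdtemp(prefix="fim-db-")) / "baseline.json")
    save_baseline(build_baseline(root), db)

    # Simulated changes: same-length content edit (only the digest differs),
    # permission change, a new file, and a deleted file.
    (etc / "app.conf").write_text("db_host=10.0.0.6\n")
    os.chmod(etc / "passwd", 0o666)
    (etc / "dropped.sh").write_text("#!/bin/sh\n")
    (Path(root) / "old.log").unlink()

    return verify(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo_tamper_detection(), indent=1))
```

The same-length edit in the demo is why the check hashes content rather than trusting size and mtime alone: `verify` reports `etc/app.conf` as changed only on `sha256`, and `etc/passwd` only on `mode`.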