2012/5/25 Arun Khan <knura9@xxxxxxxxx>:
> I have a client project to implement PCI/DSS compliance.
>
> The PCI/DSS auditor has stipulated that the web server, application
> middleware (tomcat), the db server have to be on different systems.

Requirement "one primary function per server".

> In addition the auditor has also stipulated that there be an NTP
> server, a "patch" server,

True also.

>
> The Host OS on all of the above nodes will be CentOS 6.2.
>
> Below is a list of things that would be necessary.
>
> 1. Digital Certificates for each host on the PCI/DSS segment

Usually needed, if you use https or similar protocols.

> 2. SELinux on each Linux host in the PCI/DSS network segment

SELinux is not usually needed.

> 3. Tripwire/AIDE on each Linux host in the PCI/DSS segment

Ossec (www.ossec.net) can do this.

> 4. OS hardening scripts (e.g. Bastille Linux)

Some hardening needed.

> 5. Firewall

Hardware and software firewall on each network segment with NAT enabled.

> 6. IDS (Snort)

Ossec can do this.

> 6. Central "syslog" server

Ossec server with samhain is a good solution for that.

>
> However, beyond this I would appreciate any comments/feedback /
> suggestion if you or your organization has undergone a PCI/DSS audit
> and what are the gotchas that you encountered, especially with respect
> to CentOS/ open source stack.

-- 
Eero

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
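Per-host checks for the items in Arun's list (SELinux, AIDE, NTP, firewall, central syslog, one function per server), as an added example that is not part of the thread. It assumes the CentOS 6 default config locations (/etc/selinux/config, /etc/rsyslog.conf, /etc/ntp.conf, /etc/sysconfig/iptables, /var/lib/aide/aide.db.gz) and that log forwarding is an rsyslog "@@host:port" (TCP) action; every path is a parameter so the checks can also be run against saved copies of the files.

```shell
#!/bin/sh
# Each check returns 0 (pass) or non-zero (fail). Paths default to the
# CentOS 6 locations (an assumption of this example), override with $1.

# Item 2: SELinux must be persistently set to enforcing.
check_selinux_config() {
    cfg=${1:-/etc/selinux/config}
    grep -Eq '^SELINUX=enforcing$' "$cfg"
}

# Item 3: the AIDE baseline database must exist and be non-empty.
check_aide_db() {
    db=${1:-/var/lib/aide/aide.db.gz}
    [ -s "$db" ]
}

# NTP item: ntp.conf must name at least one time server.
check_ntp_servers() {
    cfg=${1:-/etc/ntp.conf}
    grep -Eq '^server[[:space:]]+[A-Za-z0-9._-]+' "$cfg"
}

# Item 5: the saved iptables ruleset must default-DROP the INPUT chain.
check_iptables_default_drop() {
    cfg=${1:-/etc/sysconfig/iptables}
    grep -Eq '^:INPUT DROP' "$cfg"
}

# Central syslog item: an uncommented rsyslog rule must forward over TCP
# ("@@host" or "@@host:port") to the central log server.
check_rsyslog_forward() {
    cfg=${1:-/etc/rsyslog.conf}
    grep -Eq '^[^#]*[[:space:]]@@[A-Za-z0-9._-]+(:[0-9]+)?' "$cfg"
}

# "One primary function per server": given a saved `netstat -tlnp` listing,
# fail if more than one of the web/middleware/db daemons is listening.
check_single_role() {
    n=0
    for r in httpd java mysqld postgres; do
        grep -q "/$r" "$1" && n=$((n + 1))
    done
    [ "$n" -le 1 ]
}

# Run the file-based checks against the live host and report each verdict.
run_all() {
    rc=0
    for c in check_selinux_config check_aide_db check_ntp_servers \
             check_iptables_default_drop check_rsyslog_forward; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return "$rc"
}
```

Run `run_all` on each host in the PCI segment and `check_single_role` against `netstat -tlnp` output; a FAIL is a finding to fix before the auditor sees it, not proof of compliance when everything passes.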