That is the last piece. We use SAMHAIN as a FIM; of course Tripwire is there also as a secondary FIM.

My webservers are behind a firewall, load balancers, a caching (squid) reverse proxy, a Web Application Firewall, another Apache proxy server for static content, and then a modperl webserver. Then, on anything that deals with CHD, our APIs won't even work with anything intercepting the info... as the data has to be "blessed properly and pure" and only over SSL.

The APIs are behind three firewalls, behind two layers of NAT and three layers of ACL, and have to prove they are who they say they are every time.

Auditors' and external scanners' jobs are to help us get through the scan remediation and to get things taken care of satisfactorily.

Our current auditor is an idiot to the extreme, with no ability to communicate. He can help if he pays attention, but seriously... we are 6 months out of compliance without an AoC, but we have had a "pending" one for 6 months. Which, while it's good enough for temporary use, one bank in Canada is about ready to start fining us.

I got the last, last, last, last, last, task of the ever moving task list done Friday.

I only added about 400 IPTables rules and 17 chains related to them. GRAH! Our IPTables was only 300 rules to begin with and caused no problems. "Spirit of the regulations" is what is expected... not "Letter of the regulations".

Anyway, this is a serious OOOGA-BOOOOGA, since we don't even have installable compilers available on the machines the webservers live on.