File Integrity Monitoring - Compensating Controls
npuetz
05-25-2007, 05:15 AM
Does anyone have any good compensating controls to work around 10.5.5 (file integrity monitoring)? I have read some information about implementing file system level logging to alert administrators and security staff if an event log is authorized manually by a user account. But I'm not quite sure what this all entails. I'm thinking that one could use a combination of file system ACLs and strict controls around the root account as a compensating control, but I think more controls may need to be used. Thanks!
jbhall56
05-26-2007, 10:24 AM
You are right. Strict ACLs and strict controls over administrator/root access are just the start.
You will also need centralized logging and some sort of log review, preferably automated, that monitors the logs 24x7 for any 'anomalous' entries that might indicate a security issue. This log monitoring should also look for any changes to the ACLs, changes to privileges of accounts, etc. Essentially, any change in the security posture of the system.
In addition to using the logging system to monitor the server in question, it should also monitor the network as a whole looking for any changes in the security posture of routers, firewalls, switches, other systems, etc. This is key to make sure that someone doesn't use another system to gain access to PCI systems.
The bottom line is that file monitoring via Tripwire or similar might just be as easy and as expensive as the compensating control, unless you already have the centralized logging solution implemented.
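As an added illustration of the automated log review described in the reply above (not part of the original thread), this Python example scans Linux auditd records for writes to log files, permission changes, and privilege configuration changes. The sample records, the rule keys (`log_tamper`, `perm_mod`, `priv_change`) and the allowlist of expected log writers are constructed assumptions.

```python
import re

# Constructed auditd records (not from a real system). The key= values assume
# audit rules tagged by the administrator, for example:
#   -w /var/log/ -p wa -k log_tamper
#   -w /etc/sudoers -p wa -k priv_change
#   -a always,exit -F arch=b64 -S chmod,fchmod,chown,setxattr -k perm_mod
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1180084500.101:811): arch=c000003e syscall=2 success=yes exit=4 auid=4294967295 uid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="log_tamper"
type=SYSCALL msg=audit(1180084560.330:812): arch=c000003e syscall=2 success=yes exit=3 auid=1004 uid=0 comm="vi" exe="/usr/bin/vi" key="log_tamper"
type=SYSCALL msg=audit(1180084601.007:813): arch=c000003e syscall=90 success=yes exit=0 auid=1004 uid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1180084655.912:814): arch=c000003e syscall=2 success=no exit=-13 auid=1007 uid=1007 comm="tee" exe="/usr/bin/tee" key="priv_change"
type=PATH msg=audit(1180084655.912:814): item=0 name="/etc/sudoers" inode=1311 mode=0100440
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
WATCHED_KEYS = ("log_tamper", "perm_mod", "priv_change")
# Assumed allowlist: programs expected to write under /var/log on this host.
EXPECTED_LOG_WRITERS = {"/usr/sbin/rsyslogd", "/usr/sbin/logrotate"}

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = EVENT.search(line)
    if m:
        rec["epoch"], rec["serial"] = int(m.group(1)), int(m.group(2))
    return rec

def review(log_text):
    """Return one alert per record that changes the host's security posture."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") not in WATCHED_KEYS:
            continue
        if rec["key"] == "log_tamper" and rec.get("exe") in EXPECTED_LOG_WRITERS:
            continue  # routine write by a logging daemon, not a manual edit
        # auid is the login identity and survives su/sudo; failed attempts
        # (success=no) are kept because they are worth reviewing too.
        alerts.append({"serial": rec.get("serial"), "rule": rec["key"],
                       "exe": rec.get("exe"), "auid": rec.get("auid"),
                       "uid": rec.get("uid"), "success": rec.get("success") == "yes"})
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Running the same review on a central log server, rather than on the monitored host, keeps the alerting out of reach of an account that can alter local logs.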