nanog mailing list archives

Re: Need trusted NTP Sources

From: Nick Hilliard <nick () foobar org>
Date: Thu, 06 Feb 2014 12:09:24 +0000

On 06/02/2014 11:46, Notify Me wrote:

We're a redhat shop, and we  use redhat auth which by default uses redhat
NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.


PCI DSS states:

10.4.3 Time settings are received from industry-accepted time sources.


The default RHEL time servers are defined as X.rhel.ntp.org.  Many people
would consider ntp.org as industry-accepted, and there are several PCI-DSS
auditing companies out there who explicitly recommend using pool.ntp.org
for this purpose.

If that's not good enough, the PCI DSS standards explicitly state in the
NTP interpretation section:

More information on NTP can be found at www.ntp.org, including
information about time, time standards, and servers.


So, if PCI themselves view ntp.org as being authoritative about NTP I can't
see any reason why the time servers they publish wouldn't pass an audit.

Nick

Current thread:

Need trusted NTP Sources Notify Me (Feb 06)
- Re: Need trusted NTP Sources Nick Hilliard (Feb 06)
  - Re: Need trusted NTP Sources Notify Me (Feb 06)
    - Re: Need trusted NTP Sources Nick Hilliard (Feb 06)
  - Re: Need trusted NTP Sources Chris Adams (Feb 06)
- Message not available
  - Re: Need trusted NTP Sources Notify Me (Feb 06)
    - Re: Need trusted NTP Sources Aled Morris (Feb 06)
    - Re: Need trusted NTP Sources Mark Milhollan (Feb 06)
    - Re: Need trusted NTP Sources Jay Ashworth (Feb 06)
    - Re: Need trusted NTP Sources Saku Ytti (Feb 07)
    - Re: Need trusted NTP Sources Jimmy Hess (Feb 07)
    - Re: Need trusted NTP Sources Jay Ashworth (Feb 08)
    - Re: Need trusted NTP Sources Roy (Feb 07)
    - RE: Need trusted NTP Sources Matthew Huff (Feb 07)

(Thread continues...)