Hi Alexander, I think you or your consultant may have an overly strict reading of the PCI documents. Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few times... If you have your PCI hosts directly going against ntp.org or similar, then you are not in compliance.
My understanding is that you need to:

A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc. These in turn (section 10.4.3) can get their time from 'industry-accepted time sources'.

B) The rest of your PCI infrastructure in turn uses these NTP servers and only these NTP servers.

- Michael DeMan

On Feb 6, 2014, at 2:27 AM, Alexander Maassen <outsi...@scarynet.org> wrote:

> www.pool.ntp.org
>
> -------- Original message --------
> From: Notify Me <notify.s...@gmail.com>
> Date:
> To: "nanog@nanog.org list" <nanog@nanog.org>,af...@afnog.org
> Subject: Need trusted NTP Sources
>
> Hi !
>
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
>
> Please can anyone help with sources that wouldn't mind letting us sync
> from them?
>
> Thanks a lot!
>
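
The two-tier layout described in the reply above (internal, fully meshed NTP servers that alone talk to upstream sources, with every other host using only those servers) can be checked mechanically against each host's ntp.conf. This is an added example, not part of the original thread; the hostnames in `INTERNAL` and `UPSTREAM` and the sample configurations are constructed assumptions, and which upstreams count as approved is a site decision.

```python
import re

# Assumed names (hypothetical): the site's own NTP servers and its approved upstreams.
INTERNAL = {"ntp1.corp.example", "ntp2.corp.example", "ntp3.corp.example"}
UPSTREAM = {"time-a.upstream.example", "time-b.upstream.example"}

SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)

def time_sources(conf_text):
    """Return (directive, host) pairs from ntp.conf-style text, ignoring comments."""
    pairs = []
    for line in conf_text.splitlines():
        m = SOURCE_RE.match(line.split("#", 1)[0])
        if m:
            pairs.append((m.group(1).lower(), m.group(2).lower().rstrip(".")))
    return pairs

def audit_client(conf_text):
    """A client may sync only from the internal servers."""
    sources = time_sources(conf_text)
    if not sources:
        return ["no time source configured"]
    return [f"not an internal server: {d} {h}" for d, h in sources if h not in INTERNAL]

def audit_internal_server(conf_text, own_name):
    """An internal server peers with every other internal server and
    takes time only from approved upstreams."""
    sources = time_sources(conf_text)
    peers = {h for d, h in sources if d == "peer"}
    findings = [f"missing peer: {h}" for h in sorted(INTERNAL - {own_name} - peers)]
    findings += [f"unapproved upstream: {d} {h}"
                 for d, h in sources if d != "peer" and h not in UPSTREAM]
    findings += [f"peer outside internal set: {h}" for h in sorted(peers - INTERNAL)]
    return findings

# Constructed sample configurations.
CLIENT_BAD = """
server ntp1.corp.example iburst
pool 0.pool.ntp.org iburst   # direct public source on a client
"""
SERVER_NTP1 = """
server time-a.upstream.example iburst
peer ntp2.corp.example
"""

if __name__ == "__main__":
    print(audit_client(CLIENT_BAD))
    print(audit_internal_server(SERVER_NTP1, "ntp1.corp.example"))
```

An empty findings list for every host is the state the reply describes; the same check can run in configuration management so a stray public source on a client is caught before an audit.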