I've never heard of insisting that systems maintain the same NTP host. It's completely undoable in many cases, between latency and network firewalls.
All that should matter is that you are connected to a low-stratum NTP host on each side, consistently and reliably. It's also increasing your attack surface area -- if you are using a single NTP host and you lose one datacenter, both sides go down. If he refuses to budge for reasons that involve "justifying his job," a compromise might be that Server 1 has the NTP server for Server 2 as its third choice, and the opposite for Server 2.

On 25 September 2015 at 08:54, Matt Butch <apple4e...@me.com> wrote:
> Anybody here know about PCI and time servers? I'm fighting a battle with
> our security guy about it.
>
> Background: we have two e-commerce datacenters (active/failover type)
> located on opposite sides of the country that host our web stack, and two
> corporate offices near each other that host the business stack (i.e. email,
> file server, AD, warehouse/shipping database system). We also have a host
> of stores and warehouses.
>
> PCI requires that "Critical systems have the correct and consistent time."
> (10.4.1). However the testing procedures in that section say "Only the
> designated central time server(s) receives time signals from external
> sources". He is hung up on that "central" part.
>
> I want to put time servers in the two e-commerce datacenters as well as
> the two corporate offices and peer all of them together, and point our
> servers to all of them. He wants to only put them in the two corporate
> offices. His argument is that they are then central there. Mine is that
> they aren't central to the web stack, and that the web stack will not
> maintain correct and consistent time.
>
> Thoughts?
>
> -Matt
>
> --
>
> I follow the System Administrators' Code of Ethics:
> https://lopsa.org/CodeOfEthics
> LOPSA Member
>
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>

--
----------------------------
Regards,
Michael Shulman
michael.shul...@gmail.com
Never attribute to malice that which can be adequately explained by stupidity.
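The layout Matt proposes, with the "third choice" ordering from the compromise above, as an added ntpd configuration example that is not part of either message. All hostnames are placeholders; only the designated central servers take external time, all four internal servers peer with each other, and web-stack hosts list every internal server.

```conf
# Added example, not from the thread: ntpd configuration for four internal
# time servers (two corporate, one per e-commerce datacenter). Hostnames are
# placeholders.

# --- /etc/ntp.conf on a designated central time server (corp-ntp1) ---
# Only the designated central servers receive external time (PCI DSS 10.4.1).
server upstream1.example.net iburst     # placeholder external stratum-1/2 source
server upstream2.example.net iburst
server upstream3.example.net iburst

# Symmetric peering with the other three internal servers keeps all sites
# consistent even if one datacenter or one upstream path is lost.
peer corp-ntp2.example.com iburst
peer dc-east-ntp.example.com iburst
peer dc-west-ntp.example.com iburst

# Serve time to everyone, but refuse remote status queries and runtime changes.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Internal peers may form symmetric associations and read status.
restrict corp-ntp2.example.com nomodify notrap
restrict dc-east-ntp.example.com nomodify notrap
restrict dc-west-ntp.example.com nomodify notrap

# --- /etc/ntp.conf on a web-stack host in the east datacenter ---
# Local site preferred, far datacenter second, corporate offices third, as
# in the compromise above. ntpd still runs its own clock-selection algorithm
# across all four, so 'prefer' only biases the choice; it does not pin it.
server dc-east-ntp.example.com iburst prefer
server dc-west-ntp.example.com iburst
server corp-ntp1.example.com iburst
server corp-ntp2.example.com iburst

# Never serve or expose time from a web host; only accept replies from the
# configured servers above.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

Verify the result on each host with `ntpq -p`: every internal server should show a stratum one above its upstream, and a web host should show all four internal servers reachable with one marked `*` as the selected source.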