We're a redhat shop, and we use redhat auth which by default uses redhat NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands. On Feb 6, 2014 11:43 AM, "Nick Hilliard" <nick@foobar.org> wrote:
On 06/02/2014 10:03, Notify Me wrote:
I'm trying to help a company I work for to pass an audit, and we've been told we need trusted NTP sources (RedHat doesn't cut it).
So presuming that your company is using RH or Fedora or CentOS something, the auditors are claiming that Red Hat, Inc is trusted enough to provide a precompiled based operating system with no feasible means of proving its reliability, but that they're not trustworthy enough to provide a clock synchronisation service?
My head spins.
Get new auditors. Your current ones are stupid.
Nick