[ntp:questions] ntpdate

Danny Mayer mayer at ntp.org
Wed Jun 17 16:03:02 UTC 2009

tglassey wrote:
> Danny Mayer wrote:
>> Todd Glassey CISM CIFI wrote:
>>> Danny Mayer wrote:
>>>> Todd Glassey CISM CIFI wrote:
>>>>> Danny Mayer wrote:
>>>>>> tglassey wrote:
>>>>>>> Danny Mayer wrote:
>>>>>>>> Scott Haneda wrote:
>>>>>>>>> On Jun 15, 2009, at 8:59 AM, Todd Glassey CISM CIFI wrote:
>>>>>>>>>>> You should be running ntpd as a daemon. That will keep the
>>>>>>>>>>> clock in
>>>>>>>>>>> synch and you never have to touch it.
>>>>>>>>>> Which creates an audit issue and security profile which always
>>>>>>>>>> needs
>>>>>>>>>> to be watched. NTPD is not the answer for everyone Danny.
>>>>>>>>> Can you elaborate on this?  I see that ntpdate and ntpd can
>>>>>>>>> both be
>>>>>>>>> made
>>>>>>>>> to do the same thing in my case, which is a non daemonized single
>>>>>>>>> instance setting of time.
>>>>>>>>> If I do not plan on making a daemon, and just running it once a
>>>>>>>>> hour on
>>>>>>>>> schedule, as well as in a reboot of the machine after the
>>>>>>>>> interfaces are
>>>>>>>>> up, what would my concerns be?
>>>>>>>>> If I do decide to run ntpd as a daemon, what audit/secuirty issues
>>>>>>>>> should I be looking into?
>>>>>>>>> Thank you Todd.
>>>>>>>> He's just blowing fud.
>>>>>>>> Danny
>>>>>>> No Danny I was speaking from an audit perspective. No FUD here -
>>>>>>> just
>>>>>>> reality.
>>>>>> There are no audit requirements here. That's the reality.
>>>>> No Danny that is your reality - the commercial users of NTP are the
>>>>> ones
>>>>> who need the audit process.
>>>> He's not a commercial user and most commercial users don't need
>>>> audit in
>>>> the way you assert.
>>> Danny  ALL commercial users do need to apply evidence grade reality to
>>> their time management practices. That this bothers you is understandable
>>> - being accountable is a pain in the arse eh?
>> Not at all. We have SOX processes everywhere at work. 
> yes and since your auditor's decided what was and was not in scope they
> decided that since time management was such a pain in the ass they would
> sidestep it.  That doesnt mean that AS-6 or the other IIA audit
> practices dont mandate proper time control.

You neither know them nor what is important for the business. The
requirement is causality and making sure that only the authorized people
did what was needed. There is no need to require that the timestamps be
even within a minute never mind within a second and the logging is

>> None of them
>> require accurate time since they are not needed. 
> Until you get to OATS and DSS compliance.

We know what's needed and none of this applies.

>> What is needed is a
>> clear audit trail of what did what.
> Without that proper synchronization there is no comparability to records
> created on or in other frameworks or sites.
>> Don't try to read into something that I didn't say.
> I didn't read anything into the commentary you put out there Danny
> except that you dont like being wrong especially when its me slamming
> you back into reality.

You are the one without a grip on reality. Just because you have a
hammer doesn't mean that everything is a nail.


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the questions mailing list