← Rules Catalog
mediumservicesverified rollback-safe

Ensure chrony runs as non-root user

chrony-user · RHEL ≥ 8 · 1 impl

Description

The chronyd daemon should run as the chrony user, not as root. Running time synchronization services as a non-privileged user limits the impact of potential vulnerabilities.

Rationale

Running network-facing services as root increases the attack surface. If chronyd is compromised, running as a non-root user limits the attacker's ability to affect the rest of the system.

Check → Remediate

Checkcommand
if pgrep -x chronyd >/dev/null 2>&1; then
  # Check actual running user (operational verification)
  ps -o user= -C chronyd 2>/dev/null | head -1 | grep -qx 'chrony'
else
  # Service not running - check if config specifies user
  # RHEL 9+ runs as chrony by default, so also check if no override exists
  grep -E '^OPTIONS=.*-u chrony' /etc/sysconfig/chronyd 2>/dev/null || \
  grep -E '^\s*user\s+chrony' /etc/chrony.conf 2>/dev/null || \
  ! grep -E '^\s*user\s+' /etc/chrony.conf 2>/dev/null
fi
expected_exit:
0
Remediateconfig_set
path:
/etc/sysconfig/chronyd
key:
OPTIONS
value:
"-u chrony"
separator:
=
restart:
chronyd

Framework references

CIS

rhel9 2.3.3rhel10 2.3.3rhel8 2.3.3

NIST 800-53

AC-6CM-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#service#chrony#time#privilege