mediumservicesverified ✓rollback-safe
Ensure chrony runs as non-root user
chrony-user · RHEL ≥ 8 · 1 impl
Description
The chronyd daemon should run as the chrony user, not as root. Running time synchronization services as a non-privileged user limits the impact of potential vulnerabilities.
Rationale
Running network-facing services as root increases the attack surface. If chronyd is compromised, running as a non-root user limits the attacker's ability to affect the rest of the system.
Check → Remediate
Checkcommand
if pgrep -x chronyd >/dev/null 2>&1; then # Check actual running user (operational verification) ps -o user= -C chronyd 2>/dev/null | head -1 | grep -qx 'chrony' else # Service not running - check if config specifies user # RHEL 9+ runs as chrony by default, so also check if no override exists grep -E '^OPTIONS=.*-u chrony' /etc/sysconfig/chronyd 2>/dev/null || \ grep -E '^\s*user\s+chrony' /etc/chrony.conf 2>/dev/null || \ ! grep -E '^\s*user\s+' /etc/chrony.conf 2>/dev/null fi
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/sysconfig/chronyd
- key:
- OPTIONS
- value:
- "-u chrony"
- separator:
- =
- restart:
- chronyd
Framework references
CIS
rhel9 2.3.3rhel10 2.3.3rhel8 2.3.3
NIST 800-53
AC-6CM-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#service#chrony#time#privilege