Profile Applicability:
• Level 1
Description:
Chrony is a network time protocol (NTP) client and server used to synchronize system clocks. Running chrony as the root user increases security risks if the service is compromised. Running it under a less privileged user minimizes potential damage.
Rationale:
Running chrony with reduced privileges limits the impact of potential exploits or vulnerabilities, improving overall system security.
Impact:
Pros:
Reduces risk associated with running services as root.
Limits scope of damage if chrony is compromised.
Cons:
Requires proper configuration and testing to ensure chrony runs correctly under a non-root user.
Default Value:
Chrony typically runs as root by default on many systems.
Pre-requisites:
Root or sudo privileges to modify service configurations.
Remediation:
Test Plan:
Using Linux command line:
- Check the user the chronyd process runs as (the bracket in the pattern keeps grep from matching its own command line):
ps -eo user,pid,comm | grep '[c]hronyd'
Verify the USER column shows a non-root account.
Implementation Plan:
Using Linux command line:
1. Modify the chrony service configuration so that it runs as a non-root user, as follows.
2. Create a dedicated user (if it does not already exist):
useradd -r -s /sbin/nologin chrony
3. Edit /etc/systemd/system/chronyd.service or the relevant service file so that its [Service] section includes (one directive per line):
[Service]
User=chrony
Group=chrony
4. Reload systemd and restart chrony:
systemctl daemon-reload
systemctl restart chronyd
5. Verify the service runs under the non-root user.
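The Test Plan audit and steps 2 to 5 of the Implementation Plan, carried through as one added shell script. It is not part of the benchmark text or of the chrony project. It assumes a systemd host; the drop-in path under chronyd.service.d/, the script name chronyd_user.sh, the sample ps and unit-file text, and the AmbientCapabilities line are the example's own additions, not directives from the page.

```shell
#!/bin/sh
# Added example: audit and remediation helpers for this recommendation.
# This is not the benchmark's own tooling. The audit functions work on captured
# text so they can be exercised offline; apply_remediation() touches the live
# system and is only run when this script is invoked with "remediate".

# Constructed sample of `ps -eo user,comm` output on a non-compliant host.
SAMPLE_PS_ROOT='USER     COMMAND
root     systemd
root     chronyd
ec2-user bash'

# Constructed sample of the same output after remediation.
SAMPLE_PS_OK='USER     COMMAND
root     systemd
chrony   chronyd
ec2-user bash'

# Drop-in written by apply_remediation(): one directive per line under
# [Service]. AmbientCapabilities is an addition beyond the two directives in
# the benchmark text: a process that is not started as root needs CAP_SYS_TIME
# to adjust the system clock at all.
OVERRIDE_CONF='[Service]
User=chrony
Group=chrony
AmbientCapabilities=CAP_SYS_TIME'

# Constructed misconfiguration: User= placed under [Unit], where systemd does
# not honour it, so the unit-file audit must report no user set.
BAD_CONF='[Unit]
Description=chrony
User=chrony
[Service]
ExecStart=/usr/sbin/chronyd'

# Print the owner of every chronyd process found in `ps -eo user,comm` output.
# Matching the COMMAND column exactly avoids the self-match of
# `ps -ef | grep chronyd` and skips unrelated processes that merely mention it.
chronyd_users() {
    printf '%s\n' "$1" | awk '$2 == "chronyd" { print $1 }'
}

# Return 0 only when chronyd is running and none of its processes run as root.
# A missing chronyd is reported as a failure so an audit never passes silently.
chronyd_not_root() {
    _users=$(chronyd_users "$1")
    [ -n "$_users" ] || return 1
    for _u in $_users; do
        [ "$_u" != "root" ] || return 1
    done
    return 0
}

# Print the User= value from the [Service] section of unit or drop-in text,
# ignoring the directive anywhere else; prints nothing when it is absent.
unit_service_user() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^User=/ { sub(/^User=/, ""); print; exit }'
}

# Live remediation (needs root). A drop-in under chronyd.service.d/ is used
# instead of editing the packaged unit so a package upgrade cannot undo it.
apply_remediation() {
    id chrony >/dev/null 2>&1 || useradd -r -s /sbin/nologin chrony
    mkdir -p /etc/systemd/system/chronyd.service.d
    printf '%s\n' "$OVERRIDE_CONF" > /etc/systemd/system/chronyd.service.d/override.conf
    systemctl daemon-reload
    systemctl restart chronyd
    chronyd_not_root "$(ps -eo user,comm)"
}

# Usage: sh chronyd_user.sh audit | sh chronyd_user.sh remediate
case "${1:-}" in
    audit)
        if chronyd_not_root "$(ps -eo user,comm)"; then
            echo "PASS: chronyd runs as $(chronyd_users "$(ps -eo user,comm)")"
        else
            echo "FAIL: chronyd is missing or runs as root"
            exit 1
        fi
        ;;
    remediate) apply_remediation ;;
esac
```

The unit-file check matters because systemd only honours User= inside [Service]; a directive pasted into the wrong section leaves the daemon on root without any error at start-up. If the host also serves NTP to clients on UDP port 123, the override additionally needs CAP_NET_BIND_SERVICE in AmbientCapabilities, since a non-root process cannot bind a privileged port on its own.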
Backout Plan:
Using Linux command line:
Revert the service configuration to run as root by removing or commenting out the User (and Group) directive.
Reload systemd and restart the chrony service.
Verify chrony runs as root again.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Chrony Documentation
Systemd Service Files