I've been doing a lot of STIG and CIS compliance and they both check for the "OPTIONS=-u chrony" in the /etc/sysconfig/chronyd file.
I realize that (at least on newer RHEL and variants) the chrony daemon does run as the chrony user, but the vendors don't check for the process owner, and trying to convince them to change the ruleset to pass the rule/audit is extremely difficult.
I recommend that the /etc/sysconfig/chronyd file be managed, as it's easier to manage this file (in order to pass CIS/STIG tests) than it is to convince the vendors to change their rules. In addition, the file is part of the Red Hat RPM package and probably should be managed anyway.
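
As an added example (not part of the original post, and not the CIS/STIG audit logic itself), the sketch below contrasts the file-content check described above with a process-owner check. The function names and the matching rule are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: two ways to answer "does chronyd run as the chrony user?"
# The matching rule approximates a file-based scanner check (assumption).

# Return 0 if the file's last active OPTIONS= line contains "-u chrony",
# 1 if it does not, 2 if the file cannot be read.
sysconfig_has_user_option() {
    file="$1"
    [ -r "$file" ] || return 2
    # Skip commented lines; the last assignment wins when the file is sourced.
    line=$(grep -E '^[[:space:]]*OPTIONS=' "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    # Keep the right-hand side and drop surrounding quotes.
    value=$(printf '%s' "${line#*=}" | tr -d "\"'")
    case " $value " in
        *" -u chrony "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if every running chronyd process is owned by chrony,
# 1 if another owner is found, 2 if chronyd is not running.
# Uses procps "ps -C", as shipped on RHEL and variants.
chronyd_runs_as_chrony() {
    owners=$(ps -C chronyd -o user= 2>/dev/null | sort -u)
    [ -n "$owners" ] || return 2
    [ "$(echo $owners)" = "chrony" ]
}

# Constructed sample: a sysconfig file as a scanner would expect it.
sample=$(mktemp)
printf '%s\n' '# Command-line options for chronyd' 'OPTIONS="-u chrony"' > "$sample"
if sysconfig_has_user_option "$sample"; then
    echo "file check: pass"
else
    echo "file check: fail"
fi
rm -f "$sample"
```

A host can pass the second check while failing the first, which is the situation the post describes; managing the file makes both agree.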