RHEL9-CIS/tasks/section_2/cis_2.3.x.yml

---

- name: "2.3.1 | PATCH | Ensure time synchronization is in use"
  when:
    - rhel9cis_rule_2_3_1
    - not system_is_container
  tags:
    - level1-server
    - level1-workstation
    - patch
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - rule_2.3.1
  ansible.builtin.package:
    name: chrony
    state: present

- name: "2.3.2 | PATCH | Ensure chrony is configured"
  when:
    - rhel9cis_rule_2_3_2
    - not system_is_container
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_2.3.2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
  ansible.builtin.template:
    src: etc/chrony.conf.j2
    dest: /etc/chrony.conf
    owner: root
    group: root
    mode: '0644'

- name: "2.3.3 | PATCH | Ensure chrony is not run as the root user"
  when:
    - rhel9cis_rule_2_3_3
    - not system_is_container
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_2.3.3
  ansible.builtin.lineinfile:
    path: /etc/sysconfig/chronyd
    regexp: '^OPTIONS="(?!.* -u chrony.*)(.*)"'
    line: OPTIONS="\1 -u chrony"
    create: true
    backrefs: true
    mode: '0644'