{{%- set ok_by_default = false %}}
{{%- if product in ["ol7", "ol8", "ol9", "fedora"] or 'rhel' in product %}}
{{%- set ok_by_default = true %}}
{{%- endif %}}


{{%- if ok_by_default %}}
<def-group oval_version="5.11">
    <definition class="compliance" id="{{{ rule_id }}}" version="1">
    {{{ oval_metadata("Ensure that no other user than chrony is configured to run the chrony service", rule_title=rule_title) }}}

      <criteria comment="chronyd enabled and multiple remote servers specified" operator="AND">
        <criterion comment="The default chrony user hasn't been overridden" test_ref="test_no_user_override" />
      </criteria>

  </definition>

  <ind:textfilecontent54_test id="test_no_user_override"
    comment="The default chrony user hasn't been overridden"
    check_existence="none_exist" check="all" version="1">
    <ind:object object_ref="obj_user_override" />
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="obj_user_override" version="1">
    <ind:behaviors singleline="true" />
    <ind:filepath>/etc/sysconfig/chronyd</ind:filepath>
    <ind:pattern operation="pattern match">^\s*OPTIONS=.*[\s'"]-u(?!\s*chrony\b).*</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">0</ind:instance>
  </ind:textfilecontent54_object>

</def-group>
{{%- elif 'ubuntu' in product -%}}
{{{ oval_check_config_file(path='/etc/chrony/chrony.conf', prefix_regex='^[ \\t]*', parameter='user', separator_regex='[[:space:]]', value='_chrony', missing_parameter_pass=true, missing_config_file_fail=false, rule_id=rule_id, rule_title=rule_title) }}}
{{%- else -%}}
{{{ oval_check_config_file(path='/etc/sysconfig/chronyd', prefix_regex='^[ \\t]*', parameter='OPTIONS', separator_regex='=', value='["]?.*-u[\s]*chrony.*["]?', missing_parameter_pass=ok_by_default, missing_config_file_fail=true, rule_id=rule_id, rule_title=rule_title) }}}
{{%- endif %}}