Guide to the Secure Configuration of Google Chromium

with profile Upstream STIG for Google Chromium
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Google Chromium STIG. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

This guide presents a catalog of security-relevant configuration settings for Google Chromium. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Google Chromium, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.
Profile Title: Upstream STIG for Google Chromium
Profile ID: xccdf_org.ssgproject.content_profile_stig-chromium-upstream

Revision History

Current version: 0.1.34

  • draft (as of 2017-06-29)

Platforms

  • cpe:/a:google:chromium-browser

Table of Contents

  1. Chromium

Checklist

contains 37 rules

Group: Chromium

Chromium is an open-source web browser, powered by WebKit (Blink), and developed by Google. Web browsers such as Chromium are used for a number of reasons. This section provides settings for configuring Chromium policies to meet compliance requirements for Chromium running on Red Hat Enterprise Linux systems.

  • Refer to https://www.chromium.org/administrators/policy-list-3 for a list of currently supported Chromium policies.
  • Refer to https://www.chromium.org/administrators/policy_templates for pre-created Chromium JSON policy files.

contains 37 rules

Rule: Ensure the Chromium Policy Configuration File Exists

Chromium can be configured with numerous policies and settings. These settings can be set so that a user is unable to edit or change them. To prevent users from setting or changing Chromium settings, a JavaScript Object Notation (JSON) file (with a .json extension) must exist in /etc/chromium/policies/managed.

  • Refer to https://www.chromium.org/administrators/policy-list-3 for a list of currently supported Chromium policies.
  • Refer to https://www.chromium.org/administrators/policy_templates for pre-created Chromium JSON policy files.

Warning:  If the .json file in /etc/chromium/policies/managed is not formatted correctly, no policies will be configured or set correctly.
Rationale:

The Chromium policy file must exist because it contains the configuration settings set by the system administrator to meet organizational and/or security requirements.

Severity:  low

Remediation Shell script:

# Name and location of the managed policy file that every rule in this guide edits.
CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"

# Create the managed policy directory if it is missing (world-readable, root-writable).
if [ ! -d "${CHROME_POL_DIR}" ] ; then
   mkdir -p -m 755 "${CHROME_POL_DIR}"
fi

# Create an empty policy file with conventional permissions if it is missing.
if [ ! -f "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ] ; then
   touch "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
   chmod 644 "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

# Make sure the file contains an opening object brace; the per-setting
# remediations in the following rules insert their "key": value lines
# directly after that line.
if ! grep -q -E '^\{' "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   if [ -s "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ] ; then
      sed -i '1s/^/\{\n/' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
   else
      echo "{" >> "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
   fi
fi

# Make sure the last line closes the object.
if ! tail -1 "${CHROME_POL_DIR}/${CHROME_POL_FILE}" | grep -q -E '^\}' ; then
   echo "}" >> "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Disable Chromium's Ability to Traverse Firewalls

Chromium has the ability to bypass and ignore the system firewall. This ability should be disabled. To disable this setting, set RemoteAccessHostFirewallTraversal to false in the Chromium policy file.

Rationale:

Remote connections should never be allowed to bypass the system firewall as there is no way to verify if they can be trusted.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="RemoteAccessHostFirewallTraversal"
POL_SETTING_VAL="false"

# If the policy key is not in the file yet, insert it on the line after the
# opening brace; otherwise rewrite the existing line with the required value.
# The remaining rules in this guide repeat this same pattern.
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Prevent Desktop Notifications

Chromium by default allows websites to display notifications on the desktop. To disable this setting, set DefaultNotificationsSetting to 2 in the Chromium policy file.

Rationale:

Disabling Chromium's ability to display notifications on the desktop helps prevent malicious websites from controlling desktop notifications or fooling users into clicking on a potentially compromised notification.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DefaultNotificationsSetting"
POL_SETTING_VAL="2"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Popups

Chromium allows you to manage whether or not unwanted pop-up windows appear. To disable pop-ups, set DefaultPopupsSetting to 2 in the Chromium policy file.

Rationale:

Pop-up windows should be disabled to prevent malicious websites from controlling pop-up windows or fooling users into clicking on the wrong window.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DefaultPopupsSetting"
POL_SETTING_VAL="2"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Location Tracking

Location tracking is enabled by default and can track users' browsing habits. Location tracking should be disabled by setting DefaultGeolocationSetting to 2 in the Chromium policy file.

Rationale:

Website tracking is the practice of gathering information as to which websites were accessed by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DefaultGeolocationSetting"
POL_SETTING_VAL="2"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable All Extensions by Default

Extensions are developed by third party sources and are designed to extend Google Chromium's functionality. As an extension can be made by anyone, all extensions should be blacklisted from installation by default. To blacklist all extensions, set the ExtensionInstallBlacklist to * in the Chromium policy file.

Rationale:

Extensions can access almost anything on a system. This means they pose a high risk to any system that would allow all extensions to be installed by default.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="ExtensionInstallBlacklist"
POL_SETTING_VAL="\[\"*\"\]"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Enable Only Approved Extensions

An organization might need to use an internal or third party developed extension. Any organizationally approved extension should be enabled. To enable approved extensions, set ExtensionInstallWhitelist to oiigbmnaadbkfbmpbfijlflahbdbdgdf in the Chromium policy file. If there are no approved extensions, ExtensionInstallWhitelist should be set to oiigbmnaadbkfbmpbfijlflahbdbdgdf.

Rationale:

The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidentally whitelisting a malicious extension.

Severity:  low

Remediation Shell script:

# The SSG build substitutes the XCCDF value var_extension_whitelist here;
# the rule text above gives the value used in this guide.
var_extension_whitelist="oiigbmnaadbkfbmpbfijlflahbdbdgdf"

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="ExtensionInstallWhitelist"
# Escape every "/" so the value is safe inside the "/"-delimited sed replacement below.
POL_SETTING_VAL=$(echo "${var_extension_whitelist}" | sed 's/\//\\\//g')

# Insert the key after the opening brace if absent, otherwise rewrite its line.
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": "'"${var_extension_whitelist}"'",' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's/\"'${POL_SETTING}'\".*/\"'${POL_SETTING}'\": \"'"${POL_SETTING_VAL}"'\",/g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Set the Default Search Provider's URL

Specifies the URL of the default search provider that is to be used. To set the URL of the default search provider, set DefaultSearchProviderName to (N/A) in the Chromium policy file.

Rationale:

When doing internet searches, it is important to set an organizationally approved search provider as well as use an encrypted connection via https.

Severity:  low

Remediation Shell script:

# The SSG build substitutes the XCCDF value var_default_search_provider_name here
# (this guide lists no default for it). Require it from the environment so the
# script fails with a clear message instead of writing an empty value.
: "${var_default_search_provider_name:?set to the organizationally approved search provider name}"

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DefaultSearchProviderName"
# Escape every "/" so the value is safe inside the "/"-delimited sed replacement below.
POL_SETTING_VAL=$(echo "${var_default_search_provider_name}" | sed 's/\//\\\//g')

# Insert the key after the opening brace if absent, otherwise rewrite its line.
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": "'"${var_default_search_provider_name}"'",' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's/\"'${POL_SETTING}'\".*/\"'${POL_SETTING}'\": \"'"${POL_SETTING_VAL}"'\",/g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Enable Encrypted Searching

Specifies the URL of the search engine used when doing a default search. The URL should contain the string {searchTerms}. To set the URL of the search engine, set DefaultSearchProviderSearchURL to https://www.google.com/#q={searchTerms} in the Chromium policy file.

Rationale:

When doing internet searches, it is important to use an encrypted connection via https.

Severity:  low

Remediation Shell script:

# The SSG build substitutes the XCCDF value var_enable_encrypted_searching here;
# the rule text above gives the value used in this guide.
var_enable_encrypted_searching="https://www.google.com/#q={searchTerms}"

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DefaultSearchProviderSearchURL"
# Escape every "/" in the URL so it cannot terminate a sed expression.
POL_SETTING_VAL=$(echo "${var_enable_encrypted_searching}" | sed 's/\//\\\//g')

# Insert the key after the opening brace if absent, otherwise rewrite its line.
# The s command uses ";" as its delimiter because the value contains "/".
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": "'"${var_enable_encrypted_searching}"'",' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's;\"'${POL_SETTING}'\".*;\"'${POL_SETTING}'\": \"'"${POL_SETTING_VAL}"'\",;g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi
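
The remediation scripts in this guide splice "key": value lines into the policy file with sed, and the warning under the first rule notes that a malformed file leaves every policy unset. As an added example that is not part of the SCAP Security Guide content, the Python 3 script below parses such a file strictly (flagging the trailing comma the sed one-liners leave before the closing brace), applies the values the rules in this guide specify through a JSON library instead of text substitution, and audits the result, including the https and {searchTerms} requirements of the two search provider rules and the format of the extension whitelist. It assumes ExtensionInstallWhitelist is a list-typed policy whose entries are 32-letter (a-p) extension IDs, as documented in the Chromium policy list; SAMPLE_POLICY_FILE is constructed for the demonstration.

```python
"""Added example (not SCAP Security Guide code): validate a Chromium managed
policy file, apply this guide's settings without sed, and audit the result."""
import json
import re

# Policy keys and values taken from the rules in this guide.
EXPECTED_POLICIES = {
    "RemoteAccessHostFirewallTraversal": False,
    "DefaultNotificationsSetting": 2,
    "DefaultPopupsSetting": 2,
    "DefaultGeolocationSetting": 2,
    "ExtensionInstallBlacklist": ["*"],
    "DefaultSearchProviderEnabled": True,
    "PasswordManagerAllowShowPasswords": False,
    "PasswordManagerEnabled": False,
    "AllowOutdatedPlugins": False,
    "AlwaysAuthorizePlugins": False,
    "BlockThirdPartyCookies": True,
    "BackgroundModeEnabled": False,
    "Disable3DAPIs": True,
    "SyncDisabled": True,
    "AutoFillEnabled": False,
    "CloudPrintProxyEnabled": False,
    "DnsPrefetchingEnabled": False,
    "MetricsReportingEnabled": False,
    "SearchSuggestEnabled": False,
    "ImportSavedPasswords": False,
    "IncognitoModeAvailability": 1,
    "DisabledPlugins": ["*"],
    "DisablePluginFinder": True,
    "EnableOnlineRevocationChecks": True,
}
# Extension IDs are 32 letters a-p; the second regex finds a comma right before
# a closing brace/bracket, which is what the sed remediations leave behind.
EXTENSION_ID = re.compile(r"[a-p]{32}")
TRAILING_COMMA = re.compile(r",(\s*[}\]])")

def load_policy(text):
    """Parse policy JSON text; returns (policy, warnings). Strict JSON rejects the
    trailing comma the sed remediations leave, so retry with it stripped and warn."""
    warnings = []
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as err:
        repaired = TRAILING_COMMA.sub(r"\1", text)
        try:
            policy = json.loads(repaired)
        except json.JSONDecodeError:
            raise ValueError(f"policy file is not valid JSON: {err}") from err
        warnings.append("trailing comma(s) removed to parse file")
    if not isinstance(policy, dict):
        raise ValueError("policy file must contain a single JSON object")
    return policy, warnings

def remediate(policy, expected=EXPECTED_POLICIES):
    """Set every expected key to its required value (idempotent; other keys kept)."""
    policy.update(expected)
    return policy

def render_policy(policy):
    """Serialise as strict JSON, with no trailing comma for Chromium to tolerate."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"

def audit(policy, expected=EXPECTED_POLICIES):
    """Return a list of findings; an empty list means every check passed.
    Types are compared too: in Python True == 1, but true and 1 differ to Chromium."""
    findings = []
    for key, want in expected.items():
        have = policy.get(key)
        if key not in policy:
            findings.append(f"{key}: missing (expected {json.dumps(want)})")
        elif have != want or type(have) is not type(want):
            findings.append(f"{key}: is {json.dumps(have)}, expected {json.dumps(want)}")
    # Checks the search-provider and extension-whitelist rules imply beyond a fixed value.
    url = policy.get("DefaultSearchProviderSearchURL")
    if not isinstance(url, str):
        findings.append("DefaultSearchProviderSearchURL: missing")
    else:
        if not url.startswith("https://"):
            findings.append("DefaultSearchProviderSearchURL: not an https URL")
        if "{searchTerms}" not in url:
            findings.append("DefaultSearchProviderSearchURL: lacks {searchTerms}")
    whitelist = policy.get("ExtensionInstallWhitelist", [])
    if not isinstance(whitelist, list):
        findings.append("ExtensionInstallWhitelist: must be a JSON list of extension IDs")
    else:
        for ext in whitelist:
            if not (isinstance(ext, str) and EXTENSION_ID.fullmatch(ext)):
                findings.append(f"ExtensionInstallWhitelist: {ext!r} is not an extension ID")
    return findings

# Constructed sample resembling output of the sed remediations (note the trailing comma).
SAMPLE_POLICY_FILE = """{
  "DisablePluginFinder": true,
  "IncognitoModeAvailability": false,
  "DefaultSearchProviderSearchURL": "http://www.google.com/#q={searchTerms}",
  "ExtensionInstallWhitelist": "oiigbmnaadbkfbmpbfijlflahbdbdgdf",
  "BlockThirdPartyCookies": true,
}
"""
```

Point load_policy() at the contents of /etc/chromium/policies/managed/chrome_stig_policy.json after running the remediation scripts to confirm the file parses and audit() returns nothing; writing the file with render_policy() instead of the sed one-liners avoids the trailing-comma question entirely.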

Rule: Enable the Default Search Provider

By default, users can change search provider settings. To disable this, set DefaultSearchProviderEnabled to true in the Chromium policy file.

Rationale:

A default search is performed when the user types text in the omnibox that is not a URL. This should be organizationally defined and not allowed to be changed by a user.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DefaultSearchProviderEnabled"
POL_SETTING_VAL="true"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Use of Cleartext Passwords

Chromium allows users to import and store passwords in cleartext. This should be disabled by setting PasswordManagerAllowShowPasswords to false in the Chromium policy file.

Rationale:

Cleartext passwords would allow another individual to see a password via shoulder surfing.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="PasswordManagerAllowShowPasswords"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Chromium Password Manager

Chromium Password Manager allows the saving and using of passwords in Chromium. This should be disabled by setting PasswordManagerEnabled to false in the Chromium policy file.

Rationale:

This policy enables saving passwords and using saved passwords in Google Chromium. Malicious sites may take advantage of this feature by using hidden fields to gain access to the stored information.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="PasswordManagerEnabled"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Set Chromium's HTTP Authentication Scheme

To set the default Chromium's HTTP Authentication Scheme, set AuthSchemes to (N/A) in the Chromium policy file.

Rationale:

Specifies which HTTP Authentication schemes are supported by Google Chromium.

Severity:  low

Remediation Shell script:

# The SSG build substitutes the XCCDF value var_auth_schemes here (this guide
# lists no default for it). Require it from the environment so the script fails
# with a clear message instead of writing an empty value.
: "${var_auth_schemes:?set to the comma-separated list of permitted HTTP authentication schemes}"

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="AuthSchemes"

# Insert the key after the opening brace if absent, otherwise rewrite its line.
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": "'"${var_auth_schemes}"'",' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": \"'"${var_auth_schemes}"'\",/g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Disable Outdated Plugins

Outdated plugins should be disabled by setting AllowOutdatedPlugins to false in the Chromium policy file.

Rationale:

Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins updated to the most current version ensures the smallest attack surface possible.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="AllowOutdatedPlugins"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Require Outdated Plugins to be Authorized

Chromium should prompt users for authorization to run outdated plugins. This can be enabled by setting AlwaysAuthorizePlugins to false in the Chromium policy file.

Rationale:

Outdated plugins can compromise security and should request authorization from the user before running.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="AlwaysAuthorizePlugins"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable 3rd Party Cookies

Third party cookies should not be enabled. To disable third party cookies, set BlockThirdPartyCookies to true in the Chromium policy file.

Rationale:

Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Blocking them prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="BlockThirdPartyCookies"
POL_SETTING_VAL="true"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Background Processing

Chromium can be set to run at all times and process in the background. This should be disabled by setting BackgroundModeEnabled to false in the Chromium policy file.

Rationale:

There are two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that Chromium is running, and poorly written extensions could cause instability on the system.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="BackgroundModeEnabled"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable the 3D Graphics APIs

Chromium uses WebGL to render graphics using the GPU which allows website access to the GPU. This should be disabled by setting Disable3DAPIs to true in the Chromium policy file.

Rationale:

This setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API in order to reduce the attack surface.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="Disable3DAPIs"
POL_SETTING_VAL="true"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Data Synchronization to Google

To disable data synchronization to Google, set SyncDisabled to true in the Chromium policy file.

Rationale:

Google Sync is used to sync information between different user devices; this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="SyncDisabled"
POL_SETTING_VAL="true"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Insecure And Obsolete Protocol Schemas

Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. To disable insecure and obsolete protocol schemes, set URLBlacklist to javascript://* in the Chromium policy file.

Rationale:

If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system.

Severity:  low

Remediation Shell script:

# The SSG build substitutes the XCCDF value var_url_blacklist here;
# the rule text above gives the value used in this guide.
var_url_blacklist="javascript://*"

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="URLBlacklist"
# Escape every "/" so the value is safe inside the "/"-delimited sed replacement below.
POL_SETTING_VAL=$(echo "${var_url_blacklist}" | sed 's/\//\\\//g')

# Insert the key (as a one-element JSON list) after the opening brace if absent,
# otherwise rewrite its line. Expansions are quoted so the "*" is never globbed.
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": \["'"${var_url_blacklist}"'"\],' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": \[\"'"${POL_SETTING_VAL}"'\"\],/g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi
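
To make the scheme/protocol distinction in the rule above concrete, here is an added example (not SCAP Security Guide code) that extracts a URL's scheme as RFC 3986 defines it and tests it against blacklist entries of the form scheme://*. Treating that form as "block the whole scheme" is an assumption made for this example; Chromium's full URLBlacklist pattern syntax (host and path matching) is not modelled, and the sample URLs are constructed.

```python
"""Added example (not SCAP Security Guide code): identify a URL's scheme as the
browser does and test it against scheme-level entries of a URL blacklist."""
import re

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), followed by ":".
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def url_scheme(url):
    """Return the lower-cased scheme of url, or None for a relative reference."""
    match = SCHEME.match(url.strip())
    return match.group(1).lower() if match else None

def blocked_schemes(patterns):
    """Collect the schemes named by blacklist entries written as "<scheme>://*".
    Assumption for this example: only this whole-scheme form is interpreted."""
    schemes = set()
    for pattern in patterns:
        scheme, sep, rest = pattern.partition("://")
        if sep and rest == "*":
            schemes.add(scheme.lower())
    return schemes

def is_blocked(url, patterns):
    """True when the URL's scheme is blacklisted, whatever follows the colon."""
    return url_scheme(url) in blocked_schemes(patterns)

# The blacklist value this guide's rule sets.
URL_BLACKLIST = ["javascript://*"]

if __name__ == "__main__":
    # Constructed sample URLs: a javascript: URL, a mixed-case one, an https page, a relative path.
    for sample in ("javascript:void(0)", "JavaScript://x", "https://example.org/", "/relative/path"):
        print(f"{sample!r}: scheme={url_scheme(sample)} blocked={is_blocked(sample, URL_BLACKLIST)}")
```

Because the scheme is everything before the first colon, the check fires on "javascript:void(0)" even though that URL has no "//" at all, which is exactly the point the rule makes about scheme versus protocol.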

Rule: Disable the AutoFill Feature

The AutoFill feature suggests possible matches when users are filling in forms. To disable the AutoFill feature, set AutoFillEnabled to false in the Chromium policy file.

Rationale:

It is possible with the AutoFill feature that it will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="AutoFillEnabled"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Cloud Print Sharing

Chromium has cloud sharing capabilities including sharing printers connected to the system. This is done via a proxy. To disable printer sharing, set CloudPrintProxyEnabled to false in the Chromium policy file.

Rationale:

Google Chromium has the capability to act as a proxy between Google Cloud Print and legacy printers connected to the machine. Users can then enable the cloud print proxy by authentication with their Google account.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
# Policy name exactly as given in the rule text above.
POL_SETTING="CloudPrintProxyEnabled"
POL_SETTING_VAL="false"

# Insert the key after the opening brace if absent, otherwise rewrite its line.
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Disable Network Prediction

To disable the network prediction feature, set DnsPrefetchingEnabled to false in the Chromium policy file.

Rationale:

This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DnsPrefetchingEnabled"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Metrics Reporting

Whenever Chromium crashes, it sends its usage and crash-related data to Google. This should be disabled by setting MetricsReportingEnabled to false in the Chromium policy file.

Rationale:

Anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="MetricsReportingEnabled"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Search Suggestion

Chromium tries to guess what users are searching for when users enter search data in the search Omnibox. This should be disabled by setting SearchSuggestEnabled to false in the Chromium policy file.

Rationale:

Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="SearchSuggestEnabled"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Saved Passwords

Disable the importing of saved passwords by setting ImportSavedPasswords to false in the Chromium policy file.

Rationale:

Importing of saved passwords should be disabled as it could allow unencrypted account passwords stored on the system by another browser to be viewed.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="ImportSavedPasswords"
POL_SETTING_VAL="false"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Rule: Disable Incognito Mode

Incognito Mode allows users to browse in private, which prevents monitoring and validating user browsing habits. This capability should be disabled by setting IncognitoModeAvailability to 1 in the Chromium policy file.

Rationale:

Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="IncognitoModeAvailability"
# IncognitoModeAvailability is an integer policy; 1 disables Incognito mode,
# matching the value given in the rule text above.
POL_SETTING_VAL="1"

# Insert the key after the opening brace if absent, otherwise rewrite its line.
if ! grep -q "${POL_SETTING}" "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Disable All Plugins by Default

Plugins are developed internally or by third party sources and are designed to extend Google Chromium's functionality. All plugins should be blacklisted from installation by default. To blacklist all plugins, set DisabledPlugins to * in the Chromium policy file.

Rationale:

Plugins can access almost anything on a system and users can enable or install them at will. This means they pose a high risk to any system that would allow all plugins to be installed by default.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DisabledPlugins"
POL_SETTING_VAL="\[\"*\"\]"

grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}

if ! [ $? -eq 0 ] ; then
   sed -i -e '/{/a \  "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
   sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

Enable Only Approved Plugins   [ref]rule

An organization might need to use an internal or third party developed plugins. Any organizationally approved plugin should be enabled. To enable approved plugins, set EnabledPlugins to the list of organizationally approved plugins in the Chromium policy file.

Rationale:

The whitelist should only contain organizationally approved plugins. This is to prevent a user from accidentally whitelisting a malicious plugin.

Severity:  low

Remediation Shell script:

# "populate" is the SCAP Security Guide placeholder: the selected XCCDF profile
# supplies the value of var_enable_approved_plugins (the contents placed between
# the list brackets below) when the remediation is generated.
populate var_enable_approved_plugins

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="EnabledPlugins"
# Escape every "/" in the value so it is safe inside the sed replacement below.
POL_SETTING_VAL=$(printf '%s' "${var_enable_approved_plugins}" | sed 's/\//\\\//g')
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": \['"${var_enable_approved_plugins}"'\],' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": \['"${POL_SETTING_VAL}"'\],/g' "${POL_PATH}"
fi

Disable Automatic Search And Installation of Plugins

Chromium will automatically detect, search for, and install plugins as required. This should be disabled by setting DisablePluginFinder to true in the Chromium policy file.

Rationale:

The automatic search for and installation of missing plugins should be disabled, as this poses significant risk if an unapproved or vulnerable plugin were installed without proper permission or authorization.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DisablePluginFinder"
POL_SETTING_VAL="true"
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": '"${POL_SETTING_VAL}"',' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": '"${POL_SETTING_VAL}"',/g' "${POL_PATH}"
fi

Enable Online OCSP/CRL Certificate Checks

Certificates can become compromised, and Chromium should check that the certificates in its store are valid by setting EnableOnlineRevocationChecks to true in the Chromium policy file.

Rationale:

Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="EnableOnlineRevocationChecks"
POL_SETTING_VAL="true"
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": '"${POL_SETTING_VAL}"',' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": '"${POL_SETTING_VAL}"',/g' "${POL_PATH}"
fi

Enable the Safe Browsing Feature

Chromium can check URLs against known malware and phishing sites through the Safe Browsing feature. This can be enabled by setting SafeBrowsingEnabled to true in the Chromium policy file.

Rationale:

Safe Browsing uses a signature database to test sites as they are loaded, to ensure that they do not contain any known malware.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="SafeBrowsingEnabled"
POL_SETTING_VAL="true"
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": '"${POL_SETTING_VAL}"',' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": '"${POL_SETTING_VAL}"',/g' "${POL_PATH}"
fi

Enable Saving the Browser History

Users can enable or disable the saving of browser history in Chromium. Browser history should be retained by setting SavingBrowserHistoryDisabled to false in the Chromium policy file.

Rationale:

Best practice requires that browser history is retained.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="SavingBrowserHistoryDisabled"
POL_SETTING_VAL="false"
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": '"${POL_SETTING_VAL}"',' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": '"${POL_SETTING_VAL}"',/g' "${POL_PATH}"
fi

Block Plugins by Default

By default, websites are allowed to run plugins automatically. Users should instead be prompted before a plugin is allowed to execute, by setting DefaultPluginsSetting to 3 in the Chromium policy file.

Rationale:

Websites should not be allowed to automatically run plugins as the plugins may be outdated or compromised.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="DefaultPluginsSetting"
POL_SETTING_VAL="3"
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": '"${POL_SETTING_VAL}"',' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": '"${POL_SETTING_VAL}"',/g' "${POL_PATH}"
fi

Disable Session Cookies

To disable session-only cookies for sites, set CookiesSessionOnlyForUrls to none in the Chromium policy file.

Rationale:

Cookies should only be allowed per session and only for approved URLs as permanently stored cookies can be used for malicious intent.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="CookiesSessionOnlyForUrls"
# Written into the file as the one-element list ["none"].
POL_SETTING_VAL="none"
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": \["'"${POL_SETTING_VAL}"'"\],' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": \[\"'"${POL_SETTING_VAL}"'\"\],/g' "${POL_PATH}"
fi

Set the Default Home Page

When a browser is started the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. To set the default home page, set HomepageLocation to about:blank in the Chromium policy file.

Rationale:

If no home page is defined then there is a possibility that a URL to a malicious site may be used as a home page which could effectively cause a denial of service to the browser.

Severity:  low

Remediation Shell script:

# "populate" is the SCAP Security Guide placeholder: the selected XCCDF profile
# supplies the value of var_trusted_home_page when the remediation is generated.
populate var_trusted_home_page

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="HomepageLocation"
# Escape every "/" in the URL so it is safe inside the sed replacement below.
POL_SETTING_VAL=$(printf '%s' "${var_trusted_home_page}" | sed 's/\//\\\//g')
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": "'"${var_trusted_home_page}"'",' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": \"'"${POL_SETTING_VAL}"'\",/g' "${POL_PATH}"
fi

Enable Plugins for Only Approved URLs

In some cases, plugins used by organizationally approved websites may be allowed to run on those websites. Configure the approved URLs allowed to run plugins by setting PluginsAllowedForUrls to the organizationally approved URLs in the Chromium policy file. If there are no approved URLs, this should be set to none.

Rationale:

Only approved plugins for approved sites should be allowed to be utilized.

Severity:  low

Remediation Shell script:

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="PluginsAllowedForUrls"
POL_SETTING_VAL="none"
POL_PATH="${CHROME_POL_DIR}/${CHROME_POL_FILE}"

# Insert the key after the opening brace if it is absent, otherwise rewrite the
# existing line in place. Assumes the file exists with its "{" on its own line.
if ! grep -q "\"${POL_SETTING}\"" "${POL_PATH}" ; then
   sed -i -e '/{/a \  "'"${POL_SETTING}"'": "'"${POL_SETTING_VAL}"'",' "${POL_PATH}"
else
   sed -i -e 's/\"'"${POL_SETTING}"'\".*/\"'"${POL_SETTING}"'\": \"'"${POL_SETTING_VAL}"'\",/g' "${POL_PATH}"
fi
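The remediation scripts in this section, from Disable Incognito Mode through Enable Plugins for Only Approved URLs, all edit /etc/chromium/policies/managed/chrome_stig_policy.json with sed, which cannot tell a well-formed policy file from one a previous edit has broken, and which Chromium silently ignores if it is not valid JSON. The following is an added example, not SCAP Security Guide code, of auditing the same file with a JSON parser, reporting each fixed-value policy from this section as passing, missing or wrong, and merging the expected values in with an atomic write. The file path is the one the scripts above use; EXPECTED_POLICIES carries the values those rules state, with IncognitoModeAvailability given as the integer 1 because that policy is an integer enum in Chromium (0 = available, 1 = disabled, 2 = forced); profile-supplied policies (EnabledPlugins, HomepageLocation, PluginsAllowedForUrls, CookiesSessionOnlyForUrls) are left out; SAMPLE_POLICY is a constructed input.

```python
"""Audit and repair the Chromium managed-policy file with a JSON parser.
Added example, not SCAP Security Guide code."""
import json
import os
import tempfile
from typing import Any

POLICY_FILE = "/etc/chromium/policies/managed/chrome_stig_policy.json"

# Expected values for the fixed-value policies in this section.
# IncognitoModeAvailability is an integer enum in Chromium policy
# (0 = available, 1 = disabled, 2 = forced); the rest are as the rules state.
# Policies whose value comes from the XCCDF profile are deliberately omitted.
EXPECTED_POLICIES: dict[str, Any] = {
    "IncognitoModeAvailability": 1,
    "DisabledPlugins": ["*"],
    "DisablePluginFinder": True,
    "EnableOnlineRevocationChecks": True,
    "SafeBrowsingEnabled": True,
    "SavingBrowserHistoryDisabled": False,
    "DefaultPluginsSetting": 3,
}


def audit_policy(policy: dict[str, Any],
                 expected: dict[str, Any] = EXPECTED_POLICIES) -> dict[str, str]:
    """One finding per expected policy: 'pass', 'missing' or 'wrong:<json value>'."""
    findings: dict[str, str] = {}
    for name, want in expected.items():
        if name not in policy:
            findings[name] = "missing"
            continue
        have = policy[name]
        # Compare type as well as value: in Python True == 1, so a file carrying
        # "IncognitoModeAvailability": true would otherwise pass for 1.
        if have == want and type(have) is type(want):
            findings[name] = "pass"
        else:
            findings[name] = f"wrong:{json.dumps(have)}"
    return findings


def load_policy(path: str) -> dict[str, Any]:
    """Parse the managed-policy file; a missing file is an empty policy set."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)  # raises on the broken JSON a sed edit can leave behind
    if not isinstance(data, dict):
        raise ValueError(f"{path}: top-level JSON value must be an object")
    return data


def save_policy(path: str, policy: dict[str, Any]) -> None:
    """Write via a temp file and rename so Chromium never reads a half-written file."""
    directory = os.path.dirname(path)
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2, sort_keys=True)
        fh.write("\n")
    os.chmod(tmp, 0o644)  # world-readable, writable only by the owner (root)
    os.replace(tmp, path)


def remediate_file(path: str = POLICY_FILE,
                   expected: dict[str, Any] = EXPECTED_POLICIES) -> dict[str, str]:
    """Audit the file and, if anything fails, merge the expected values in.
    Returns the findings from before the merge; keys outside `expected`
    (such as the profile-supplied HomepageLocation) are kept untouched."""
    policy = load_policy(path)
    findings = audit_policy(policy, expected)
    if any(result != "pass" for result in findings.values()):
        policy.update(expected)
        save_policy(path, policy)
    return findings


# Constructed sample: a policy file as left by an earlier, partial remediation.
SAMPLE_POLICY: dict[str, Any] = {
    "IncognitoModeAvailability": False,  # wrong type, as the old sed script wrote it
    "SafeBrowsingEnabled": True,
    "HomepageLocation": "about:blank",
}


def demo_round_trip() -> tuple[dict[str, str], dict[str, str]]:
    """Run audit -> remediate -> audit on a copy of SAMPLE_POLICY in a temp dir."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "chrome_stig_policy.json")
        save_policy(path, SAMPLE_POLICY)
        before = remediate_file(path)
        after = audit_policy(load_policy(path))
    return before, after


if __name__ == "__main__":
    before, after = demo_round_trip()
    for name in EXPECTED_POLICIES:
        print(f"{name:30} {before[name]:>12} -> {after[name]}")
```

Run as root with no arguments changed, remediate_file() operates on the real managed-policy file; demo_round_trip() exercises the same code on a throwaway copy so the audit and the merge can be checked before touching /etc. The type-strict comparison is the point worth keeping even if the rest is replaced: a policy file that says "IncognitoModeAvailability": true looks correct to a grep-based check and to a loose equality test, yet Chromium will reject it as the wrong type and leave Incognito mode available.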
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.