Guide to the Secure Configuration of Chromium

with profile Upstream STIG for Google Chromium
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Google Chromium STIG. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
This guide presents a catalog of security-relevant configuration settings for Chromium. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Chromium, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title: Upstream STIG for Google Chromium
Profile ID: xccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/a:google:chromium-browser

Revision History

Current version: 0.1.68

  • draft (as of 2023-06-15)

Table of Contents

  1. Chromium

Checklist

Group   Guide to the Secure Configuration of Chromium   Group contains 1 group and 37 rules
Group   Chromium   Group contains 37 rules
[ref]   Chromium is the open-source web browser project, developed by Google, on which Google Chrome is built; it renders pages with the Blink engine, a fork of WebKit. This section provides settings for configuring Chromium policies to meet compliance requirements for Chromium running on Red Hat Enterprise Linux systems. The remediations below write each setting into the managed policy file /etc/chromium/policies/managed/chrome_stig_policy.json. That file must parse as JSON: a policy file that fails to parse contributes no policies at all, so validate it after editing. Refer to
  • https://www.chromium.org/administrators/policy-list-3
for a list of currently supported Chromium policies. Refer to
  • https://www.chromium.org/administrators/policy_templates
for pre-created Chromium JSON policy files.
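The remediation scripts on this page each patch one key into the managed policy file with sed. To check the result, the following audit script, added here as an example and not code from the SCAP Security Guide or Chromium projects, parses a managed policy JSON file and reports every setting of this profile that is missing or has the wrong value. The expected values are the ones stated in the rules below. The SAMPLE_POLICY text is a constructed input, the alias table for the two policies Chromium renamed (ExtensionInstallBlacklist to ExtensionInstallBlocklist, URLBlacklist to URLBlocklist) and the trailing-comma handling are the example's own additions, and settings whose value is organization-defined (the search provider name and URL, EnabledPlugins, CookiesSessionOnlyForUrls) are left out of the table on purpose.

```python
"""Audit a Chromium managed-policy JSON file against this profile.

Added example; not code from the SCAP Security Guide or Chromium projects.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Values stated by the rules on this page, keyed by the policy name the rule
# text uses.  Organization-defined settings (DefaultSearchProviderName,
# DefaultSearchProviderSearchURL, EnabledPlugins, CookiesSessionOnlyForUrls)
# are deliberately not listed.
EXPECTED: Dict[str, Any] = {
    "ExtensionInstallBlocklist": ["*"],
    "DefaultNotificationsSetting": 2,
    "EnableOnlineRevocationChecks": True,
    "DefaultPluginsSetting": 3,
    "DefaultSearchProviderEnabled": True,
    "Disable3DAPIs": True,
    "AutoFillEnabled": False,
    "DisablePluginFinder": True,
    "BackgroundModeEnabled": False,
    "PasswordManagerAllowShowPasswords": False,
    "CloudPrintProxyEnabled": False,
    "RemoteAccessHostFirewallTraversal": False,
    "SyncDisabled": True,
    "IncognitoModeAvailability": 1,
    "MetricsReportingEnabled": False,
    "DnsPrefetchingEnabled": False,
    "AllowOutdatedPlugins": False,
    "PasswordManagerEnabled": False,
    "DisabledPlugins": ["*"],
    "DefaultPopupsSetting": 2,
    "URLBlacklist": ["javascript://*"],
    "ImportSavedPasswords": False,
    "SearchSuggestEnabled": False,
    "BlockThirdPartyCookies": True,
    "DefaultGeolocationSetting": 2,
    "SavingBrowserHistoryDisabled": False,
    "SafeBrowsingEnabled": True,
}

# Chromium renamed these policies; either spelling satisfies the rule.
ALIASES: Dict[str, str] = {
    "ExtensionInstallBlocklist": "ExtensionInstallBlacklist",
    "URLBlacklist": "URLBlocklist",
}

# Constructed sample file: a partially remediated policy with one wrong value
# (the boolean false where Chromium expects the integer 1), the renamed
# URLBlocklist spelling, and the trailing comma the sed remediations leave.
SAMPLE_POLICY = """{
  "ExtensionInstallBlocklist": [ "*" ],
  "IncognitoModeAvailability": false,
  "URLBlocklist": [ "javascript://*" ],
  "DefaultPopupsSetting": 2,
  "BlockThirdPartyCookies": true,
}"""


def load_policy(text: str) -> Dict[str, Any]:
    """Parse a managed policy file.  Chromium's config-directory policy loader
    parses with trailing commas allowed; strip a comma before a closing brace
    or bracket before handing the text to the strict standard-library parser.
    (This simple regex would also touch a comma inside a string value that
    precedes a closing brace, which no value on this page contains.)"""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))


def audit(policy: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (policy name, problem) pairs for every expected setting that is
    missing or wrong; an empty list means the file matches this profile."""
    findings: List[Tuple[str, str]] = []
    for name, want in EXPECTED.items():
        key = name if name in policy else ALIASES.get(name)
        if key is None or key not in policy:
            findings.append((name, "missing"))
            continue
        got = policy[key]
        if isinstance(want, list):
            # Order inside a list policy does not matter.
            ok = isinstance(got, list) and set(got) == set(want)
        else:
            # bool is a subclass of int in Python, so compare the types too:
            # "IncognitoModeAvailability": false must not pass as 1.
            ok = type(got) is type(want) and got == want
        if not ok:
            findings.append((name, f"expected {want!r}, found {got!r}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(load_policy(SAMPLE_POLICY)):
        print(f"{name}: {problem}")
```

Run against the real file with `audit(load_policy(open("/etc/chromium/policies/managed/chrome_stig_policy.json").read()))`; a JSON parse error at that point means Chromium will ignore the file entirely, which is the first thing to fix.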

Rule   Disable All Extensions by Default   [ref]

Extensions are developed by third-party sources and are designed to extend Google Chromium's functionality. Because anyone can publish an extension, installation of all extensions should be blocked by default. To block all extensions, set ExtensionInstallBlocklist (named ExtensionInstallBlacklist in older Chromium releases) to * in the Chromium policy file. Any organizationally approved extension must then be listed explicitly in ExtensionInstallAllowlist, which exempts the listed extensions from the blocklist.
Rationale:
Extensions run inside the browser with whatever permissions they request, which can include reading and modifying the content of every page the user visits, browsing history, cookies and downloads. Allowing arbitrary extensions to be installed therefore exposes the system, and every credential entered in the browser, to code from untrusted authors.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_blacklist_extension_installation
Identifiers and References

References:  DTBC0006








# The value is a JSON list, so it must stay inside the single-quoted sed
# expression; left unquoted, the shell word-splits it and expands the "*".
if ! grep -q ExtensionInstallBlocklist /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "ExtensionInstallBlocklist": [ "*" ],' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/"ExtensionInstallBlocklist".*/"ExtensionInstallBlocklist": [ "*" ],/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Prevent Desktop Notifications   [ref]

By default, Chromium lets websites ask for permission to display notifications on the desktop. To block notifications for all sites, set DefaultNotificationsSetting to 2 in the Chromium policy file.
Rationale:
Disabling Chromium's ability to display notifications on the desktop helps prevent malicious websites from controlling desktop notifications or fooling users into clicking on a potentially compromised notification.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_block_desktop_notifications
Identifiers and References

References:  DTBC0003








if ! grep -q DefaultNotificationsSetting /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'DefaultNotificationsSetting'": '2',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'DefaultNotificationsSetting'.*/\"'DefaultNotificationsSetting'\": '2',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Enable Online OCSP/CRL Certificate Checks   [ref]

Certificates can be compromised and revoked before they expire, so Chromium should perform online OCSP/CRL revocation checks on the certificates that servers present. To enable this, set EnableOnlineRevocationChecks to true in the Chromium policy file. Note that these checks are soft-fail: if the revocation server cannot be reached, the certificate is treated as valid, so this setting supplements rather than replaces the browser's built-in revocation data.
Rationale:
Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_check_cert_revocation
Identifiers and References

References:  DTBC0037








if ! grep -q EnableOnlineRevocationChecks /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'EnableOnlineRevocationChecks'": 'true',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'EnableOnlineRevocationChecks'.*/\"'EnableOnlineRevocationChecks'\": 'true',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Block Plugins by Default   [ref]

By default, websites are allowed to run plugins automatically. Users should instead be prompted before a plugin executes, by setting DefaultPluginsSetting to 3 (click to play) in the Chromium policy file. Note that this and the other plugin policies on this page (DisabledPlugins, EnabledPlugins, AllowOutdatedPlugins, DisablePluginFinder) governed NPAPI and PPAPI plugins such as Flash; they have no effect on Chromium releases that no longer support such plugins.
Rationale:
Websites should not be allowed to automatically run plugins as the plugins may be outdated or compromised.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_default_block_plugins
Identifiers and References

References:  DTBC0040








if ! grep -q DefaultPluginsSetting /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'DefaultPluginsSetting'": '3',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'DefaultPluginsSetting'.*/\"'DefaultPluginsSetting'\": '3',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Enable the Default Search Provider   [ref]

By default, users can change the default search provider. To enforce an organizationally defined provider, set DefaultSearchProviderEnabled to true in the Chromium policy file; together with the DefaultSearchProvider* policies that name the provider and its URL, this locks the setting so that users cannot change it.
Rationale:
A default search is performed when the user types text in the omnibox that is not a URL. This should be organizationally defined and not allowed to be changed by a user.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_default_search_provider
Identifiers and References

References:  DTBC0009








if ! grep -q DefaultSearchProviderEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'DefaultSearchProviderEnabled'": 'true',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'DefaultSearchProviderEnabled'.*/\"'DefaultSearchProviderEnabled'\": 'true',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Set the Default Search Provider's URL   [ref]

DefaultSearchProviderName holds the display name of the default search provider and is required alongside the provider's search URL (set by DefaultSearchProviderSearchURL, covered in the Enable Encrypted Searching rule). This profile sets DefaultSearchProviderName to https://www.google.com in the Chromium policy file.
Rationale:
When doing internet searches, it is important to set an organizationally approved search provider as well as use an encrypted connection via https.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_default_search_provider_name
Identifiers and References

References:  DTBC0007



var_default_search_provider_name='https://www.google.com'

# Quote the value so the policy file stays valid JSON, and use '|' as the sed
# delimiter so the slashes in the URL need no escaping.
if ! grep -q DefaultSearchProviderName /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e "/{/a \\  \"DefaultSearchProviderName\": \"${var_default_search_provider_name}\"," /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e "s|\"DefaultSearchProviderName\".*|\"DefaultSearchProviderName\": \"${var_default_search_provider_name}\",|g" /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable the 3D Graphics APIs   [ref]

Chromium uses WebGL to render graphics using the GPU which allows website access to the GPU. This should be disabled by setting Disable3DAPIs to true in the Chromium policy file.
Rationale:
This setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API in order to reduce the attack surface.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_3d_graphics_api
Identifiers and References

References:  DTBC0019








if ! grep -q Disable3DAPIs /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'Disable3DAPIs'": 'true',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'Disable3DAPIs'.*/\"'Disable3DAPIs'\": 'true',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable the AutoFill Feature   [ref]

The AutoFill feature suggests possible matches when users are filling in forms. To disable it, set AutoFillEnabled to false in the Chromium policy file. Newer Chromium releases replaced AutoFillEnabled with the separate AutofillAddressEnabled and AutofillCreditCardEnabled policies; set both to false on those releases.
Rationale:
The AutoFill feature caches the data users type into forms, which can include names, addresses and payment details, and stores it in the user's profile, where it might not be protected as rigorously as organizational policy requires.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_autocomplete
Identifiers and References

References:  DTBC0022








if ! grep -q AutoFillEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'AutoFillEnabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'AutoFillEnabled'.*/\"'AutoFillEnabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Automatic Search And Installation of Plugins   [ref]

Chromium can automatically detect missing plugins and search for and install them. This should be disabled by setting DisablePluginFinder to true in the Chromium policy file.
Rationale:
Automatic search for and installation of missing plugins should be disabled, as an unapproved or vulnerable plugin could otherwise be installed without proper authorization.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_automatic_installation
Identifiers and References

References:  DTBC0036








if ! grep -q DisablePluginFinder /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'DisablePluginFinder'": 'true',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'DisablePluginFinder'.*/\"'DisablePluginFinder'\": 'true',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Background Processing   [ref]

Chromium can be set to run at all times and process in the background. This should be disabled by setting BackgroundModeEnabled to false in the Chromium policy file.
Rationale:
There are two reasons this is not wanted. First, it ties up system resources that might be needed elsewhere. Second, it is not obvious to the user that the browser is still running, and background extensions keep executing, with their network access, after the last window is closed.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_background_processing
Identifiers and References

References:  DTBC0017








if ! grep -q BackgroundModeEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'BackgroundModeEnabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'BackgroundModeEnabled'.*/\"'BackgroundModeEnabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Use of Cleartext Passwords   [ref]

Chromium can reveal saved passwords in cleartext on its password manager settings page. This should be disabled by setting PasswordManagerAllowShowPasswords to false in the Chromium policy file.
Rationale:
Displaying cleartext passwords would allow another individual to read a password by shoulder surfing, and anyone with access to an unlocked session to recover every saved credential.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords
Identifiers and References

References:  DTBC0010








if ! grep -q PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'PasswordManagerAllowShowPasswords'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'PasswordManagerAllowShowPasswords'.*/\"'PasswordManagerAllowShowPasswords'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Cloud Print Sharing   [ref]

Chromium can share printers connected to the system through Google Cloud Print, acting as a proxy between the cloud service and local printers. To disable printer sharing, set CloudPrintProxyEnabled to false in the Chromium policy file. Google Cloud Print was discontinued at the end of 2020, so on current releases this policy has no effect.
Rationale:
Google Chromium can act as a proxy between Google Cloud Print and legacy printers connected to the machine, and any user can enable the proxy by authenticating with a personal Google account. Documents sent through the proxy then transit servers outside organizational control.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_cloud_print_sharing
Identifiers and References

References:  DTBC0023








if ! grep -q CloudPrintProxyEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'CloudPrintProxyEnabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'CloudPrintProxyEnabled'.*/\"'CloudPrintProxyEnabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Chromium's Ability to Traverse Firewalls   [ref]

RemoteAccessHostFirewallTraversal lets a Chrome Remote Desktop host use STUN servers and relays to accept connections through NAT and the local firewall. This ability should be disabled by setting RemoteAccessHostFirewallTraversal to false in the Chromium policy file, so that a remote access host can only accept connections from clients on the local network.
Rationale:
Remote connections should never be allowed to bypass the system firewall, as there is no way to verify that they can be trusted.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_firewall_traversal
Identifiers and References

References:  DTBC0001








if ! grep -q RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'RemoteAccessHostFirewallTraversal'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'RemoteAccessHostFirewallTraversal'.*/\"'RemoteAccessHostFirewallTraversal'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Data Synchronization to Google   [ref]

Google Sync uploads browser data to Google's servers so that it can be shared between a user's devices. To disable it, set SyncDisabled to true in the Chromium policy file.
Rationale:
Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_google_sync
Identifiers and References

References:  DTBC0020








if ! grep -q SyncDisabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'SyncDisabled'": 'true',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'SyncDisabled'.*/\"'SyncDisabled'\": 'true',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Incognito Mode   [ref]

Incognito Mode allows users to browse in private which prevents monitoring and validating user browsing habits. This capability should be disabled by setting IncognitoModeAvailability to 1 in the Chromium policy file.
Rationale:
Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_incognito_mode
Identifiers and References

References:  DTBC0030








# 1 = Incognito mode disabled; the policy takes an integer, not a boolean.
if ! grep -q IncognitoModeAvailability /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'IncognitoModeAvailability'": '1',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'IncognitoModeAvailability'.*/\"'IncognitoModeAvailability'\": '1',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Metrics Reporting   [ref]

Chromium can send anonymized usage statistics and crash reports to Google. This should be disabled by setting MetricsReportingEnabled to false in the Chromium policy file.
Rationale:
Usage and crash-related data is sent to Google. A crash report contains a snapshot of the browser's memory, which can include sensitive information such as page content or credentials.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting
Identifiers and References

References:  DTBC0026








if ! grep -q MetricsReportingEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'MetricsReportingEnabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'MetricsReportingEnabled'.*/\"'MetricsReportingEnabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Network Prediction   [ref]

To disable the network prediction feature, set DnsPrefetchingEnabled to false in the Chromium policy file. Newer Chromium releases replaced DnsPrefetchingEnabled with NetworkPredictionOptions; set that policy to 2 (never predict) on those releases.
Rationale:
This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages. These features contact hosts and fetch pages the user has not yet chosen to visit, which reveals browsing intent to those hosts and loads content from sites the user may never click.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction
Identifiers and References

References:  DTBC0025








if ! grep -q DnsPrefetchingEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'DnsPrefetchingEnabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'DnsPrefetchingEnabled'.*/\"'DnsPrefetchingEnabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Outdated Plugins   [ref]

Outdated plugins should be disabled by setting AllowOutdatedPlugins to false in the Chromium policy file.
Rationale:
Running outdated plugins could lead to system compromise through the use of known exploits. Keeping plugins updated to the most current version ensures the smallest attack surface possible.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_outdated_plugins
Identifiers and References

References:  DTBC0013








if ! grep -q AllowOutdatedPlugins /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'AllowOutdatedPlugins'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'AllowOutdatedPlugins'.*/\"'AllowOutdatedPlugins'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Chromium Password Manager   [ref]

Chromium Password Manager allows the saving and using of passwords in Chromium. This should be disabled by setting PasswordManagerEnabled to false in the Chromium policy file.
Rationale:
Saving passwords and using saved passwords in Google Chromium stores credentials in the user's profile. Malicious sites may take advantage of the automatic filling of saved passwords by using hidden fields to gain access to the stored information.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_password_manager
Identifiers and References

References:  DTBC0011








if ! grep -q PasswordManagerEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'PasswordManagerEnabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'PasswordManagerEnabled'.*/\"'PasswordManagerEnabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable All Plugins by Default   [ref]

Plugins are developed internally or by third-party sources and are designed to extend Google Chromium's functionality. All plugins should be disabled by default. To disable all plugins, set DisabledPlugins to * in the Chromium policy file; organizationally approved plugins can then be re-enabled through EnabledPlugins.
Rationale:
Plugins run native code with the browser's privileges, and users can enable or install them at will. This means they pose a high risk to any system that allows all plugins by default.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_plugin_blacklist
Identifiers and References

References:  DTBC0034








# The value is a JSON list, so it must stay inside the single-quoted sed
# expression; left unquoted, the shell word-splits it and expands the "*".
if ! grep -q DisabledPlugins /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "DisabledPlugins": [ "*" ],' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/"DisabledPlugins".*/"DisabledPlugins": [ "*" ],/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Popups   [ref]

Chromium allows you to manage whether or not unwanted pop-up windows appear. To disable pop-ups, set DefaultPopupsSetting to 2 in the Chromium policy file.
Rationale:
Pop-up windows should be disabled to prevent malicious websites from controlling pop-up windows or fooling users into clicking on the wrong window.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_popups
Identifiers and References

References:  DTBC0004








if ! grep -q DefaultPopupsSetting /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'DefaultPopupsSetting'": '2',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'DefaultPopupsSetting'.*/\"'DefaultPopupsSetting'\": '2',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Insecure And Obsolete Protocol Schemas   [ref]

Each access to a URL is handled by the browser according to the URL's "scheme", the section before the ":". The term "protocol" is often used loosely for "scheme"; the scheme determines how the browser handles a URL, whereas the protocol is how the browser communicates with a service. To disable insecure and obsolete schemes, set URLBlacklist to javascript://* in the Chromium policy file (newer Chromium releases call this policy URLBlocklist). The javascript://* pattern blocks all javascript: URLs, which otherwise run script in the context of the current page when entered in the address bar or triggered from a bookmark.
Rationale:
If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_protocol_schemas
Identifiers and References

References:  DTBC0021



var_url_blacklist='javascript://*'

# The value is a JSON list of strings, so quote the pattern; using '|' as the
# sed delimiter avoids having to escape the slashes in it.
if ! grep -q URLBlacklist /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e "/{/a \\  \"URLBlacklist\": [ \"${var_url_blacklist}\" ]," /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e "s|\"URLBlacklist\".*|\"URLBlacklist\": [ \"${var_url_blacklist}\" ],|g" /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Saved Passwords   [ref]

Chromium can import saved passwords from another browser's profile, on first run or on demand. Disable this by setting ImportSavedPasswords to false in the Chromium policy file.
Rationale:
Importing of saved passwords should be disabled, as it could make account passwords that another browser stored unencrypted on the system visible in Chromium.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_saved_passwords
Identifiers and References

References:  DTBC0029








if ! grep -q ImportSavedPasswords /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'ImportSavedPasswords'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'ImportSavedPasswords'.*/\"'ImportSavedPasswords'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Search Suggestion   [ref]

Chromium tries to guess what users are searching for when users enter search data in the search Omnibox. This should be disabled by setting SearchSuggestEnabled to false in the Chromium policy file.
Rationale:
Search suggestions should be disabled because the text typed in the omnibox is sent to the search provider keystroke by keystroke, before the user submits anything. This leaks partial queries, internal hostnames and mistyped data, and could lead to searches being conducted that were never intended.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_search_suggestions
Identifiers and References

References:  DTBC0027








if ! grep -q SearchSuggestEnabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'SearchSuggestEnabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'SearchSuggestEnabled'.*/\"'SearchSuggestEnabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Session Cookies   [ref]

CookiesSessionOnlyForUrls lists the URL patterns whose cookies are discarded when the session ends. This profile sets it to none, which is written to the Chromium policy file as the empty list []; replace the empty list with the organizationally approved URL patterns if particular sites must receive session-only cookies.
Rationale:
Cookies should only be allowed per session, and only for approved URLs, because persistently stored cookies can be stolen and replayed or used for long-term tracking.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_session_cookies
Identifiers and References

References:  DTBC0045








# An empty list is the JSON form of "none"; a bare [none] is not valid JSON
# and would make Chromium discard the whole policy file.
if ! grep -q CookiesSessionOnlyForUrls /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "CookiesSessionOnlyForUrls": [],' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/"CookiesSessionOnlyForUrls".*/"CookiesSessionOnlyForUrls": [],/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable 3rd Party Cookies   [ref]

Third-party cookies should not be enabled. To disable them, set BlockThirdPartyCookies to true in the Chromium policy file.
Rationale:
Third-party cookies are cookies set by page elements that do not belong to the domain shown in the browser's address bar. Blocking them prevents embedded content from other domains from setting cookies, which is the main mechanism for cross-site tracking.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disable_thirdparty_cookies
Identifiers and References

References:  DTBC0015








if ! grep -q BlockThirdPartyCookies /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'BlockThirdPartyCookies'": 'true',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'BlockThirdPartyCookies'.*/\"'BlockThirdPartyCookies'\": 'true',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Disable Location Tracking   [ref]

By default, websites may ask for the device's physical location through the Geolocation API. Location tracking should be disabled by setting DefaultGeolocationSetting to 2 in the Chromium policy file, which denies all location requests without prompting the user.
Rationale:
Website tracking is the practice of gathering information about which websites a browser has accessed and, with geolocation, from where. If the information on what sites are being accessed, and the physical location they are accessed from, is made available to unauthorized persons, this violates confidentiality requirements and over time poses a significant OPSEC issue.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_disallow_location_tracking
Identifiers and References

References:  DTBC0002








if ! grep -q DefaultGeolocationSetting /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'DefaultGeolocationSetting'": '2',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'DefaultGeolocationSetting'.*/\"'DefaultGeolocationSetting'\": '2',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Enable Only Approved Plugins   [ref]

An organization might need to use internally or third-party developed plugins. Any organizationally approved plugin should be enabled. To enable approved plugins, set EnabledPlugins to the list of organizationally approved plugins in the Chromium policy file.
Rationale:
The allowlist should only contain organizationally approved plugins, so that a user cannot accidentally allow a malicious plugin.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_enable_approved_plugins
Identifiers and References

References:  DTBC0035



# Comma-separated list of double-quoted plugin names approved by the
# organization; leave empty to enable no plugins.
var_enable_approved_plugins=''

# set var to empty string if None
if [ "$var_enable_approved_plugins" = "None" ]; then
    var_enable_approved_plugins=""
fi

# Using '|' as the sed delimiter means plugin names containing '/' need no escaping.
if ! grep -q EnabledPlugins /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e "/{/a \\  \"EnabledPlugins\": [ ${var_enable_approved_plugins} ]," /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e "s|\"EnabledPlugins\".*|\"EnabledPlugins\": [ ${var_enable_approved_plugins} ],|g" /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule   Enable Saving the Browser History   [ref]

Users can enable or disable the saving of browser history in Chromium. Browser history should be retained by setting SavingBrowserHistoryDisabled to false in the Chromium policy file.
Rationale:
Best practice requires that browser history is retained.
Severity: 
unknown
Rule ID:xccdf_org.ssgproject.content_rule_chromium_enable_browser_history
Identifiers and References

References:  DTBC0039








if ! grep -q SavingBrowserHistoryDisabled /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'SavingBrowserHistoryDisabled'": 'false',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'SavingBrowserHistoryDisabled'.*/\"'SavingBrowserHistoryDisabled'\": 'false',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule: Enable Encrypted Searching

Specifies the URL of the search engine used when doing a default search. The URL should contain the string {searchTerms}. To set the URL of the search engine, set DefaultSearchProviderSearchURL to https://www.google.com/#q={searchTerms} in the Chromium policy file.
Rationale:
When doing internet searches, it is important to use an encrypted connection via https.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_enable_encrypted_searching
Identifiers and References
References: DTBC0008

# Remediation: set the default search provider to an https URL.
var_enable_encrypted_searching='https://www.google.com/#q={searchTerms}'

# escape every '/' in the URL so it is safe inside the sed replacement below
var_enable_encrypted_searching_modified="$(printf '%s' "${var_enable_encrypted_searching}" | sed 's/\//\\\//g')"

if ! grep -q '"DefaultSearchProviderSearchURL"' /etc/chromium/policies/managed/chrome_stig_policy.json; then
   # key absent: insert it (quoted, as a JSON string) right after the opening brace
   sed -i -e '/{/a \  "DefaultSearchProviderSearchURL": "'"${var_enable_encrypted_searching}"'",' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   # key present: replace the existing line
   sed -i -e 's/"DefaultSearchProviderSearchURL".*/"DefaultSearchProviderSearchURL": "'"${var_enable_encrypted_searching_modified}"'",/' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule: Enable the Safe Browsing Feature

Chromium has the capability to check URLs for known malware and phishing associated with websites through the Safe Browsing feature. This can be enabled by setting SafeBrowsingEnabled to true in the Chromium policy file.
Rationale:
Safe Browsing uses a signature database to test sites when they are loaded to ensure that sites do not contain any known malware.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_enable_safe_browsing
Identifiers and References
References: DTBC0038

# Remediation: turn on Safe Browsing by setting SafeBrowsingEnabled to true.
if ! grep -q '"SafeBrowsingEnabled"' /etc/chromium/policies/managed/chrome_stig_policy.json; then
   # key absent: insert it right after the opening brace
   sed -i -e '/{/a \  "SafeBrowsingEnabled": true,' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   # key present: replace the existing line
   sed -i -e 's/"SafeBrowsingEnabled".*/"SafeBrowsingEnabled": true,/' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule: Enable Only Approved Extensions

An organization might need to use an internal or third-party developed extension. Any organizationally approved extension should be enabled. To enable approved extensions, set ExtensionInstallWhitelist to oiigbmnaadbkfbmpbfijlflahbdbdgdf in the Chromium policy file. If there are no approved extensions, ExtensionInstallWhitelist should be set to oiigbmnaadbkfbmpbfijlflahbdbdgdf.
Rationale:
The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidentally whitelisting a malicious extension.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_extension_whitelist
Identifiers and References
References: DTBC0003

# Remediation: restrict installable extensions to the approved ID.
# ExtensionInstallWhitelist is a list policy; this variable holds one extension ID.
var_extension_whitelist='oiigbmnaadbkfbmpbfijlflahbdbdgdf'

# escape every '/' so the value is safe inside the sed replacement below
var_extension_whitelist_modified="$(printf '%s' "${var_extension_whitelist}" | sed 's/\//\\\//g')"

if ! grep -q '"ExtensionInstallWhitelist"' /etc/chromium/policies/managed/chrome_stig_policy.json; then
   # key absent: insert the ID as a one-element JSON list right after the opening brace
   sed -i -e '/{/a \  "ExtensionInstallWhitelist": ["'"${var_extension_whitelist}"'"],' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   # key present: replace the existing line
   sed -i -e 's/"ExtensionInstallWhitelist".*/"ExtensionInstallWhitelist": ["'"${var_extension_whitelist_modified}"'"],/' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule: Set Chromium's HTTP Authentication Scheme

To set Chromium's default HTTP authentication scheme, set AuthSchemes to negotiate in the Chromium policy file.
Rationale:
Specifies which HTTP authentication schemes are supported by Google Chromium.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_http_authentication
Identifiers and References
References: DTBC0012

# Remediation: restrict the supported HTTP authentication schemes.
var_auth_schema='negotiate'

if ! grep -q '"AuthSchemes"' /etc/chromium/policies/managed/chrome_stig_policy.json; then
   # key absent: insert it (quoted, as a JSON string) right after the opening brace
   sed -i -e '/{/a \  "AuthSchemes": "'"${var_auth_schema}"'",' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   # key present: replace the existing line
   sed -i -e 's/"AuthSchemes".*/"AuthSchemes": "'"${var_auth_schema}"'",/' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule: Require Outdated Plugins to be Authorized

Chromium should prompt users for authorization to run outdated plugins. This can be enabled by setting AlwaysAuthorizePlugins to false in the Chromium policy file.
Rationale:
Outdated plugins can compromise security and should request authorization from the user before running.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization
Identifiers and References
References: DTBC0014

# Remediation: require user authorization for outdated plugins.
if ! grep -q '"AlwaysAuthorizePlugins"' /etc/chromium/policies/managed/chrome_stig_policy.json; then
   # key absent: insert it right after the opening brace
   sed -i -e '/{/a \  "AlwaysAuthorizePlugins": false,' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   # key present: replace the existing line
   sed -i -e 's/"AlwaysAuthorizePlugins".*/"AlwaysAuthorizePlugins": false,/' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule: Ensure the Chromium Policy Configuration File Exists

Chromium can be configured with numerous policies and settings. These settings can be set so that a user is unable to edit or change them. To prevent users from setting or changing Chromium settings, a JavaScript Object Notation (JSON) file (with the .json extension) must exist in /etc/chromium/policies/managed.

  • Refer to https://www.chromium.org/administrators/policy-list-3 for a list of currently supported Chromium policies.
  • Refer to https://www.chromium.org/administrators/policy_templates for pre-created Chromium JSON policy files.

Warning: If the .json file in /etc/chromium/policies/managed is not formatted correctly, no policies will be configured or set correctly.
Rationale:
The Chromium policy file must exist, as this file contains configuration settings set by the system administrator to meet organizational and/or security requirements.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_policy_file
Identifiers and References

# Remediation: create the managed policy file and make sure it is a JSON object.
CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"

# create the managed policy directory if missing (world-readable, root-writable)
if [ ! -d "${CHROME_POL_DIR}" ] ; then
   mkdir -p "${CHROME_POL_DIR}"
   chmod 755 "${CHROME_POL_DIR}"
fi

# create the policy file if missing
if [ ! -f "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ] ; then
   touch "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
   chmod 644 "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

# ensure the file has a line starting with '{'; the other remediations
# insert their keys right after it
if ! grep -q -E '^\{' "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ; then
   if [ -s "${CHROME_POL_DIR}/${CHROME_POL_FILE}" ] ; then
      sed -i '1s/^/{\n/' "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
   else
      echo "{" >> "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
   fi
fi

# ensure the last line closes the JSON object
if ! tail -1 "${CHROME_POL_DIR}/${CHROME_POL_FILE}" | grep -q -E '^\}' ; then
   echo "}" >> "${CHROME_POL_DIR}/${CHROME_POL_FILE}"
fi

Rule: Set the Default Home Page

When a browser is started, the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. To set the default home page, set HomepageLocation to about:blank in the Chromium policy file.
Rationale:
If no home page is defined, there is a possibility that a URL to a malicious site may be used as a home page, which could effectively cause a denial of service to the browser.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_trusted_home_page
Identifiers and References
References: DTBC0048

# Remediation: set the default home page to an approved location.
var_trusted_home_page='about:blank'

# escape every '/' so the value is safe inside the sed replacement below
var_trusted_home_page_modified="$(printf '%s' "${var_trusted_home_page}" | sed 's/\//\\\//g')"

if ! grep -q '"HomepageLocation"' /etc/chromium/policies/managed/chrome_stig_policy.json; then
   # key absent: insert it (quoted, as a JSON string) right after the opening brace
   sed -i -e '/{/a \  "HomepageLocation": "'"${var_trusted_home_page}"'",' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   # key present: replace the existing line
   sed -i -e 's/"HomepageLocation".*/"HomepageLocation": "'"${var_trusted_home_page_modified}"'",/' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Rule: Enable Plugins for Only Approved URLs

In some cases, plugins used by organizationally approved websites may be allowed for those websites. Configure the approved URLs allowed to run plugins by setting PluginsAllowedForUrls to the organizationally approved URLs in the Chromium policy file. If there are no approved URLs, this should be set to none.
Rationale:
Only approved plugins for approved sites should be allowed to be utilized.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_whitelist_plugin_urls
Identifiers and References
References: DTBC0051

# Remediation: allow plugins only on approved URLs. PluginsAllowedForUrls is a
# list policy, so "none" (no approved URLs) is written as an empty JSON list.
if ! grep -q '"PluginsAllowedForUrls"' /etc/chromium/policies/managed/chrome_stig_policy.json; then
   # key absent: insert it right after the opening brace
   sed -i -e '/{/a \  "PluginsAllowedForUrls": [],' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   # key present: replace the existing line
   sed -i -e 's/"PluginsAllowedForUrls".*/"PluginsAllowedForUrls": [],/' /etc/chromium/policies/managed/chrome_stig_policy.json
fi
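The remediations in this section edit the policy file with sed, and the warning under the policy-file rule notes that a malformed file leaves every policy unset. The following audit script is an added example, not part of the SCAP Security Guide content: it parses a managed-policy file, reports a trailing comma or an unquoted value, and compares the result against the settings these rules specify. The sample documents are constructed here and do not come from any real system.

```python
import json
import re

# Baseline values taken from the rules in this section of the guide.
EXPECTED = {
    "SavingBrowserHistoryDisabled": False,
    "SafeBrowsingEnabled": True,
    "AlwaysAuthorizePlugins": False,
    "AuthSchemes": "negotiate",
    "HomepageLocation": "about:blank",
}
# Policies whose value must be a JSON list of strings, not a bare word.
LIST_POLICIES = ("EnabledPlugins", "ExtensionInstallWhitelist", "PluginsAllowedForUrls")

def load_policy(text):
    """Parse a managed-policy file; return (policy or None, findings)."""
    findings = []
    # The sed remediations insert '"Key": value,' right after '{', so a file
    # with a single policy ends with a trailing comma; strict JSON rejects it.
    cleaned = re.sub(r",(\s*)}", r"\1}", text)
    if cleaned != text:
        findings.append("trailing comma before closing brace")
    try:
        policy = json.loads(cleaned)
    except json.JSONDecodeError as exc:
        return None, findings + [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    return policy, findings

def audit_policy(text):
    """Return every deviation from this section's settings (empty list = compliant)."""
    policy, findings = load_policy(text)
    if policy is None:
        return findings
    for key, want in EXPECTED.items():
        if key not in policy:
            findings.append(f"{key}: missing")
        elif policy[key] != want:
            findings.append(f"{key}: is {policy[key]!r}, expected {want!r}")
    url = policy.get("DefaultSearchProviderSearchURL")
    if not isinstance(url, str) or not url.startswith("https://") or "{searchTerms}" not in url:
        findings.append("DefaultSearchProviderSearchURL: must be an https URL containing {searchTerms}")
    for key in LIST_POLICIES:
        if key in policy and not isinstance(policy[key], list):
            findings.append(f"{key}: must be a JSON list, got {type(policy[key]).__name__}")
    return findings

# Constructed samples; BROKEN is what sed leaves when a string value is unquoted.
COMPLIANT = json.dumps({**EXPECTED, "ExtensionInstallWhitelist": ["oiigbmnaadbkfbmpbfijlflahbdbdgdf"],
                        "DefaultSearchProviderSearchURL": "https://www.google.com/#q={searchTerms}"})
BROKEN = '{\n  "AuthSchemes": negotiate,\n}'
```

Run audit_policy on the contents of /etc/chromium/policies/managed/chrome_stig_policy.json after applying the remediations; an empty list means the file parses and matches this section.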
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.