Guide to the Secure Configuration of Google Chromium
with profile Upstream STIG for Google Chromium

This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Google Chromium STIG. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Google Chromium, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Profile Title | Upstream STIG for Google Chromium |
---|---|
Profile ID | xccdf_org.ssgproject.content_profile_stig-chromium-upstream |
Revision History
Current version: 0.1.31
- draft (as of 2017-02-12)
Platforms
- cpe:/a:google:chromium-browser
Table of Contents
Checklist
contains 37 rules
Chromium [ref] group
Chromium is an open-source web browser, powered by WebKit (Blink), and developed by Google. Web browsers such as Chromium are used for a number of reasons. This section provides settings for configuring Chromium policies to meet compliance settings for Chromium running on Red Hat Enterprise Linux systems. Refer to
JSON policy files.
contains 37 rules
Ensure the Chromium Policy Configuration File Exists [ref] rule
Chromium can be configured with numerous policies and settings. These settings can be set so that a user is unable to edit or change them. To prevent users from setting or changing Chromium settings, a
warning: If the .json file in /etc/chromium/policies/managed is not formatted correctly, no policies will be configured or set correctly.
rationale: The Chromium policy file must exist, as this file contains the configuration settings set by the system administrator to meet organizational and/or security requirements.
identifiers: DISA FSO
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Chromium's Ability to Traverse Firewalls [ref] rule
Chromium has the ability to bypass and ignore the system firewall. This ability should be disabled. To disable this setting, set
rationale: Remote connections should never be allowed to bypass the system firewall, as there is no way to verify whether they can be trusted.
identifiers: DISA FSO DTBC0001
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Prevent Desktop Notifications [ref] rule
Chromium by default allows websites to display notifications on the desktop. To disable this setting, set
rationale: Disabling Chromium's ability to display notifications on the desktop helps prevent malicious websites from controlling desktop notifications or fooling users into clicking on a potentially compromised notification.
identifiers: DISA FSO DTBC0003
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Popups [ref] rule
Chromium allows you to manage whether or not unwanted pop-up windows appear. To disable pop-ups, set
rationale: Pop-up windows should be disabled to prevent malicious websites from controlling pop-up windows or fooling users into clicking on the wrong window.
identifiers: DISA FSO DTBC0004
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Location Tracking [ref] rule
Location tracking is enabled by default and can track users' browsing habits. Location tracking should be disabled by setting
rationale: Website tracking is the practice of gathering information as to which websites were accessed by a browser. The common method of doing this is to have a website create a tracking cookie in the browser. If the information about which sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements and, over time, poses a significant OPSEC issue.
identifiers: DISA FSO DTBC0002
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable All Extensions by Default [ref] rule
Extensions are developed by third party sources and are designed to extend Google Chromium's functionality. As an extension can be made by anyone, all extensions should be blacklisted from installation by default. To blacklist all extensions, set the
rationale: Extensions can access almost anything on a system. This means they pose a high risk to any system that would allow all extensions to be installed by default.
identifiers: DISA FSO DTBC0006
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable Only Approved Extensions [ref] rule
An organization might need to use an internal or third party developed extension. Any organizationally approved extension should be enabled. To enable approved extensions, set
rationale: The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidentally whitelisting a malicious extension.
identifiers: DISA FSO DTBC0003
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Set the Default Search Provider's URL [ref] rule
Specifies the URL of the default search provider that is to be used. To set the URL of the default search provider, set
rationale: When doing internet searches, it is important to set an organizationally approved search provider as well as to use an encrypted connection via https.
identifiers: DISA FSO DTBC0007
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable Encrypted Searching [ref] rule
Specifies the URL of the search engine used when doing a default search. The URL should contain the string
rationale: When doing internet searches, it is important to use an encrypted connection via https.
identifiers: DISA FSO DTBC0008
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable the Default Search Provider [ref] rule
By default, users can change search provider settings. To disable this, set
rationale: A default search is performed when the user types text in the omnibox that is not a URL. This should be organizationally defined and not allowed to be changed by a user.
identifiers: DISA FSO DTBC0009
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Use of Cleartext Passwords [ref] rule
Chromium allows users to import and store passwords in cleartext. This should be disabled by setting
rationale: Cleartext passwords would allow another individual to see a password via shoulder surfing.
identifiers: DISA FSO DTBC0010
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Chromium Password Manager [ref] rule
Chromium Password Manager allows the saving and using of passwords in Chromium. This should be disabled by setting
rationale: This feature enables saving passwords and using saved passwords in Google Chromium. Malicious sites may take advantage of this feature by using hidden fields to gain access to the stored information.
identifiers: DISA FSO DTBC0011
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Set Chromium's HTTP Authentication Scheme [ref] rule
To set Chromium's default HTTP authentication scheme, set
rationale: Specifies which HTTP authentication schemes are supported by Google Chromium.
identifiers: DISA FSO DTBC0012
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Outdated Plugins [ref] rule
Outdated plugins should be disabled by setting
rationale: Running outdated plugins could lead to system compromise through the use of known exploits. Keeping plugins updated to the most current version ensures the smallest attack surface possible.
identifiers: DISA FSO DTBC0013
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Require Outdated Plugins to be Authorized [ref] rule
Chromium should prompt users for authorization to run outdated plugins. This can be enabled by setting
rationale: Outdated plugins can compromise security and should request authorization from the user before running.
identifiers: DISA FSO DTBC0014
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable 3rd Party Cookies [ref] rule
Third party cookies should be disabled. To disable third party cookies, set
rationale: Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. This setting prevents cookies from being set by such elements.
identifiers: DISA FSO DTBC0015
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Background Processing [ref] rule
Chromium can be set to run at all times and process in the background. This should be disabled by setting
rationale: There are two reasons this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that Chromium is running, and poorly written extensions could cause instability on the system.
identifiers: DISA FSO DTBC0017
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable the 3D Graphics APIs [ref] rule
Chromium uses WebGL to render graphics using the GPU, which allows websites access to the GPU. This should be disabled by setting
rationale: This setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API, in order to reduce the attack surface.
identifiers: DISA FSO DTBC0019
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Data Synchronization to Google [ref] rule
Google Sync is used to sync information between different user devices; this data is then stored on Google-owned servers. The synced data may consist of information such as email, calendars, viewing history, etc.
rationale: This feature must be disabled because the organization does not have control over the servers on which the data is stored.
identifiers: DISA FSO DTBC0020
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Insecure And Obsolete Protocol Schemas [ref] rule
Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. To disable insecure and obsolete protocol schemas, set
rationale: If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited, resulting in exposed data or unrestricted access to the browser's system.
identifiers: DISA FSO DTBC0021
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable the AutoFill Feature [ref] rule
The AutoFill feature suggests possible matches when users are filling in forms. To disable the AutoFill feature, set
rationale: It is possible that the AutoFill feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy.
identifiers: DISA FSO DTBC0022
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Cloud Print Sharing [ref] rule
Chromium has cloud sharing capabilities, including sharing printers connected to the system. This is done via a proxy. To disable printer sharing, set
rationale: Google Chromium has the capability to act as a proxy between Google Cloud Print and legacy printers connected to the machine. Users can then enable the cloud print proxy by authenticating with their Google account.
identifiers: DISA FSO DTBC0023
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Network Prediction [ref] rule
To disable the network prediction feature, set
rationale: This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages.
identifiers: DISA FSO DTBC0025
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Metrics Reporting [ref] rule
Whenever Chromium crashes, it sends its usage and crash-related data to Google. This should be disabled by setting
rationale: Anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory.
identifiers: DISA FSO DTBC0026
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Search Suggestion [ref] rule
Chromium tries to guess what users are searching for when users enter search data in the search Omnibox. This should be disabled by setting
rationale: Search suggestion should be disabled, as it could lead to searches being conducted that were never intended to be made.
identifiers: DISA FSO DTBC0027
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Saved Passwords [ref] rule
Disable by setting
rationale: Importing of saved passwords should be disabled, as it could allow unencrypted account passwords stored on the system by another browser to be viewed.
identifiers: DISA FSO DTBC0029
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Incognito Mode [ref] rule
Incognito Mode allows users to browse in private, which prevents monitoring and validating user browsing habits. This capability should be disabled by setting
rationale: Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained.
identifiers: DISA FSO DTBC0030
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable All Plugins by Default [ref] rule
Plugins are developed internally or by third party sources and are designed to extend Google Chromium's functionality. All plugins should be blacklisted from installation by default. To blacklist all plugins, set
rationale: Plugins can access almost anything on a system, and users can enable or install them at will. This means they pose a high risk to any system that would allow all plugins to be installed by default.
identifiers: DISA FSO DTBC0034
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable Only Approved Plugins [ref] rule
An organization might need to use an internal or third party developed plugin. Any organizationally approved plugin should be enabled. To enable approved plugins, set
rationale: The whitelist should only contain organizationally approved plugins. This is to prevent a user from accidentally whitelisting a malicious plugin.
identifiers: DISA FSO DTBC0035
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Automatic Search And Installation of Plugins [ref] rule
Chromium will automatically detect, search for, and install plugins as required. This should be disabled by setting
rationale: The automatic search and installation of missing or not installed plugins should be disabled, as this can cause significant risk if an unapproved or vulnerable plugin were to be installed without proper permissions or authorization.
identifiers: DISA FSO DTBC0036
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable Online OCSP/CRL Certificate Checks [ref] rule
Certificates can become compromised, and Chromium should check that the certificates in its store are valid by setting
rationale: Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.
identifiers: DISA FSO DTBC0037
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable the Safe Browsing Feature [ref] rule
Chromium has the capability to check URLs for known malware and phishing associated with websites through the Safe Browsing feature. This can be enabled by setting
rationale: Safe Browsing uses a signature database to test sites as they are being loaded, to ensure that sites do not contain any known malware.
identifiers: DISA FSO DTBC0038
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable Saving the Browser History [ref] rule
Users can enable or disable the saving of browser history in Chromium. Browser history should be retained by setting
rationale: Best practice requires that browser history is retained.
identifiers: DISA FSO DTBC0039
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Block Plugins by Default [ref] rule
By default, websites are allowed to automatically run plugins. Users should instead be prompted before a plugin is allowed to execute, by setting
rationale: Websites should not be allowed to automatically run plugins, as the plugins may be outdated or compromised.
identifiers: DISA FSO DTBC0040
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Disable Session Cookies [ref] rule
To configure session-only cookies for sites, set
rationale: Cookies should only be allowed per session, and only for approved URLs, as permanently stored cookies can be used for malicious intent.
identifiers: DISA FSO DTBC0045
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Set the Default Home Page [ref] rule
When a browser is started, the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. To set the default home page, set
rationale: If no home page is defined, there is a possibility that a URL to a malicious site may be used as a home page, which could effectively cause a denial of service to the browser.
identifiers: DISA FSO DTBC0048
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
Enable Plugins for Only Approved URLs [ref] rule
In some cases, plugins utilized by organizationally approved websites may be allowed to be used by those websites. Configure the approved URLs allowed to run plugins by setting
rationale: Only approved plugins for approved sites should be allowed to be utilized.
identifiers: DISA FSO DTBC0051
references: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, http://iase.disa.mil/stigs/cci/Pages/index.aspx
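The first rule above warns that a malformed .json file in /etc/chromium/policies/managed silently leaves every policy unset. The following is an added example, not part of this guide or of the scap-security-guide project, of a small checker that parses the managed policy directory, reports malformed files instead of skipping them, and compares the merged result against a subset of the rules in this catalog. The Chromium policy key names are ones known to the editor (the text of this page omits them), and the mapping from DTBC identifiers to keys and values is an editor assumption rather than SSG's own OVAL check.

```python
import json
import os
import tempfile

# Expected values for a subset of this guide's rules. The policy keys are
# Chromium policy names known to the editor (this page's text omits them);
# the rule-to-key mapping is an editor assumption, not SSG's own OVAL check.
BASELINE = {
    "DTBC0001": ("RemoteAccessHostFirewallTraversal", False),
    "DTBC0002": ("DefaultGeolocationSetting", 2),    # 2 = block
    "DTBC0003": ("DefaultNotificationsSetting", 2),  # 2 = block
    "DTBC0004": ("DefaultPopupsSetting", 2),         # 2 = block
    "DTBC0006": ("ExtensionInstallBlacklist", ["*"]),
    "DTBC0015": ("BlockThirdPartyCookies", True),
    "DTBC0020": ("SyncDisabled", True),
    "DTBC0026": ("MetricsReportingEnabled", False),
    "DTBC0030": ("IncognitoModeAvailability", 1),    # 1 = disabled
    "DTBC0037": ("EnableOnlineRevocationChecks", True),
    "DTBC0038": ("SafeBrowsingEnabled", True),
    "DTBC0039": ("SavingBrowserHistoryDisabled", False),
}

def load_managed_policies(policy_dir):
    """Parse every .json file under policy_dir and return (merged, errors).
    A file that is not valid JSON, or whose top level is not an object, is
    reported rather than skipped: Chromium applies nothing from such a file.
    Later files override earlier keys here (merge order is an assumption)."""
    merged, errors = {}, []
    if not os.path.isdir(policy_dir):
        return merged, ["missing directory: %s" % policy_dir]
    for name in sorted(os.listdir(policy_dir)):
        if not name.endswith(".json"):
            continue
        try:
            with open(os.path.join(policy_dir, name)) as fh:
                data = json.load(fh)
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            errors.append("%s: invalid JSON (%s)" % (name, exc))
            continue
        if not isinstance(data, dict):
            errors.append("%s: top level must be a JSON object" % name)
            continue
        merged.update(data)
    if not merged and not errors:
        errors.append("no policy file found in %s" % policy_dir)
    return merged, errors

def evaluate(policies, baseline=BASELINE):
    """Map each STIG id in the baseline to 'pass' or 'fail'."""
    return {
        stig_id: "pass" if policies.get(key) == expected else "fail"
        for stig_id, (key, expected) in baseline.items()
    }

def demo():
    """Constructed sample: a compliant baseline file plus a malformed file
    that was meant to supply SyncDisabled, so DTBC0020 is reported as fail."""
    policy_dir = tempfile.mkdtemp()
    good = {k: v for k, v in BASELINE.values() if k != "SyncDisabled"}
    with open(os.path.join(policy_dir, "00-baseline.json"), "w") as fh:
        json.dump(good, fh)
    with open(os.path.join(policy_dir, "10-sync.json"), "w") as fh:
        fh.write('{"SyncDisabled": true,}')  # trailing comma: invalid JSON
    policies, errors = load_managed_policies(policy_dir)
    return evaluate(policies), errors
```

Pointing load_managed_policies at /etc/chromium/policies/managed on a real host checks the deployed files; the constructed sample in demo() exists only to show the malformed-file failure mode offline.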