Group
Guide to the Secure Configuration of Chromium
Group contains 1 group and 37 rules
Group
Chromium
Group contains 37 rules
Chromium is an open-source web browser, powered by WebKit (Blink),
and developed by Google. Web browsers such as Chromium are used for a number of
reasons. This section provides settings for configuring Chromium policies to
meet compliance settings for Chromium running on Red Hat Enterprise Linux
systems.
Refer to https://www.chromium.org/administrators/policy-list-3 for
a list of currently supported Chromium policies.
Refer to https://www.chromium.org/administrators/policy_templates for
pre-created Chromium JSON policy files.
Rule
Disable All Extensions by Default
Description: Extensions are developed by third party sources and are designed to extend
Google Chromium's functionality. As an extension can be made by anyone, all extensions
should be blacklisted from installation by default. To blacklist all extensions, set
ExtensionInstallBlacklist to * in the Chromium policy file.
Rationale: Extensions can access almost anything on a system. This means they pose a high risk
to any system that would allow all extensions to be installed by default.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_blacklist_extension_installation
Rule
Prevent Desktop Notifications
Description: Chromium by default allows websites to display notifications on the desktop.
To disable this setting, set DefaultNotificationsSetting to 2
in the Chromium policy file.
Rationale: Disabling Chromium's ability to display notifications on the desktop helps prevent
malicious websites from controlling desktop notifications or fooling users into
clicking on a potentially compromised notification.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_block_desktop_notifications
Rule
Enable Online OCSP/CRL Certificate Checks
Description: Certificates can become compromised, and Chromium should check that the
certificates in its store are valid by setting EnableOnlineRevocationChecks
to true in the Chromium policy file.
Rationale: Certificates are revoked when they have been compromised or are no longer valid,
and this option protects users from submitting confidential data to a site that
may be fraudulent or not secure.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_check_cert_revocation
Rule
Block Plugins by Default
Description: By default, websites are allowed to automatically run plugins.
Users should instead be prompted before a plugin is allowed to execute, by setting
DefaultPluginsSetting to 3 in the Chromium policy file.
Rationale: Websites should not be allowed to automatically run plugins as the plugins
may be outdated or compromised.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_default_block_plugins
Rule
Enable the Default Search Provider
Description: By default, users can change search provider settings. To disable this, set
DefaultSearchProviderEnabled to true in the Chromium policy file.
Rationale: A default search is performed when the user types text in the omnibox that is not a URL.
This should be organizationally defined and not allowed to be changed by a user.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_default_search_provider
Rule
Set the Default Search Provider's URL
Description: Specifies the URL of the default search provider that is to be used. To set the URL of the
default search provider, set DefaultSearchProviderName to https://www.google.com in the Chromium policy file.
Rationale: When doing internet searches, it is important to set an organizationally approved search
provider as well as use an encrypted connection via https.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_default_search_provider_name
Rule
Disable the 3D Graphics APIs
Description: Chromium uses WebGL to render graphics using the GPU, which allows websites
access to the GPU. This should be disabled by setting Disable3DAPIs
to true in the Chromium policy file.
Rationale: This setting prevents web pages from accessing the graphics processing unit
(GPU). Specifically, web pages cannot access the WebGL API and plugins cannot
use the Pepper 3D API, which reduces the attack surface.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_3d_graphics_api
Rule
Disable the AutoFill Feature
Description: The AutoFill feature suggests possible matches when users are filling in forms. To
disable the AutoFill feature, set AutoFillEnabled to false in
the Chromium policy file.
Rationale: It is possible with the AutoFill feature that it will cache sensitive data and store
it in the user's profile, where it might not be protected as rigorously as required by
organizational policy.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_autocomplete
Rule
Disable Automatic Search And Installation of Plugins
Description: Chromium will automatically detect, search for, and install plugins as required. This
should be disabled by setting DisablePluginFinder to true in the
Chromium policy file.
Rationale: The automatic search and installation of missing plugins should be
disabled as this can cause significant risk if an unapproved or vulnerable plugin were
to be installed without proper permissions or authorization.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_automatic_installation
Rule
Disable Background Processing
Description: Chromium can be set to run at all times and process in the background. This
should be disabled by setting BackgroundModeEnabled to false
in the Chromium policy file.
Rationale: There are two reasons that this is not wanted. First, it can tie up system
resources that might otherwise be needed. Second, it does not make it
obvious to the user that it is running, and poorly written extensions could
cause instability on the system.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_background_processing
Rule
Disable Use of Cleartext Passwords
Description: Chromium allows users to import and store passwords in cleartext. This should be
disabled by setting PasswordManagerAllowShowPasswords to false
in the Chromium policy file.
Rationale: Cleartext passwords would allow another individual to see a password via shoulder surfing.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords
Rule
Disable Cloud Print Sharing
Description: Chromium has cloud sharing capabilities, including sharing printers connected to the
system. This is done via a proxy. To disable printer sharing, set CloudPrintProxyEnabled
to false in the Chromium policy file.
Rationale: Google Chromium has the capability to act as a proxy between Google Cloud Print
and legacy printers connected to the machine. Users can then enable the cloud
print proxy by authenticating with their Google account.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_cloud_print_sharing
Rule
Disable Chromium's Ability to Traverse Firewalls
Description: Chromium has the ability to bypass and ignore the system firewall. This
ability should be disabled. To disable this setting, set
RemoteAccessHostFirewallTraversal to false in the
Chromium policy file.
Rationale: Remote connections should never be allowed to bypass the system firewall
as there is no way to verify if they can be trusted.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_firewall_traversal
Rule
Disable Data Synchronization to Google
Description: Disable Google Sync by setting SyncDisabled to true in the Chromium policy file.
Rationale: Google Sync is used to sync information between different user devices;
this data is then stored on Google owned servers. The synced data may consist
of information such as email, calendars, viewing history, etc. This feature must
be disabled because the organization does not have control over the servers the
data is stored on.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_google_sync
Rule
Disable Incognito Mode
Description: Incognito Mode allows users to browse in private, which prevents monitoring
and validating user browsing habits. This capability should be disabled by
setting IncognitoModeAvailability to 1 in the Chromium
policy file.
Rationale: Incognito mode allows the user to browse the Internet without recording their
browsing history/activity. From a forensics perspective, this is unacceptable.
Best practice requires that browser history is retained.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_incognito_mode
Rule
Disable Metrics Reporting
Description: Whenever Chromium crashes, it sends its usage and crash-related data to Google.
This should be disabled by setting MetricsReportingEnabled to
false in the Chromium policy file.
Rationale: Anonymous reporting of usage and crash-related data is sent to Google.
A crash report could contain sensitive information from the computer's memory.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting
Rule
Disable Network Prediction
Description: To disable the network prediction feature, set DnsPrefetchingEnabled
to false in the Chromium policy file.
Rationale: This controls not only DNS prefetching but also TCP and SSL preconnection
and prerendering of web pages.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction
Rule
Disable Outdated Plugins
Description: Outdated plugins should be disabled by setting AllowOutdatedPlugins
to false in the Chromium policy file.
Rationale: Running outdated plugins could lead to system compromise through the use
of known exploits. Having plugins updated to the most current version
ensures the smallest attack surface possible.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_outdated_plugins
Rule
Disable Chromium Password Manager
Description: Chromium Password Manager allows the saving and using of passwords in Chromium. This
should be disabled by setting PasswordManagerEnabled to false in
the Chromium policy file.
Rationale: This policy enables saving passwords and using saved passwords in Google Chromium. Malicious
sites may take advantage of this feature by using hidden fields to gain access
to the stored information.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_password_manager
Rule
Disable All Plugins by Default
Description: Plugins are developed internally or by third party sources and are designed to extend
Google Chromium's functionality. All plugins should be blacklisted from
installation by default. To blacklist all plugins, set DisabledPlugins
to * in the Chromium policy file.
Rationale: Plugins can access almost anything on a system and users can enable or install them
at will. This means they pose a high risk to any system that would allow all plugins
to be installed by default.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_plugin_blacklist
Rule
Disable Insecure And Obsolete Protocol Schemas
Description: Each access to a URL is handled by the browser according to the URL's "scheme".
The "scheme" of a URL is the section before the ":". The term "protocol" is often
mistakenly used for a "scheme". The difference is that the scheme is how the browser
handles a URL and the protocol is how the browser communicates with a service. To
disable insecure and obsolete protocol schemas, set URLBlacklist to
javascript://* in the Chromium policy file.
Rationale: If a scheme or its associated protocol used by a browser is insecure or obsolete,
vulnerabilities can be exploited resulting in exposed data or unrestricted access
to the browser's system.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_protocol_schemas
Rule
Disable Saved Passwords
Description: Disable by setting ImportSavedPasswords to false in the Chromium
policy file.
Rationale: Importing of saved passwords should be disabled as it could lead to
unencrypted account passwords stored on the system from another browser
being viewed.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_saved_passwords
Rule
Disable Search Suggestion
Description: Chromium tries to guess what users are searching for when users enter
search data in the search Omnibox. This should be disabled by
setting SearchSuggestEnabled to false in the Chromium
policy file.
Rationale: Search suggestion should be disabled as it could lead to searches being conducted
that were never intended to be made.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_search_suggestions
Rule
Disable Session Cookies
Description: To set the sites for which cookies are session-only, set CookiesSessionOnlyForUrls
to none in the Chromium policy file.
Rationale: Cookies should only be allowed per session and only for approved URLs, as
permanently stored cookies can be used for malicious intent.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_session_cookies
Rule
Disable 3rd Party Cookies
Description: Third party cookies should not be enabled. To disable third party cookies,
set BlockThirdPartyCookies to true in the Chromium policy
file.
Rationale: Third party cookies are cookies which can be set by web page elements that
are not from the domain that is in the browser's address bar. This setting prevents
cookies from being set by web page elements that are not from the domain
that is in the browser's address bar.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disable_thirdparty_cookies
Rule
Disable Location Tracking
Description: Location tracking is enabled by default and can track users' browsing habits.
Location tracking should be disabled by setting DefaultGeolocationSetting
to 2 in the Chromium policy file.
Rationale: Website tracking is the practice of gathering information as to which websites
were accessed by a browser. The common method of doing this is to have a website
create a tracking cookie on the browser. If the information of what sites are
being accessed is made available to unauthorized persons, this violates
confidentiality requirements, and over time poses a significant OPSEC issue.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_disallow_location_tracking
Rule
Enable Only Approved Plugins
Description: An organization might need to use internally or third party developed plugins. Any
organizationally approved plugin should be enabled. To enable approved plugins,
set EnabledPlugins to the list of organizationally approved plugins
in the Chromium policy file.
Rationale: The whitelist should only contain organizationally approved plugins. This is to prevent
a user from accidentally whitelisting a malicious plugin.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_enable_approved_plugins
Rule
Enable Saving the Browser History
Description: Users can enable or disable the saving of browser history in Chromium. Browser
history should be retained by setting SavingBrowserHistoryDisabled to
false in the Chromium policy file.
Rationale: Best practice requires that browser history is retained.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_enable_browser_history
Rule
Enable Encrypted Searching
Description: Specifies the URL of the search engine used when doing a default search.
The URL should contain the string {searchTerms}. To set the URL of the
search engine, set DefaultSearchProviderSearchURL to
https://www.google.com/#q={searchTerms} in the Chromium policy file.
Rationale: When doing internet searches, it is important to use an encrypted connection via https.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_enable_encrypted_searching
Rule
Enable the Safe Browsing Feature
Description: Chromium has the capability to check URLs for known malware and phishing
associated with websites through the Safe Browsing feature. This can be
enabled by setting SafeBrowsingEnabled to true in the Chromium
policy file.
Rationale: Safe Browsing uses a signature database to test sites as they are loaded
to ensure that sites do not contain any known malware.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_enable_safe_browsing
Rule
Enable Only Approved Extensions
Description: An organization might need to use an internally or third party developed extension. Any
organizationally approved extension should be enabled. To enable approved extensions,
set ExtensionInstallWhitelist to oiigbmnaadbkfbmpbfijlflahbdbdgdf
in the Chromium policy file.
If there are no approved extensions, ExtensionInstallWhitelist should be set to
oiigbmnaadbkfbmpbfijlflahbdbdgdf.
Rationale: The whitelist should only contain organizationally approved extensions. This is to prevent
a user from accidentally whitelisting a malicious extension.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_extension_whitelist
Rule
Set Chromium's HTTP Authentication Scheme
Description: To set Chromium's default HTTP authentication scheme, set AuthSchemes to negotiate in the Chromium policy file.
Rationale: Specifies which HTTP authentication schemes are supported by Google Chromium.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_http_authentication
Rule
Require Outdated Plugins to be Authorized
Description: Chromium should prompt users for authorization to run outdated plugins. This
can be enabled by setting AlwaysAuthorizePlugins to false
in the Chromium policy file.
Rationale: Outdated plugins can compromise security and should request authorization from
the user before running.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization
Rule
Ensure the Chromium Policy Configuration File Exists
Description: Chromium can be configured with numerous policies and settings. These
settings can be set so that a user is unable to edit or change them.
To prevent users from setting or changing Chromium settings, a
JavaScript Object Notation (JSON) file (with the .json
extension) must exist in /etc/chromium/policies/managed.
- Refer to https://www.chromium.org/administrators/policy-list-3 for
a list of currently supported Chromium policies.
- Refer to https://www.chromium.org/administrators/policy_templates for
pre-created Chromium JSON policy files.
Warning: If the .json file in /etc/chromium/policies/managed is not formatted correctly,
no policies will be configured or set correctly.
Rationale: The Chromium policy file must exist as this file contains configuration
settings set by the system administrator to meet organizational and/or
security requirements.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_policy_file
Rule
Set the Default Home Page
Description: When a browser is started, the first web page displayed is the "home page".
While the home page can be selected by the user, the default home page needs
to be defined to display an approved page. To set the default home page,
set HomepageLocation to about:blank
in the Chromium policy file.
Rationale: If no home page is defined then there is a possibility that a URL to a malicious
site may be used as a home page, which could effectively cause a denial of service
to the browser.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_trusted_home_page
Rule
Enable Plugins for Only Approved URLs
Description: In some cases, plugins utilized by organizationally approved websites may be allowed
to be used by those websites. Configure the approved URLs allowed to run plugins by
setting PluginsAllowedForUrls to the organizationally approved URLs
in the Chromium policy file. If there are no approved URLs, this should be set
to none.
Rationale: Only approved plugins for approved sites should be allowed to be utilized.
Severity: unknown
Rule ID: xccdf_org.ssgproject.content_rule_chromium_whitelist_plugin_urls
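All of the settings in this guide are delivered through a single JSON file under /etc/chromium/policies/managed, and the policy-file rule warns that a malformed file silently applies nothing. The following Python script is an added example, not part of this guide or of the SCAP Security Guide project: it assembles the guide's policy values into one managed policy file and audits an existing file against them, reporting unparseable JSON as a finding in its own right. Its assumptions are labelled in the code: the JSON value types (lists for ExtensionInstallBlacklist, ExtensionInstallWhitelist, DisabledPlugins, EnabledPlugins, URLBlacklist, CookiesSessionOnlyForUrls and PluginsAllowedForUrls; booleans and integers elsewhere) follow the Chromium policy list the guide links to; EnabledPlugins and PluginsAllowedForUrls are left as empty lists for the organization to fill, so the audit only checks that they are present and are lists; and the file name ssg-chromium.json is arbitrary.

```python
"""Write and audit a Chromium managed-policy JSON file holding the settings
from this guide.  Added example, not code from the guide or the SSG project.
Assumptions: value types follow the Chromium policy list the guide links to;
EnabledPlugins / PluginsAllowedForUrls are organization-specific and left
empty; the file name ssg-chromium.json is arbitrary."""
import json
import os

POLICY_DIR = "/etc/chromium/policies/managed"  # directory named by the guide

# Policy name -> value, one entry per rule in this guide.
BASELINE = {
    "ExtensionInstallBlacklist": ["*"],
    "ExtensionInstallWhitelist": ["oiigbmnaadbkfbmpbfijlflahbdbdgdf"],
    "DefaultNotificationsSetting": 2,
    "EnableOnlineRevocationChecks": True,
    "DefaultPluginsSetting": 3,
    "DefaultSearchProviderEnabled": True,
    "DefaultSearchProviderName": "https://www.google.com",
    "DefaultSearchProviderSearchURL": "https://www.google.com/#q={searchTerms}",
    "Disable3DAPIs": True,
    "AutoFillEnabled": False,
    "DisablePluginFinder": True,
    "BackgroundModeEnabled": False,
    "PasswordManagerAllowShowPasswords": False,
    "PasswordManagerEnabled": False,
    "ImportSavedPasswords": False,
    "CloudPrintProxyEnabled": False,
    "RemoteAccessHostFirewallTraversal": False,
    "SyncDisabled": True,
    "IncognitoModeAvailability": 1,
    "MetricsReportingEnabled": False,
    "DnsPrefetchingEnabled": False,
    "AllowOutdatedPlugins": False,
    "AlwaysAuthorizePlugins": False,
    "DisabledPlugins": ["*"],
    "EnabledPlugins": [],         # organization fills in approved plugins
    "PluginsAllowedForUrls": [],  # organization fills in approved URLs
    "URLBlacklist": ["javascript://*"],
    "SearchSuggestEnabled": False,
    "CookiesSessionOnlyForUrls": [],
    "BlockThirdPartyCookies": True,
    "DefaultGeolocationSetting": 2,
    "SavingBrowserHistoryDisabled": False,
    "SafeBrowsingEnabled": True,
    "AuthSchemes": "negotiate",
    "HomepageLocation": "about:blank",
}

# Contents of these lists are organization-specific (assumption): the audit
# checks only that they are present and are lists.
ORG_DEFINED = {"EnabledPlugins", "PluginsAllowedForUrls", "ExtensionInstallWhitelist"}


def build_policy():
    """Return a copy of the baseline that callers may tailor before writing."""
    return {k: (list(v) if isinstance(v, list) else v) for k, v in BASELINE.items()}


def render_policy(policy):
    """Serialise a policy dict in the JSON form Chromium reads."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


def write_policy(policy, directory=POLICY_DIR, name="ssg-chromium.json"):
    """Write the policy into the managed directory; returns the path written."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_policy(policy))
    return path


def audit_policy(text, baseline=BASELINE):
    """Compare the text of a managed policy file against the baseline.

    Returns a list of finding strings; an empty list means compliant.  JSON
    that does not parse is a finding because, as the guide warns, Chromium
    then applies no policies at all."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON (no policies will apply): {exc.msg} at line {exc.lineno}"]
    if not isinstance(policy, dict):
        return ["policy file must contain a JSON object"]
    findings = []
    for key, expected in sorted(baseline.items()):
        if key not in policy:
            findings.append(f"{key}: missing (expected {expected!r})")
            continue
        actual = policy[key]
        if key in ORG_DEFINED:
            if not isinstance(actual, list):
                findings.append(f"{key}: {actual!r} is not a list")
        # Check the type before the value: JSON 1 compares equal to Python True.
        elif type(actual) is not type(expected) or actual != expected:
            findings.append(f"{key}: {actual!r} (expected {expected!r})")
    return findings


if __name__ == "__main__":
    # Print the baseline; as root, write_policy(build_policy()) installs it.
    print(render_policy(build_policy()), end="")
```

Run it without arguments to print the baseline JSON for review; to audit a deployed file, pass its contents to audit_policy (for example `audit_policy(open(path).read())`) and treat any non-empty result as a compliance failure. The type check in the audit matters because a hand-edited file with `"SyncDisabled": 1` would otherwise compare equal to `true` in Python even though it is not the boolean the policy expects.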