Guide to the Secure Configuration of Google Chromium

with profile Upstream STIG for Google Chromium

This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Google Chromium STIG. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a *catalog, not a checklist,* and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF *Profiles*, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Google Chromium, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
| Profile Title | Upstream STIG for Google Chromium |
|---|---|
| Profile ID | xccdf_org.ssgproject.content_profile_stig-chromium-upstream |
Revision History
Current version: 0.1.39
- draft (as of 2018-05-04)
Platforms
- cpe:/a:google:chromium-browser
Table of Contents
Checklist (contains 37 rules)
**Chromium** (group)
Chromium is an open-source web browser, powered by WebKit (Blink), and developed by Google. Web browsers such as Chromium are used for a number of reasons. This section provides settings for configuring Chromium policies to meet compliance settings for Chromium running on Red Hat Enterprise Linux systems. Refer to JSON policy files.
contains 37 rules

**Disable Session Cookies** (rule)
To restrict sites to session-only cookies, set

Rationale: Cookies should only be allowed per session and only for approved URLs, as permanently stored cookies can be used for malicious intent.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0045

**Disable Search Suggestion** (rule)
Chromium tries to guess what users are searching for when users enter search data in the search Omnibox. This should be disabled by setting

Rationale: Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0027

**Set the Default Search Provider's URL** (rule)
Specifies the URL of the default search provider that is to be used. To set the URL of the default search provider, set

Rationale: When doing internet searches, it is important to set an organizationally approved search provider as well as use an encrypted connection via https.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0007

**Enable Saving the Browser History** (rule)
Users can enable or disable the saving of browser history in Chromium. Browser history should be retained by setting

Rationale: Best practice requires that browser history is retained.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0039

**Disable the 3D Graphics APIs** (rule)
Chromium uses WebGL to render graphics using the GPU, which allows websites access to the GPU. This should be disabled by setting

Rationale: This setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API, in order to reduce the attack surface.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0019

**Disable Background Processing** (rule)
Chromium can be set to run at all times and process in the background. This should be disabled by setting

Rationale: There are two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running, and poorly written extensions could cause instability on the system.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0017

**Disable All Plugins by Default** (rule)
Plugins are developed internally or by third-party sources and are designed to extend Google Chromium's functionality. All plugins should be blacklisted from installation by default. To blacklist all plugins, set

Rationale: Plugins can access almost anything on a system, and users can enable or install them at will. This means they pose a high risk to any system that would allow all plugins to be installed by default.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0034

**Enable the Default Search Provider** (rule)
By default, users can change search provider settings. To disable this, set

Rationale: A default search is performed when the user types text in the omnibox that is not a URL. This should be organizationally defined and not allowed to be changed by a user.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0009

**Ensure the Chromium Policy Configuration File Exists** (rule)
Chromium can be configured with numerous policies and settings. These settings can be set so that a user is unable to edit or change them. To prevent users from setting or changing Chromium settings, a

Rationale: The Chromium policy file must exist as this file contains configuration settings set by the System's Administrator to meet organization and/or security requirements.

Severity: unknown; Identifiers: CCE-

**Disable Automatic Search And Installation of Plugins** (rule)
Chromium will automatically detect, search for, and install plugins as required. This should be disabled by setting

Rationale: The automatic search and installation of missing or not installed plugins should be disabled, as this can cause significant risk if an unapproved or vulnerable plugin were to be installed without proper permissions or authorization.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0036

**Enable Only Approved Plugins** (rule)
An organization might need to use internal or third-party developed plugins. Any organizationally approved plugin should be enabled. To enable approved plugins, set

Rationale: The whitelist should only contain organizationally approved plugins. This is to prevent a user from accidentally whitelisting a malicious plugin.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0035

**Disable Location Tracking** (rule)
Location tracking is enabled by default and can track users' browsing habits. Location tracking should be disabled by setting

Rationale: Website tracking is the practice of gathering information as to which websites were accessed by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements and over time poses a significant OPSEC issue.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0002

**Set the Default Home Page** (rule)
When a browser is started, the first web page displayed is the "home page". While the home page can be selected by the user, the default home page needs to be defined to display an approved page. To set the default home page, set

Rationale: If no home page is defined, then there is a possibility that a URL to a malicious site may be used as a home page, which could effectively cause a denial of service to the browser.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0048

**Enable Plugins for Only Approved URLs** (rule)
In some cases, plugins utilized by organizationally approved websites may be allowed to be used by those websites. Configure the approved URLs allowed to run plugins by setting

Rationale: Only approved plugins for approved sites should be allowed to be utilized.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0051

**Disable Saved Passwords** (rule)
Disable by setting

Rationale: Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser being viewed.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0029

**Disable Popups** (rule)
Chromium allows you to manage whether or not unwanted pop-up windows appear. To disable pop-ups, set

Rationale: Pop-up windows should be disabled to prevent malicious websites from controlling pop-up windows or fooling users into clicking on the wrong window.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0004

**Disable Incognito Mode** (rule)
Incognito Mode allows users to browse in private, which prevents monitoring and validating user browsing habits. This capability should be disabled by setting

Rationale: Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0030

**Disable Chromium's Ability to Traverse Firewalls** (rule)
Chromium has the ability to bypass and ignore the system firewall. This ability should be disabled. To disable this setting, set

Rationale: Remote connections should never be allowed to bypass the system firewall as there is no way to verify if they can be trusted.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0001

**Set Chromium's HTTP Authentication Scheme** (rule)
To set Chromium's default HTTP authentication scheme, set

Rationale: Specifies which HTTP authentication schemes are supported by Google Chromium.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0012

**Enable the Safe Browsing Feature** (rule)
Chromium has the capability to check URLs for known malware and phishing associated with websites through the Safe Browsing feature. This can be enabled by setting

Rationale: Safe Browsing uses a signature database to test sites when they are loaded, to ensure that sites do not contain any known malware.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0038

**Require Outdated Plugins to be Authorized** (rule)
Chromium should prompt users for authorization to run outdated plugins. This can be enabled by setting

Rationale: Outdated plugins can compromise security and should request authorization from the user before running.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0014

**Block Plugins by Default** (rule)
By default, websites are allowed to automatically run plugins. Users should be prompted before websites are allowed to execute plugins by setting

Rationale: Websites should not be allowed to automatically run plugins as the plugins may be outdated or compromised.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0040

**Enable Encrypted Searching** (rule)
Specifies the URL of the search engine used when doing a default search. The URL should contain the string

Rationale: When doing internet searches, it is important to use an encrypted connection via https.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0008

**Disable Outdated Plugins** (rule)
Outdated plugins should be disabled by setting

Rationale: Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins updated to the most current version ensures the smallest attack surface possible.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0013

**Enable Only Approved Extensions** (rule)
An organization might need to use an internal or third-party developed extension. Any organizationally approved extension should be enabled. To enable approved extensions, set

Rationale: The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidentally whitelisting a malicious extension.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0003

**Disable the AutoFill Feature** (rule)
The AutoFill feature suggests possible matches when users are filling in forms. To disable the AutoFill feature, set

Rationale: It is possible with the AutoFill feature that it will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0022

**Enable Online OCSP/CRL Certificate Checks** (rule)
Certificates can become compromised, and Chromium should check that the certificates in its store are valid by setting

Rationale: Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0037

**Prevent Desktop Notifications** (rule)
Chromium by default allows websites to display notifications on the desktop. To disable this setting, set

Rationale: Disabling Chromium's ability to display notifications on the desktop helps prevent malicious websites from controlling desktop notifications or fooling users into clicking on a potentially compromised notification.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0003

**Disable Data Synchronization to Google** (rule)

Rationale: Google Sync is used to sync information between different user devices; this data is then stored on Google-owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0020

**Disable 3rd Party Cookies** (rule)
Third-party cookies should be disabled. To disable third-party cookies, set

Rationale: Third-party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. This setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0015

**Disable Metrics Reporting** (rule)
Whenever Chromium crashes, it sends its usage and crash-related data to Google. This should be disabled by setting

Rationale: Anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0026

**Disable Insecure And Obsolete Protocol Schemes** (rule)
Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. To disable insecure and obsolete protocol schemes, set

Rationale: If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited, resulting in exposed data or unrestricted access to the browser's system.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0021

**Disable Chromium Password Manager** (rule)
Chromium Password Manager allows the saving and using of passwords in Chromium. This should be disabled by setting

Rationale: Enables saving passwords and using saved passwords in Google Chromium. Malicious sites may take advantage of this feature by using hidden fields to gain access to the stored information.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0011

**Disable All Extensions by Default** (rule)
Extensions are developed by third-party sources and are designed to extend Google Chromium's functionality. As an extension can be made by anyone, all extensions should be blacklisted from installation by default. To blacklist all extensions, set the

Rationale: Extensions can access almost anything on a system. This means they pose a high risk to any system that would allow all extensions to be installed by default.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0006

**Disable Network Prediction** (rule)
To disable the network prediction feature, set

Rationale: This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0025

**Disable Cloud Print Sharing** (rule)
Chromium has cloud sharing capabilities, including sharing printers connected to the system. This is done via a proxy. To disable printer sharing, set

Rationale: Google Chromium has the capability to act as a proxy between Google Cloud Print and legacy printers connected to the machine. Users can then enable the cloud print proxy by authenticating with their Google account.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0023

**Disable Use of Cleartext Passwords** (rule)
Chromium allows users to import and store passwords in cleartext. This should be disabled by setting

Rationale: Cleartext passwords would allow another individual to see passwords via shoulder surfing.

Severity: unknown; Identifiers: CCE-; References: DISA FSO DTBC0010
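The rules above are enforced on Linux through JSON policy files in Chromium's managed policy directory. The following is an added example, not part of the SCAP Security Guide content or of its OVAL checks: a small Python checker that merges the managed policy files, compares a subset of the rules against expected values, and reports every setting that is missing or wrong. The policy names and values (for example `SearchSuggestEnabled`, `IncognitoModeAvailability`, `ExtensionInstallBlacklist`) are assumptions taken from Chromium's documented enterprise policy list, not from this page, and the directory path `/etc/chromium/policies/managed/` is likewise an assumption; the sample policies are constructed for the demonstration.

```python
"""Compliance check for Chromium managed-policy JSON files.

Added example, not SSG or OVAL content. Policy names, values and the
managed-policy directory below are assumptions from Chromium's documented
enterprise policy list, not taken from the guide text.
"""
import json
import tempfile
from pathlib import Path
from typing import Any

# Assumed default location of the managed (admin-controlled) policy files.
MANAGED_POLICY_DIR = Path("/etc/chromium/policies/managed")

# Expected values for a subset of the rules above (assumed policy names).
EXPECTED_POLICY: dict[str, Any] = {
    "SearchSuggestEnabled": False,               # Disable Search Suggestion
    "SavingBrowserHistoryDisabled": False,       # Enable Saving the Browser History
    "Disable3DAPIs": True,                       # Disable the 3D Graphics APIs
    "BackgroundModeEnabled": False,              # Disable Background Processing
    "DefaultSearchProviderEnabled": True,        # Enable the Default Search Provider
    "DefaultGeolocationSetting": 2,              # Disable Location Tracking (2 = block)
    "DefaultPopupsSetting": 2,                   # Disable Popups (2 = block)
    "IncognitoModeAvailability": 1,              # Disable Incognito Mode (1 = disabled)
    "RemoteAccessHostFirewallTraversal": False,  # Disable Ability to Traverse Firewalls
    "SafeBrowsingEnabled": True,                 # Enable the Safe Browsing Feature
    "AutoFillEnabled": False,                    # Disable the AutoFill Feature
    "EnableOnlineRevocationChecks": True,        # Enable Online OCSP/CRL Checks
    "DefaultNotificationsSetting": 2,            # Prevent Desktop Notifications (2 = block)
    "SyncDisabled": True,                        # Disable Data Synchronization to Google
    "BlockThirdPartyCookies": True,              # Disable 3rd Party Cookies
    "MetricsReportingEnabled": False,            # Disable Metrics Reporting
    "PasswordManagerEnabled": False,             # Disable Chromium Password Manager
    "NetworkPredictionOptions": 2,               # Disable Network Prediction (2 = never)
    "CloudPrintProxyEnabled": False,             # Disable Cloud Print Sharing
    "ImportSavedPasswords": False,               # Disable Saved Passwords
    "PasswordManagerAllowShowPasswords": False,  # Disable Use of Cleartext Passwords
}


def load_managed_policies(policy_dir: Path) -> dict[str, Any]:
    """Merge every *.json file in the managed policy directory.

    Files are merged in sorted name order, so a later file overrides keys
    set by an earlier one. This directory should be root-owned and not
    writable by the browser's user, otherwise the policy can be edited away.
    """
    merged: dict[str, Any] = {}
    for path in sorted(policy_dir.glob("*.json")):
        with path.open(encoding="utf-8") as fh:
            merged.update(json.load(fh))
    return merged


def check_chromium_policy(policy: dict[str, Any]) -> list[str]:
    """Return one finding string per checked rule the policy does not satisfy."""
    findings: list[str] = []
    for key, want in EXPECTED_POLICY.items():
        if key not in policy:
            findings.append(f"{key}: not set (expected {want!r})")
        elif policy[key] != want:
            findings.append(f"{key}: is {policy[key]!r}, expected {want!r}")
    # Disable All Extensions by Default: the blacklist must carry the wildcard.
    blacklist = policy.get("ExtensionInstallBlacklist")
    if not isinstance(blacklist, list) or "*" not in blacklist:
        findings.append("ExtensionInstallBlacklist: must contain '*'")
    # Default Search Provider URL / Enable Encrypted Searching: https only.
    url = policy.get("DefaultSearchProviderSearchURL", "")
    if not isinstance(url, str) or not url.startswith("https://"):
        findings.append("DefaultSearchProviderSearchURL: must be an https:// URL")
    return findings


def write_policy_file(policy_dir: Path, name: str, policy: dict[str, Any]) -> Path:
    """Write a policy dictionary as a JSON file into the managed directory."""
    policy_dir.mkdir(parents=True, exist_ok=True)
    path = policy_dir / name
    path.write_text(json.dumps(policy, indent=2) + "\n", encoding="utf-8")
    return path


# Constructed sample: a hardened policy body satisfying every check above.
HARDENED_POLICY: dict[str, Any] = {
    **EXPECTED_POLICY,
    "ExtensionInstallBlacklist": ["*"],
    "DefaultSearchProviderSearchURL": "https://search.example.org/?q={searchTerms}",
}

# Constructed sample: a weak policy body (most keys missing, some set wrongly).
WEAK_POLICY: dict[str, Any] = {
    "SearchSuggestEnabled": True,
    "IncognitoModeAvailability": 0,
    "ExtensionInstallBlacklist": [],
    "DefaultSearchProviderSearchURL": "http://search.example.org/?q={searchTerms}",
}


def demo_roundtrip() -> list[str]:
    """Write the hardened sample to a temporary managed directory, reload and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        policy_dir = Path(tmp) / "policies" / "managed"
        write_policy_file(policy_dir, "stig.json", HARDENED_POLICY)
        return check_chromium_policy(load_managed_policies(policy_dir))


if __name__ == "__main__":
    target = MANAGED_POLICY_DIR if MANAGED_POLICY_DIR.is_dir() else None
    findings = check_chromium_policy(load_managed_policies(target)) if target else demo_roundtrip()
    for line in findings or ["all checked rules satisfied"]:
        print(line)
```

Run as a script it checks the live managed directory when it exists and otherwise demonstrates the round trip on a temporary copy of the hardened sample. Rules whose value the page leaves unspecified (the HTTP authentication schemes, the URL blacklist, the home page) are deliberately not checked here; an organization would add them with the values its own baseline defines.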