kriterion 0.0.1

data/standards/stig_google_chrome_browser.json

@@ -0,0 +1,209 @@
+{
+  "name": "stig_google_chrome_browser",
+  "date": "2017-06-20",
+  "description": "The Google Chrome Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil",
+  "title": "Google Chrome Browser STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-44711",
+      "title": "Firewall traversal from remote host must be disabled.",
+      "description": "Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled.\t",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44713",
+      "title": "Sites ability for showing desktop notifications must be disabled.",
+      "description": "Chrome by default allows websites to display notifications on the desktop.  This check allows you to set whether or not this is permitted.  Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.    \n   1 = Allow sites to show desktop notifications    \n   2 = Do not allow any site to show desktop notifications    \n   3 = Ask every time a site wants to show desktop notifications\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-44719",
+      "title": "Sites ability to show pop-ups must be disabled.",
+      "description": "Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window.  If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.  If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.    \n   1 = Allow all sites to show pop-ups    \n   2 = Do not allow any site to show pop-ups\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44723",
+      "title": "Site tracking users location must be disabled.",
+      "description": "Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser.   If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.\t\n   1 = Allow sites to track the user’s physical location\t\n   2 = Do not allow any site to track the user’s physical location\t\n   3 = Ask whenever a site wants to track the user’s physical location\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44727",
+      "title": "Extensions installation must be blacklisted by default.",
+      "description": "Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default.  Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44729",
+      "title": "Extensions that are approved for use must be whitelisted.\n",
+      "description": "The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44733",
+      "title": "The default search providers name must be set.",
+      "description": "Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44735",
+      "title": "The default search provider URL must be set to perform encrypted searches.\n",
+      "description": "Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case.  When doing internet searches it is important to use an encrypted connection via https.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44737",
+      "title": "Default search provider must be enabled.",
+      "description": "Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44741",
+      "title": "The Password Manager must be disabled.",
+      "description": "Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44745",
+      "title": "The running of outdated plugins must be disabled.",
+      "description": "Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.",
+      "severity": "high"
+    },
+    {
+      "id": "V-44749",
+      "title": "Plugins requiring authorization must ask for user permission.",
+      "description": "Policy allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated will always run. If this setting is disabled or not set, users will be not be asked for permission to run plugins that require authorization. These are plugins that can compromise security.",
+      "severity": "high"
+    },
+    {
+      "id": "V-44751",
+      "title": "Third party cookies must be blocked.",
+      "description": "Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that.",
+      "severity": "low"
+    },
+    {
+      "id": "V-44753",
+      "title": "Background processing must be disabled.",
+      "description": "Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44757",
+      "title": "3D Graphics APIs must be disabled.",
+      "description": "Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs. Chrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44759",
+      "title": "Google Data Synchronization must be disabled.",
+      "description": "Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync.  Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44761",
+      "title": "The URL protocol schema javascript must be disabled.",
+      "description": "Each access to a URL is handled by the browser according to the URL's \"scheme\". The \"scheme\" of a URL is the section before the \":\". The term \"protocol\" is often mistakenly used for a \"scheme\". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service.  If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system.   The browser must be configured to disable the use of insecure and obsolete schemas (protocols).\nThis policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44763",
+      "title": "AutoFill must be disabled.",
+      "description": "This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44765",
+      "title": "Cloud print sharing must be disabled.",
+      "description": "Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it’s printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44769",
+      "title": "Network prediction must be disabled.",
+      "description": "Disables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44771",
+      "title": "Metrics reporting to Google must be disabled.",
+      "description": "Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44773",
+      "title": "Search suggestions must be disabled.",
+      "description": "Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44775",
+      "title": "Importing of saved passwords must be disabled.",
+      "description": "Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44777",
+      "title": "Incognito mode must be disabled.",
+      "description": "Incognito mode allows the user to browse the Internet without recording their browsing history/activity.  From a forensics perspective, this is unacceptable.  Best practice requires that browser history is retained.  The \"IncognitoModeAvailability\" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode.   \n   0 = Incognito mode available.    \n   1 = Incognito mode disabled.    \n   2 = Incognito mode forced.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44787",
+      "title": "Automated installation of missing plugins must be disabled.",
+      "description": "The automatic search and installation of missing or not installed plugins should be disabled as this can cause significant risk if a unapproved or vulnerable plugin were to be installed without proper permissions or authorization. If you set this setting to enabled the automatic search and installation of missing plugins will be disabled in Google Chrome.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44789",
+      "title": "Online revocation checks must be done.",
+      "description": "By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44791",
+      "title": "Safe Browsing must be enabled,",
+      "description": "Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Safe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44793",
+      "title": "Browser history must be saved.",
+      "description": "This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44795",
+      "title": "Default behavior must block webpages from automatically running plugins.",
+      "description": "This policy allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it.    \n   1 = Allow all sites to automatically run plugins    \n   2 = Block all plugins    \n   3 = Click to play.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44799",
+      "title": "Session only based cookies must be disabled.",
+      "description": "Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44805",
+      "title": "Browser must support auto-updates.",
+      "description": "One of the most effective defenses against exploitation of browser vulnerabilities is to ensure the version of the browser is current.   Frequent updates provide corrections to discovered vulnerabilities and the timely update reduces the window for zero day attacks.   Automatic installation of updates and patches is the most effective method for keeping the browser software current.  The browser must have the capability to install software updates and patches automatically. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-52795",
+      "title": "URLs must be whitelisted for plugin use",
+      "description": "This policy allows you to set a list of URL patterns that specify sites which are allowed to run plugins. If this policy is not set, plugins could be run from any website, including potentially malicious ones.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75165",
+      "title": "Access to history URL must be disabled.",
+      "description": "Regardless of controls in place to safeguard the Chrome browser history users may still delete individual items via the Chrome://History URL.  In order to protect against this occurrence access to Chrome://History must be blacklisted.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_google_chrome_current_windows.json

@@ -0,0 +1,215 @@
+{
+  "name": "stig_google_chrome_current_windows",
+  "date": "2018-03-13",
+  "description": "The Google Chrome Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil",
+  "title": "Google Chrome Current Windows STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-44711",
+      "title": "Firewall traversal from remote host must be disabled.",
+      "description": "Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled.\t",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44713",
+      "title": "Sites ability for showing desktop notifications must be disabled.",
+      "description": "Chrome by default allows websites to display notifications on the desktop.  This check allows you to set whether or not this is permitted.  Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.    \n   1 = Allow sites to show desktop notifications    \n   2 = Do not allow any site to show desktop notifications    \n   3 = Ask every time a site wants to show desktop notifications\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-44719",
+      "title": "Sites ability to show pop-ups must be disabled.",
+      "description": "Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window.  If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.  If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.    \n   1 = Allow all sites to show pop-ups    \n   2 = Do not allow any site to show pop-ups\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44723",
+      "title": "Site tracking users location must be disabled.",
+      "description": "Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser.   If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.\t\n   1 = Allow sites to track the user’s physical location\t\n   2 = Do not allow any site to track the user’s physical location\t\n   3 = Ask whenever a site wants to track the user’s physical location\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44727",
+      "title": "Extensions installation must be blacklisted by default.",
+      "description": "Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default.  Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44729",
+      "title": "Extensions that are approved for use must be whitelisted.\n",
+      "description": "The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44733",
+      "title": "The default search providers name must be set.",
+      "description": "Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44735",
+      "title": "The default search provider URL must be set to perform encrypted searches.\n",
+      "description": "Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case.  When doing internet searches it is important to use an encrypted connection via https.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44737",
+      "title": "Default search provider must be enabled.",
+      "description": "Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44741",
+      "title": "The Password Manager must be disabled.",
+      "description": "Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44745",
+      "title": "The running of outdated plugins must be disabled.",
+      "description": "Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.",
+      "severity": "high"
+    },
+    {
+      "id": "V-44751",
+      "title": "Third party cookies must be blocked.",
+      "description": "Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that.",
+      "severity": "low"
+    },
+    {
+      "id": "V-44753",
+      "title": "Background processing must be disabled.",
+      "description": "Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44757",
+      "title": "3D Graphics APIs must be disabled.",
+      "description": "Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs. Chrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44759",
+      "title": "Google Data Synchronization must be disabled.",
+      "description": "Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync.  Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44761",
+      "title": "The URL protocol schema javascript must be disabled.",
+      "description": "Each access to a URL is handled by the browser according to the URL's \"scheme\". The \"scheme\" of a URL is the section before the \":\". The term \"protocol\" is often mistakenly used for a \"scheme\". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service.  If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system.   The browser must be configured to disable the use of insecure and obsolete schemas (protocols).\nThis policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44763",
+      "title": "AutoFill must be disabled.",
+      "description": "This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44765",
+      "title": "Cloud print sharing must be disabled.",
+      "description": "Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it’s printers with Google Cloud Print. If this policy is not set, this will be enabled but the user will be able to change it.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44769",
+      "title": "Network prediction must be enabled.",
+      "description": "Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be disabled but the user will be able to change it.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44771",
+      "title": "Metrics reporting to Google must be disabled.",
+      "description": "Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44773",
+      "title": "Search suggestions must be disabled.",
+      "description": "Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44775",
+      "title": "Importing of saved passwords must be disabled.",
+      "description": "Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44777",
+      "title": "Incognito mode must be disabled.",
+      "description": "Incognito mode allows the user to browse the Internet without recording their browsing history/activity.  From a forensics perspective, this is unacceptable.  Best practice requires that browser history is retained.  The \"IncognitoModeAvailability\" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode.   \n   0 = Incognito mode available.    \n   1 = Incognito mode disabled.    \n   2 = Incognito mode forced.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44789",
+      "title": "Online revocation checks must be done.",
+      "description": "By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44791",
+      "title": "Safe Browsing must be enabled,",
+      "description": "Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. Safe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44793",
+      "title": "Browser history must be saved.",
+      "description": "This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44795",
+      "title": "Default behavior must block webpages from automatically running plugins.",
+      "description": "This policy allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites. If this policy is left not set, the user will be able to change this setting manually.    \n   1 = Allow all sites to automatically run Flash plugin    \n   2 = Block the Flash plugin    \n   3 = Click to play",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44799",
+      "title": "Session only based cookies must be disabled.",
+      "description": "Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44805",
+      "title": "The version of Google Chrome running on the system must be the most current available.",
+      "description": "Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the browser can introduce security vulnerabilities to the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-52795",
+      "title": "URLs must be whitelisted for plugin use",
+      "description": "This policy allows you to set a list of URL patterns that specify sites which are allowed to run the Flash plugin. If this policy is left not set, the global default value will be used for all sites either from the \"DefaultPluginsSetting\" policy if it is set, or the user’s personal configuration otherwise. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75165",
+      "title": "Deletion of browser history must be disabled.",
+      "description": "Disabling this function will prevent users from deleting their browsing history, which could be used to identify malicious websites and files that could later be used for anti-virus and Intrusion Detection System (IDS) signatures. Furthermore, preventing users from deleting browsing history could be used to identify abusive web surfing on government systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79929",
+      "title": "Prompt for download location must be enabled.",
+      "description": "If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to change this setting.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79931",
+      "title": "Download restrictions must be configured.",
+      "description": "Configure the type of downloads that Google Chrome will completely block, without letting users override the security decision. If you set this policy, Google Chrome will prevent certain types of downloads, and will not let user bypass the security warnings. When the \"Block dangerous downloads\" option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings. When the \"Block potentially dangerous downloads\" option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings of potentially dangerous downloads. When the \"Block all downloads\" option is chosen, all downloads are blocked.  When this policy is not set, (or the \"No special restrictions\" option is chosen), the downloads will go through the usual security restrictions based on SafeBrowsing analysis results.\n\nNote that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options. See https://developers.google.com/safe-browsing for more info on SafeBrowsing. \n0 = No special restrictions\n1 = Block dangerous downloads\n2 = Block potentially dangerous downloads\n3 = Block all downloads",
+      "severity": "medium"
+    },
+    {
+      "id": "V-79933",
+      "title": "AutoFill for Credit Cards must be disabled.",
+      "description": "Enabling Google Chrome's AutoFill feature allows users to auto complete credit card and address information in web forms using previously stored information. If you disable this setting, Autofill will never suggest, or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web. If you enable this setting or do not set a value, then users will be able to control the overall autofill feature (including credit cards) in the UI.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_google_chrome_draft.json

@@ -0,0 +1,281 @@
+{
+  "name": "stig_google_chrome_draft",
+  "date": "2012-09-25",
+  "description": "Google Chrome STIG Draft",
+  "title": "Google Chrome STIG Draft",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-0001",
+      "title": "Firewall traversal from remote host must be disabled",
+      "description": "Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machines even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0002",
+      "title": "Site tracking user's location must be disabled",
+      "description": "Allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.\n\t1 = Allow sites to track the users' physical location\n\t2 = Do not allow any site to track the users' physical location\n\t3 = Ask whenever a site wants to track the users' physical location\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0003",
+      "title": "sites' ability for showing desktop notifications must be disabled",
+      "description": "Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.\n    1 = Allow sites to show desktop notifications\n    2 = Do not allow any site to show desktop notifications\n    3 = Ask every time a site wants to show desktop notifications\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0004",
+      "title": "Sites' ability to show pop-ups must be disabled",
+      "description": "Allows you to set whether websites are allowed to show pop-ups. Showing popups can be either allowed for all websites or denied for all websites. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.\n    1 = Allow all sites to show pop-ups\n    2 = Do not allow any site to show popups\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0005",
+      "title": "Extensions must be blacklisted by default",
+      "description": "Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0006",
+      "title": "Extensions that are approved for use must be whitelisted",
+      "description": "Allows you to specify which extensions are not subject to the blacklist. A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0007",
+      "title": "The default search provider's name must be set",
+      "description": "Specifies the name of the default search provider. If left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0008",
+      "title": "The default search provider URL must be set",
+      "description": "Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for.\n\nThis option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0009",
+      "title": "Default search provider must be enabled",
+      "description": "Enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text In the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0010",
+      "title": "Use of cleartext passwords in the Password Manager must be disabled",
+      "description": "Controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. If you enable or do not set this policy, users can view their passwords in clear text in the password manager.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0011",
+      "title": "The Password Manager must be disabled",
+      "description": "Enables saving passwords and using saved passwords in Google Chrome. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0012",
+      "title": "The HTTP Authentication must be set to negotiate",
+      "description": "Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0013",
+      "title": "The running of outdated plugins must be disabled",
+      "description": "Allows Google Chrome to run plugins that are outdated. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0014",
+      "title": "Plugins requiring authorization must ask for user permission",
+      "description": "Allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated always run. If this setting is disabled or not set, users will be asked for permission to run plugins that require authorization. These are plugins that can compromise security.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0015",
+      "title": "Third party cookies must be blocked",
+      "description": "Blocks third party cookies. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0016",
+      "title": "Site data must not be wiped on closing the browser",
+      "description": "This policy is an override for the \"Clear cookies and other site data when I close my browser\" content settings option. When set to enabled Google Chrome will delete all locally stored data from the browser when it is shut down. If set to disabled site data will not be cleared on exit. If this policy is left not set Google Chrome will use the default which is to preserve site data on shut down and the user will be able to change this. If the \"RestoreOnStartup\" policy is set to restore URLs from previous sessions this policy will not clear cookies or other data relevant to restoring the previous browsing session completely.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0017",
+      "title": "Background processing must be disabled",
+      "description": "Determines whether a Google Chrome process is started on OS login and keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0018",
+      "title": "The SPDY protocol must be disabled",
+      "description": "Disables use of the SPDY protocol in Google Chrome. If this policy is enabled the SPDY protocol will not be available in Google Chrome. Setting this policy to disabled will allow the usage of SPDY. If this policy is left not set, SPDY will be available.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0019",
+      "title": "3D Graphics APIs must be disabled",
+      "description": "Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0020",
+      "title": "Google Data Synchronization must be disabled",
+      "description": "Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0021",
+      "title": "The URL protocol schemas \"file\" and \"javascript\" must be disabled",
+      "description": "Disables the listed protocol schemes in Google Chrome. URLs using a scheme from this list will not load and can not be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0022",
+      "title": "AutoFill must be disabled",
+      "description": "Enables Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0023",
+      "title": "Cloud print sharing must be disabled",
+      "description": "Enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it's printers with Google Cloud Print. If this policy is left not set, this will be enabled but the user will be able to change it.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0024",
+      "title": "Google Chrome Instant must be disabled",
+      "description": "Enables Google Chrome's Instant feature and prevents users from changing this setting. If you enable this setting, Google Chrome Instant is enabled. If you disable this setting, Google Chrome Instant is disabled. If you enable or disable this setting, users cannot change or override this setting. If this setting is left not set the user can decide to use this function or not.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0025",
+      "title": "Network prediction must be disabled",
+      "description": "Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0026",
+      "title": "Mestrics reporting to Google must be disabled",
+      "description": "Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0027",
+      "title": "Search suggestions must be enabled",
+      "description": "Enables search suggestions in Google Chrome's Omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0028",
+      "title": "Submitting documents to Google Print Cloud must be disabled",
+      "description": "Enables Google Chrome to submit documents to Google Cloud Print for printing. NOTE: This only affects Google Cloud Print support in Google Chrome. It does not prevent users from submitting print jobs on web sites. If this setting is enabled or not configured, users can print to Google Cloud Print from the Google Chrome print dialog. If this setting is disabled, users cannot print to Google Cloud Print from the Google Chrome print dialog\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0029",
+      "title": "Importing of saved passwords must be disabled",
+      "description": "This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0030",
+      "title": "Incognito mode must be disabled",
+      "description": "Specifies whether the user may open pages in Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode.\n    0 = Incognito mode available.\n    1 = Incognito mode disabled.\n    2 = Incognito mode forced.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0031",
+      "title": "Web store ads must be disabled",
+      "description": "When set to True, promotions for Chrome Web Store apps will not appear on the new tab page. Setting this option to False or leaving it not set will make the promotions for Chrome Web Store apps appear on the new tab page\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0032",
+      "title": "the Chrome cache location must be set",
+      "description": "Configures the directory that Google Chrome will use for storing cached files on the disk. If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--disk-cache-dir' flag or not. If this policy is left not set the default cache directory will be used and the user will be able to override it with the '--disk-cache-dir' command line flag.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0033",
+      "title": "The user data location must be set",
+      "description": "Configures the directory that Google Chrome will use for storing user data. If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0034",
+      "title": "Plugins must be disabled by default",
+      "description": "Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them. If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in 'about:plugins' and users cannot enable them. Note that this policy can be overriden by EnabledPlugins and DisabledPluginsExceptions. If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0035",
+      "title": "Plugins approved for use must be enabled",
+      "description": "Specifies a list of plugins that are enabled in Google Chrome and prevents users from changing this setting. The wildcard characters '*' and '?' can be used to match sequences of arbitrary characters. '*' matches an arbitrary number of characters while '?' specifies an optional single character, i.e. matches zero or one characters. The escape character is '\\', so to match actual '*', '?', or '\\' characters, you can put a '\\' in front of them. The specified list of plugins is always used in Google Chrome if they are installed. The plugins are marked as enabled in 'about:plugins' and users cannot disable them. Note that this policy overrides both DisabledPlugins and DisabledPluginsExceptions. If this policy is left not set the user can disable any plugin installed on the system.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0036",
+      "title": "Automated installation of missing plugins must be disabled",
+      "description": "If you set this setting to enabled the automatic search and installation of missing plugins will be disabled in Google Chrome. Setting this option to disabled or leave it not set the plugin finder will be active.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0037",
+      "title": "Online revocation checks must be done",
+      "description": "In light of the fact that soft-fail, online revocation checks provide no effective security benefit, they are disabled by default in Google Chrome version 19 and later. By setting this policy to true, the previous behaviour is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks in Chrome 19 and later.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0038",
+      "title": "Safe Browsing must be enabled",
+      "description": "Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0039",
+      "title": "Browser history must be saved",
+      "description": "Disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0040",
+      "title": "Default behavior must block plugin usage",
+      "description": "Allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it.\n    1 = Allow all sites to automatically run plugins\n    2 = Block all plugins\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0041",
+      "title": "JavaScript must be disabled by default",
+      "description": "Allows you to set a list of url patterns that specify sites which are not allowed to run JavaScript. If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0042",
+      "title": "JavaScript must be enabled for approved domains",
+      "description": "Allows you to set a list of url patterns that specify sites which are allowed to run JavaScript. If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0043",
+      "title": "Plugin usage must be disabled by default",
+      "description": "Allows you to set a list of url patterns that specify sites which are not allowed to run plugins. If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0044",
+      "title": "Site that are approved to use approved plugins must be whitelisted",
+      "description": "Allows you to set a list of url patterns that specify sites which are allowed to run plugins. If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-0045",
+      "title": "Session only based cookies must be disabled",
+      "description": "Allows you to set a list of url patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the \"RestoreOnStartup\" policy is set to restore URLs from previous sessions this policy will not be respectred and cookies will be stored permanently for those sites.\n",
+      "severity": "medium"
+    }
+  ]
+}