Disable All Extensions by Default

An XCCDF Rule

Description

Extensions are developed by third party sources and are designed to extend Google Chromium's functionality. As an extension can be made by anyone, all extensions should be blacklisted from installation by default. To blacklist all extensions, set the ExtensionInstallBlacklist to * in the Chromium policy file.

Rationale

Extensions can access almost anything on a system. This means they pose a high risk to any system that would allow all extensions to be installed by default.

ID: xccdf_org.ssgproject.content_rule_chromium_blacklist_extension_installation
Severity: Unknown
References: DTBC0006
Updated: over 1 year ago

Remediation Templates

if ! grep -q ExtensionInstallBlocklist /etc/chromium/policies/managed/chrome_stig_policy.json; then
   sed -i -e '/{/a \  "'ExtensionInstallBlocklist'": '[ "*" ]',' /etc/chromium/policies/managed/chrome_stig_policy.json
else
   sed -i -e 's/\"'ExtensionInstallBlocklist'.*/\"'ExtensionInstallBlocklist'\": '[ "*" ]',/g' /etc/chromium/policies/managed/chrome_stig_policy.json
fi

Disable All Extensions by Default

Description

Rationale

Remediation Templates

A Shell Script