microsoft / PowerStig

STIG Automation
https://www.powershellgallery.com/packages/PowerSTIG
Other
544 stars 114 forks source link

V-245539 for Chrome set to disabled #1217

Open kwygant opened 1 year ago

kwygant commented 1 year ago

The current check for v-245539 deletes and registry values in the key at the time the check is run, but does not protect against someone entering a url in the registry or change an existing policy if one exists to enable.

If the value was set to "**delvals." it would set the policy to disabled and delete any values in the reg key.

Group Title: SRG-APP-000080

Rule Title: Session only based cookies must be disabled.

Discussion: Cookies set by pages matching these URL patterns will be limited to the current session, i.e. they will be deleted when the browser exits.

For URLs not covered by the patterns specified here, or for all URLs if this policy is not set, the global default value will be used either from the 'DefaultCookiesSetting' policy, if it is set, or the user's personal configuration otherwise.

Check Text: Universal method:

  1. In the omnibox (address bar) type chrome://policy.
  2. If the policy "CookiesSessionOnlyForUrls" exists and has any defined values, this is a finding.

Windows method:

  1. Start regedit.
  2. Navigate to HKLM\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls.
  3. If this key exists and has any defined values, this is a finding.

Fix Text: Windows group policy:

  1. Open the group policy editor tool with gpedit.msc
  2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings.
    • Policy Name: Limit cookies from matching URLs to the current session - Policy State: Disabled
    • Policy Value: N/A
erjenkin commented 1 year ago

Hello @kwygant ,

Can you expand on this a bit - Please update with your proposed changes to the processed STIG. A picture of the proposed registry change would be helpful.

I have not been able to find references to this: **delvals."

Thank you,

Eric

kwygant commented 1 year ago

[MS-GPREG]: New or Changed GPO List Processing | Microsoft Learnhttps://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpreg/57226664-ce00-4487-994e-a6b3820f3e49

The STIG setting is to delete all values, you can do so by adding the **delvals

From: Eric Jenkins @.> Sent: Friday, September 15, 2023 11:47 AM To: microsoft/PowerStig @.> Cc: Mention @.>; Author @.> Subject: Re: [microsoft/PowerStig] V-245539 for Chrome set to disabled (Issue #1217)

Hello @kwyganthttps://github.com/kwygant ,

Can you expand on this a bit - Please update with your proposed changes to the processed STIG.

I have not been able to find references to this: **delvals."

Thank you,

Eric

- Reply to this email directly, view it on GitHubhttps://github.com/microsoft/PowerStig/issues/1217#issuecomment-1721569665 or unsubscribehttps://github.com/notifications/unsubscribe-auth/AIGEBTNXVUD6YKSMYXN6MJTX2SA6TBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVEYTGMRRGAYDKMRZQKSHI6LQMWSWS43TOVS2K5TBNR2WLKRRGY2TMMBXGMYTOONHORZGSZ3HMVZKMY3SMVQXIZI. You are receiving this email because you were mentioned.

Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

erjenkin commented 1 year ago

I would be curious to know if this would trigger a positive hit on automated scanners such as Nessus or SCAP, because the STIG says ". If this key exists and has any defined values, this is a finding". Technically the key would exist and would have a value of **delvals. I will need to do a bit more research and try to get a scan to confirm this won't trigger a new finding.

kwygant commented 1 year ago

The reg key wouldn't exist, the **delvals is defined in the registry.pol which would in turn delete any reg values that exist.

Ken Wygant Sr Cloud Solution Architect - Engineering Configuration Manager Microsoft Federal Office: (320) 434-6041 Mobile: (952) 463-6280 @.**@.> @.***

Recommended for Endpoint Configuration Manager Environments: Microsoft Endpoint Manager : Update Compliance Dashboardhttps://techcommunity.microsoft.com/t5/core-infrastructure-and-security/customer-offerings-microsoft-endpoint-manager-update-compliance/ba-p/2113768 @.**@*.**@*.**@.

From: Eric Jenkins @.> Sent: Monday, September 18, 2023 8:19 AM To: microsoft/PowerStig @.> Cc: Author @.>; Comment @.> Subject: Re: [microsoft/PowerStig] V-245539 for Chrome set to disabled (Issue #1217)

I would be curious to know if this would trigger a positive hit on automated scanners such as Nessus or SCAP, because the STIG says ". If this key exists and has any defined values, this is a finding". Technically the key would exist and would have a value of **delvals. I will need to do a bit more research and try to get a scan to confirm this won't trigger a new finding.

- Reply to this email directly, view it on GitHubhttps://github.com/microsoft/PowerStig/issues/1217#issuecomment-1723394809 or unsubscribehttps://github.com/notifications/unsubscribe-auth/AIGEBTKGHGMMTIZ6XZLBNYDX3BC5RBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVEYTGMRRGAYDKMRZQKSHI6LQMWSWS43TOVS2K5TBNR2WLKRRGY2TMMBXGMYTOONHORZGSZ3HMVZKMY3SMVQXIZI. You are receiving this email because you authored the thread.

Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.