Title

Metrics reporting to Google must be disabled. (Cat II impact)

Discussion

Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.

Check Content

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding. Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.

Fix Text

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ Policy Name: Enable reporting of usage and crash-related data Policy State: Disabled Policy Value: N/A

Additional Identifiers

Rule ID: SV-221575r879587_rule

Vulnerability ID: V-221575

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.