From e1f6b5ba9fc114e63708e5606ab4c1e96ffe84ea Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Sun, 31 Mar 2024 06:32:39 +0000
Subject: [PATCH] feat: add additional chromium policy hardening and drop chkrootkit as its false positives make it low-utility
---
 config/common/common-packages.yml | 1 -
 .../etc/chromium/policies/managed/hardening.json | 5 ++++-
 .../policies/managed/hardening.json.readme.md | 14 +++++++++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/config/common/common-packages.yml b/config/common/common-packages.yml
index 0d98c33..7f2498c 100644
--- a/config/common/common-packages.yml
+++ b/config/common/common-packages.yml
@@ -5,7 +5,6 @@ install:
 - lm_sensors
 - lynis
 - hardened_malloc
- - chkrootkit
 - usbguard
 - usbguard-dbus
diff --git a/config/files/usr/etc/chromium/policies/managed/hardening.json b/config/files/usr/etc/chromium/policies/managed/hardening.json
index 08eff5a..6863971 100644
--- a/config/files/usr/etc/chromium/policies/managed/hardening.json
+++ b/config/files/usr/etc/chromium/policies/managed/hardening.json
@@ -40,5 +40,8 @@
 "CloudPrintSubmitEnabled": false,
 "AutofillAddressEnabled": false,
 "AutofillCreditCardEnabled": false,
- "ImportSavedPasswords": false
+ "ImportSavedPasswords": false,
+ "DefaultWebUsbGuardSetting": 2,
+ "DefaultWebBluetoothGuardSetting": 2,
+ "DefaultSerialGuardSetting": 2
 }
\ No newline at end of file
diff --git a/config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md b/config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md
index ed0192e..cc82774 100644
--- a/config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md
+++ b/config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md
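Review bot: The device-access defaults added to hardening.json block WebUSB, Web Bluetooth and Web Serial but leave WebHID at its browser default, so pages can still prompt for access to HID devices. Consider adding `"DefaultWebHidGuardSetting": 2` after `"DefaultSerialGuardSetting": 2`, unless it is already set earlier in the policy object, which starts above line 40 and is not visible in this hunk. Since the file sits under policies/managed, these blocks are presumably mandatory and cannot be relaxed per site by the user. The readme would benefit from naming the exception route (`WebUsbAskForUrls`, `SerialAskForUrls`) for anyone who depends on a trusted WebUSB or serial tool.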
@@ -166,4 +166,16 @@
 **Do not import saved passwords on first run**
-`"ImportSavedPasswords": false`
\ No newline at end of file
+`"ImportSavedPasswords": false`
+
+**Disable WebUSB by default**
+
+`"DefaultWebUsbGuardSetting": 2`
+
+**Disable WebBluetooth by default**
+
+`"DefaultWebBluetoothGuardSetting": 2`
+
+**Disable serial port access by default**
+
+`"DefaultSerialGuardSetting": 2`
\ No newline at end of file