Guide to the Secure Configuration of Firefox

with profile Upstream Firefox STIG
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Firefox STIG. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

This guide presents a catalog of security-relevant configuration settings for Firefox. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Firefox, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.
Profile TitleUpstream Firefox STIG
Profile IDxccdf_org.ssgproject.content_profile_stig-firefox-upstream

Revision History

Current version: 0.1.31

  • draft (as of 2017-03-31)

Platforms

  • cpe:/a:mozilla:firefox

Table of Contents

  1. Firefox
    1. Prevent Users from Changing Firefox Configuration Settings
    2. The DoD Root Certificate Is Required
    3. Clearing Cookies And Other Data

Checklist

contains 28 rules

Firefox   [ref]group

Firefox is an open-source web browser and developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provides settings for configuring Firefox policies to meet compliance settings for Firefox running on Red Hat Enterprise Linux systems.

contains 28 rules

Prevent Users from Changing Firefox Configuration Settings   [ref]group

Firefox required security preferences cannot be changed by users.

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

contains 2 rules

Disable Firefox Configuration File ROT-13 Encoding   [ref]rule

Disable ROT-13 encoding by setting general.config.obscure_value to 0.

Rationale:

ROT-13 encoded prevents system adminstrators from easily configuring and deploying Firefox configuration settings. It also prevents validating settings easily from automated security tools.

identifiers:  DTBF070

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_js_setting {
  local firefox_js=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
  local firefox_pref="/defaults/pref"
  local firefox_preferences="/defaults/preferences"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Different versions of Firefox have different preferences directories, check for them and set the right one
      if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
      elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      else
        mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      fi

      # Make sure the Firefox .js file exists and has the appropriate permissions
      if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
        touch "${firefox_pref_dir}/${firefox_js}"
        chmod 644 "${firefox_pref_dir}/${firefox_js}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"` ; then
        sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
      else
        echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}"
      fi
    fi
  done

}

firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0"

Set Firefox Configuration File Location   [ref]rule

Specify the Firefox configuration file location by setting general.config.filename to the configuration (i.e. mozilla.cfg) filename that contains the Firefox security preferences.

Rationale:

Locked settings prevents users from accessing about:config and changing the security settings set by the system administrator.

identifiers:  DTBF070

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_js_setting {
  local firefox_js=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
  local firefox_pref="/defaults/pref"
  local firefox_preferences="/defaults/preferences"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Different versions of Firefox have different preferences directories, check for them and set the right one
      if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
      elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      else
        mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      fi

      # Make sure the Firefox .js file exists and has the appropriate permissions
      if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
        touch "${firefox_pref_dir}/${firefox_js}"
        chmod 644 "${firefox_pref_dir}/${firefox_js}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"` ; then
        sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
      else
        echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}"
      fi
    fi
  done

}

firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\""

The DoD Root Certificate Is Required   [ref]group

The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox can access that single system certificate repository. If the DoD root certificate is also installed into the shared system certificate repository, Firefox will see and use the DoD root certificate as a valid certificate authority.

references:  AC-10, 54

contains 2 rules

Enable Shared System Certificates   [ref]rule

The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blacklist information. Firefox has the capability of using this centralized store for its CA certificates. If the Shared System Certificates store is disabled, it can be enabled by running the following command:

$ sudo update-ca-trust enable

Rationale:

The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.

identifiers:  CCE-27457-1

references:  AC-10, 54

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict
P11=$(readlink /etc/alternatives/libnssckbi.so*)
P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"

if ! [[ ${P11} == "${P11LIB64}" ]] || ! [[ ${P11} == "${P11LIB}" ]] ; then
   /usr/bin/update-ca-trust enable
fi

The DoD Root Certificate Exists   [ref]rule

The DoD root certificate should be installed in the Shared System Certificates store for Firefox to be able to access the DoD certificate. To install the root certificated into the Shared System Certificates store, copy the DoD root certificate into /etc/pki/ca-trust/source/anchors. Once the file is copied, run the following command:

$ sudo update-ca-trust extract

Rationale:

The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.

identifiers:  CCE-27457-1

references:  AC-10, 54

Clearing Cookies And Other Data   [ref]group

Browser preferences should be set to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

contains 2 rules

Clear Data When Firefox Closes   [ref]rule

When a user browses to a website, cookies and other types of data get stored on the system. This can be disabled by setting privacy.sanitize.sanitizeOnShutdown to true.

Rationale:

Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

identifiers:  DTBF170

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "privacy.sanitize.sanitizeOnShutdown" "true"

Disable User Prompt When Data Is Cleared   [ref]rule

By default, users are asked if it is okay to clear out cookies and data when Firefox closes. This can be disabled by setting privacy.sanitize.promptOnSanitize to false.

Rationale:

Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

identifiers:  DTBF170

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "privacy.sanitize.promptOnSanitize" "false"

Disable Addons Plugin Updates   [ref]rule

Firefox automatically updates installed add-ons and plugins which can be disabled by setting extensions.update.enabled to false.

Rationale:

Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.

identifiers:  DTBF090

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false"

Disable Autofill Form Assistance   [ref]rule

Firefox provides tools to auto-fill forms from prefilled information. This can be disabled by setting browser.formfill.enable to false.

Rationale:

In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.

identifiers:  DTBF140

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.formfill.enable" "false"

Disable User Ability To Autofill Passwords   [ref]rule

Firefox automatically allows users to save passwords to be auto-filled into password forms. This can be disabled by setting signon.prefillForms to false.

Rationale:

While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts.

identifiers:  DTBF150

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "signon.prefillForms" "false"

Disable Firefox Auto-Update Capability   [ref]rule

Firefox can be set to automatically update as new updates. This can be disabled by setting app.update.enable to false.

Rationale:

Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.

identifiers:  DTBF080

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "app.update.enabled" "false"

Enable Downloading and Opening File Confirmation   [ref]rule

To have an action dialog box appear promping users what action to take when certain types of files are downloaded or opened, set plugin.disable_full_page_plugin_for_types to application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks.

Rationale:

When the user receives a dialog box asking if they want to save the file or open it with a specified application, this indicates that a plugin does not exist. Also, the user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to 'Do this automatically for files like this from now on', then an entry will appear for that type of file in the plugins listing, and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing.

identifiers:  DTBF110

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

var_required_file_types="application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks"

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "plugin.disable_full_page_plugin_for_types" "\"${var_required_file_types}\""

Disable the Firefox Password Store   [ref]rule

Firefox allows users to store passwords whether or not a master password is set for the password store. To disable the storing of passwords, set signon.rememberSignons to false.

Rationale:

Autofill of a password can be enabled when a site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.

identifiers:  DTBF160

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "signon.rememberSignons" "false"

Disable Installed Search Plugins Update Checking   [ref]rule

Firefox automatically checks for updated versions of search plugins. To disable the automatic updates of plugins, set browser.search.update to false.

Rationale:

Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.

identifiers:  DTBF085

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.search.update" "false"

Disable Firefox Access to Shell Protocols   [ref]rule

Access to the shell is disabled by default but can be changed. To prevent shell access from being enabled, set network.protocol-handler.external.shell to false.

Rationale:

If enabled, this setting would allow the browser to access the Windows shell. This could allow access to the underlying system.

identifiers:  DTBF105

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "network.protocol-handler.external.shell" "false"

Disable SSL Version 2.0 in Firefox   [ref]rule

SSL version 2 is not enabled by default and should not be enabled. To prevent SSL version 2 from being enabled set security.enable_ssl2 to false.

Rationale:

Use of versions prior to TLS 1.0 are not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.

identifiers:  DTBF010

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.enable_ssl2" "false"

Enable TLS Usage in Firefox   [ref]rule

To enable TLS, set security.enable_tls to true.

Rationale:

Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD environments.

identifiers:  DTBF030

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.enable_tls" "true"

Enable Certificate Verification   [ref]rule

Firefox can be configured to prompt the user to choose a certificate to present to a website when asked. To enable certificate verification, set security.default_personal_cert to Ask Every Time.

Rationale:

Websites within DoD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.

identifiers:  DTBF050

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\""

Disable SSL Version 3.0 in Firefox   [ref]rule

SSL version 3.0 is vulnerable and should be disabled by setting security.enable_ssl3 to false.

Rationale:

Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.

identifiers:  DTBF020

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.enable_ssl3" "false"

Default Firefox Home Page Configured   [ref]rule

The default home page is set to a vendor's defined website or Firefox's own website. This can be changed to an organizationally defined website or about:blank. To set the default home page, set browser.startup.homepage to about:blank.

Rationale:

The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic inadvertent execution of scripts added to a previously safe site.

identifiers:  DTBF017

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

var_default_home_page="about:blank"

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.startup.homepage" "\"${var_default_home_page}\""

Supported Version of Firefox Installed   [ref]rule

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded and installed using rpm.

Rationale:

Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.

identifiers:  DTBF003

references:  DCMC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Disable JavaScript's Ability To Modify The Browser Appearance   [ref]rule

JavaScript can configure and make changes to the web browser's appearance by specifically hiding the status bar from view. This can disabled by setting dom.disable_window_open_feature.status to true.

Rationale:

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. This setting prevents the status bar from being hidden.

identifiers:  DTBF185

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true"

Disable JavaScript Context Menus   [ref]rule

JavaScript can configure and make changes to the web browser's appearance by specifically disabling or replacing context menus. This can be disabled by setting dom.event.contextmenu.enabled to false.

Rationale:

A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack.

identifiers:  DTBF183

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.event.contextmenu.enabled" "false"

Disable JavaScript's Ability To Change The Status Bar   [ref]rule

JavaScript can configure and make changes to the web browser's appearance by specifically hiding or changing the status bar. This can be disabled by setting dom.disable_window_status_change to true.

Rationale:

When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window.

identifiers:  DTBF184

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_status_change" "true"

Disable JavaScript's Moving Or Resizing Windows Capability   [ref]rule

JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled by setting dom.disable_window_move_resize to true.

Rationale:

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.

identifiers:  DTBF181

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_move_resize" "true"

Disable JavaScript's Raise Or Lower Windows Capability   [ref]rule

JavaScript can configure and make changes to the web browser's appearance by specifically raising and lowering windows. This can be disabled by setting dom.disable_window_flip to true.

Rationale:

JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack.

identifiers:  DTBF182

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_flip" "true"

Enable Non-Secure Page Warnings   [ref]rule

When users browse websites, web pages can switch in between secure and non-secure protocols. Users can be warned each time by setting security.warn_leaving_secure to true.

Rationale:

Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings.

identifiers:  DTBF130

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.warn_leaving_secure" "true"

Enable Firefox Pop-up Blocker   [ref]rule

The pop-up blocker can be enabled by setting dom.disable_window_open_feature.status to true.

Rationale:

Popup windows may be used to launch an attack within a new browser window with altered settings.

identifiers:  DTBF180

references:  ECSC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true"

Disable Automatic Downloads of MIME Types   [ref]rule

MIME type files are automatically downloaded or executed in Firefox. This can be disabled by setting browser.helperApps.alwaysAsk.force to true.

Rationale:

The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows users to change the specified download action so that the file is opened with a selected external application or saved to disk instead.

identifiers:  DTBF100

references:  DCMC-1, http://iase.disa.mil/stigs/cci/Pages/index.aspx

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.helperApps.alwaysAsk.force" "true"
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.