Group: Guide to the Secure Configuration of Firefox
Group contains 3 groups and 22 rules

Group: Firefox
Group contains 2 groups and 22 rules

Firefox is an open-source web browser developed by Mozilla.
Web browsers such as Firefox are used for a number of reasons. This section
provides settings for configuring Firefox policies to meet compliance
requirements for Firefox running on Red Hat Enterprise Linux systems.
Group: The DoD Root Certificate Is Required
Group contains 2 rules

The Shared System Certificates store contains certificates that
applications can access from a single certificate repository.
If enabled, Firefox can access that single system certificate
repository. If the DoD root certificate is also installed into
the shared system certificate repository, Firefox will see and
use the DoD root certificate as a valid certificate authority.
Rule: The DoD Root Certificate Exists
Description: The DoD root certificate should be installed in the Shared System
Certificates store for Firefox to be able to access the DoD certificate. To
install the root certificate into the Shared System Certificates store, copy the
DoD root certificate into /etc/pki/ca-trust/source/anchors. Once the file is
copied, run the following command:
$ sudo update-ca-trust extract
Rationale: The DOD root certificate will ensure that the trust chain is
established for server certificates issued from the DOD CA.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed
Identifiers: CCE-82056-3
References: CCI-000054, AC-10
Rule: Enable Shared System Certificates
Description: The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and
Java share a default source for retrieving system certificate anchors and
blacklist information. Firefox has the capability of using this centralized
store for its CA certificates. If the Shared System Certificates store is
disabled, it can be enabled by running the following command:
$ sudo update-ca-trust enable
Rationale: The DOD root certificate will ensure that the trust chain is
established for server certificates issued from the DOD CA.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust
Identifiers: CCE-82057-1
References: CCI-000054, AC-10
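A practitioner check for the two rules above, added here as an example (it is not part of the SSG guide or of the update-ca-trust tool): after copying the anchor into /etc/pki/ca-trust/source/anchors and running update-ca-trust extract, confirm that the anchor really landed in the extracted bundle that applications read. The path of the extracted PEM bundle and the sample certificates are assumptions; the sample data is constructed base64 standing in for DER, since the check only compares SHA-256 fingerprints of the decoded bytes.

```python
"""Verify that a CA anchor has been extracted into the system CA bundle.

Added example (not part of the SSG guide). Reads the anchor file dropped into
/etc/pki/ca-trust/source/anchors and the PEM bundle written by
`update-ca-trust extract`, and confirms every certificate in the anchor file is
present in the bundle by comparing SHA-256 fingerprints of the DER bytes.
"""
import base64
import hashlib
import re
from pathlib import Path

ANCHORS_DIR = Path("/etc/pki/ca-trust/source/anchors")  # from the rule text
# Assumption: location of the extracted PEM bundle on RHEL-family systems.
EXTRACTED_BUNDLE = Path("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text):
    """Return the set of SHA-256 fingerprints (hex) of every PEM certificate."""
    fps = set()
    for block in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(block.split()), validate=True)
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_anchors(anchor_pem, bundle_pem):
    """Fingerprints from the anchor file that are absent from the bundle."""
    wanted = pem_fingerprints(anchor_pem)
    if not wanted:
        raise ValueError("anchor file contains no PEM certificate")
    return wanted - pem_fingerprints(bundle_pem)


def check_system(anchor_name, anchors_dir=ANCHORS_DIR, bundle=EXTRACTED_BUNDLE):
    """Check a real system: True if anchors_dir/anchor_name is fully in the bundle."""
    anchor_pem = (anchors_dir / anchor_name).read_text()
    return not missing_anchors(anchor_pem, bundle.read_text())


# Constructed sample data: base64 of arbitrary bytes standing in for DER
# certificates. No real certificate is needed, the check only compares bytes.
def _fake_cert(label):
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_ANCHOR = _fake_cert("constructed DoD root anchor (not a real certificate)")
SAMPLE_BUNDLE_OK = (
    _fake_cert("constructed vendor CA 1") + SAMPLE_ANCHOR + _fake_cert("constructed vendor CA 2")
)
SAMPLE_BUNDLE_STALE = _fake_cert("constructed vendor CA 1") + _fake_cert("constructed vendor CA 2")


if __name__ == "__main__":
    print("anchor extracted:", not missing_anchors(SAMPLE_ANCHOR, SAMPLE_BUNDLE_OK))
    print("stale bundle lacks:", missing_anchors(SAMPLE_ANCHOR, SAMPLE_BUNDLE_STALE))
```

On a live system, `check_system("dod-root.pem")` (a hypothetical anchor file name) returning False after update-ca-trust extract means the anchor was not picked up, typically because the file is not PEM/DER or extraction was never run, and Firefox will not trust the DoD chain even though the file sits in the anchors directory.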
Group: Prevent Users from Changing Firefox Configuration Settings
Group contains 2 rules

Firefox required security preferences cannot be changed by users.
Rule: Set Firefox Configuration File Location
Description: Specify the Firefox configuration file location by setting
general.config.filename to the name of the configuration file (e.g. mozilla.cfg)
that contains the Firefox security preferences.
Rationale: Locked settings prevent users from accessing about:config and changing
the security settings set by the system administrator.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file
References: CCI-000366, CM-6, DTBF070
Rule: Disable Firefox Configuration File ROT-13 Encoding
Description: Disable ROT-13 encoding by setting general.config.obscure_value to 0.
Rationale: ROT-13 encoding prevents system administrators from easily configuring
and deploying Firefox configuration settings. It also prevents automated security
tools from easily validating the settings.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure
References: ECSC-1, DTBF070
Rule: Disable Addons Plugin Updates
Description: Firefox automatically updates installed add-ons and plugins, which
can be disabled by setting extensions.update.enabled to false.
Rationale: Automatic updates from untrusted sites put the enclave at
risk of attack and may override security settings.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-addons_plugin_updates
References: CCI-000381, CM-7, DTBF090, SV-223155r612236_rule
Rule: Disable Automatic Downloads of MIME Types
Description: MIME type files are automatically downloaded or executed in Firefox.
This can be disabled by setting browser.helperApps.alwaysAsk.force to true.
Rationale: The default action for file types for which a plugin is installed is to
automatically download and execute the file using the associated plugin.
Firefox allows users to change the specified download action so that the
file is opened with a selected external application or saved to disk
instead.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
References: CCI-001242, SI-3, DTBF100, SV-223156r612236_rule
Rule: Disable Autofill Form Assistance
Description: Firefox provides tools to auto-fill forms from prefilled information.
This can be disabled by setting browser.formfill.enable to false.
Rationale: In order to protect privacy and sensitive data, Firefox provides
the ability to configure Firefox such that data entered into forms
is not saved. This mitigates the risk of a website gleaning private
information from prefilled information.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_forms
References: CCI-000381, CM-7, DTBF140, SV-223160r612236_rule
Rule: Disable User Ability To Autofill Passwords
Description: Firefox automatically allows users to save passwords to be auto-filled
into password forms. This can be disabled by setting signon.autofillForms to false.
Rationale: While on the internet, it may be possible for an attacker to view
the saved password files and gain access to the user's accounts on
various hosts.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_passwords
References: CCI-000381, CM-7, DTBF150, SV-223161r612236_rule
Rule: Disable Background Information Submission
Description: Firefox submits usage data in the background to Mozilla and posts
portions of the data publicly. This can be disabled by setting
datareporting.policy.dataSubmissionEnabled to false.
Rationale: In order to protect privacy and sensitive data, Mozilla provides
the ability to configure Firefox so that no data is submitted to Mozilla.
This mitigates the risk of potentially compromising information becoming
publicly available.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-background_data
References: CCI-000381, CM-7, DTBF190, SV-223168r612236_rule
Rule: Disable Firefox Development Tools
Description: Firefox provides development tools which identify detailed information
about the browser and its configuration. These details are often also
recorded into a log file, giving an attacker the ability to capture
detailed information about the system.
This can be disabled by setting devtools.policy.disabled to true.
Rationale: In order to protect privacy and sensitive data, Mozilla provides
the ability to configure Firefox so that development tools are prevented from
being used.
Severity: low
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-development_tools
References: CCI-001312, SI-11, DTBF195, SV-223169r612236_rule
Rule: Disable Extension Installation
Description: Firefox provides the ability to disable the installation of
extensions. Installation can be disabled by setting xpinstall.enabled to false.
Rationale: If a browser is configured to allow unrestricted use of extensions then
plug-ins can be loaded and installed from malicious sources and used on
the browser.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-install_extensions
References: CCI-000381, CM-7, DTBF186, SV-223167r612236_rule
Rule: Disable JavaScript's Raise Or Lower Windows Capability
Description: JavaScript can configure and make changes to the web browser's
appearance by specifically raising and lowering windows. This can be disabled by
setting dom.disable_window_flip to true.
Rationale: JavaScript can make changes to the browser's appearance. Allowing a
website to use JavaScript to raise and lower browser windows may disguise an
attack.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_changes
References: CCI-000381, CM-7, DTBF182, SV-223165r612236_rule
Rule: Disable JavaScript's Moving Or Resizing Windows Capability
Description: JavaScript can configure and make changes to the web browser's
appearance by specifically moving and resizing browser windows. This can be
disabled by setting dom.disable_window_move_resize to true.
Rationale: JavaScript can make changes to the browser's appearance. This activity
can help disguise an attack taking place in a minimized background window.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_resizing
References: CCI-000381, CM-7, DTBF181, SV-223164r612236_rule
Rule: Enable Downloading and Opening File Confirmation
Description: To have an action dialog box appear prompting users what action to
take when certain types of files are downloaded or opened, set
plugin.disable_full_page_plugin_for_types to
application/pdf,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/wbk,application/ad,application/adp
Rationale: When the user receives a dialog box asking if they want to save the file
or open it with a specified application, this indicates that a plugin does
not exist. Also, the user has not previously selected a download action or helper
application to automatically use for that type of file. When prompted, if the user
checks the option to 'Do this automatically for files like this from now on', then
an entry will appear for that type of file in the plugins listing, and this file
type is automatically opened in the future. This can be a security issue. New file
types cannot be added directly to the Application plugin listing.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-open_confirmation
References: CCI-001243, SI-3, DTBF110, SV-223158r612236_rule
Rule: Disable the Firefox Password Store
Description: Firefox allows users to store passwords whether or not a master
password is set for the password store. To disable the storing of passwords, set
signon.rememberSignons to false.
Rationale: Autofill of a password can be enabled when a site is visited. This
feature could also be used to autofill the certificate pin which could lead to
compromise of DoD information.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-password_store
References: CCI-000381, CM-7, DTBF160, SV-223162r612236_rule
Rule: Enable Firefox Pop-up Blocker
Description: The pop-up blocker can be enabled by setting
dom.disable_window_open_feature.status to true.
Rationale: Popup windows may be used to launch an attack within a new browser
window with altered settings.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-pop-up_windows
References: CCI-000381, CM-7, DTBF180, SV-223163r612236_rule
Rule: Disable Installed Search Plugins Update Checking
Description: Firefox automatically checks for updated versions of search plugins.
To disable the automatic updates of plugins, set browser.search.update to false.
Rationale: Updates need to be controlled and installed from authorized and trusted
servers. This setting overrides a number of other settings which may direct the
application to access external URLs.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-search_update
References: CCI-000381, CM-7, DTBF085, SV-223154r612236_rule
Rule: Disable Firefox Access to Shell Protocols
Description: Access to the shell is disabled by default but can be changed.
To prevent shell access from being enabled, set
network.protocol-handler.external.shell to false.
Rationale: If enabled, this setting would allow the browser to access the Windows
shell. This could allow access to the underlying system.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-shell_protocol
References: CCI-000381, CM-7, DTBF105, SV-223157r612236_rule
Rule: Enable TLS Usage in Firefox
Description: To enable TLS, set security.tls.version.min to 2 and set
security.tls.version.max to 4.
Rationale: Earlier versions of SSL have known security vulnerabilities and are not
authorized for use in DOD environments.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_protocol_tls
References: CCI-002450, SC-13, DTBF030, SV-223152r612236_rule
Rule: Enable Certificate Verification
Description: Firefox can be configured to prompt the user to choose a certificate
to present to a website when asked. To enable certificate verification,
set security.default_personal_cert to Ask Every Time.
Rationale: Websites within DoD require user authentication for access which
increases security for DoD information. Access will be denied to the user if
certificate management is not configured.
Severity: medium
Rule ID: xccdf_org.ssgproject.content_rule_firefox_preferences-verification
References: CCI-001274, SI-4(12), DTBF050, SV-223153r612236_rule
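The preference rules above (from "Set Firefox Configuration File Location" through "Enable Certificate Verification") are all deployed through the same two files: a local-settings.js that points Firefox at mozilla.cfg with ROT-13 obscuring off, and a mozilla.cfg that locks each preference. The following is an added example, not part of the SSG guide or of Firefox, that renders both files from the rule values and audits an existing mozilla.cfg the way a compliance scanner would, flagging preferences that are missing, have the wrong value, or are set with pref()/defaultPref() rather than lockPref() and so remain user-changeable. The Firefox install directory, the function names and the sample input are assumptions; the preference names and values are the ones stated in the rules.

```python
"""Render and audit the locked Firefox preferences named in the rules above.

Added example (not part of the SSG guide or of Firefox). REQUIRED_PREFS holds
every preference/value pair from the rules; render_* produce the two files that
lock them, and audit() parses an existing mozilla.cfg and reports preferences
that are missing, have the wrong value, or are not locked.
"""
import json
import re
from pathlib import Path

REQUIRED_PREFS = {
    "extensions.update.enabled": False,
    "browser.helperApps.alwaysAsk.force": True,
    "browser.formfill.enable": False,
    "signon.autofillForms": False,
    "datareporting.policy.dataSubmissionEnabled": False,
    "devtools.policy.disabled": True,
    "xpinstall.enabled": False,
    "dom.disable_window_flip": True,
    "dom.disable_window_move_resize": True,
    "plugin.disable_full_page_plugin_for_types": (
        "application/pdf,application/fdf,application/xfdf,application/lsl,"
        "application/lso,application/lss,application/iqy,application/rqy,"
        "application/xlk,application/xls,application/xlt,application/pot,"
        "application/pps,application/ppt,application/dos,application/dot,"
        "application/wks,application/bat,application/ps,application/eps,"
        "application/wch,application/wcm,application/wb1,application/wb3,"
        "application/rtf,application/doc,application/mdb,application/mde,"
        "application/wbk,application/ad,application/adp"
    ),
    "signon.rememberSignons": False,
    "dom.disable_window_open_feature.status": True,
    "browser.search.update": False,
    "network.protocol-handler.external.shell": False,
    "security.tls.version.min": 2,
    "security.tls.version.max": 4,
    "security.default_personal_cert": "Ask Every Time",
}

# Assumption: Firefox install directory on RHEL; adjust for your package.
FIREFOX_DIR = Path("/usr/lib64/firefox")


def js_literal(value):
    """Render a Python bool/int/str as the JavaScript literal mozilla.cfg expects."""
    if isinstance(value, bool):  # bool before int: True is an int in Python
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return json.dumps(value)  # double-quoted, escaped string literal


def render_local_settings():
    """defaults/pref/local-settings.js: point Firefox at mozilla.cfg, ROT-13 off."""
    return ('pref("general.config.filename", "mozilla.cfg");\n'
            'pref("general.config.obscure_value", 0);\n')


def render_mozilla_cfg(prefs=REQUIRED_PREFS):
    """mozilla.cfg: the first line must be a comment (Firefox skips it)."""
    lines = ["// Locked Firefox security preferences"]
    lines += [f'lockPref("{name}", {js_literal(prefs[name])});' for name in sorted(prefs)]
    return "\n".join(lines) + "\n"


def write_config(firefox_dir=FIREFOX_DIR, prefs=REQUIRED_PREFS):
    """Write both files into a Firefox install directory (needs root on a real host)."""
    pref_dir = firefox_dir / "defaults" / "pref"
    pref_dir.mkdir(parents=True, exist_ok=True)
    (pref_dir / "local-settings.js").write_text(render_local_settings())
    (firefox_dir / "mozilla.cfg").write_text(render_mozilla_cfg(prefs))


PREF_LINE = re.compile(r'^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_literal(text):
    """Parse the JavaScript literals that appear in pref files."""
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if text.startswith('"') and text.endswith('"'):
        return json.loads(text)
    raise ValueError(f"unsupported literal: {text}")


def parse_cfg(text):
    """Return {pref name: (function used, value)} for each pref line found."""
    found = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            found[m.group(2)] = (m.group(1), parse_literal(m.group(3)))
    return found


def audit(cfg_text, required=REQUIRED_PREFS):
    """List of (pref, finding). An empty list means the file is compliant."""
    found = parse_cfg(cfg_text)
    findings = []
    for name, want in required.items():
        if name not in found:
            findings.append((name, "missing"))
        elif found[name][1] != want:
            findings.append((name, f"value {found[name][1]!r}, expected {want!r}"))
        elif found[name][0] != "lockPref":
            findings.append((name, f"set with {found[name][0]}(), not locked"))
    return findings


if __name__ == "__main__":
    for pref, finding in audit(render_mozilla_cfg()) or [("all prefs", "compliant")]:
        print(pref, finding)
```

Run `audit(Path("/usr/lib64/firefox/mozilla.cfg").read_text())` on a deployed host to get the same three classes of finding a scanner reports; the "not locked" class is the one that matters for the "Prevent Users from Changing Firefox Configuration Settings" group, since a pref() line sets the value but leaves about:config free to override it.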
Rule: Supported Version of Firefox Installed
Description: If the system is joined to the Red Hat Network, a Red Hat Satellite
Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form
of RPM packages) can be manually downloaded and installed using rpm.
Rationale: Use of versions of an application which are not supported by the vendor
is not permitted. Vendors respond to security flaws with updates and
patches. These updates are not available for unsupported versions, which
can leave the application vulnerable to attack.
Severity: high
Rule ID: xccdf_org.ssgproject.content_rule_installed_firefox_version_supported
References: CCI-003376, SA-22, DTBF003, SV-223151r612236_rule