Guide to the Secure Configuration of Firefox

with profile Upstream Firefox STIG
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for the Firefox STIG. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Firefox. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Firefox, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title	Upstream Firefox STIG
Profile ID	xccdf_org.ssgproject.content_profile_stig

CPE Platforms

cpe:/a:mozilla:firefox

Revision History

Current version: 0.1.58

draft (as of 2021-09-24)

Firefox
1. The DoD Root Certificate Is Required
2. Prevent Users from Changing Firefox Configuration Settings

Checklist

Group Guide to the Secure Configuration of Firefox Group contains 3 groups and 22 rules

Group Firefox Group contains 2 groups and 22 rules

[ref] Firefox is an open-source web browser and developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provides settings for configuring Firefox policies to meet compliance settings for Firefox running on Red Hat Enterprise Linux systems.

http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

Group The DoD Root Certificate Is Required Group contains 2 rules

[ref] The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox can access that single system certificate repository. If the DoD root certificate is also installed into the shared system certificate repository, Firefox will see and use the DoD root certificate as a valid certificate authority.

Rule The DoD Root Certificate Exists [ref]
The DoD root certificate should be installed in the Shared System Certificates store for Firefox to be able to access the DoD certificate. To install the root certificated into the Shared System Certificates store, copy the DoD root certificate into `/etc/pki/ca-trust/source/anchors`. Once the file is copied, run the following command: $ sudo update-ca-trust extract
Rationale:	The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed
Identifiers and References	Identifiers: CCE-82056-3 References: CCI-000054, AC-10

Rule Enable Shared System Certificates [ref]
The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blacklist information. Firefox has the capability of using this centralized store for its CA certificates. If the Shared System Certificates store is disabled, it can be enabled by running the following command: $ sudo update-ca-trust enable
Rationale:	The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust
Identifiers and References	Identifiers: CCE-82057-1 References: CCI-000054, AC-10
Remediation Shell script ⇲ `P11=$(readlink /etc/alternatives/libnssckbi.so*) P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" if ! [[ ${P11} == "${P11LIB64}" ]] \|\| ! [[ ${P11} == "${P11LIB}" ]] ; then /usr/bin/update-ca-trust enable fi`

Group Prevent Users from Changing Firefox Configuration Settings Group contains 2 rules

[ref] Firefox required security preferences cannot be changed by users.

Rule Set Firefox Configuration File Location [ref]
Specify the Firefox configuration file location by setting `general.config.filename` to the configuration (i.e. `mozilla.cfg`) filename that contains the Firefox security preferences.
Rationale:	Locked settings prevents users from accessing about:config and changing the security settings set by the system administrator.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file
Identifiers and References	References: CCI-000366, CM-6, DTBF070
Remediation Shell script ⇲ value="\"mozilla.cfg\"" firefox_js="local-settings.js" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" firefox_pref="defaults/pref" firefox_preferences="defaults/preferences" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Different versions of Firefox have different preferences directories, check for them and set the right one if [ -d "${firefox_dir}/${firefox_preferences}" ] ; then firefox_pref_dir="${firefox_dir}/${firefox_preferences}" elif [ -d "${firefox_dir}/${firefox_pref}" ] ; then firefox_pref_dir="${firefox_dir}/${firefox_pref}" else firefox_pref_dir="${firefox_dir}/${firefox_preferences}" mkdir -m 755 -p "${firefox_pref_dir}" fi # Make sure the Firefox .js file exists and has the appropriate permissions if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then touch "${firefox_pref_dir}/${firefox_js}" chmod 644 "${firefox_pref_dir}/${firefox_js}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^pref("general.config.filename", ' "${firefox_pref_dir}/${firefox_js}"; then sed -i 's/pref("general.config.filename".*/pref("general.config.filename", '"$value)"';/g' "${firefox_pref_dir}/${firefox_js}" else echo 'pref("general.config.filename", '"$value"');' >> "${firefox_pref_dir}/${firefox_js}" fi fi done

Rule Disable Firefox Configuration File ROT-13 Encoding [ref]
Disable ROT-13 encoding by setting `general.config.obscure_value` to `0`.
Rationale:	ROT-13 encoded prevents system adminstrators from easily configuring and deploying Firefox configuration settings. It also prevents validating settings easily from automated security tools.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure
Identifiers and References	References: ECSC-1, DTBF070
Remediation Shell script ⇲ value="0" firefox_js="local-settings.js" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" firefox_pref="defaults/pref" firefox_preferences="defaults/preferences" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Different versions of Firefox have different preferences directories, check for them and set the right one if [ -d "${firefox_dir}/${firefox_preferences}" ] ; then firefox_pref_dir="${firefox_dir}/${firefox_preferences}" elif [ -d "${firefox_dir}/${firefox_pref}" ] ; then firefox_pref_dir="${firefox_dir}/${firefox_pref}" else firefox_pref_dir="${firefox_dir}/${firefox_preferences}" mkdir -m 755 -p "${firefox_pref_dir}" fi # Make sure the Firefox .js file exists and has the appropriate permissions if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then touch "${firefox_pref_dir}/${firefox_js}" chmod 644 "${firefox_pref_dir}/${firefox_js}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^pref("general.config.obscure_value", ' "${firefox_pref_dir}/${firefox_js}"; then sed -i 's/pref("general.config.obscure_value".*/pref("general.config.obscure_value", '"$value)"';/g' "${firefox_pref_dir}/${firefox_js}" else echo 'pref("general.config.obscure_value", '"$value"');' >> "${firefox_pref_dir}/${firefox_js}" fi fi done

Rule Disable Addons Plugin Updates [ref]
Firefox automatically updates installed add-ons and plugins which can be disabled by setting `extensions.update.enabled` to `false`.
Rationale:	Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-addons_plugin_updates
Identifiers and References	References: CCI-000381, CM-7, DTBF090, SV-223155r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("extensions.update.enabled", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("extensions.update.enabled".*/lockPref("extensions.update.enabled", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("extensions.update.enabled", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable Automatic Downloads of MIME Types [ref]
MIME type files are automatically downloaded or executed in Firefox. This can be disabled by setting `browser.helperApps.alwaysAsk.force` to `true`.
Rationale:	The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows users to change the specified download action so that the file is opened with a selected external application or saved to disk instead.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
Identifiers and References	References: CCI-001242, SI-3, DTBF100, SV-223156r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="true" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("browser.helperApps.alwaysAsk.force", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("browser.helperApps.alwaysAsk.force".*/lockPref("browser.helperApps.alwaysAsk.force", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("browser.helperApps.alwaysAsk.force", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable Autofill Form Assistance [ref]
Firefox provides tools to auto-fill forms from prefilled information. This can be disabled by setting `browser.formfill.enable` to `false`.
Rationale:	In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_forms
Identifiers and References	References: CCI-000381, CM-7, DTBF140, SV-223160r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("browser.formfill.enable", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("browser.formfill.enable".*/lockPref("browser.formfill.enable", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("browser.formfill.enable", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable User Ability To Autofill Passwords [ref]
Firefox automatically allows users to save passwords to be auto-filled into password forms. This can be disabled by setting `signon.autofillForms` to `false`.
Rationale:	While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_passwords
Identifiers and References	References: CCI-000381, CM-7, DTBF150, SV-223161r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("signon.autofillForms", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("signon.autofillForms".*/lockPref("signon.autofillForms", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("signon.autofillForms", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable Background Information Submission [ref]
Firefox submits usage data in the background to Mozilla and posts portions of the data publicly. This can be disabled by setting `datareporting.policy.dataSubmissionEnabled` to `false`.
Rationale:	In order to protect privacy and sensitive data, Mozilla provides the ability to configure Firefox so that no data is submited to Mozilla. This mitigates the risk of potentially compromizing information becoming publicly available.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-background_data
Identifiers and References	References: CCI-000381, CM-7, DTBF190, SV-223168r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("datareporting.policy.dataSubmissionEnabled", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("datareporting.policy.dataSubmissionEnabled".*/lockPref("datareporting.policy.dataSubmissionEnabled", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("datareporting.policy.dataSubmissionEnabled", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable Firefox Development Tools [ref]
Firefox provides development tools which identify detailed information about the browser and its configuration. These details are often also recorded into a log file, giving an attacker the ability to capture detailed information about the system. This can be disabled by setting `devtools.policy.disabled` to `true`.
Rationale:	In order to protect privacy and sensitive data, Mozilla provides the ability to configure Firefox so that development tools are prevented from being used.
Severity:	low
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-development_tools
Identifiers and References	References: CCI-001312, SI-11, DTBF195, SV-223169r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="true" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("devtools.policy.disabled", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("devtools.policy.disabled".*/lockPref("devtools.policy.disabled", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("devtools.policy.disabled", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable Extension Installation [ref]
Firefox provides the ability to disable the installation of extensions. This can be disabled by setting `xpinstall.enabled` to `false`.
Rationale:	If a browser is configured to allow unrestricted use of extensions then plug-ins can be loaded and installed from malicious sources and used on the browser.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-install_extensions
Identifiers and References	References: CCI-000381, CM-7, DTBF186, SV-223167r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("xpinstall.enabled", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("xpinstall.enabled".*/lockPref("xpinstall.enabled", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("xpinstall.enabled", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable JavaScript Context Menus [ref]
JavaScript can configure and make changes to the web browser's appearance by specifically disabling or replacing context menus. This can be disabled by setting `dom.event.contextmenu.enabled` to `false`.
Rationale:	A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_context_menus
Identifiers and References	References: CCI-000381, CM-7, DTBF183, SV-223166r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("dom.event.contextmenu.enabled", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("dom.event.contextmenu.enabled".*/lockPref("dom.event.contextmenu.enabled", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("dom.event.contextmenu.enabled", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable JavaScript's Raise Or Lower Windows Capability [ref]
JavaScript can configure and make changes to the web browser's appearance by specifically raising and lowering windows. This can be disabled by setting `dom.disable_window_flip` to `true`.
Rationale:	JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_changes
Identifiers and References	References: CCI-000381, CM-7, DTBF182, SV-223165r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="true" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_flip", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("dom.disable_window_flip".*/lockPref("dom.disable_window_flip", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("dom.disable_window_flip", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable JavaScript's Moving Or Resizing Windows Capability [ref]
JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled by setting `dom.disable_window_move_resize` to `true`.
Rationale:	JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_resizing
Identifiers and References	References: CCI-000381, CM-7, DTBF181, SV-223164r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="true" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_move_resize", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("dom.disable_window_move_resize".*/lockPref("dom.disable_window_move_resize", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("dom.disable_window_move_resize", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Enable Downloading and Opening File Confirmation [ref]
To have an action dialog box appear promping users what action to take when certain types of files are downloaded or opened, set `plugin.disable_full_page_plugin_for_types` to `application/pdf,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/wbk,application/ad,application/adp`.
Rationale:	When the user receives a dialog box asking if they want to save the file or open it with a specified application, this indicates that a plugin does not exist. Also, the user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to 'Do this automatically for files like this from now on', then an entry will appear for that type of file in the plugins listing, and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-open_confirmation
Identifiers and References	References: CCI-001243, SI-3, DTBF110, SV-223158r612236_rule
Remediation Shell script ⇲ var_required_file_types="application/pdf,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/wbk,application/ad,application/adp" firefox_cfg="mozilla.cfg" value="\"${var_required_file_types}\"" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("plugin.disable_full_page_plugin_for_types", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's\|lockPref("plugin.disable_full_page_plugin_for_types".*\|lockPref("plugin.disable_full_page_plugin_for_types", '"$value)"';\|g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("plugin.disable_full_page_plugin_for_types", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable the Firefox Password Store [ref]
Firefox allows users to store passwords whether or not a master password is set for the password store. To disable the storing of passwords, set `signon.rememberSignons` to `false`.
Rationale:	Autofill of a password can be enabled when a site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-password_store
Identifiers and References	References: CCI-000381, CM-7, DTBF160, SV-223162r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("signon.rememberSignons", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("signon.rememberSignons".*/lockPref("signon.rememberSignons", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("signon.rememberSignons", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Enable Firefox Pop-up Blocker [ref]
The pop-up blocker can be enabled by setting `dom.disable_window_open_feature.status` to `true`.
Rationale:	Popup windows may be used to launch an attack within a new browser window with altered settings.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-pop-up_windows
Identifiers and References	References: CCI-000381, CM-7, DTBF180, SV-223163r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="true" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_open_feature.status", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("dom.disable_window_open_feature.status".*/lockPref("dom.disable_window_open_feature.status", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("dom.disable_window_open_feature.status", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable Installed Search Plugins Update Checking [ref]
Firefox automatically checks for updated versions of search plugins. To disable the automatic updates of plugins, set `browser.search.update` to `false`.
Rationale:	Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-search_update
Identifiers and References	References: CCI-000381, CM-7, DTBF085, SV-223154r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("browser.search.update", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("browser.search.update".*/lockPref("browser.search.update", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("browser.search.update", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Disable Firefox Access to Shell Protocols [ref]
Access to the shell is disabled by default but can be changed. To prevent shell access from being enabled, set `network.protocol-handler.external.shell` to `false`.
Rationale:	If enabled, this setting would allow the browser to access the Windows shell. This could allow access to the underlying system.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-shell_protocol
Identifiers and References	References: CCI-000381, CM-7, DTBF105, SV-223157r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="false" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("network.protocol-handler.external.shell", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("network.protocol-handler.external.shell".*/lockPref("network.protocol-handler.external.shell", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("network.protocol-handler.external.shell", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Enable TLS Usage in Firefox [ref]
To enable TLS, set `security.tls.version.min` to `2` and set `security.tls.version.max` to `4`.
Rationale:	Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD environments.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_protocol_tls
Identifiers and References	References: CCI-002450, SC-13, DTBF030, SV-223152r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="2" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("security.tls.version.min", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("security.tls.version.min"./lockPref("security.tls.version.min", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("security.tls.version.min", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done firefox_cfg="mozilla.cfg" value="4" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("security.tls.version.max", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("security.tls.version.max"./lockPref("security.tls.version.max", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("security.tls.version.max", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Enable Certificate Verification [ref]
Firefox can be configured to prompt the user to choose a certificate to present to a website when asked. To enable certificate verification, set `security.default_personal_cert` to `Ask Every Time`.
Rationale:	Websites within DoD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_firefox_preferences-verification
Identifiers and References	References: CCI-001274, SI-4(12), DTBF050, SV-223153r612236_rule
Remediation Shell script ⇲ firefox_cfg="mozilla.cfg" value="\"Ask Every Time\"" firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" # Check the possible Firefox install directories for firefox_dir in ${firefox_dirs}; do # If the Firefox directory exists, then Firefox is installed if [ -d "${firefox_dir}" ]; then # Make sure the Firefox .cfg file exists and has the appropriate permissions if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then echo "//" "${firefox_dir}/${firefox_cfg}" chmod 644 "${firefox_dir}/${firefox_cfg}" elif ! [ $(head -1 "${firefox_dir}/${firefox_cfg}" \| grep "^//$") ]; then sed -i '1 i\//' "${firefox_dir}/${firefox_cfg}" fi # If the key exists, change it. Otherwise, add it to the config_file. if LC_ALL=C grep -m 1 -q '^lockPref("security.default_personal_cert", ' "${firefox_dir}/${firefox_cfg}"; then sed -i 's/lockPref("security.default_personal_cert".*/lockPref("security.default_personal_cert", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}" else echo 'lockPref("security.default_personal_cert", '"$value"');' >> "${firefox_dir}/${firefox_cfg}" fi fi done

Rule Supported Version of Firefox Installed [ref]
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: $ sudo yum update If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded and installed using `rpm`.
Rationale:	Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.
Severity:	high
Rule ID:	xccdf_org.ssgproject.content_rule_installed_firefox_version_supported
Identifiers and References	References: CCI-003376, SA-22, DTBF003, SV-223151r612236_rule

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.