This guide presents a catalog of security-relevant
configuration settings for Firefox. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content is
is available in the Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Firefox, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance. Applicable platforms
|
Version: 0.1.31 Revision history
|
1. Remediation functions used by the SCAP Security Guide Project
XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project
2. Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Firefox application. Recommended settings for the basic application are provided. The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with the product's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.
Table of Contents
link | previous | next | up | toc | home
2.1. How to Use This Guide
Readers should heed the following points when using the guide.
link | previous | next | up | toc | home
2.1.1. Read Sections Completely and in Order
Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion may occur after instructions for an action.
2.1.2. Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.
2.1.3. Root Shell Environment Assumed
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
/bin/bash
shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via sudo
whenever possible, or use
su
to gain root privileges if sudo
cannot be
used. Commands which can be executed as a non-root user are are preceded
by a dollar sign ($) prompt.
2.1.4. Formatting Conventions
Commands intended for shell execution, as well as configuration file text,
are featured in a monospace font
. Italics are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.
3. Firefox
Firefox is an open-source web browser and developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provides settings for configuring Firefox policies to meet compliance settings for Firefox running on Red Hat Enterprise Linux systems.
-
http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
Table of Contents
- 3.a. Disable Addons Plugin Updates
- 3.b. Disable Autofill Form Assistance
- 3.c. Disable User Ability To Autofill Passwords
- 3.d. Disable Firefox Auto-Update Capability
- 3.e. Enable Downloading and Opening File Confirmation
- 3.f. Disable the Firefox Password Store
- 3.g. Disable Installed Search Plugins Update Checking
- 3.h. Disable Firefox Access to Shell Protocols
- 3.i. Disable SSL Version 2.0 in Firefox
- 3.j. Enable TLS Usage in Firefox
- 3.k. Enable Certificate Verification
- 3.l. Disable SSL Version 3.0 in Firefox
- 3.m. Default Firefox Home Page Configured
- 3.n. Supported Version of Firefox Installed
- 3.o. Disable JavaScript's Ability To Modify The Browser Appearance
- 3.q. Disable JavaScript's Ability To Change The Status Bar
- 3.r. Disable JavaScript's Moving Or Resizing Windows Capability
- 3.s. Disable JavaScript's Raise Or Lower Windows Capability
- 3.t. Enable Non-Secure Page Warnings
- 3.u. Enable Firefox Pop-up Blocker
- 3.v. Disable Automatic Downloads of MIME Types
- 3.23. Prevent Users from Changing Firefox Configuration Settings
- 3.24. The DoD Root Certificate Is Required
link | previous | next | up | toc | home
3.a. Disable Addons Plugin Updates
Firefox automatically updates installed add-ons and plugins which
can be disabled by setting extensions.update.enabled
to
false
.
Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false"
Security identifiers
- DTBF090
References
3.b. Disable Autofill Form Assistance
Firefox provides tools to auto-fill forms from prefilled information.
This can be disabled by setting browser.formfill.enable
to
false
.
In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "browser.formfill.enable" "false"
Security identifiers
- DTBF140
References
3.c. Disable User Ability To Autofill Passwords
Firefox automatically allows users to save passwords to be auto-filled
into password forms. This can be disabled by setting
signon.prefillForms
to false
.
While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "signon.prefillForms" "false"
Security identifiers
- DTBF150
References
3.d. Disable Firefox Auto-Update Capability
Firefox can be set to automatically update as new updates. This can be
disabled by setting app.update.enable
to false
.
Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "app.update.enabled" "false"
Security identifiers
- DTBF080
References
3.e. Enable Downloading and Opening File Confirmation
To have an action dialog box appear promping users what action to take when
certain types of files are downloaded or opened, set
plugin.disable_full_page_plugin_for_types
to
.
When the user receives a dialog box asking if they want to save the file or open it with a specified application, this indicates that a plugin does not exist. Also, the user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to 'Do this automatically for files like this from now on', then an entry will appear for that type of file in the plugins listing, and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing.
Remediation script
var_required_file_types=""
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "plugin.disable_full_page_plugin_for_types" "\"${var_required_file_types}\""
Security identifiers
- DTBF110
References
3.f. Disable the Firefox Password Store
Firefox allows users to store passwords whether or not a master password
is set for the password store. To disable the storing of passwords, set
signon.rememberSignons
to false
.
Autofill of a password can be enabled when a site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "signon.rememberSignons" "false"
Security identifiers
- DTBF160
References
3.g. Disable Installed Search Plugins Update Checking
Firefox automatically checks for updated versions of search plugins.
To disable the automatic updates of plugins, set
browser.search.update
to false
.
Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "browser.search.update" "false"
Security identifiers
- DTBF085
References
3.h. Disable Firefox Access to Shell Protocols
Access to the shell is disabled by default but can be changed.
To prevent shell access from being enabled, set
network.protocol-handler.external.shell
to false
.
If enabled, this setting would allow the browser to access the Windows shell. This could allow access to the underlying system.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "network.protocol-handler.external.shell" "false"
Security identifiers
- DTBF105
References
3.i. Disable SSL Version 2.0 in Firefox
SSL version 2 is not enabled by default and should not be enabled.
To prevent SSL version 2 from being enabled set
security.enable_ssl2
to false
.
Use of versions prior to TLS 1.0 are not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "security.enable_ssl2" "false"
Security identifiers
- DTBF010
References
3.j. Enable TLS Usage in Firefox
To enable TLS, set security.enable_tls
to true
.
Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD environments.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "security.enable_tls" "true"
Security identifiers
- DTBF030
References
3.k. Enable Certificate Verification
Firefox can be configured to prompt the user to choose a certificate
to present to a website when asked. To enable certificate verification,
set security.default_personal_cert
to Ask Every Time
.
Websites within DoD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\""
Security identifiers
- DTBF050
References
3.l. Disable SSL Version 3.0 in Firefox
SSL version 3.0 is vulnerable and should be disabled by setting
security.enable_ssl3
to false
.
Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "security.enable_ssl3" "false"
Security identifiers
- DTBF020
References
3.m. Default Firefox Home Page Configured
The default home page is set to a vendor's defined website or
Firefox's own website. This can be changed to an organizationally defined website
or about:blank
. To set the default home page, set
browser.startup.homepage
to .
The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic inadvertent execution of scripts added to a previously safe site.
Remediation script
var_default_home_page=""
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "browser.startup.homepage" "\"${var_default_home_page}\""
Security identifiers
- DTBF017
References
3.n. Supported Version of Firefox Installed
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded and installed using rpm
.
Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.
Security identifiers
- DTBF003
References
3.o. Disable JavaScript's Ability To Modify The Browser Appearance
JavaScript can configure and make changes to the web browser's appearance by
specifically hiding the status bar from view. This can disabled by
setting dom.disable_window_open_feature.status
to true
.
JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. This setting prevents the status bar from being hidden.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true"
Security identifiers
- DTBF185
References
3.q. Disable JavaScript's Ability To Change The Status Bar
JavaScript can configure and make changes to the web browser's appearance by
specifically hiding or changing the status bar. This can be disabled by
setting dom.disable_window_status_change
to true
.
When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "dom.disable_window_status_change" "true"
Security identifiers
- DTBF184
References
3.r. Disable JavaScript's Moving Or Resizing Windows Capability
JavaScript can configure and make changes to the web browser's appearance by
specifically moving and resizing browser windows. This can be disabled by
setting dom.disable_window_move_resize
to true
.
JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "dom.disable_window_move_resize" "true"
Security identifiers
- DTBF181
References
3.s. Disable JavaScript's Raise Or Lower Windows Capability
JavaScript can configure and make changes to the web browser's appearance by
specifically raising and lowering windows. This can be disabled by
setting dom.disable_window_flip
to true
.
JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "dom.disable_window_flip" "true"
Security identifiers
- DTBF182
References
3.t. Enable Non-Secure Page Warnings
When users browse websites, web pages can switch in between secure and
non-secure protocols. Users can be warned each time by
setting security.warn_leaving_secure
to true
.
Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "security.warn_leaving_secure" "true"
Security identifiers
- DTBF130
References
3.u. Enable Firefox Pop-up Blocker
The pop-up blocker can be enabled by setting
dom.disable_window_open_feature.status
to true
.
Popup windows may be used to launch an attack within a new browser window with altered settings.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true"
Security identifiers
- DTBF180
References
3.v. Disable Automatic Downloads of MIME Types
MIME type files are automatically downloaded or executed in Firefox. This
can be disabled by setting browser.helperApps.alwaysAsk.force
to
true
.
The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows users to change the specified download action so that the file is opened with a selected external application or saved to disk instead.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "browser.helperApps.alwaysAsk.force" "true"
Security identifiers
- DTBF100
References
3.23. Prevent Users from Changing Firefox Configuration Settings
Firefox required security preferences cannot be changed by users.
References
link | previous | next | up | toc | home
3.23.a. Disable Firefox Configuration File ROT-13 Encoding
Disable ROT-13 encoding by setting general.config.obscure_value
to 0
.
ROT-13 encoded prevents system adminstrators from easily configuring and deploying Firefox configuration settings. It also prevents validating settings easily from automated security tools.
Remediation script
function firefox_js_setting {
local firefox_js=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
local firefox_pref="/defaults/pref"
local firefox_preferences="/defaults/preferences"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Different versions of Firefox have different preferences directories, check for them and set the right one
if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
else
mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
fi
# Make sure the Firefox .js file exists and has the appropriate permissions
if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
touch "${firefox_pref_dir}/${firefox_js}"
chmod 644 "${firefox_pref_dir}/${firefox_js}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"` ; then
sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
else
echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}"
fi
fi
done
}
firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0"
Security identifiers
- DTBF070
References
3.23.b. Set Firefox Configuration File Location
Specify the Firefox configuration file location by setting
general.config.filename
to the configuration (i.e. mozilla.cfg
)
filename that contains the Firefox security preferences.
Locked settings prevents users from accessing about:config and changing the security settings set by the system administrator.
Remediation script
function firefox_js_setting {
local firefox_js=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
local firefox_pref="/defaults/pref"
local firefox_preferences="/defaults/preferences"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Different versions of Firefox have different preferences directories, check for them and set the right one
if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
else
mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
fi
# Make sure the Firefox .js file exists and has the appropriate permissions
if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
touch "${firefox_pref_dir}/${firefox_js}"
chmod 644 "${firefox_pref_dir}/${firefox_js}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"` ; then
sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
else
echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}"
fi
fi
done
}
firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\""
Security identifiers
- DTBF070
References
3.24. The DoD Root Certificate Is Required
The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox can access that single system certificate repository. If the DoD root certificate is also installed into the shared system certificate repository, Firefox will see and use the DoD root certificate as a valid certificate authority.
References
link | previous | next | up | toc | home
3.24.a. Enable Shared System Certificates
The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blacklist information. Firefox has the capability of using this centralized store for its CA certificates. If the Shared System Certificates store is disabled, it can be enabled by running the following command:
$ sudo update-ca-trust enable
The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.
Remediation script
P11=$(readlink /etc/alternatives/libnssckbi.so*)
P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"
if ! [[ ${P11} == "${P11LIB64}" ]] || ! [[ ${P11} == "${P11LIB}" ]] ; then
/usr/bin/update-ca-trust enable
fi
Security identifiers
- CCE-27457-1
References
3.24.b. The DoD Root Certificate Exists
The DoD root certificate should be installed in the Shared System Certificates store
for Firefox to be able to access the DoD certificate. To install the root certificated
into the Shared System Certificates store, copy the DoD root certificate into
/etc/pki/ca-trust/source/anchors
. Once the file is copied, run the following
command:
$ sudo update-ca-trust extract
The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.
Security identifiers
- CCE-27457-1
References
3.25. Clearing Cookies And Other Data
Browser preferences should be set to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.
link | previous | next | up | toc | home
3.25.a. Clear Data When Firefox Closes
When a user browses to a website, cookies and other types of data
get stored on the system. This can be disabled by setting
privacy.sanitize.sanitizeOnShutdown
to true
.
Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "privacy.sanitize.sanitizeOnShutdown" "true"
Security identifiers
- DTBF170
3.25.b. Disable User Prompt When Data Is Cleared
By default, users are asked if it is okay to clear out cookies and data
when Firefox closes. This can be disabled by
setting privacy.sanitize.promptOnSanitize
to false
.
Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.
Remediation script
function firefox_cfg_setting {
local firefox_cfg=$1
local key=$2
local value=$3
local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check sanity of input
if [ $# -lt "3" ]
then
echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
echo
echo "Aborting."
exit 1
fi
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
else
echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
}
firefox_cfg_setting "stig.cfg" "privacy.sanitize.promptOnSanitize" "false"
Security identifiers
- DTBF170
Colophon
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.