This guide presents a catalog of security-relevant configuration settings for Firefox. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at

.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Firefox, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Applicable platforms

  • cpe:/a:mozilla:firefox

Version: 0.1.31

Revision history

  • draft (as of 2017-04-10)

1. Remediation functions used by the SCAP Security Guide Project

XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project

2. Introduction

The purpose of this guidance is to provide security configuration recommendations and baselines for the Firefox application. Recommended settings for the basic application are provided. The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with the product's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.

2.1. How to Use This Guide

Readers should heed the following points when using the guide.

2.1.1. Read Sections Completely and in Order

Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion may occur after instructions for an action.

2.1.2. Test in Non-Production Environment

This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.

2.1.3. Root Shell Environment Assumed

Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the /bin/bash shell. Commands preceded with a hash mark (#) assume that the administrator will execute the commands as root, i.e. apply the command via sudo whenever possible, or use su to gain root privileges if sudo cannot be used. Commands which can be executed as a non-root user are are preceded by a dollar sign ($) prompt.

2.1.4. Formatting Conventions

Commands intended for shell execution, as well as configuration file text, are featured in a monospace font. Italics are used to indicate instances where the system administrator must substitute the appropriate information into a command or configuration file.

3. Firefox

Firefox is an open-source web browser and developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provides settings for configuring Firefox policies to meet compliance settings for Firefox running on Red Hat Enterprise Linux systems.

  • http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

3.a. Disable Addons Plugin Updates

Firefox automatically updates installed add-ons and plugins which can be disabled by setting extensions.update.enabled to false.

Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false"

              

Security identifiers

  • DTBF090

3.b. Disable Autofill Form Assistance

Firefox provides tools to auto-fill forms from prefilled information. This can be disabled by setting browser.formfill.enable to false.

In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.formfill.enable" "false"

              

Security identifiers

  • DTBF140

3.c. Disable User Ability To Autofill Passwords

Firefox automatically allows users to save passwords to be auto-filled into password forms. This can be disabled by setting signon.prefillForms to false.

While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "signon.prefillForms" "false"

              

Security identifiers

  • DTBF150

3.d. Disable Firefox Auto-Update Capability

Firefox can be set to automatically update as new updates. This can be disabled by setting app.update.enable to false.

Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "app.update.enabled" "false"

              

Security identifiers

  • DTBF080

3.e. Enable Downloading and Opening File Confirmation

To have an action dialog box appear promping users what action to take when certain types of files are downloaded or opened, set plugin.disable_full_page_plugin_for_types to .

When the user receives a dialog box asking if they want to save the file or open it with a specified application, this indicates that a plugin does not exist. Also, the user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to 'Do this automatically for files like this from now on', then an entry will appear for that type of file in the plugins listing, and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing.

Remediation script

                
var_required_file_types=""

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "plugin.disable_full_page_plugin_for_types" "\"${var_required_file_types}\""

              

Security identifiers

  • DTBF110

3.f. Disable the Firefox Password Store

Firefox allows users to store passwords whether or not a master password is set for the password store. To disable the storing of passwords, set signon.rememberSignons to false.

Autofill of a password can be enabled when a site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "signon.rememberSignons" "false"

              

Security identifiers

  • DTBF160

3.g. Disable Installed Search Plugins Update Checking

Firefox automatically checks for updated versions of search plugins. To disable the automatic updates of plugins, set browser.search.update to false.

Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.search.update" "false"

              

Security identifiers

  • DTBF085

3.h. Disable Firefox Access to Shell Protocols

Access to the shell is disabled by default but can be changed. To prevent shell access from being enabled, set network.protocol-handler.external.shell to false.

If enabled, this setting would allow the browser to access the Windows shell. This could allow access to the underlying system.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "network.protocol-handler.external.shell" "false"

              

Security identifiers

  • DTBF105

3.i. Disable SSL Version 2.0 in Firefox

SSL version 2 is not enabled by default and should not be enabled. To prevent SSL version 2 from being enabled set security.enable_ssl2 to false.

Use of versions prior to TLS 1.0 are not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.enable_ssl2" "false"

              

Security identifiers

  • DTBF010

3.j. Enable TLS Usage in Firefox

To enable TLS, set security.enable_tls to true.

Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD environments.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.enable_tls" "true"

              

Security identifiers

  • DTBF030

3.k. Enable Certificate Verification

Firefox can be configured to prompt the user to choose a certificate to present to a website when asked. To enable certificate verification, set security.default_personal_cert to Ask Every Time.

Websites within DoD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\""

              

Security identifiers

  • DTBF050

3.l. Disable SSL Version 3.0 in Firefox

SSL version 3.0 is vulnerable and should be disabled by setting security.enable_ssl3 to false.

Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.enable_ssl3" "false"

              

Security identifiers

  • DTBF020

3.m. Default Firefox Home Page Configured

The default home page is set to a vendor's defined website or Firefox's own website. This can be changed to an organizationally defined website or about:blank. To set the default home page, set browser.startup.homepage to .

The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic inadvertent execution of scripts added to a previously safe site.

Remediation script

                
var_default_home_page=""

function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.startup.homepage" "\"${var_default_home_page}\""

              

Security identifiers

  • DTBF017

3.n. Supported Version of Firefox Installed

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded and installed using rpm.

Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.

Security identifiers

  • DTBF003

3.o. Disable JavaScript's Ability To Modify The Browser Appearance

JavaScript can configure and make changes to the web browser's appearance by specifically hiding the status bar from view. This can disabled by setting dom.disable_window_open_feature.status to true.

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. This setting prevents the status bar from being hidden.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true"

              

Security identifiers

  • DTBF185

3.p. Disable JavaScript Context Menus

JavaScript can configure and make changes to the web browser's appearance by specifically disabling or replacing context menus. This can be disabled by setting dom.event.contextmenu.enabled to false.

A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.event.contextmenu.enabled" "false"

              

Security identifiers

  • DTBF183

3.q. Disable JavaScript's Ability To Change The Status Bar

JavaScript can configure and make changes to the web browser's appearance by specifically hiding or changing the status bar. This can be disabled by setting dom.disable_window_status_change to true.

When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_status_change" "true"

              

Security identifiers

  • DTBF184

3.r. Disable JavaScript's Moving Or Resizing Windows Capability

JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled by setting dom.disable_window_move_resize to true.

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_move_resize" "true"

              

Security identifiers

  • DTBF181

3.s. Disable JavaScript's Raise Or Lower Windows Capability

JavaScript can configure and make changes to the web browser's appearance by specifically raising and lowering windows. This can be disabled by setting dom.disable_window_flip to true.

JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_flip" "true"

              

Security identifiers

  • DTBF182

3.t. Enable Non-Secure Page Warnings

When users browse websites, web pages can switch in between secure and non-secure protocols. Users can be warned each time by setting security.warn_leaving_secure to true.

Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "security.warn_leaving_secure" "true"

              

Security identifiers

  • DTBF130

3.u. Enable Firefox Pop-up Blocker

The pop-up blocker can be enabled by setting dom.disable_window_open_feature.status to true.

Popup windows may be used to launch an attack within a new browser window with altered settings.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true"

              

Security identifiers

  • DTBF180

3.v. Disable Automatic Downloads of MIME Types

MIME type files are automatically downloaded or executed in Firefox. This can be disabled by setting browser.helperApps.alwaysAsk.force to true.

The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows users to change the specified download action so that the file is opened with a selected external application or saved to disk instead.

Remediation script

                
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "browser.helperApps.alwaysAsk.force" "true"

              

Security identifiers

  • DTBF100

3.23. Prevent Users from Changing Firefox Configuration Settings

Firefox required security preferences cannot be changed by users.

3.23.a. Disable Firefox Configuration File ROT-13 Encoding

Disable ROT-13 encoding by setting general.config.obscure_value to 0.

ROT-13 encoded prevents system adminstrators from easily configuring and deploying Firefox configuration settings. It also prevents validating settings easily from automated security tools.

Remediation script

                  
function firefox_js_setting {
  local firefox_js=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
  local firefox_pref="/defaults/pref"
  local firefox_preferences="/defaults/preferences"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Different versions of Firefox have different preferences directories, check for them and set the right one
      if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
      elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      else
        mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      fi

      # Make sure the Firefox .js file exists and has the appropriate permissions
      if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
        touch "${firefox_pref_dir}/${firefox_js}"
        chmod 644 "${firefox_pref_dir}/${firefox_js}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"` ; then
        sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
      else
        echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}"
      fi
    fi
  done

}

firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0"

                

Security identifiers

  • DTBF070

3.23.b. Set Firefox Configuration File Location

Specify the Firefox configuration file location by setting general.config.filename to the configuration (i.e. mozilla.cfg) filename that contains the Firefox security preferences.

Locked settings prevents users from accessing about:config and changing the security settings set by the system administrator.

Remediation script

                  
function firefox_js_setting {
  local firefox_js=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
  local firefox_pref="/defaults/pref"
  local firefox_preferences="/defaults/preferences"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Different versions of Firefox have different preferences directories, check for them and set the right one
      if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
      elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      else
        mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      fi

      # Make sure the Firefox .js file exists and has the appropriate permissions
      if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
        touch "${firefox_pref_dir}/${firefox_js}"
        chmod 644 "${firefox_pref_dir}/${firefox_js}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"` ; then
        sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
      else
        echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}"
      fi
    fi
  done

}

firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\""

                

Security identifiers

  • DTBF070

3.24. The DoD Root Certificate Is Required

The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox can access that single system certificate repository. If the DoD root certificate is also installed into the shared system certificate repository, Firefox will see and use the DoD root certificate as a valid certificate authority.

3.24.a. Enable Shared System Certificates

The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blacklist information. Firefox has the capability of using this centralized store for its CA certificates. If the Shared System Certificates store is disabled, it can be enabled by running the following command:

$ sudo update-ca-trust enable

The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.

Remediation script

                  P11=$(readlink /etc/alternatives/libnssckbi.so*)
P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"

if ! [[ ${P11} == "${P11LIB64}" ]] || ! [[ ${P11} == "${P11LIB}" ]] ; then
   /usr/bin/update-ca-trust enable
fi

                

Security identifiers

  • CCE-27457-1

3.24.b. The DoD Root Certificate Exists

The DoD root certificate should be installed in the Shared System Certificates store for Firefox to be able to access the DoD certificate. To install the root certificated into the Shared System Certificates store, copy the DoD root certificate into /etc/pki/ca-trust/source/anchors. Once the file is copied, run the following command:

$ sudo update-ca-trust extract

The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.

Security identifiers

  • CCE-27457-1

3.25. Clearing Cookies And Other Data

Browser preferences should be set to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

3.25.a. Clear Data When Firefox Closes

When a user browses to a website, cookies and other types of data get stored on the system. This can be disabled by setting privacy.sanitize.sanitizeOnShutdown to true.

Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

Remediation script

                  
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "privacy.sanitize.sanitizeOnShutdown" "true"

                

Security identifiers

  • DTBF170

3.25.b. Disable User Prompt When Data Is Cleared

By default, users are asked if it is okay to clear out cookies and data when Firefox closes. This can be disabled by setting privacy.sanitize.promptOnSanitize to false.

Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

Remediation script

                  
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}

firefox_cfg_setting "stig.cfg" "privacy.sanitize.promptOnSanitize" "false"

                

Security identifiers

  • DTBF170

Colophon

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.