Guide to the Secure Configuration for Firefox
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for RHEL 6 is one example of a baseline created from this guidance.
Profile Title | Upstream Firefox STIG
---|---
Profile ID | stig-firefox-upstream
Revision History
Current version: 0.9
- draft (as of 2015-06-18)
Platforms
- cpe:/a:mozilla:firefox
Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Firefox application. Recommended settings for the basic application are provided. The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Red Hat's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.
How to Use This Guide
Readers should heed the following points when using the guide.
Read Sections Completely and in Order
Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion may occur after instructions for an action.
Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.
Root Shell Environment Assumed
Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the
Formatting Conventions
Commands intended for shell execution, as well as configuration file text, are featured in a
Firefox
Firefox is an open-source web browser developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provides settings for configuring Firefox policies to meet compliance settings for Firefox running on Red Hat Enterprise Linux systems.
contains 28 rules
Prevent Users from Changing Firefox Configuration Settings
Required Firefox security preferences cannot be changed by users.
References: ECSC-1, http://iase.disa.mil/cci/index.html
contains 2 rules
Disable Firefox Configuration File ROT-13 Encoding
Disable ROT-13 encoding by setting
Rationale: ROT-13 encoding prevents system administrators from easily configuring and deploying Firefox configuration settings. It also prevents automated security tools from easily validating settings.
Identifiers: DISA FSO DTBF070
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Set Firefox Configuration File Location
Specify the Firefox configuration file location by setting
Rationale: Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator.
Identifiers: DISA FSO DTBF070
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
The DoD Root Certificate Is Required
The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox can access that single system certificate repository. If the DoD root certificate is also installed into the shared system certificate repository, Firefox will see and use the DoD root certificate as a valid certificate authority.
contains 2 rules
Enable Shared System Certificates
The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blacklist information. Firefox has the capability of using this centralized store for its CA certificates. If the Shared System Certificates store is disabled, it can be enabled by running the following command:
$ sudo update-ca-trust enable
Rationale: The DoD root certificate will ensure that the trust chain is established for server certificates issued from the DoD CA.
Identifiers: CCE-27457-1
Remediation script:
The DoD Root Certificate Exists
The DoD root certificate should be installed in the Shared System Certificates store for Firefox to be able to access the DoD certificate. To install the root certificate into the Shared System Certificates store, copy the DoD root certificate into
$ sudo update-ca-trust extract
Rationale: The DoD root certificate will ensure that the trust chain is established for server certificates issued from the DoD CA.
Identifiers: CCE-27457-1
Clearing Cookies And Other Data
Browser preferences should be set to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.
References: ECSC-1, http://iase.disa.mil/cci/index.html
contains 2 rules
Clear Data When Firefox Closes
When a user browses to a website, cookies and other types of data get stored on the system. This can be disabled by setting
Rationale: Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.
Identifiers: DISA FSO DTBF170
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable User Prompt When Data Is Cleared
By default, users are asked if it is okay to clear out cookies and data when Firefox closes. This can be disabled by setting
Rationale: Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.
Identifiers: DISA FSO DTBF170
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable Addons Plugin Updates
Firefox automatically updates installed add-ons and plugins. This can be disabled by setting
Rationale: Automatic updates from untrusted sites put the enclave at risk of attack and may override security settings.
Identifiers: DISA FSO DTBF090
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable Autofill Form Assistance
Firefox provides tools to auto-fill forms from prefilled information. This can be disabled by setting
Rationale: In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.
Identifiers: DISA FSO DTBF140
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable User Ability To Autofill Passwords
Firefox automatically allows users to save passwords to be auto-filled into password forms. This can be disabled by setting
Rationale: While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts.
Identifiers: DISA FSO DTBF150
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable Firefox Auto-Update Capability
Firefox can be set to update itself automatically as new updates are released. This can be disabled by setting
Rationale: Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.
Identifiers: DISA FSO DTBF080
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Enable Downloading and Opening File Confirmation
To have an action dialog box appear prompting users what action to take when certain types of files are downloaded or opened, set
Rationale: When the user receives a dialog box asking if they want to save the file or open it with a specified application, this indicates that a plugin does not exist. Also, the user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to 'Do this automatically for files like this from now on', then an entry will appear for that type of file in the plugins listing, and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing.
Identifiers: DISA FSO DTBF110
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable the Firefox Password Store
Firefox allows users to store passwords whether or not a master password is set for the password store. To disable the storing of passwords, set
Rationale: Autofill of a password can be enabled when a site is visited. This feature could also be used to autofill the certificate PIN, which could lead to compromise of DoD information.
Identifiers: DISA FSO DTBF160
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable Installed Search Plugins Update Checking
Firefox automatically checks for updated versions of search plugins. To disable automatic updates of search plugins, set
Rationale: Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.
Identifiers: DISA FSO DTBF085
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable Firefox Access to Shell Protocols
Access to the shell is disabled by default but can be changed. To prevent shell access from being enabled, set
Rationale: If enabled, this setting would allow the browser to access the Windows shell. This could allow access to the underlying system.
Identifiers: DISA FSO DTBF105
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable SSL Version 2.0 in Firefox
SSL version 2 is not enabled by default and should not be enabled. To prevent SSL version 2 from being enabled, set
Rationale: Use of versions prior to TLS 1.0 is not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.
Identifiers: DISA FSO DTBF010
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Enable TLS Usage in Firefox
To enable TLS, set
Rationale: Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DoD environments.
Identifiers: DISA FSO DTBF030
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Enable Certificate Verification
Firefox can be configured to prompt the user to choose a certificate to present to a website when asked. To enable certificate verification, set
Rationale: Websites within DoD require user authentication for access, which increases security for DoD information. Access will be denied to the user if certificate management is not configured.
Identifiers: DISA FSO DTBF050
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable SSL Version 3.0 in Firefox
SSL version 3.0 is vulnerable and should be disabled by setting
Rationale: Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DoD.
Identifiers: DISA FSO DTBF020
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Default Firefox Home Page Configured
The default home page is set to a vendor's defined website or Firefox's own website. This can be changed to an organizationally defined website or
Rationale: The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic inadvertent execution of scripts added to a previously safe site.
Identifiers: DISA FSO DTBF017
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Supported Version of Firefox Installed
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded and installed using rpm.
Rationale: Use of versions of an application which are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported versions, which can leave the application vulnerable to attack.
Identifiers: DISA FSO DTBF003
References: DCMC-1, http://iase.disa.mil/cci/index.html
Disable JavaScript's Ability To Modify The Browser Appearance
JavaScript can configure and make changes to the web browser's appearance by specifically hiding the status bar from view. This can be disabled by setting
Rationale: JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. This setting prevents the status bar from being hidden.
Identifiers: DISA FSO DTBF185
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable JavaScript Context Menus
JavaScript can configure and make changes to the web browser's appearance by specifically disabling or replacing context menus. This can be disabled by setting
Rationale: A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack.
Identifiers: DISA FSO DTBF183
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable JavaScript's Ability To Change The Status Bar
JavaScript can configure and make changes to the web browser's appearance by specifically hiding or changing the status bar. This can be disabled by setting
Rationale: When a user visits some webpages, JavaScript can hide or make changes to the browser's appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window.
Identifiers: DISA FSO DTBF184
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable JavaScript's Moving Or Resizing Windows Capability
JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled by setting
Rationale: JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window.
Identifiers: DISA FSO DTBF181
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable JavaScript's Raise Or Lower Windows Capability
JavaScript can configure and make changes to the web browser's appearance by specifically raising and lowering windows. This can be disabled by setting
Rationale: JavaScript can make changes to the browser's appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack.
Identifiers: DISA FSO DTBF182
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Enable Non-Secure Page Warnings
When users browse websites, web pages can switch between secure and non-secure protocols. Users can be warned each time by setting
Rationale: Users may not be aware that information viewed under secure conditions on a previous page is not currently being viewed under the same security settings.
Identifiers: DISA FSO DTBF130
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Enable Firefox Pop-up Blocker
The pop-up blocker can be enabled by setting
Rationale: Popup windows may be used to launch an attack within a new browser window with altered settings.
Identifiers: DISA FSO DTBF180
References: ECSC-1, http://iase.disa.mil/cci/index.html
Remediation script:
Disable Automatic Downloads of MIME Types
MIME type files are automatically downloaded or executed in Firefox. This can be disabled by setting
Rationale: The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows users to change the specified download action so that the file is opened with a selected external application or saved to disk instead.
Identifiers: DISA FSO DTBF100
References: DCMC-1, http://iase.disa.mil/cci/index.html
Remediation script:
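The "Prevent Users from Changing Firefox Configuration Settings" group and the individual preference rules above all rely on the same mechanism: a small file in defaults/pref points Firefox at a locked configuration file, and lockPref() entries in that file make each value read-only in about:config. The script below is an added example, not one of this guide's remediation scripts and not SCAP Security Guide project code: it writes both files into an install directory (a temporary one by default; set FIREFOX_DIR for a real installation), then audits the result the way an automated checker would, by matching exact lockPref lines. The preference names are the ones I believe correspond to these rules and should be confirmed against the Firefox version you deploy.

```shell
#!/bin/sh
# Added example (not from the SSG guide): build Firefox's autoconfig files to
# lock the preferences this guide discusses, then verify the locks are present.
# Preference names are assumed to match the rules; FIREFOX_DIR is assumed to be
# the Firefox install directory (defaults to a temp dir so this runs anywhere).
FIREFOX_DIR="${FIREFOX_DIR:-$(mktemp -d)}"

# defaults/pref/local-settings.js names the locked config file and turns off
# ROT-13 obscuring so the file stays readable by people and scanners.
write_local_settings() {
    mkdir -p "$1/defaults/pref"
    cat > "$1/defaults/pref/local-settings.js" <<'EOF'
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");
EOF
}

# mozilla.cfg holds the lockPref() calls. Firefox skips the first line of
# this file, so it must be a comment, never a preference.
write_mozilla_cfg() {
    cat > "$1/mozilla.cfg" <<'EOF'
// locked Firefox baseline (this first line is ignored by Firefox)
// clear private data on exit, without prompting the user
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
// no form autofill, no saved passwords
lockPref("browser.formfill.enable", false);
lockPref("signon.rememberSignons", false);
// updates come from the organisation's channel, not from the browser
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.search.update", false);
// no shell: protocol handler; refuse anything older than TLS 1.0
lockPref("network.protocol-handler.external.shell", false);
lockPref("security.tls.version.min", 1);
// keep scripts from hiding the status bar or moving/raising windows
lockPref("dom.disable_window_open_feature.status", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.disable_window_flip", true);
// pop-up blocker and warning when leaving a secure page
lockPref("dom.disable_open_during_load", true);
lockPref("security.warn_leaving_secure", true);
EOF
}

# Return 0 if preference NAME ($2) is locked to exactly VALUE ($3) in CFG ($1).
pref_locked() {
    grep -Fqx "lockPref(\"$2\", $3);" "$1"
}

# Number of lockPref lines in CFG, a quick sanity metric for a baseline scan.
count_locked() {
    grep -c '^lockPref(' "$1"
}

# Audit: report every expected lock that is missing or carries another value.
# Returns 0 when all expected locks are present, 1 otherwise.
audit_cfg() {
    cfg="$1"; rc=0
    while read -r name value; do
        pref_locked "$cfg" "$name" "$value" || { echo "NOT LOCKED: $name=$value"; rc=1; }
    done <<'EOF'
signon.rememberSignons false
browser.formfill.enable false
app.update.enabled false
privacy.sanitize.sanitizeOnShutdown true
security.tls.version.min 1
EOF
    return $rc
}

write_local_settings "$FIREFOX_DIR"
write_mozilla_cfg "$FIREFOX_DIR"
audit_cfg "$FIREFOX_DIR/mozilla.cfg" && echo "all audited preferences locked in $FIREFOX_DIR/mozilla.cfg"
```

The exact-line match in pref_locked is deliberate: a value written as lockPref is what an automated check can rely on, whereas a plain pref() or a defaultPref() line leaves the setting changeable in about:config, so the audit treats anything other than the exact lock line as a finding.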