Guide to the Secure Configuration for Firefox

This guide presents a catalog of security-relevant configuration settings for firefox formatted in the eXtensible Configuration Checklist Description Format (XCCDF).

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for RHEL 6 is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.
Profile TitleUpstream Firefox STIG
Profile IDstig-firefox-upstream

Revision History

Current version: 0.9

  • draft (as of 2015-06-18)

Platforms

  • cpe:/a:mozilla:firefox

Table of Contents

  1. Introduction
    1. How to Use This Guide
  2. Firefox
    1. Prevent Users from Changing Firefox Configuration Settings
    2. The DoD Root Certificate Is Required
    3. Clearing Cookies And Other Data

Checklist

contains 28 rules

Introductiongroup

The purpose of this guidance is to provide security configuration recommendations and baselines for the Firefox application. Recommended settings for the basic application are provided. The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Red Hat's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.

How to Use This Guidegroup

Readers should heed the following points when using the guide.

Read Sections Completely and in Ordergroup

Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instructions should never be blindly applied. Relevant discussion may occur after instructions for an action.

Test in Non-Production Environmentgroup

This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which the system will be deployed as closely as possible.

Root Shell Environment Assumedgroup

Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the /bin/bash shell. Commands preceded with a hash mark (#) assume that the administrator will execute the commands as root, i.e. apply the command via sudo whenever possible, or use su to gain root privileges if sudo cannot be used. Commands which can be executed as a non-root user are are preceded by a dollar sign ($) prompt.

Formatting Conventionsgroup

Commands intended for shell execution, as well as configuration file text, are featured in a monospace font. Italics are used to indicate instances where the system administrator must substitute the appropriate information into a command or configuration file.

Firefoxgroup

Firefox is an open-source web browser and developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provides settings for configuring Firefox policies to meet compliance settings for Firefox running on Red Hat Enterprise Linux systems.

    Refer to
  • http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
    • for a list of currently supported Firefox settings.

contains 28 rules

Prevent Users from Changing Firefox Configuration Settingsgroup

Firefox required security preferences cannot be changed by users.

references:  ECSC-1, http://iase.disa.mil/cci/index.html

contains 2 rules

Disable Firefox Configuration File ROT-13 Encodingrule

Disable ROT-13 encoding by setting general.config.obscure_value to 0.

Rationale:

ROT-13 encoded prevents system adminstrators from easily configuring and deploying Firefox configuration settings. It also prevents validating settings easily from automated security tools.

identifiers:  DISA FSO DTBF070

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ] ; then
    PREFERENCE_DIR="${FIREFOX_DIR}"/defaults/preferences/
    
    if [ ! -d "${PREFERENCE_DIR}" ]; then
      mkdir -p -m 755 "${PREFERENCE_DIR}"
    fi

    grep -q '^pref(\"general.config.obscure_value\", 0);' "${PREFERENCE_DIR}"/security_settings.js && \
    sed -i 's/pref(\"general.config.obscure_value\".*/pref(\"general.config.obscure_value\", 0);/g' "${PREFERENCE_DIR}"/security_settings.js
    if ! [ $? -eq 0 ] ; then
      echo 'pref("general.config.obscure_value", 0);' >> "${PREFERENCE_DIR}"/security_settings.js
    fi
  fi
done

Set Firefox Configuration File Locationrule

Specify the Firefox configuration file location by setting general.config.filename to the configuration (i.e. mozilla.cfg) filename that contains the Firefox security preferences.

Rationale:

Locked settings prevents users from accessing about:config and changing the security settings set by the system administrator.

identifiers:  DISA FSO DTBF070

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ] ; then
    PREFERENCE_DIR="${FIREFOX_DIR}"/defaults/preferences/
    
    if [ ! -d "${PREFERENCE_DIR}" ]; then
      mkdir -p -m 755 "${PREFERENCE_DIR}"
    fi

    grep -q 'pref(\"general.config.filename\", \"mozilla.cfg\");' "${PREFERENCE_DIR}"/security_settings.js && \
    sed -i 's/pref(\"general.config.filename\".*/pref(\"general.config.filename\", \"mozilla.cfg\");/g' "${PREFERENCE_DIR}"/security_settings.js
    if ! [ $? -eq 0 ] ; then
      echo 'pref("general.config.filename", "mozilla.cfg");' >> "${PREFERENCE_DIR}"/security_settings.js
    fi
  fi
done

The DoD Root Certificate Is Requiredgroup

The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox can access that single system certificate repository. If the DoD root certificate is also installed into the shared system certificate repository, Firefox will see and use the DoD root certificate as a valid certificate authority.

references:  AC-10, 54

contains 2 rules

Enable Shared System Certificatesrule

The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blacklist information. Firefox has the capability of using this centralized store for its CA certificates. If the Shared System Certificates store is disabled, it can be enabled by running the following command: 

$ sudo update-ca-trust enable

Rationale:

The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.

identifiers:  CCE-27457-1

references:  AC-10, 54

Remediation script:
P11=$(readlink /etc/alternatives/libnssckbi.so*)
P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"

if ! [[ ${P11} == "${P11LIB64}" ]] || ! [[ ${P11} == "${P11LIB}" ]] ; then
   /usr/bin/update-ca-trust enable
fi

The DoD Root Certificate Existsrule

The DoD root certificate should be installed in the Shared System Certificates store for Firefox to be able to access the DoD certificate. To install the root certificated into the Shared System Certificates store, copy the DoD root certificate into /etc/pki/ca-trust/source/anchors. Once the file is copied, run the following command: 

$ sudo update-ca-trust extract

Rationale:

The DOD root certificate will ensure that the trust chain is established for server certificates issued from the DOD CA.

identifiers:  CCE-27457-1

references:  AC-10, 54

Clearing Cookies And Other Datagroup

Browser preferences should be set to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

references:  ECSC-1, http://iase.disa.mil/cci/index.html

contains 2 rules

Clear Data When Firefox Closesrule

When a user browses to a website, cookies and other types of data get stored on the system. This can be disabled by setting privacy.sanitize.sanitizeOnShutdown to true.

Rationale:

Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

identifiers:  DISA FSO DTBF170

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"privacy.sanitize.sanitizeOnShutdown\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"privacy.sanitize.sanitizeOnShutdown\".*/lockPref(\"privacy.sanitize.sanitizeOnShutdown\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("privacy.sanitize.sanitizeOnShutdown", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable User Prompt When Data Is Clearedrule

By default, users are asked if it is okay to clear out cookies and data when Firefox closes. This can be disabled by setting privacy.sanitize.promptOnSanitize to false.

Rationale:

Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.

identifiers:  DISA FSO DTBF170

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"privacy.sanitize.promptOnSanitize\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"privacy.sanitize.promptOnSanitize\".*/lockPref(\"privacy.sanitize.promptOnSanitize\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("privacy.sanitize.promptOnSanitize", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable Addons Plugin Updatesrule

Firefox automatically updates installed add-ons and plugins which can be disabled by setting extensions.update.enabled to false.

Rationale:

Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.

identifiers:  DISA FSO DTBF090

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"extensions.update.enabled\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"extensions.update.enabled\".*/lockPref(\"extensions.update.enabled\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
        echo "lockPref(\"extensions.update.enabled\", false);" >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable Autofill Form Assistancerule

Firefox provides tools to auto-fill forms from prefilled information. This can be disabled by setting browser.formfill.enable to false.

Rationale:

In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.

identifiers:  DISA FSO DTBF140

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"browser.formfill.enable\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"browser.formfill.enable\".*/lockPref(\"browser.formfill.enable\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("browser.formfill.enable", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable User Ability To Autofill Passwordsrule

Firefox automatically allows users to save passwords to be auto-filled into password forms. This can be disabled by setting signon.prefillForms to false.

Rationale:

While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts.

identifiers:  DISA FSO DTBF150

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"signon.prefillForms\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"signon.prefillForms\".*/lockPref(\"signon.prefillForms\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then 
      echo 'lockPref("signon.prefillForms", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable Firefox Auto-Update Capabilityrule

Firefox can be set to automatically update as new updates. This can be disabled by setting app.update.enable to false.

Rationale:

Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.

identifiers:  DISA FSO DTBF080

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"app.update.enabled\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"app.update.enabled\".*/lockPref(\"app.update.enabled\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("app.update.enabled", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Enable Downloading and Opening File Confirmationrule

To have an action dialog box appear promping users what action to take when certain types of files are downloaded or opened, set plugin.disable_full_page_plugin_for_types to application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks.

Rationale:

When the user receives a dialog box asking if they want to save the file or open it with a specified application, this indicates that a plugin does not exist. Also, the user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to 'Do this automatically for files like this from now on', then an entry will appear for that type of file in the plugins listing, and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing.

identifiers:  DISA FSO DTBF110

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
var_required_file_types="application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks"
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"plugin.disable_full_page_plugin_for_types\"' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i "s;lockPref(\"plugin.disable_full_page_plugin_for_types\".*;lockPref(\"plugin.disable_full_page_plugin_for_types\", \"${var_required_file_types}\")\;;g" "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo "lockPref(\"plugin.disable_full_page_plugin_for_types\", \"${var_required_file_types}\");" >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable the Firefox Password Storerule

Firefox allows users to store passwords whether or not a master password is set for the password store. To disable the storing of passwords, set signon.rememberSignons to false.

Rationale:

Autofill of a password can be enabled when a site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.

identifiers:  DISA FSO DTBF160

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ] ; then
    grep -q '^lockPref(\"signon.rememberSignons\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"signon.rememberSignons\".*/lockPref(\"signon.rememberSignons\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("signon.rememberSignons", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable Installed Search Plugins Update Checkingrule

Firefox automatically checks for updated versions of search plugins. To disable the automatic updates of plugins, set browser.search.update to false.

Rationale:

Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.

identifiers:  DISA FSO DTBF085

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"browser.search.update\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"browser.search.update\".*/lockPref(\"browser.search.update\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("browser.search.update", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable Firefox Access to Shell Protocolsrule

Access to the shell is disabled by default but can be changed. To prevent shell access from being enabled, set network.protocol-handler.external.shell to false.

Rationale:

If enabled, this setting would allow the browser to access the Windows shell. This could allow access to the underlying system.

identifiers:  DISA FSO DTBF105

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"network.protocol-handler.external.shell\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"network.protocol-handler.external.shell\".*/lockPref(\"network.protocol-handler.external.shell\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("network.protocol-handler.external.shell", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable SSL Version 2.0 in Firefoxrule

SSL version 2 is not enabled by default and should not be enabled. To prevent SSL version 2 from being enabled set security.enable_ssl2 to false.

Rationale:

Use of versions prior to TLS 1.0 are not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.

identifiers:  DISA FSO DTBF010

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"security.enable_ssl2\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"security.enable_ssl2\".*/lockPref(\"security.enable_ssl2\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("security.enable_ssl2", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Enable TLS Usage in Firefoxrule

To enable TLS, set security.enable_tls to true.

Rationale:

Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD environments.

identifiers:  DISA FSO DTBF030

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"security.enable_tls\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"security.enable_tls\".*/lockPref(\"security.enable_tls\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("security.enable_tls", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Enable Certificate Verificationrule

Firefox can be configured to prompt the user to choose a certificate to present to a website when asked. To enable certificate verification, set security.default_personal_cert to Ask Every Time.

Rationale:

Websites within DoD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.

identifiers:  DISA FSO DTBF050

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"security.default_personal_cert\", \"Ask Every Time\");' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"security.default_personal_cert\".*/lockPref(\"security.default_personal_cert\", \"Ask Every Time\");/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ]; then
      echo 'lockPref("security.default_personal_cert", "Ask Every Time");' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable SSL Version 3.0 in Firefoxrule

SSL version 3.0 is vulnerable and should be disabled by setting security.enable_ssl3 to false.

Rationale:

Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.

identifiers:  DISA FSO DTBF020

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"security.enable_ssl3\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"security.enable_ssl3\".*/lockPref(\"security.enable_ssl3\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("security.enable_ssl3", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Default Firefox Home Page Configuredrule

The default home page is set to a vendor's defined website or Firefox's own website. This can be changed to an organizationally defined website or about:blank. To set the default home page, set browser.startup.homepage to about:blank.

Rationale:

The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic inadvertent execution of scripts added to a previously safe site.

identifiers:  DISA FSO DTBF017

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
var_default_home_page="about:blank"
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"browser.startup.homepage\"' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i "s;lockPref(\"browser.startup.homepage\".*;lockPref(\"browser.startup.homepage\", \"${var_default_home_page}\")\;;g" "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo "lockPref(\"browser.startup.homepage\", \"${var_default_home_page}\");" >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Supported Version of Firefox Installedrule

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: 

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded and installed using rpm.

Rationale:

Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.

identifiers:  DISA FSO DTBF003

references:  DCMC-1, http://iase.disa.mil/cci/index.html

Disable JavaScript's Ability To Modify The Browser Appearancerule

JavaScript can configure and make changes to the web browser's appearance by specifically hiding the status bar from view. This can disabled by setting dom.disable_window_open_feature.status to true.

Rationale:

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. This setting prevents the status bar from being hidden.

identifiers:  DISA FSO DTBF185

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"dom.disable_window_open_feature.status\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"dom.disable_window_open_feature.status\".*/lockPref(\"dom.disable_window_open_feature.status\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("dom.disable_window_open_feature.status", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable JavaScript Context Menusrule

JavaScript can configure and make changes to the web browser's appearance by specifically disabling or replacing context menus. This can be disabled by setting dom.event.contextmenu.enabled to false.

Rationale:

A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack.

identifiers:  DISA FSO DTBF183

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"dom.event.contextmenu.enabled\", false);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"dom.event.contextmenu.enabled\".*/lockPref(\"dom.event.contextmenu.enabled\", false);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("dom.event.contextmenu.enabled", false);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable JavaScript's Ability To Change The Status Barrule

JavaScript can configure and make changes to the web browser's appearance by specifically hiding or changing the status bar. This can be disabled by setting dom.disable_window_status_change to true.

Rationale:

When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window.

identifiers:  DISA FSO DTBF184

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"dom.disable_window_status_change\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"dom.disable_window_status_change\".*/lockPref(\"dom.disable_window_status_change\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("dom.disable_window_status_change", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable JavaScript's Moving Or Resizing Windows Capabilityrule

JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled by setting dom.disable_window_move_resize to true.

Rationale:

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window.

identifiers:  DISA FSO DTBF181

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"dom.disable_window_move_resize\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"dom.disable_window_move_resize\".*/lockPref(\"dom.disable_window_move_resize\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("dom.disable_window_move_resize", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable JavaScript's Raise Or Lower Windows Capabilityrule

JavaScript can configure and make changes to the web browser's appearance by specifically raising and lowering windows. This can be disabled by setting dom.disable_window_flip to true.

Rationale:

JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack.

identifiers:  DISA FSO DTBF182

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"dom.disable_window_flip\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"dom.disable_window_flip\".*/lockPref(\"dom.disable_window_flip\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("dom.disable_window_flip", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Enable Non-Secure Page Warningsrule

When users browse websites, web pages can switch in between secure and non-secure protocols. Users can be warned each time by setting security.warn_leaving_secure to true.

Rationale:

Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings.

identifiers:  DISA FSO DTBF130

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"security.warn_leaving_secure\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"security.warn_leaving_secure\".*/lockPref(\"security.warn_leaving_secure\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo 'lockPref("security.warn_leaving_secure", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Enable Firefox Pop-up Blockerrule

The pop-up blocker can be enabled by setting dom.disable_window_open_feature.status to true.

Rationale:

Popup windows may be used to launch an attack within a new browser window with altered settings.

identifiers:  DISA FSO DTBF180

references:  ECSC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"dom.disable_window_open_feature.status\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"dom.disable_window_open_feature.status\".*/lockPref(\"dom.disable_window_open_feature.status\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ] ; then
      echo '^lockPref("dom.disable_window_open_feature.status", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done

Disable Automatic Downloads of MIME Typesrule

MIME type files are automatically downloaded or executed in Firefox. This can be disabled by setting browser.helperApps.alwaysAsk.force to true.

Rationale:

The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows users to change the specified download action so that the file is opened with a selected external application or saved to disk instead.

identifiers:  DISA FSO DTBF100

references:  DCMC-1, http://iase.disa.mil/cci/index.html

Remediation script:
FIREFOX_DIRS="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
for FIREFOX_DIR in ${FIREFOX_DIRS}; do
  if [ -d "${FIREFOX_DIR}" ]; then
    grep -q '^lockPref(\"browser.helperApps.alwaysAsk.force\", true);' "${FIREFOX_DIR}"/mozilla.cfg && \
    sed -i 's/lockPref(\"browser.helperApps.alwaysAsk.force\".*/lockPref(\"browser.helperApps.alwaysAsk.force\", true);/g' "${FIREFOX_DIR}"/mozilla.cfg
    if ! [ $? -eq 0 ]; then
      echo 'lockPref("browser.helperApps.alwaysAsk.force", true);' >> "${FIREFOX_DIR}"/mozilla.cfg
    fi
  fi
done
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.