Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19743 | DTBF070 | SV-21889r3_rule | ECSC-1 | Medium |
Description |
---|
Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with an offset of 7 instead). This file also needs to be "called" from the configuration file local-settings.js. |
STIG | Date |
---|---|
Mozilla Firefox | 2015-03-26 |
Check Text (C-24189r4_chk) |
---|
Verify that the required settings are marked as locked in about:config. Verify that the mozilla.cfg file is used to lock the required security settings. For instructions and a tool for reading the byte-shifted file, go to http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi |

Sample file (decoded contents of mozilla.cfg):

```js
// lockPref("browser.startup.homepage", "https://www.us.army.mil/suite/page/429668");
lockPref("browser.download.dir", "N:");
lockPref("browser.download.downloadDir", "N:");
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("browser.search.update", false);
lockPref("browser.formfill.enable", false);
lockPref("signon.prefillForms", false);
lockPref("dom.disable_open_during_load", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("security.warn_leaving_secure", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("signon.rememberSignons", false);
lockPref("xpinstall.whitelist.required", true);
lockPref("network.protocol-handler.external.shell", false);
lockPref("security.enable_ssl3", true);
lockPref("security.enable_ssl2", false);
lockPref("security.enable_tls", true);
lockPref("plugin.disable_full_page_plugin_for_types",
  "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt, application/dos, application/wks");
lockPref("privacy.item.history", false);
```

Note: Append the line that references mozilla.cfg to the local-settings.js file so that the Mozilla config file is loaded.
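As an added example, not part of the STIG text or of any Mozilla tooling, the following Python script applies and reverses the offset-13 byte shift described above and then checks a decoded mozilla.cfg for the required lockPref() entries; the sample config and the required-settings list are constructed here, and the parser only handles single-line lockPref() calls.

```python
"""Byte-shift codec for mozilla.cfg and a lockPref() checker (added example)."""
import re

SHIFT = 13  # Firefox mozilla.cfg offset; Netscape 4 used 7

def byteshift(data: bytes, shift: int = SHIFT) -> bytes:
    """Obscure plaintext JavaScript the way mozilla.cfg expects."""
    return bytes((b + shift) % 256 for b in data)

def unshift(data: bytes, shift: int = SHIFT) -> bytes:
    """Recover the JavaScript from a byte-shifted mozilla.cfg."""
    return bytes((b - shift) % 256 for b in data)

# lockPref("name", value);  value may be a quoted string or true/false
LOCKPREF_RE = re.compile(r'^\s*lockPref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*$')

def locked_prefs(config_js: str) -> dict:
    """Map pref name -> literal value for every active lockPref() line.
    A line starting with // is a comment, so that pref is NOT locked."""
    prefs = {}
    for line in config_js.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = LOCKPREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def missing_locks(config_js: str, required: dict) -> dict:
    """Required prefs that are absent or locked to a different literal."""
    found = locked_prefs(config_js)
    return {k: v for k, v in required.items() if found.get(k) != v}

# Constructed sample: a subset of the STIG sample file, one pref commented out
SAMPLE_CFG = """\
//
lockPref("app.update.enabled", false);
lockPref("signon.rememberSignons", false);
// lockPref("browser.formfill.enable", false);
lockPref("browser.download.dir", "N:");
"""
REQUIRED = {"app.update.enabled": "false",
            "signon.rememberSignons": "false",
            "browser.formfill.enable": "false"}

if __name__ == "__main__":
    blob = byteshift(SAMPLE_CFG.encode())   # bytes that would be written to mozilla.cfg
    decoded = unshift(blob).decode()
    for name, value in missing_locks(decoded, REQUIRED).items():
        print(f"NOT LOCKED: {name} (expected {value})")
```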
Fix Text (F-22495r4_fix) |
---|
Ensure the required settings in about:config are locked using the mozilla.cfg file. |