This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Rule: SV-251546r820745_rule | Version: FFOX-00-000002 | CCI: CCI-001453 | Severity: HIGH
Title: Firefox must be configured to allow only TLS 1.2 or above.
Description: Use of versions prior to TLS 1.2 is not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.

Rule: SV-251549r807119_rule | Version: FFOX-00-000005 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must be configured to not automatically update installed add-ons and plugins.
Description: Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites put the enclave at risk of attack and may override security settings.

Rule: SV-251551r807125_rule | Version: FFOX-00-000007 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must be configured to disable form fill assistance.
Description: To protect privacy and sensitive data, Firefox provides the ability to configure the program so that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.

Rule: SV-251552r822411_rule | Version: FFOX-00-000008 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must be configured to not use a password store with or without a master password.
Description: Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate PIN, which could lead to compromise of DoD information.

Rule: SV-251553r862958_rule | Version: FFOX-00-000009 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must be configured to block pop-up windows.
Description: Pop-up windows may be used to launch an attack within a new browser window with altered settings. This setting blocks pop-up windows created while the page is loading.

Rule: SV-251557r820752_rule | Version: FFOX-00-000013 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must be configured to disable the installation of extensions.
Description: A browser extension is a program that has been installed into the browser to add functionality. Where a plug-in interacts only with a web page and usually a third-party external application (e.g., Flash, Adobe Reader), an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions that apply to web pages.
For example, an extension can be written to combine data from multiple domains and present it when a certain page is accessed, which can be considered cross-site scripting. If a browser is configured to allow unrestricted use of extensions, plug-ins can be loaded and installed from malicious sources and used on the browser.

Rule: SV-251558r807146_rule | Version: FFOX-00-000014 | CCI: CCI-000381 | Severity: MEDIUM
Title: Background submission of information to Mozilla must be disabled.
Description: By default, Firefox sends information about itself to Mozilla servers. There should be no background submission of technical and other information from DoD computers to Mozilla, portions of which are posted publicly.

Rule: SV-251559r807149_rule | Version: FFOX-00-000015 | CCI: CCI-001312 | Severity: LOW
Title: Firefox development tools must be disabled.
Description: Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back ends being used for data storage may be displayed. Because this information may be placed in logs and general messages during normal operation of the web browser, an attacker does not have to cause an error condition to gain this information.

Rule: SV-251562r849961_rule | Version: FFOX-00-000018 | CCI: CCI-002355 | Severity: MEDIUM
Title: Firefox must prevent the user from quickly deleting data.
Description: There should not be an option for a user to "forget" work they have done. This is required to meet non-repudiation controls.

Rule: SV-251563r807161_rule | Version: FFOX-00-000019 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox private browsing must be disabled.
Description: Private browsing allows the user to browse the internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained.

Rule: SV-251564r807164_rule | Version: FFOX-00-000020 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox search suggestions must be disabled.
Description: Search suggestions must be disabled, as they could lead to searches being conducted that were never intended to be made.

Rule: SV-251565r832307_rule | Version: FFOX-00-000021 | CCI: CCI-000381 | Severity: LOW
Title: Firefox autoplay must be disabled.
Description: The autoplay setting controls whether videos with audio content can play automatically (without user consent). The user must be able to select the content that is run within the browser window.

Rule: SV-251566r807170_rule | Version: FFOX-00-000022 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox network prediction must be disabled.
Description: If network prediction is enabled, requests to URLs are made without user consent. The browser should always make a direct DNS request without prefetching occurring.

Rule: SV-251567r807173_rule | Version: FFOX-00-000023 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox fingerprinting protection must be enabled.
Description: The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists that Firefox is set to use, the fingerprinting script (or other tracking script/image) will not be loaded from that site.
Fingerprinting scripts collect information about browser and device configuration, such as operating system, screen resolution, and other settings. By compiling these pieces of data, fingerprinters create a unique profile that can be used to track the user around the web.

Rule: SV-251568r807176_rule | Version: FFOX-00-000024 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox cryptomining protection must be enabled.
Description: The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists that Firefox is set to use, the cryptomining script (or other tracking script/image) will not be loaded from that site.
Cryptomining scripts use a computer's central processing unit to invisibly mine cryptocurrency.

Rule: SV-251571r820762_rule | Version: FFOX-00-000027 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox deprecated ciphers must be disabled.
Description: A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient key length in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken.

Rule: SV-251572r807188_rule | Version: FFOX-00-000028 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must not recommend extensions as the user is using the browser.
Description: The Recommended Extensions program recommends extensions to users as they surf the web.
The user must not be encouraged to install extensions from the websites they visit. Allowed extensions are to be centrally managed.

Rule: SV-251573r822781_rule | Version: FFOX-00-000029 | CCI: CCI-000381 | Severity: MEDIUM
Title: The Firefox New Tab page must not show Top Sites, Sponsored Top Sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets.
Description: The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited.
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.
The New Tab page must not actively show user activity.

Rule: SV-251577r807203_rule | Version: FFOX-00-000033 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must be configured so that DNS over HTTPS is disabled.
Description: DNS over HTTPS has generally not been adopted in the DoD. DNS is tightly controlled.
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.

Rule: SV-251578r807206_rule | Version: FFOX-00-000034 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox accounts must be disabled.
Description: Disable Firefox Accounts integration (Sync).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.

Rule: SV-251580r809561_rule | Version: FFOX-00-000036 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox feedback reporting must be disabled.
Description: Disable the menus for reporting sites (Submit Feedback, Report Deceptive Site).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.

Rule: SV-251581r807215_rule | Version: FFOX-00-000037 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox encrypted media extensions must be disabled.
Description: Enable or disable Encrypted Media Extensions and optionally lock the setting.
If "Enabled" is set to "false", Firefox does not download encrypted media extensions (such as Widevine) unless the user consents to installing them.
If "Locked" is set to "true" and "Enabled" is set to "false", Firefox will not download encrypted media extensions (such as Widevine) or ask the user to install them.
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.

Rule: SV-252881r820757_rule | Version: FFOX-00-000017 | CCI: CCI-000381 | Severity: MEDIUM
Title: Firefox must be configured to not delete data upon shutdown.
Description: For diagnostic purposes, data must remain behind when the browser is closed. This is required to meet non-repudiation controls.