combine_ovals.py from SCAP Security Guide
ssg: [0, 1, 48], python: 3.7.6
5.11
2020-01-16T13:51:04
Enable Certificate Verification
Firefox
When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured
Enable TLS Usage in Firefox
Firefox
DoD implementations of SSL must use TLS 1.0 in accordance with
the Network Infrastructure STIG.
Disable JavaScript's Raise Or Lower Windows Capability
Firefox
Firefox should be configured to not allow JavaScript to
raise or lower windows.
Default Firefox Home Page Configured
Firefox
The default homepage for Firefox is set and cannot be changed.
Enable Firefox Pop-up Blocker
Firefox
The Firefox Pop-up blocker should be enabled as windows may be
used to launch an attack within a new browser window with altered settings.
Supported Version of Firefox Installed
Firefox
Use of versions of an application which are not
supported by the vendor are not permitted. Vendors respond to
security flaws with updates and patches. These updates are not
available for unsupported versions which can leave the application
vulnerable to attack.
Disable Installed Search Plugins Update Checking
Firefox
Search plugins can be automatically configured to check for
updates. Updates need to be controlled and installed from authorized and
trusted servers.
Enable Non-Secure Page Warnings
Firefox
Firefox is not configured to provide warnings when a user switches
from a secure (SSL-enabled) to a non-secure page.
Disable Automatic Downloads of MIME Types
Firefox
Firefox automatically executes or downloads MIME types which are
not authorized for auto-download.
Disable JavaScript's Moving Or Resizing Windows Capability
Firefox
FireFox should not be configured to allow JavaScript to move
or resize windows.
Disable Firefox Access to Shell Protocols
Firefox
Firefox can be configured to access systems shells which
could potentially allow Firefox and other users to access to the
underlying system.
Disable the Firefox Password Store
Firefox
The Firefox password store should be disabled.
Enable Downloading and Opening File Confirmation
Firefox
Firefox is not configured to prompt user before downloading and
opening required file types.
Disable SSL Version 3 in Firefox
Firefox
Earlier versions of SSL have known security vulnerabilities
and are not authorized for use in DOD.
Disable Addons Plugin Updates
Firefox
Firefox automatically updates installed
add-ons and plugins.
Disable SSL Version 2.0 in Firefox
Firefox
SSL 2.0 and SSL 3.0 contain a number of security flaws.
Therefore, SSL 2.0 should be disabled.
Disable User Ability To Autofill Passwords
Firefox
Firefox should not be configured to autofill passwords.
Disable JavaScript's Ability To Change The Status Bar
Firefox
Firefox should be configured to not allow JavaScript to
hide or change the status bar.
Disable JavaScript's Ability To Modify The Browser Appearance
Firefox
Firefox should be configured not to allow JavaScript
to change the status bar text.
Disable Firefox Auto-Update Capability
Firefox
Firefox should not be able to automatically
update itself.
Disable Autofill Form Assistance
Firefox
Firefox formfill assistance option is disabled.
Clear Cookies And Other Data When Firefox Closes
Firefox
Set browser preferences to perform a Clear Private Data
operation when closing the browser in order to clear cookies and other
data installed by websites visited during the session.
Disable User Prompt For Clearing Cookies And Other Data
Firefox
Users should not be prompted about data and cookies being
cleared when the browser is closed.
Prevent Users from Changing Firefox Configuration Settings
Firefox
Locked settings prevents users from accessing about:config and
changing the security settings set by the system administrator.
Prevent Users from Changing Firefox Configuration Settings
Firefox
Locked settings prevents users from accessing about:config and
changing the security settings set by the system administrator.
Mozilla Firefox
Firefox
The application installed on the system is firefox.
Installed operating system is part of the Unix family
Firefox
The operating system installed on the system is part of the Unix OS family
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("security.default_personal_cert",[\s]+"Ask Every Time"\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("security.enable_tls",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("dom.disable_window_flip",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("browser.startup.homepage",[\s]+"(\S+)"\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("dom.disable_window_open_feature.status",[\s]+true\);$
1
firefox
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("browser.search.update",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("security.warn_leaving_secure",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("browser.helperApps.alwaysAsk.force",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("dom.disable_window_move_resize",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("network.protocol-handler.external.shell",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("signon.rememberSignons",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("plugin.disable_full_page_plugin_for_types",[\s]+"(\S+)"\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("security.enable_ssl3",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("extensions.update.enabled",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("security.enable_ssl2",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("signon.prefillForms",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("dom.disable_window_status_change",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("dom.disable_window_open_feature.status",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("app.update.enabled",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("browser.formfill.enable",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("privacy.sanitize.sanitizeOnShutdown",[\s]+true\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox
^.*\.cfg$
^lockPref\("privacy.sanitize.promptOnSanitize",[\s]+false\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox\/defaults\/(preferences|pref)
^.*\.js$
^pref\("general.config.obscure_value",[\s]+0\);$
1
^\/usr\/(|local\/)lib(|64)\/firefox\/defaults\/(preferences|pref)
^.*\.js$
^pref\("general.config.filename",[\s]+"(\S+)\.cfg"\);$
1
firefox
3.0.0
unix
xccdf-create-ocil.xslt from SCAP Security Guide
ssg: 0.1.48
2.0
2020-01-16T00:00:00Z
Default Firefox Home Page Configured
ocil:ssg-firefox_preferences-home_page_action:testaction:1
Enable Non-Secure Page Warnings
ocil:ssg-firefox_preferences-non-secure_page_warning_action:testaction:1
Disable SSL Version 3.0 in Firefox
ocil:ssg-firefox_preferences-ssl_version_3_action:testaction:1
Disable the Firefox Password Store
ocil:ssg-firefox_preferences-password_store_action:testaction:1
Supported Version of Firefox Installed
ocil:ssg-installed_firefox_version_supported_action:testaction:1
Disable Automatic Downloads of MIME Types
ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1
Enable Downloading and Opening File Confirmation
ocil:ssg-firefox_preferences-open_confirmation_action:testaction:1
Enable Certificate Verification
ocil:ssg-firefox_preferences-verification_action:testaction:1
Disable JavaScript's Moving Or Resizing Windows Capability
ocil:ssg-firefox_preferences-javascript_window_resizing_action:testaction:1
Disable Installed Search Plugins Update Checking
ocil:ssg-firefox_preferences-search_update_action:testaction:1
Disable Autofill Form Assistance
ocil:ssg-firefox_preferences-autofill_forms_action:testaction:1
Disable Firefox Access to Shell Protocols
ocil:ssg-firefox_preferences-shell_protocol_action:testaction:1
Disable Addons Plugin Updates
ocil:ssg-firefox_preferences-addons_plugin_updates_action:testaction:1
Disable User Ability To Autofill Passwords
ocil:ssg-firefox_preferences-autofill_passwords_action:testaction:1
Disable SSL Version 2.0 in Firefox
ocil:ssg-firefox_preferences-ssl_version_2_action:testaction:1
Enable TLS Usage in Firefox
ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1
Disable JavaScript's Ability To Modify The Browser Appearance
ocil:ssg-firefox_preferences-javascript_status_bar_text_action:testaction:1
Disable JavaScript's Raise Or Lower Windows Capability
ocil:ssg-firefox_preferences-javascript_window_changes_action:testaction:1
Disable JavaScript's Ability To Change The Status Bar
ocil:ssg-firefox_preferences-javascript_status_bar_changes_action:testaction:1
Disable Firefox Auto-Update Capability
ocil:ssg-firefox_preferences-auto-update_of_firefox_action:testaction:1
Enable Firefox Pop-up Blocker
ocil:ssg-firefox_preferences-pop-up_windows_action:testaction:1
Set Firefox Configuration File Location
ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1
Disable Firefox Configuration File ROT-13 Encoding
ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1
Enable Shared System Certificates
ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1
The DoD Root Certificate Exists
ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1
Clear Data When Firefox Closes
ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1
Disable User Prompt When Data Is Cleared
ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
PASS
FAIL
To verify that default home page is set,
run the following command:
$ grep 'browser.startup.homepage' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("browser.startup.homepage", "");
Is it the case that it is not configured?
To verify that non-secure page warnings are enabled,
run the following command:
$ grep 'security.warn_leaving_secure' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("security.warn_leaving_secure", "true");
Is it the case that it is not enabled?
To verify that SSL version 3 is disabled,
run the following command:
$ grep 'security.enable_ssl3' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("security.enable_ssl3", "false");
Is it the case that it is not enabled?
To verify that the password store is disabled,
run the following command:
$ grep 'signon.rememberSignons' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("signon.rememberSignons", "false");
Is it the case that it is not disabled?
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
a yum server which provides updates, invoking the following command will
indicate if updates are available:
$ sudo yum check-update
If the system is not configured to update from one of these sources,
run the following command to list when each package was last updated:
$ rpm -qa -last
Compare this to Red Hat Security Advisories (RHSA) listed at
https://access.redhat.com/security/updates/active/https://access.redhat.com/security/updates/active/
to determine if the system is missing applicable updates.
Is it the case that it is not updated?
To verify that user interaction is required for the downloading of MIME types,
run the following command:
$ grep 'browser.helperApps.alwaysAsk.force' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("browser.helperApps.alwaysAsk.force", "true");
Is it the case that it is not disabled?
To verify that downloading and opening file confirmation is enabled,
run the following command:
$ grep 'plugin.disable_full_page_plugin_for_types' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("plugin.disable_full_page_plugin_for_types", "");
Is it the case that it is not set or application listing is incorrect?
To verify that certificate verification is enabled, run the following command:
$ grep 'security.default_personal_cert' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("security.default_personal_cert", "Ask Every Time");
Is it the case that it is not enabled?
To verify that JavaScript cannot change windows sizing,
run the following command:
$ grep 'dom.disable_window_move_resize' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("dom.disable_window_move_resize", "true");
Is it the case that it is not disabled?
To verify that search plugins cannot automatically update,
run the following command:
$ grep 'browser.search.update' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("browser.search.update", "false");
Is it the case that it is not disabled?
To verify that Autofill Form Assistance is disabled,
run the following command:
$ grep 'browser.formfill.enable' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("browser.formfill.enable", false);
Is it the case that it is not disabled?
To verify that the shell protocol access is disabled,
run the following command:
$ grep 'network.protocol-handler.external.shell' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("network.protocol-handler.external.shell", "false");
Is it the case that it is not disabled?
To verify that add-ons and plugins cannot automatically update,
run the following command:
$ grep 'extensions.update.enabled' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("extensions.update.enabled", false);
Is it the case that it is not disabled?
To verify that password autofill is disabled,
run the following command:
$ grep 'signon.prefillForms' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("signon.prefillForms", false);
Is it the case that it is not disabled?
To verify that SSL version 2.0 is disabled,
run the following command:
$ grep 'security.enable_ssl2' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("security.enable_ssl2", "false");
Is it the case that it is not disabled?
To verify that TLS is enabled, run the following command:
$ grep 'security.enable_tls' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("security.enable_tls", "true");
Is it the case that it is not enabled?
To verify that JavaScript cannot change the browser appearance,
run the following command:
$ grep 'dom.disable_window_open_feature.status' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("dom.disable_window_open_feature.status", "true");
Is it the case that it is not disabled?
To verify that JavaScript cannot change windows sizing,
run the following command:
$ grep 'dom.disable_window_flip' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("dom.disable_window_flip", "true");
Is it the case that it is not disabled?
To verify that JavaScript cannot change the status bar,
run the following command:
$ grep 'dom.disable_window_status_change' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("dom.disable_window_status_change", "true");
Is it the case that it is not disabled?
To verify that Firefox cannot auto-update,
run the following command:
$ grep 'app.update.enable' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("app.update.enable", false);
Is it the case that it is not disabled?
To verify that pop-up blocker is enabled,
run the following command:
$ grep 'dom.disable_window_open_feature.status' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("dom.disable_window_open_feature.status", "true");
Is it the case that it is not enabled?
To verify that configuration filename is set, run the following command:
$ grep 'filename' FIREFOX_INSTALL_DIR/defaults/preferences/*.js
The output should return something similar to:
pref("general.config.filename", "mozilla.cfg");
Is it the case that users can change mandatory settings?
To verify that ROT-13 encoding is disabled, run the following command:
$ grep 'obscure_value' FIREFOX_INSTALL_DIR/defaults/preferences/*.js
The output should return something similar to:
pref("general.config.obscure_value", 0);
Is it the case that users can change mandatory settings?
To verify that the central system cerificate authority store is enabled,
run the following command:
$ ls -l /etc/alternatives/libnssckbi.so.x86_64
The output should return something similar to:
lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so
Is it the case that it is not enabled?
To verify that the DoD root certificate is installed,
list all certificates in /etc/pki/ca-trust/source/anchors
and compare them to the DoD root certificate. If there is a match
to the DoD root certificate, then the DoD root certificate is
installed.
Is it the case that it is not installed?
To verify that Firefox clears data on exit,
run the following command:
$ grep 'privacy.sanitize.sanitizeOnShutdown' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
Is it the case that it is not set to clear?
To verify that Firefox does not prompt users about data being cleared,
run the following command:
$ grep 'privacy.sanitize.promptOnSanitize' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("privacy.sanitize.promptOnSanitize", false);
Is it the case that it is not disabled?
draft
Guide to the Secure Configuration of Firefox
This guide presents a catalog of security-relevant
configuration settings for Firefox. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content is
is available in the scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a catalog, not a
checklist, and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF Profiles, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP). The DISA STIG for Firefox,
which provides required settings for US Department of Defense systems, is
one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide
Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.
0.1.48
SCAP Security Guide Project
SCAP Security Guide Project
Frank J Cameron (CAM1244) <cameron@ctc.com>
0x66656c6978 <0x66656c6978@users.noreply.github.com>
Gabe Alford <redhatrises@gmail.com>
Firas AlShafei <firas.alshafei@us.abb.com>
Christopher Anderson <cba@fedoraproject.org>
angystardust <angystardust@users.noreply.github.com>
Chuck Atkins <chuck.atkins@kitware.com>
Ryan Ballanger <root@rballang-admin-2.fastenal.com>
Alex Baranowski <alex@euro-linux.com>
Molly Jo Bault <Molly.Jo.Bault@ballardtech.com>
Gabriel Becker <ggasparb@redhat.com>
Alexander Bergmann <abergmann@suse.com>
Jose Luis BG <bgjoseluis@gmail.com>
Joseph Bisch <joseph.bisch@gmail.com>
Jeffrey Blank <blank@eclipse.ncsc.mil>
Olivier Bonhomme <ptitoliv@ptitoliv.net>
Ted Brunell <tbrunell@redhat.com>
Blake Burkhart <blake.burkhart@us.af.mil>
Patrick Callahan <pmc@patrickcallahan.com>
Nick Carboni <ncarboni@redhat.com>
James Cassell <james.cassell@ll.mit.edu>
Frank Caviggia <fcaviggi@ra.iad.redhat.com>
Eric Christensen <echriste@redhat.com>
Jayson Cofell <1051437+70k10@users.noreply.github.com>
Caleb Cooper <coopercd@ornl.gov>
Deric Crago <deric.crago@gmail.com>
Maura Dailey <maura@eclipse.ncsc.mil>
Klaas Demter <demter@atix.de>
dhanushkar-wso2 <dhanushkar@wso2.com>
Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu>
dom <dominique.blaze@devinci.fr>
Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr>
drax <applezip@gmail.com>
Sebastian Dunne <sdunne@redhat.com>
Greg Elin <gregelin@gitmachines.com>
Alexis Facques <alexis.facques@mythalesgroup.io>
Leah Fisher <lfisher047@gmail.com>
Alijohn Ghassemlouei <alijohn.ghassemlouei@sapns2.com>
ghylock <ghylock@gmail.com>
Andrew Gilmore <agilmore2@gmail.com>
Joshua Glemza <jglemza@nasa.gov>
Loren Gordon <lorengordon@users.noreply.github.com>
Patrik Greco <sikevux@sikevux.se>
Steve Grubb <sgrubb@redhat.com>
Marek Haicman <mhaicman@redhat.com>
Rebekah Hayes <rhayes@corp.rivierautilities.com>
Trey Henefield <thenefield@gmail.com>
Henning Henkel <henning.henkel@helvetia.ch>
hex2a <hex2a@users.noreply.github.com>
John Hooks <jhooks@starscream.pa.jhbcomputers.com>
Jakub Hrozek <jhrozek@redhat.com>
De Huo <De.Huo@windriver.com>
Robin Price II <robin@redhat.com>
Yasir Imam <yimam@redhat.com>
Jiri Jaburek <jjaburek@redhat.com>
Keith Jackson <keithkjackson@gmail.com>
Jeremiah Jahn <jeremiah@goodinassociates.com>
Stephan Joerrens <Stephan.Joerrens@fiduciagad.de>
Jono <jono@ubuntu-18.localdomain>
Kai Kang <kai.kang@windriver.com>
Charles Kernstock <charles.kernstock@ultra-ats.com>
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Nathan Kinder <nkinder@redhat.com>
Lee Kinser <lee.kinser@gmail.com>
Evgeny Kolesnikov <ekolesni@redhat.com>
Peter 'Pessoft' Kolínek <github@pessoft.com>
Luke Kordell <luke.t.kordell@lmco.com>
Malte Kraus <malte.kraus@suse.com>
kspargur <kspargur@kspargur.csb>
Amit Kumar <amitkuma@redhat.com>
Fen Labalme <fen@civicactions.com>
Ian Lee <lee1001@llnl.gov>
Jarrett Lee <jarrettl@umd.edu>
Jan Lieskovsky <jlieskov@redhat.com>
Šimon Lukašík <slukasik@redhat.com>
Milan Lysonek <mlysonek@redhat.com>
Fredrik Lysén <fredrik@pipemore.se>
Matus Marhefka <mmarhefk@redhat.com>
Jamie Lorwey Martin <jlmartin@redhat.com>
Robert McAllister <rmcallis@redhat.com>
Michael McConachie <michael@redhat.com>
Khary Mendez <kharyam@gmail.com>
Rodney Mercer <rmercer@harris.com>
Matt Micene <nzwulfin@gmail.com>
Brian Millett <bmillett@gmail.com>
Mixer9 <35545791+Mixer9@users.noreply.github.com>
mmosel <mmosel@kde.example.com>
Zbynek Moravec <zmoravec@redhat.com>
Kazuo Moriwaka <moriwaka@users.noreply.github.com>
Michael Moseley <michael@eclipse.ncsc.mil>
Joe Nall <joe@nall.com>
Neiloy <neiloy@redhat.com>
Axel Nennker <axel@nennker.de>
Michele Newman <mnewman@redhat.com>
Sean O'Keeffe <seanokeeffe797@gmail.com>
Ilya Okomin <ilya.okomin@oracle.com>
Kaustubh Padegaonkar <theTuxRacer@gmail.com>
Michael Palmiotto <mpalmiotto@tresys.com>
Max R.D. Parmer <maxp@trystero.is>
Jan Pazdziora <jpazdziora@redhat.com>
pcactr <paul.c.arnold4.ctr@mail.mil>
Kenneth Peeples <kennethwpeeples@gmail.com>
Nathan Peters <Nathaniel.Peters@ca.com>
Frank Lin PIAT <fpiat@klabs.be>
Stefan Pietsch <mail.ipv4v6+gh@gmail.com>
Vojtech Polasek <vpolasek@redhat.com>
Martin Preisler <mpreisle@redhat.com>
Wesley Ceraso Prudencio <wcerasop@redhat.com>
Raphael Sanchez Prudencio <rsprudencio@redhat.com>
T.O. Radzy Radzykewycz <radzy@windriver.com>
Kenyon Ralph <kenyon@kenyonralph.com>
Mike Ralph <mralph@redhat.com>
Rick Renshaw <Richard_Renshaw@xtoenergy.com>
Chris Reynolds <c.reynolds82@gmail.com>
rhayes <rhayes@rivierautilities.com>
Pat Riehecky <riehecky@fnal.gov>
rlucente-se-jboss <rlucente@redhat.com>
Jesse Roland <j.roland277@gmail.com>
Joshua Roys <roysjosh@gmail.com>
rrenshaw <bofh69@yahoo.com>
Chris Ruffalo <chris.ruffalo@gmail.com>
Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil>
Willy Santos <wsantos@redhat.com>
Gautam Satish <gautams@hpe.com>
Watson Sato <wsato@redhat.com>
Satoru SATOH <satoru.satoh@gmail.com>
Alexander Scheel <ascheel@redhat.com>
Bryan Schneiders <pschneiders@trisept.com>
shaneboulden <shane.boulden@gmail.com>
Spencer Shimko <sshimko@tresys.com>
Mark Shoger <mshoger@redhat.com>
Thomas Sjögren <konstruktoid@users.noreply.github.com>
Francisco Slavin <fslavin@tresys.com>
David Smith <dsmith@eclipse.ncsc.mil>
Kevin Spargur <kspargur@redhat.com>
Kenneth Stailey <kstailey.lists@gmail.com>
Leland Steinke <leland.j.steinke.ctr@mail.mil>
Justin Stephenson <jstephen@redhat.com>
Brian Stinson <brian@bstinson.com>
Jake Stookey <jakestookey@gmail.com>
Jonathan Sturges <jsturges@jsturges.remote.csb>
Philippe Thierry <phil@reseau-libre.net>
Derek Thurston <thegrit@gmail.com>
tianzhenjia <jiatianzhen@cmss.chinamobile.com>
Paul Tittle <ptittle@cmf.nrl.navy.mil>
tomas.hudik <tomas.hudik@embedit.cz>
Jeb Trayer <jeb.d.trayer@uscg.mil>
Matěj Týč <matyc@redhat.com>
VadimDor <29509093+VadimDor@users.noreply.github.com>
Shawn Wells <shawn@redhat.com>
Daniel E. White <linuxdan@users.noreply.github.com>
Roy Williams <roywilli@roywilli.redhat.com>
Rob Wilmoth <rwilmoth@redhat.com>
Lucas Yamanishi <lucas.yamanishi@onyxpoint.com>
Xirui Yang <xirui.yang@oracle.com>
Kevin Zimmerman <kevin.zimmerman@kitware.com>
Jan Černý <jcerny@redhat.com>
Michal Šrubař <msrubar@redhat.com>
https://github.com/OpenSCAP/scap-security-guide/releases/latest
Upstream Firefox STIG
This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process,
serving as the upstream development environment for the Firefox STIG.
As a result of the upstream/downstream relationship between the SCAP Security Guide project
and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content.
For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance.
While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note
that commercial support of this SCAP content is NOT available. This profile is provided as example
SCAP content with no endorsement for suitability or production readiness. Support for this
profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The
upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
Remediation functions used by the SCAP Security Guide Project
XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project.
Remediation function include_merge_files_by_lines
Shared bash remediation function. Not intended to be changed by tailoring.
function include_merge_files_by_lines {
:
}
# 1: Filename of the "master" file
# 2: Filename of the newly created file
function create_empty_file_like {
local lines_count
lines_count=$(cat "$1" | wc -l)
for _ in $(seq 1 "$lines_count"); do
printf '\n' >> "$2"
done
}
# 1: Filename of the "master" file
# 2: Filename of sample flie
function second_file_is_same_except_newlines {
local lines_of_master lines_of_sample len_of_master line_number i
readarray -t lines_of_master < "$1"
readarray -t lines_of_sample < "$2"
len_of_master="${#lines_of_master[@]}"
if test "$len_of_master" != "${#lines_of_sample[@]}"; then
echo "Files '$1' and '$2' have different number of lines, $len_of_master and ${#lines_of_sample[@]} respectively."
return 1
fi
for line_number in $(seq 1 "$len_of_master"); do
i=$((line_number - 1))
test -n "${lines_of_sample[$i]}" || continue
if test "${lines_of_master[$i]}" != "${lines_of_sample[$i]}"; then
echo "Line $line_number is different in files '$1' and '$2'."
return 1
fi
done
}
# 1: Filename of the "master" file
# 2: Filename of sample flie
# 3: List of indices (1-based, space-separated string)
function merge_first_lines_to_second_on_indices {
local lines_of_master lines_of_sample line_number i
test -f "$2" || create_empty_file_like "$1" "$2"
readarray -t lines_of_master < "$1"
readarray -t lines_of_sample < "$2"
error_msg="$(second_file_is_same_except_newlines "$1" "$2")"
if test $? != 0; then
echo "Error merging lines into '$2': $error_msg" >&2
return 1
fi
for line_number in $3; do
i=$((line_number - 1))
lines_of_sample[$i]="${lines_of_master[$i]}"
done
printf "%s\n" "${lines_of_sample[@]}" > "$2"
}
Remediation function perform_audit_adjtimex_settimeofday_stime_remediation
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than to create audit rule per
# different system call) to avoid audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
#
# Expects five arguments (each of them is required) in the form of:
# * audit tool tool used to load audit rules,
# either 'auditctl', or 'augenrules
# * audit rules' pattern audit rule skeleton for same syscall
# * syscall group greatest common string this rule shares
# with other rules from the same group
# * architecture architecture this rule is intended for
# * full form of new rule to add expected full form of audit rule as to be
# added into audit.rules file
#
# Note: The 2-th up to 4-th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
# (5-th argument) the function is going to add. The rule's similarity check
# is performed to optimize audit.rules definition (merge syscalls of the same
# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
# penalty.
#
# Example call:
#
# See e.g. 'audit_rules_file_deletion_events.sh' remediation script
#
function fix_audit_syscall_rule {
# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"
# Check sanity of the input
if [ $# -ne "5" ]
then
echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect
retval=0
# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
return 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
# Extract audit $key from audit rule so we can use it later
key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
if [ $? -ne 0 ]
then
retval=1
fi
for match in "${matches[@]}"
do
files_to_inspect+=("${match}")
done
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$key.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
fi
#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that:
# * follow the rule pattern, and
# * meet the hardware architecture requirement, and
# * are current syscall group specific
readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
if [ $? -ne 0 ]
then
retval=1
fi
# Process rules found case-by-case
for rule in "${existing_rules[@]}"
do
# Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
if [ "${rule}" != "${full_rule}" ]
then
# If so, isolate just '(-S \w)+' substring of that rule
rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')
# Check if list of '-S syscall' arguments of that rule is subset
# of '-S syscall' list of expected $full_rule
if grep -q -- "$rule_syscalls" <<< "$full_rule"
then
# Rule is covered (i.e. the list of -S syscalls for this rule is
# subset of -S syscalls of $full_rule => existing rule can be deleted
# Thus delete the rule from audit.rules & our array
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
existing_rules=("${existing_rules[@]//$rule/}")
else
# Rule isn't covered by $full_rule - it besides -S syscall arguments
# for this group contains also -S syscall arguments for other syscall
# group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
# since 'lchown' & 'fchownat' share 'chown' substring
# Therefore:
# * 1) delete the original rule from audit.rules
# (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
# * 2) delete the -S syscall arguments for this syscall group, but
# keep those not belonging to this syscall group
# (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
# * 3) append the modified (filtered) rule again into audit.rules
# if the same rule not already present
#
# 1) Delete the original rule
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
# 2) Delete syscalls for this group, but keep those from other groups
# Convert current rule syscall's string into array splitting by '-S' delimiter
IFS_BKP="$IFS"
IFS=$'-S'
read -a rule_syscalls_as_array <<< "$rule_syscalls"
# Reset IFS back to default
IFS="$IFS_BKP"
# Splitting by "-S" can't be replaced by the readarray functionality easily
# Declare new empty string to hold '-S syscall' arguments from other groups
new_syscalls_for_rule=''
# Walk through existing '-S syscall' arguments
for syscall_arg in "${rule_syscalls_as_array[@]}"
do
# Skip empty $syscall_arg values
if [ "$syscall_arg" == '' ]
then
continue
fi
# If the '-S syscall' doesn't belong to current group add it to the new list
# (together with adding '-S' delimiter back for each of such item found)
if grep -q -v -- "$group" <<< "$syscall_arg"
then
new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
fi
done
# Replace original '-S syscall' list with the new one for this rule
updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
# Squeeze repeated whitespace characters in rule definition (if any) into one
updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
# 3) Append the modified / filtered rule again into audit.rules
# (but only in case it's not present yet to prevent duplicate definitions)
if ! grep -q -- "$updated_rule" "$audit_file"
then
echo "$updated_rule" >> "$audit_file"
fi
fi
else
# $audit_file already contains the expected rule form for this
# architecture & key => don't insert it second time
append_expected_rule=1
fi
done
# We deleted all rules that were subset of the expected one for this arch & key.
# Also isolated rules containing system calls not from this system calls group.
# Now append the expected rule if it's not present in $audit_file yet
if [[ ${append_expected_rule} -eq "0" ]]
then
echo "$full_rule" >> "$audit_file"
fi
done
return $retval
}
# Function to perform remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
# system calls on RHEL, Fedora or OL systems.
# Remediation performed for both possible tools: 'auditctl' and 'augenrules'.
#
# Note: 'stime' system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
# therefore excluded from the list of time group system calls to be audited on this arch
#
# Example Call:
#
# perform_audit_adjtimex_settimeofday_stime_remediation
#
function perform_audit_adjtimex_settimeofday_stime_remediation {
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
# Create expected audit group and audit rule form for particular system call & architecture
if [ ${ARCH} = "b32" ]
then
# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
# so append it to the list of time group system calls to be audited
GROUP="\(adjtimex\|settimeofday\|stime\)"
FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
elif [ ${ARCH} = "b64" ]
then
# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
# therefore don't add it to the list of time group system calls to be audited
GROUP="\(adjtimex\|settimeofday\)"
FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
fi
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
}
Remediation function fix_audit_watch_rule
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to fix audit file system object watch rule for given path:
# * if rule exists, also verifies the -w bits match the requirements
# * if rule doesn't exist yet, appends expected rule form to $files_to_inspect
# audit rules file, depending on the tool which was used to load audit rules
#
# Expects four arguments (each of them is required) in the form of:
# * audit tool tool used to load audit rules,
# either 'auditctl', or 'augenrules'
# * path value of -w audit rule's argument
# * required access bits value of -p audit rule's argument
# * key value of -k audit rule's argument
#
# Example call:
#
# fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
#
function fix_audit_watch_rule {
# Load function arguments into local variables
local tool="$1"
local path="$2"
local required_access_bits="$3"
local key="$4"
# Check sanity of the input
if [ $# -ne "4" ]
then
echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
declare -a files_to_inspect
files_to_inspect=()
# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
exit 1
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules')
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection.
elif [ "$tool" == 'augenrules' ]
then
readarray -t matches < <(grep -P "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo $match | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/$key.rules' into list of files for inspection
local key_rule_file="/etc/audit/rules.d/$key.rules"
# If the $key.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Escape slashes in path for use in sed pattern below
local esc_path=${path//$'/'/$'\/'}
# Define BRE whitespace class shortcut
local sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "$required_access_bits" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file"
fi
done
}
Remediation function set_faillock_option_to_value_in_pam_file
Shared bash remediation function. Not intended to be changed by tailoring.
function set_faillock_option_to_value_in_pam_file {
# If invoked with no arguments, exit. This is an intentional behavior.
[ $# -gt 1 ] || return 0
[ $# -ge 3 ] || die "$0 requires exactly zero, three, or four arguments"
[ $# -le 4 ] || die "$0 requires exactly zero, three, or four arguments"
local _pamFile="$1" _option="$2" _value="$3" _insert_lines_callback="$4"
# pam_faillock.so already present?
if grep -q "^auth.*pam_faillock.so.*" "$_pamFile"; then
# pam_faillock.so present, is the option present?
if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*$_option=" "$_pamFile"; then
# both pam_faillock.so & option present, just correct option to the right value
sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile"
sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile"
# pam_faillock.so present, but the option not yet
else
# append correct option value to appropriate places
sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ $_option=$_value/" "$_pamFile"
sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ $_option=$_value/" "$_pamFile"
fi
# pam_faillock.so not present yet
else
test -z "$_insert_lines_callback" || "$_insert_lines_callback" "$_option" "$_value" "$_pamFile"
# insert pam_faillock.so preauth & authfail rows with proper value of the option in question
fi
}
Remediation function create_audit_remediation_unsuccessful_file_modification_detailed
Shared bash remediation function. Not intended to be changed by tailoring.
function create_audit_remediation_unsuccessful_file_modification_detailed {
mkdir -p "$(dirname "$1")"
# The - option to mark a here document limit string (<<-EOF) suppresses leading tabs (but not spaces) in the output.
cat <<-EOF > "$1"
## This content is a section of an Audit config snapshot recommended for RHEL8 sytems that target OSPP compliance.
## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
EOF
}
Remediation function perform_audit_rules_privileged_commands_remediation
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to perform remediation for 'audit_rules_privileged_commands' rule
#
# Expects two arguments:
#
# audit_tool tool used to load audit rules
# One of 'auditctl' or 'augenrules'
#
# min_auid Minimum original ID the user logged in with
# '500' for RHEL-6 and before, '1000' for RHEL-7 and after.
#
# Example Call(s):
#
# perform_audit_rules_privileged_commands_remediation "auditctl" "500"
# perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
#
function perform_audit_rules_privileged_commands_remediation {
#
# Load function arguments into local variables
local tool="$1"
local min_auid="$2"
# Check sanity of the input
if [ $# -ne "2" ]
then
echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'"
echo "Aborting."
exit 1
fi
declare -a files_to_inspect=()
# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
exit 1
# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules'to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
# missing rules should be inserted
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect=("/etc/audit/audit.rules")
output_audit_file="/etc/audit/audit.rules"
#
# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
# (split by newline),
# * specify /etc/audit/rules.d/privileged.rules' as the output file, where
# missing rules should be inserted
elif [ "$tool" == 'augenrules' ]
then
readarray -t files_to_inspect < <(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)
output_audit_file="/etc/audit/rules.d/privileged.rules"
fi
# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
readarray -t privileged_binaries < <(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)
# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
declare -a sbinaries_to_skip=()
# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do
# Check if this sbinary wasn't already handled in some of the previous sbinary iterations
# Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
then
# If so, don't process it second time & go to process next sbinary
continue
fi
# Reset the counter of inspected files when starting to check
# presence of existing audit rule for new sbinary
local count_of_inspected_files=0
# Define expected rule form for this binary
expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged"
# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
echo "$expected_rule" >> "$output_audit_file"
continue
fi
# Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
sbinary_esc=${sbinary//$'/'/$'\/'}
# For each audit rules file from the list of files to be inspected
for afile in "${files_to_inspect[@]}"
do
# Search current audit rules file's content for match. Match criteria:
# * existing rule is for the same SUID/SGID binary we are currently processing (but
# can contain multiple -F path= elements covering multiple SUID/SGID binaries)
# * existing rule contains all arguments from expected rule form (though can contain
# them in arbitrary order)
base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \
-e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \
-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
-e '/-k \|-F key=/!d' "$afile")
# Increase the count of inspected files for this sbinary
count_of_inspected_files=$((count_of_inspected_files + 1))
# Require execute access type to be set for existing audit rule
exec_access='x'
# Search current audit rules file's content for presence of rule pattern for this sbinary
if [[ $base_search ]]
then
# Current audit rules file already contains rule for this binary =>
# Store the exact form of found rule for this binary for further processing
concrete_rule=$base_search
# Select all other SUID/SGID binaries possibly also present in the found rule
readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
# Separate concrete_rule into three sections using hash '#'
# sign as a delimiter around rule's permission section borders
concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")"
# Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule")
rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")
# Extract already present exact access type [r|w|x|a] from rule's permission section
access_type=${rule_perm//-F perm=/}
# Verify current permission access type(s) for rule contain 'x' (execute) permission
if ! grep -q "$exec_access" <<< "$access_type"
then
# If not, append the 'x' (execute) permission to the existing access type bits
access_type="$access_type$exec_access"
# Reconstruct the permissions section for the rule
new_rule_perm="-F perm=$access_type"
# Update existing rule in current audit rules file with the new permission section
sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile"
fi
# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
#
# * in the "auditctl" mode of operation insert particular rule each time
# (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
#
# * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
# searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
# in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
#
elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
then
# Check if this sbinary wasn't already handled in some of the previous afile iterations
# Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
then
# Current audit rules file's content doesn't contain expected rule for this
# SUID/SGID binary yet => append it
echo "$expected_rule" >> "$output_audit_file"
fi
continue
fi
done
done
}
Remediation function fix_audit_syscall_rule
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than to create audit rule per
# different system call) to avoid audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
#
# Expects five arguments (each of them is required) in the form of:
# * audit tool tool used to load audit rules,
# either 'auditctl', or 'augenrules
# * audit rules' pattern audit rule skeleton for same syscall
# * syscall group greatest common string this rule shares
# with other rules from the same group
# * architecture architecture this rule is intended for
# * full form of new rule to add expected full form of audit rule as to be
# added into audit.rules file
#
# Note: The 2-th up to 4-th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
# (5-th argument) the function is going to add. The rule's similarity check
# is performed to optimize audit.rules definition (merge syscalls of the same
# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
# penalty.
#
# Example call:
#
# See e.g. 'audit_rules_file_deletion_events.sh' remediation script
#
function fix_audit_syscall_rule {
# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"
# Check sanity of the input
if [ $# -ne "5" ]
then
echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect
retval=0
# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
return 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
# Extract audit $key from audit rule so we can use it later
key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
if [ $? -ne 0 ]
then
retval=1
fi
for match in "${matches[@]}"
do
files_to_inspect+=("${match}")
done
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$key.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
fi
#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that:
# * follow the rule pattern, and
# * meet the hardware architecture requirement, and
# * are current syscall group specific
readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
if [ $? -ne 0 ]
then
retval=1
fi
# Process rules found case-by-case
for rule in "${existing_rules[@]}"
do
# Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
if [ "${rule}" != "${full_rule}" ]
then
# If so, isolate just '(-S \w)+' substring of that rule
rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')
# Check if list of '-S syscall' arguments of that rule is subset
# of '-S syscall' list of expected $full_rule
if grep -q -- "$rule_syscalls" <<< "$full_rule"
then
# Rule is covered (i.e. the list of -S syscalls for this rule is
# subset of -S syscalls of $full_rule => existing rule can be deleted
# Thus delete the rule from audit.rules & our array
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
existing_rules=("${existing_rules[@]//$rule/}")
else
# Rule isn't covered by $full_rule - it besides -S syscall arguments
# for this group contains also -S syscall arguments for other syscall
# group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
# since 'lchown' & 'fchownat' share 'chown' substring
# Therefore:
# * 1) delete the original rule from audit.rules
# (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
# * 2) delete the -S syscall arguments for this syscall group, but
# keep those not belonging to this syscall group
# (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
# * 3) append the modified (filtered) rule again into audit.rules
# if the same rule not already present
#
# 1) Delete the original rule
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
# 2) Delete syscalls for this group, but keep those from other groups
# Convert current rule syscall's string into array splitting by '-S' delimiter
IFS_BKP="$IFS"
IFS=$'-S'
read -a rule_syscalls_as_array <<< "$rule_syscalls"
# Reset IFS back to default
IFS="$IFS_BKP"
# Splitting by "-S" can't be replaced by the readarray functionality easily
# Declare new empty string to hold '-S syscall' arguments from other groups
new_syscalls_for_rule=''
# Walk through existing '-S syscall' arguments
for syscall_arg in "${rule_syscalls_as_array[@]}"
do
# Skip empty $syscall_arg values
if [ "$syscall_arg" == '' ]
then
continue
fi
# If the '-S syscall' doesn't belong to current group add it to the new list
# (together with adding '-S' delimiter back for each of such item found)
if grep -q -v -- "$group" <<< "$syscall_arg"
then
new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
fi
done
# Replace original '-S syscall' list with the new one for this rule
updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
# Squeeze repeated whitespace characters in rule definition (if any) into one
updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
# 3) Append the modified / filtered rule again into audit.rules
# (but only in case it's not present yet to prevent duplicate definitions)
if ! grep -q -- "$updated_rule" "$audit_file"
then
echo "$updated_rule" >> "$audit_file"
fi
fi
else
# $audit_file already contains the expected rule form for this
# architecture & key => don't insert it second time
append_expected_rule=1
fi
done
# We deleted all rules that were subset of the expected one for this arch & key.
# Also isolated rules containing system calls not from this system calls group.
# Now append the expected rule if it's not present in $audit_file yet
if [[ ${append_expected_rule} -eq "0" ]]
then
echo "$full_rule" >> "$audit_file"
fi
done
return $retval
}
Remediation function populate
Shared bash remediation function. Not intended to be changed by tailoring.
# The populate function isn't directly used by SSG at the moment but it can be
# used for testing purposes and will be used in SSG Testsuite in the future.
function populate {
# code to populate environment variables needed (for unit testing)
if [ -z "${!1}" ]; then
echo "$1 is not defined. Exiting."
exit
fi
}
Remediation function include_mount_options_functions
Shared bash remediation function. Not intended to be changed by tailoring.
function include_mount_options_functions {
:
}
# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')
for _vfstype_point in "${_vfstype_points[@]}"
do
ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
done
}
# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
local _mount_point_match_regexp="" _previous_mount_opts=""
_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"
if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
# runtime opts without some automatic kernel/userspace-added defaults
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
fi
}
# $1: mount point
function get_mount_point_regexp {
printf "[[:space:]]%s[[:space:]]" "$1"
}
# $1: mount point
function assert_mount_point_in_fstab {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
grep "$_mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}
# $1: mount point
function remove_defaults_from_fstab_if_overriden {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
then
sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
fi
}
# $1: mount point
function ensure_partition_is_mounted {
local _mount_point="$1"
mkdir -p "$_mount_point" || return 1
if mountpoint -q "$_mount_point"; then
mount -o remount --target "$_mount_point"
else
mount --target "$_mount_point"
fi
}
Remediation function replace_or_append
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file: Configuration file that will be modified
# key: Configuration option to change
# value: Value of the configuration option to change
# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format: The printf-like format string that will be given stripped key and value as arguments,
# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format: Optional argument to specify the format of how key/value should be
# modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
# With default format of 'key = value':
# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
# With custom key/value format:
# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
# With a variable:
# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
local config_file=$1
local key=$2
local value=$3
local cce=$4
local format=$5
if [ "$case_insensitive_mode" = yes ]; then
sed_case_insensitive_option="i"
grep_case_insensitive_option="-i"
fi
[ -n "$format" ] || format="$default_format"
# Check sanity of the input
[ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "$config_file"; then
sed_command+=('--follow-symlinks')
fi
# Test that the cce arg is not empty or does not equal @CCENUM@.
# If @CCENUM@ exists, it means that there is no CCE assigned.
if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
cce="${cce}"
else
cce="CCE"
fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
# shellcheck disable=SC2059
printf -v formatted_output "$format" "$stripped_key" "$value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
"${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
else
# \n is precaution for case where file ends without trailing newline
printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
printf '%s\n' "$formatted_output" >> "$config_file"
fi
}
Remediation function die
Shared bash remediation function. Not intended to be changed by tailoring.
# Print a message to stderr and exit the shell
# $1: The message to print.
# $2: The error code (optional, default is 1)
function die {
local _message="$1" _rc="${2:-1}"
printf '%s\n' "$_message" >&2
exit "$_rc"
}
Firefox
Firefox is an open-source web browser and developed by Mozilla.
Web browsers such as Firefox are used for a number of reasons. This section
provides settings for configuring Firefox policies to meet compliance
settings for Firefox running on Red Hat Enterprise Linux systems.
Refer to http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
for a list of currently supported Firefox settings.
The Default Required Firefox File Types
The default required file types that need to request usage
confirmation in Firefox.
application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks
The Default Firefox Home Page
The default home page for Firefox users.
about:blank
None
Default Firefox Home Page Configured
The default home page is set to a vendor's defined website or
Firefox's own website. This can be changed to an organizationally defined website
or about:blank. To set the default home page, set
browser.startup.homepage to .
ECSC-1
FIREFOX-DTBF017
The browser home page parameter specifies the web page that is to be
displayed when the browser is started explicitly and when product-specific
buttons or key sequences for the home page are accessed. This helps to
mitigate the possibility of automatic inadvertent execution of scripts
added to a previously safe site.
var_default_home_page=""
firefox_cfg="stig.cfg"
value="\"${var_default_home_page}\""
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("browser.startup.homepage", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("browser.startup.homepage".*/lockPref("browser.startup.homepage", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("browser.startup.homepage", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Enable Non-Secure Page Warnings
When users browse websites, web pages can switch in between secure and
non-secure protocols. Users can be warned each time by
setting security.warn_leaving_secure to true.
ECSC-1
FIREFOX-DTBF130
Users may not be aware that the information being viewed under secure
conditions in a previous page are not currently being viewed under
the same security settings.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("security.warn_leaving_secure", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("security.warn_leaving_secure".*/lockPref("security.warn_leaving_secure", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("security.warn_leaving_secure", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable SSL Version 3.0 in Firefox
SSL version 3.0 is vulnerable and should be disabled by setting
security.enable_ssl3 to false.
ECSC-1
FIREFOX-DTBF020
Earlier versions of SSL have known security vulnerabilities and are not
authorized for use in DOD.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("security.enable_ssl3", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("security.enable_ssl3".*/lockPref("security.enable_ssl3", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("security.enable_ssl3", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable the Firefox Password Store
Firefox allows users to store passwords whether or not a master password
is set for the password store. To disable the storing of passwords, set
signon.rememberSignons to false.
ECSC-1
FIREFOX-DTBF160
Autofill of a password can be enabled when a site is visited. This feature could also
be used to autofill the certificate pin which could lead to compromise of DoD information.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("signon.rememberSignons", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("signon.rememberSignons".*/lockPref("signon.rememberSignons", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("signon.rememberSignons", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Supported Version of Firefox Installed
If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded and installed using rpm.
DCMC-1
FIREFOX-DTBF003
Use of versions of an application which are not supported by the vendor
are not permitted. Vendors respond to security flaws with updates and
patches. These updates are not available for unsupported version which
can leave the application vulnerable to attack.
Disable Automatic Downloads of MIME Types
MIME type files are automatically downloaded or executed in Firefox. This
can be disabled by setting browser.helperApps.alwaysAsk.force to
true.
DCMC-1
FIREFOX-DTBF100
The default action for file types for which a plugin is installed is to
automatically download and execute the file using the associated plugin.
Firefox allows users to change the specified download action so that the
file is opened with a selected external application or saved to disk
instead.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("browser.helperApps.alwaysAsk.force", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("browser.helperApps.alwaysAsk.force".*/lockPref("browser.helperApps.alwaysAsk.force", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("browser.helperApps.alwaysAsk.force", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Enable Downloading and Opening File Confirmation
To have an action dialog box appear promping users what action to take when
certain types of files are downloaded or opened, set
plugin.disable_full_page_plugin_for_types to
.
ECSC-1
FIREFOX-DTBF110
When the user receives a dialog box asking if they want to save the file
or open it with a specified application, this indicates that a plugin does
not exist. Also, the user has not previously selected a download action or helper
application to automatically use for that type of file. When prompted, if the user
checks the option to 'Do this automatically for files like this from now on', then
an entry will appear for that type of file in the plugins listing, and this file
type is automatically opened in the future. This can be a security issue. New file
types cannot be added directly to the Application plugin listing.
var_required_file_types=""
firefox_cfg="stig.cfg"
value="\"${var_required_file_types}\""
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("plugin.disable_full_page_plugin_for_types", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's|lockPref("plugin.disable_full_page_plugin_for_types".*|lockPref("plugin.disable_full_page_plugin_for_types", '"$value)"';|g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("plugin.disable_full_page_plugin_for_types", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Enable Certificate Verification
Firefox can be configured to prompt the user to choose a certificate
to present to a website when asked. To enable certificate verification,
set security.default_personal_cert to Ask Every Time.
ECSC-1
FIREFOX-DTBF050
Websites within DoD require user authentication for access which increases
security for DoD information. Access will be denied to the user if
certificate management is not configured.
firefox_cfg="stig.cfg"
value="\"Ask Every Time\""
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("security.default_personal_cert", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("security.default_personal_cert".*/lockPref("security.default_personal_cert", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("security.default_personal_cert", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable JavaScript's Moving Or Resizing Windows Capability
JavaScript can configure and make changes to the web browser's appearance by
specifically moving and resizing browser windows. This can be disabled by
setting dom.disable_window_move_resize to true.
ECSC-1
FIREFOX-DTBF181
JavaScript can make changes to the browser’s appearance. This activity
can help disguise an attack taking place in a minimized background window.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_move_resize", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("dom.disable_window_move_resize".*/lockPref("dom.disable_window_move_resize", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("dom.disable_window_move_resize", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable Installed Search Plugins Update Checking
Firefox automatically checks for updated versions of search plugins.
To disable the automatic updates of plugins, set
browser.search.update to false.
ECSC-1
FIREFOX-DTBF085
Updates need to be controlled and installed from authorized and trusted servers.
This setting overrides a number of other settings which may direct the application
to access external URLs.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("browser.search.update", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("browser.search.update".*/lockPref("browser.search.update", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("browser.search.update", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable Autofill Form Assistance
Firefox provides tools to auto-fill forms from prefilled information.
This can be disabled by setting browser.formfill.enable to
false.
ECSC-1
FIREFOX-DTBF140
In order to protect privacy and sensitive data, Firefox provides
the ability to configure Firefox such that data entered into forms
is not saved. This mitigates the risk of a website gleaning private
information from prefilled information.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("browser.formfill.enable", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("browser.formfill.enable".*/lockPref("browser.formfill.enable", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("browser.formfill.enable", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable Firefox Access to Shell Protocols
Access to the shell is disabled by default but can be changed.
To prevent shell access from being enabled, set
network.protocol-handler.external.shell to false.
ECSC-1
FIREFOX-DTBF105
If enabled, this setting would allow the browser to access the Windows shell.
This could allow access to the underlying system.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("network.protocol-handler.external.shell", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("network.protocol-handler.external.shell".*/lockPref("network.protocol-handler.external.shell", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("network.protocol-handler.external.shell", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable Addons Plugin Updates
Firefox automatically updates installed add-ons and plugins which
can be disabled by setting extensions.update.enabled to
false.
ECSC-1
FIREFOX-DTBF090
Automatic updates from untrusted sites puts the enclave at
risk of attack and may override security settings.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("extensions.update.enabled", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("extensions.update.enabled".*/lockPref("extensions.update.enabled", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("extensions.update.enabled", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable User Ability To Autofill Passwords
Firefox automatically allows users to save passwords to be auto-filled
into password forms. This can be disabled by setting
signon.prefillForms to false.
ECSC-1
FIREFOX-DTBF150
While on the internet, it may be possible for an attacker to view
the saved password files and gain access to the user's accounts on
various hosts.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("signon.prefillForms", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("signon.prefillForms".*/lockPref("signon.prefillForms", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("signon.prefillForms", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable SSL Version 2.0 in Firefox
SSL version 2 is not enabled by default and should not be enabled.
To prevent SSL version 2 from being enabled set
security.enable_ssl2 to false.
ECSC-1
FIREFOX-DTBF010
Use of versions prior to TLS 1.0 are not permitted because these versions are
non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("security.enable_ssl2", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("security.enable_ssl2".*/lockPref("security.enable_ssl2", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("security.enable_ssl2", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Enable TLS Usage in Firefox
To enable TLS, set security.enable_tls to true.
ECSC-1
FIREFOX-DTBF030
Earlier versions of SSL have known security vulnerabilities and are not
authorized for use in DOD environments.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("security.enable_tls", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("security.enable_tls".*/lockPref("security.enable_tls", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("security.enable_tls", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable JavaScript's Ability To Modify The Browser Appearance
JavaScript can configure and make changes to the web browser's appearance by
specifically hiding the status bar from view. This can disabled by
setting dom.disable_window_open_feature.status to true.
ECSC-1
FIREFOX-DTBF185
JavaScript can make changes to the browser’s appearance. This activity
can help disguise an attack taking place in a minimized background window.
Webpage authors can disable many features of a popup window that they open.
This setting prevents the status bar from being hidden.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_open_feature.status", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("dom.disable_window_open_feature.status".*/lockPref("dom.disable_window_open_feature.status", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("dom.disable_window_open_feature.status", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable JavaScript's Raise Or Lower Windows Capability
JavaScript can configure and make changes to the web browser's appearance by
specifically raising and lowering windows. This can be disabled by
setting dom.disable_window_flip to true.
ECSC-1
FIREFOX-DTBF182
JavaScript can make changes to the browser’s appearance. Allowing a website
to use JavaScript to raise and lower browser windows may disguise an attack.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_flip", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("dom.disable_window_flip".*/lockPref("dom.disable_window_flip", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("dom.disable_window_flip", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable JavaScript's Ability To Change The Status Bar
JavaScript can configure and make changes to the web browser's appearance by
specifically hiding or changing the status bar. This can be disabled by
setting dom.disable_window_status_change to true.
ECSC-1
FIREFOX-DTBF184
When a user visits some webpages, JavaScript can hide or make changes
to the browser’s appearance to hide unauthorized activity. This activity
can help disguise an attack taking place in a minimized background window.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_status_change", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("dom.disable_window_status_change".*/lockPref("dom.disable_window_status_change", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("dom.disable_window_status_change", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable Firefox Auto-Update Capability
Firefox can be set to automatically update as new updates. This can be
disabled by setting app.update.enable to false.
ECSC-1
FIREFOX-DTBF080
Allowing software updates from non-trusted sites can introduce settings
that will override a secured installation of the application. This can
place DoD information at risk. If this setting is enabled, then there are
many other default settings which point to untrusted sites which must be
changed to point to an authorized update site that is not publicly accessible.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("app.update.enabled", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("app.update.enabled".*/lockPref("app.update.enabled", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("app.update.enabled", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Enable Firefox Pop-up Blocker
The pop-up blocker can be enabled by setting
dom.disable_window_open_feature.status to true.
ECSC-1
FIREFOX-DTBF180
Popup windows may be used to launch an attack within a new browser window
with altered settings.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("dom.disable_window_open_feature.status", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("dom.disable_window_open_feature.status".*/lockPref("dom.disable_window_open_feature.status", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("dom.disable_window_open_feature.status", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Prevent Users from Changing Firefox Configuration Settings
Firefox required security preferences cannot be changed by users.
Set Firefox Configuration File Location
Specify the Firefox configuration file location by setting
general.config.filename to the configuration (i.e. mozilla.cfg)
filename that contains the Firefox security preferences.
ECSC-1
FIREFOX-DTBF070
Locked settings prevents users from accessing about:config and changing
the security settings set by the system administrator.
value="\"stig.cfg\""
firefox_js="stig_settings.js"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
firefox_pref="/defaults/pref"
firefox_preferences="/defaults/preferences"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Different versions of Firefox have different preferences directories, check for them and set the right one
if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
firefox_pref_dir="${firefox_dir}/${firefox_pref}"
elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
else
mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
fi
# Make sure the Firefox .js file exists and has the appropriate permissions
if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
touch "${firefox_pref_dir}/${firefox_js}"
chmod 644 "${firefox_pref_dir}/${firefox_js}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^pref("general.config.filename", ' "${firefox_pref_dir}/${firefox_js}"; then
sed -i 's/pref("general.config.filename".*/pref("general.config.filename", '"$value)"';/g' "${firefox_pref_dir}/${firefox_js}"
else
echo 'pref("general.config.filename", '"$value"');' >> "${firefox_pref_dir}/${firefox_js}"
fi
fi
done
Disable Firefox Configuration File ROT-13 Encoding
Disable ROT-13 encoding by setting general.config.obscure_value
to 0.
ECSC-1
FIREFOX-DTBF070
ROT-13 encoded prevents system adminstrators from easily configuring
and deploying Firefox configuration settings. It also prevents validating
settings easily from automated security tools.
value="0"
firefox_js="stig_settings.js"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
firefox_pref="/defaults/pref"
firefox_preferences="/defaults/preferences"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Different versions of Firefox have different preferences directories, check for them and set the right one
if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
firefox_pref_dir="${firefox_dir}/${firefox_pref}"
elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
else
mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
fi
# Make sure the Firefox .js file exists and has the appropriate permissions
if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
touch "${firefox_pref_dir}/${firefox_js}"
chmod 644 "${firefox_pref_dir}/${firefox_js}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^pref("general.config.obscure_value", ' "${firefox_pref_dir}/${firefox_js}"; then
sed -i 's/pref("general.config.obscure_value".*/pref("general.config.obscure_value", '"$value)"';/g' "${firefox_pref_dir}/${firefox_js}"
else
echo 'pref("general.config.obscure_value", '"$value"');' >> "${firefox_pref_dir}/${firefox_js}"
fi
fi
done
The DoD Root Certificate Is Required
The Shared System Certificates store contains certificates that
applications can access for a single certificate repository.
If enabled, Firefox can access that single system certificate
repository. If the DoD root certificate is also installed into
the shared system certificate repository, Firefox will see and
use the DoD root certificate as a valid certificate authority.
Enable Shared System Certificates
The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java
share a default source for retrieving system certificate anchors and blacklist
information. Firefox has the capability of using this centralized store for its
CA certificates. If the Shared System Certificates store is disabled, it can
be enabled by running the following command:
$ sudo update-ca-trust enable
CCI-000054
AC-10
The DOD root certificate will ensure that the trust chain is
established for server certificates issued from the DOD CA.
CCE-82057-1
P11=$(readlink /etc/alternatives/libnssckbi.so*)
P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"
if ! [[ ${P11} == "${P11LIB64}" ]] || ! [[ ${P11} == "${P11LIB}" ]] ; then
/usr/bin/update-ca-trust enable
fi
The DoD Root Certificate Exists
The DoD root certificate should be installed in the Shared System Certificates store
for Firefox to be able to access the DoD certificate. To install the root certificated
into the Shared System Certificates store, copy the DoD root certificate into
/etc/pki/ca-trust/source/anchors. Once the file is copied, run the following
command:
$ sudo update-ca-trust extract
CCI-000054
AC-10
The DOD root certificate will ensure that the trust chain is
established for server certificates issued from the DOD CA.
CCE-82056-3
Clearing Cookies And Other Data
Browser preferences should be set to perform a Clear Private Data
operation when closing the browser in order to clear cookies and other
data installed by websites visited during the session.
Clear Data When Firefox Closes
When a user browses to a website, cookies and other types of data
get stored on the system. This can be disabled by setting
privacy.sanitize.sanitizeOnShutdown to true.
ECSC-1
FIREFOX-DTBF170
Cookies can help websites perform better but can also be part of spyware.
To mitigate this risk, set browser preferences to perform a Clear Private
Data operation when closing the browser in order to clear cookies and
other data installed by websites visited during the session.
firefox_cfg="stig.cfg"
value="true"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("privacy.sanitize.sanitizeOnShutdown", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("privacy.sanitize.sanitizeOnShutdown".*/lockPref("privacy.sanitize.sanitizeOnShutdown", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("privacy.sanitize.sanitizeOnShutdown", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
Disable User Prompt When Data Is Cleared
By default, users are asked if it is okay to clear out cookies and data
when Firefox closes. This can be disabled by
setting privacy.sanitize.promptOnSanitize to false.
ECSC-1
FIREFOX-DTBF170
Cookies can help websites perform better but can also be part of spyware.
To mitigate this risk, set browser preferences to perform a Clear Private
Data operation when closing the browser in order to clear cookies and
other data installed by websites visited during the session.
firefox_cfg="stig.cfg"
value="false"
firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
# Check the possible Firefox install directories
for firefox_dir in ${firefox_dirs}; do
# If the Firefox directory exists, then Firefox is installed
if [ -d "${firefox_dir}" ]; then
# Make sure the Firefox .cfg file exists and has the appropriate permissions
if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
touch "${firefox_dir}/${firefox_cfg}"
chmod 644 "${firefox_dir}/${firefox_cfg}"
fi
# If the key exists, change it. Otherwise, add it to the config_file.
if LC_ALL=C grep -m 1 -q '^lockPref("privacy.sanitize.promptOnSanitize", ' "${firefox_dir}/${firefox_cfg}"; then
sed -i 's/lockPref("privacy.sanitize.promptOnSanitize".*/lockPref("privacy.sanitize.promptOnSanitize", '"$value)"';/g' "${firefox_dir}/${firefox_cfg}"
else
echo 'lockPref("privacy.sanitize.promptOnSanitize", '"$value"');' >> "${firefox_dir}/${firefox_cfg}"
fi
fi
done
combine_ovals.py from SCAP Security Guide
ssg: [0, 1, 48], python: 3.7.6
5.11
2020-01-16T13:51:04
Mozilla Firefox
Firefox
The application installed on the system is firefox.
Installed operating system is part of the Unix family
Firefox
The operating system installed on the system is part of the Unix OS family
firefox
unix
Mozilla Firefox
oval:ssg-installed_app_is_firefox:def:1