foreman_openscap 0.7.1 → 0.7.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/api/v2/compliance/arf_reports_controller.rb +1 -1
- data/app/controllers/api/v2/compliance/policies_controller.rb +2 -2
- data/app/controllers/api/v2/compliance/scap_contents_controller.rb +1 -1
- data/app/controllers/api/v2/compliance/tailoring_files_controller.rb +1 -1
- data/app/controllers/arf_reports_controller.rb +9 -9
- data/app/controllers/concerns/foreman/controller/parameters/policy.rb +1 -1
- data/app/controllers/openscap_proxies_controller.rb +5 -5
- data/app/controllers/policies_controller.rb +16 -17
- data/app/controllers/policy_dashboard_controller.rb +2 -1
- data/app/controllers/scap_contents_controller.rb +2 -2
- data/app/controllers/tailoring_files_controller.rb +4 -4
- data/app/helpers/arf_report_dashboard_helper.rb +2 -3
- data/app/helpers/arf_reports_helper.rb +1 -1
- data/app/helpers/compliance_hosts_helper.rb +1 -2
- data/app/helpers/policies_helper.rb +4 -4
- data/app/helpers/policy_dashboard_helper.rb +2 -3
- data/app/lib/proxy_api/available_proxy.rb +2 -2
- data/app/lib/proxy_api/openscap.rb +1 -1
- data/app/mailers/foreman_openscap/policy_mailer.rb +1 -1
- data/app/models/concerns/foreman_openscap/compliance_status_scoped_search.rb +7 -8
- data/app/models/concerns/foreman_openscap/host_extensions.rb +44 -25
- data/app/models/concerns/foreman_openscap/log_extensions.rb +1 -1
- data/app/models/concerns/foreman_openscap/openscap_proxy_core_extensions.rb +3 -3
- data/app/models/foreman_openscap/arf_report.rb +34 -12
- data/app/models/foreman_openscap/policy.rb +19 -17
- data/app/models/foreman_openscap/scap_content.rb +4 -2
- data/app/services/foreman_openscap/arf_report_status_calculator.rb +1 -1
- data/app/services/foreman_openscap/host_report_dashboard/data.rb +2 -2
- data/app/services/foreman_openscap/policy_dashboard/data.rb +4 -3
- data/app/validators/foreman_openscap/data_stream_validator.rb +2 -2
- data/app/views/policy_dashboard/_policy_status_widget.html.erb +5 -5
- data/config/routes.rb +6 -6
- data/db/migrate/20141015115511_add_arf_report_unique_constraint.rb +1 -1
- data/db/migrate/20141113221054_create_scaptimony_scap_content_profiles.rb +1 -1
- data/db/migrate/20141116170632_remove_xccdf_profile_from_scaptimony_policies.rb +1 -1
- data/db/migrate/20141121120326_create_scaptimony_arf_report_breakdowns.rb +15 -15
- data/db/migrate/20141121164042_replace_arf_report_breakdown_view.rb +15 -15
- data/db/migrate/20141206211151_create_scaptimony_assets_policies.rb +1 -1
- data/db/migrate/20150115155947_add_scaptimony_scap_content_digest.rb +1 -1
- data/db/migrate/20150821100137_migrate_from_scaptimony.rb +1 -1
- data/db/migrate/20160830113437_remove_deleted_policy.rb +1 -1
- data/db/migrate/20160925213031_change_scap_widget_names.rb +8 -8
- data/db/migrate/20161223153249_add_permissions_to_arf_report.rb +4 -4
- data/db/seeds.d/75-job_templates.rb +6 -1
- data/db/seeds.d/openscap_feature.rb +1 -1
- data/lib/foreman_openscap/data_migration.rb +1 -2
- data/lib/foreman_openscap/engine.rb +33 -34
- data/lib/foreman_openscap/helper.rb +5 -7
- data/lib/foreman_openscap/message_cleaner.rb +32 -0
- data/lib/foreman_openscap/version.rb +1 -1
- data/lib/tasks/foreman_openscap_tasks.rake +12 -0
- data/locale/de/foreman_openscap.po +205 -43
- data/locale/en_GB/foreman_openscap.po +205 -43
- data/locale/es/foreman_openscap.po +205 -43
- data/locale/foreman_openscap.pot +418 -185
- data/locale/fr/foreman_openscap.po +205 -43
- data/locale/gl/foreman_openscap.po +205 -43
- data/locale/it/foreman_openscap.po +205 -43
- data/locale/ja/foreman_openscap.po +205 -43
- data/locale/ko/foreman_openscap.po +205 -43
- data/locale/pt_BR/foreman_openscap.po +205 -43
- data/locale/ru/foreman_openscap.po +205 -43
- data/locale/sv_SE/foreman_openscap.po +205 -43
- data/locale/zh_CN/foreman_openscap.po +205 -43
- data/locale/zh_TW/foreman_openscap.po +205 -43
- data/test/factories/arf_report_factory.rb +2 -2
- data/test/factories/asset_factory.rb +5 -0
- data/test/factories/compliance_host_factory.rb +4 -4
- data/test/factories/compliance_log_factory.rb +9 -4
- data/test/files/arf_report/arf_report.json +1 -0
- data/test/files/arf_report/arf_report_msg_desc_changed.json +1 -0
- data/test/files/arf_report/arf_report_msg_value_changed.json +1 -0
- data/test/functional/api/v2/compliance/arf_reports_controller_test.rb +111 -1
- data/test/functional/api/v2/compliance/policies_controller_test.rb +1 -1
- data/test/functional/api/v2/compliance/tailoring_files_controller_test.rb +4 -4
- data/test/test_plugin_helper.rb +4 -4
- data/test/unit/arf_report_test.rb +5 -5
- data/test/unit/concerns/host_extensions_test.rb +64 -4
- data/test/unit/message_cleaner_test.rb +31 -0
- data/test/unit/policy_mailer_test.rb +1 -2
- data/test/unit/scap_content_test.rb +3 -5
- data/test/unit/services/report_dashboard/data_test.rb +1 -1
- data/test/unit/services/tailoring_files_proxy_check_test.rb +4 -4
- metadata +12 -6
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"logs":[{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure","result":"fail","title":"Disable Firefox Configuration File ROT-13 Encoding","description":"\nDisable ROT-13 encoding by setting general.config.obscure_value\nto 0.\n","rationale":"\nROT-13 encoded prevents system adminstrators from easily configuring\nand deploying Firefox configuration settings. It also prevents validating\nsettings easily from automated security tools.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n PREFERENCE_DIR=${FIREFOX_DIR}/defaults/preferences/\n \n if [ ! -d ${PREFERENCE_DIR} ]; then\n mkdir -p -m 755 ${PREFERENCE_DIR}\n fi\n\n grep -q '^pref(\\\"general.config.obscure_value\\\", 0);' ${PREFERENCE_DIR}/security_settings.js && \\\n sed -i 's/pref(\\\"general.config.obscure_value\\\".*/pref(\\\"general.config.obscure_value\\\", 0);/g' ${PREFERENCE_DIR}/security_settings.js\n if ! [ $? -eq 0 ] ; then\n echo 'pref(\"general.config.obscure_value\", 0);' >> ${PREFERENCE_DIR}/security_settings.js\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file","result":"fail","title":"Set Firefox Configuration File Location","description":"\nSpecify the Firefox configuration file location by setting \ngeneral.config.filename to the configuration (i.e. mozilla.cfg)\nfilename that contains the Firefox security preferences.\n","rationale":"\nLocked settings prevents users from accessing about:config and changing\nthe security settings set by the system administrator.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n PREFERENCE_DIR=${FIREFOX_DIR}/defaults/preferences/\n \n if [ ! -d ${PREFERENCE_DIR} ]; then\n mkdir -p -m 755 ${PREFERENCE_DIR}\n fi\n\n grep -q 'pref(\\\"general.config.filename\\\", \\\"mozilla.cfg\\\");' ${PREFERENCE_DIR}/security_settings.js && \\\n sed -i 's/pref(\\\"general.config.filename\\\".*/pref(\\\"general.config.filename\\\", \\\"mozilla.cfg\\\");/g' ${PREFERENCE_DIR}/security_settings.js\n if ! [ $? -eq 0 ] ; then\n echo 'pref(\"general.config.filename\", \"mozilla.cfg\");' >> ${PREFERENCE_DIR}/security_settings.js\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust","result":"notchecked","title":"Enable Shared System Certificates","description":"\nThe Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java\nshare a default source for retrieving system certificate anchors and blacklist\ninformation. Firefox has the capability of using this centralized store for its\nCA certificates. If the Shared System Certificates store is disabled, it can\nbe enabled by running the following command:\n$ sudo update-ca-trust enable\n","rationale":"\nThe DOD root certificate will ensure that the trust chain is\nestablished for server certificates issued from the DOD CA.\n","references":[{"title":"AC-10","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>AC-10</a>"},{"title":"54","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'>54</a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"P11=$(ls -l /etc/alternatives/libnssckbi.so* | awk {'print $11'})\nP11LIB=\"/usr/lib64/pkcs11/p11-kit-trust.so\"\n\nif ! [[ ${P11} == ${P11LIB} ]] ; then\n /usr/bin/update-ca-trust enable\nfi\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed","result":"notchecked","title":"The DoD Root Certificate Exists","description":"\nThe DoD root certificate should be installed in the Shared System Certificates store\nfor Firefox to be able to access the DoD certificate. To install the root certificated\ninto the Shared System Certificates store, copy the DoD root certificate into\n/etc/pki/ca-trust/source/anchors. Once the file is copied, run the following\ncommand:\n$ sudo update-ca-trust extract\n","rationale":"\nThe DOD root certificate will ensure that the trust chain is\nestablished for server certificates issued from the DOD CA.\n","references":[{"title":"AC-10","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>AC-10</a>"},{"title":"54","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'>54</a>"}],"fixes":[],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-addons_plugin_updates","result":"fail","title":"Disable Addons Plugin Updates","description":"\nFirefox automatically updates installed add-ons and plugins which \ncan be disabled by setting extensions.update.enabled to\nfalse.\n","rationale":"\nAutomatic updates from untrusted sites puts the enclave at\nrisk of attack and may override security settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"extensions.update.enabled\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"extensions.update.enabled\\\".*/lockPref(\\\"extensions.update.enabled\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"extensions.update.enabled\\\", false);\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_forms","result":"fail","title":"Disable Autofill Form Assistance","description":"\nFirefox provides tools to auto-fill forms from prefilled information.\nThis can be disabled by setting browser.formfill.enable to\nfalse.\n","rationale":"\nIn order to protect privacy and sensitive data, Firefox provides\nthe ability to configure Firefox such that data entered into forms\nis not saved. This mitigates the risk of a website gleaning private\ninformation from prefilled information.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.formfill.enable\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"browser.formfill.enable\\\".*/lockPref(\\\"browser.formfill.enable\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"browser.formfill.enable\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_passwords","result":"fail","title":"Disable User Ability To Autofill Passwords","description":"\nFirefox automatically allows users to save passwords to be auto-filled\ninto password forms. This can be disabled by setting\nsignon.prefillForms to false.\n","rationale":"\nWhile on the internet, it may be possible for an attacker to view\nthe saved password files and gain access to the user's accounts on\nvarious hosts.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"signon.prefillForms\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"signon.prefillForms\\\".*/lockPref(\\\"signon.prefillForms\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then \n echo 'lockPref(\"signon.prefillForms\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-auto-update_of_firefox","result":"fail","title":"Disable Firefox Auto-Update Capability","description":"\nFirefox can be set to automatically update as new updates. This can be\ndisabled by setting app.update.enable to false.\n","rationale":"\nAllowing software updates from non-trusted sites can introduce settings\nthat will override a secured installation of the application. This can\nplace DoD information at risk. If this setting is enabled, then there are\nmany other default settings which point to untrusted sites which must be\nchanged to point to an authorized update site that is not publicly accessible.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"app.update.enabled\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"app.update.enabled\\\".*/lockPref(\\\"app.update.enabled\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"app.update.enabled\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear","result":"fail","title":"Clear Data When Firefox Closes","description":"\nWhen a user browses to a website, cookies and other types of data\nget stored on the system. This can be disabled by setting\nprivacy.sanitize.sanitizeOnShutdown to true.\n","rationale":"\nCookies can help websites perform better but can also be part of spyware.\nTo mitigate this risk, set browser preferences to perform a Clear Private\nData operation when closing the browser in order to clear cookies and\nother data installed by websites visited during the session.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\".*/lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"privacy.sanitize.sanitizeOnShutdown\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice","result":"fail","title":"Disable User Prompt When Data Is Cleared","description":"\nBy default, users are asked if it is okay to clear out cookies and data\nwhen Firefox closes. This can be disabled by \nsetting privacy.sanitize.promptOnSanitize to false.\n","rationale":"\nCookies can help websites perform better but can also be part of spyware.\nTo mitigate this risk, set browser preferences to perform a Clear Private\nData operation when closing the browser in order to clear cookies and\nother data installed by websites visited during the session.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"privacy.sanitize.promptOnSanitize\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"privacy.sanitize.promptOnSanitize\\\".*/lockPref(\\\"privacy.sanitize.promptOnSanitize\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"privacy.sanitize.promptOnSanitize\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-open_confirmation","result":"fail","title":"Enable Downloading and Opening File Confirmation","description":"\nTo have an action dialog box appear promping users what action to take when\ncertain types of files are downloaded or opened, set\nplugin.disable_full_page_plugin_for_types to\n.\n","rationale":"\nWhen the user receives a dialog box asking if they want to save the file\nor open it with a specified application, this indicates that a plugin does\nnot exist. Also, the user has not previously selected a download action or helper\napplication to automatically use for that type of file. When prompted, if the user\nchecks the option to 'Do this automatically for files like this from now on', then\nan entry will appear for that type of file in the plugins listing, and this file\ntype is automatically opened in the future. This can be a security issue. New file\ntypes cannot be added directly to the Application plugin listing.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"var_required_file_types=\"<sub xmlns=\"http://checklists.nist.gov/xccdf/1.2\" idref=\"xccdf_org.ssgproject.content_value_var_required_file_types\" use=\"legacy\"/>\"\nFIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\"' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i \"s;lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\".*;lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\", \\\"${var_required_file_types}\\\")\\;;g\" ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\", \\\"${var_required_file_types}\\\");\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-password_store","result":"fail","title":"Disable the Firefox Password Store","description":"\nFirefox allows users to store passwords whether or not a master password\nis set for the password store. To disable the storing of passwords, set\nsignon.rememberSignons to false.\n","rationale":"\nAutofill of a password can be enabled when a site is visited. This feature could also\nbe used to autofill the certificate pin which could lead to compromise of DoD information.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n grep -q '^lockPref(\\\"signon.rememberSignons\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"signon.rememberSignons\\\".*/lockPref(\\\"signon.rememberSignons\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"signon.rememberSignons\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-search_update","result":"fail","title":"Disable Installed Search Plugins Update Checking","description":"\nFirefox automatically checks for updated versions of search plugins.\nTo disable the automatic updates of plugins, set\nbrowser.search.update to false.\n","rationale":"\nUpdates need to be controlled and installed from authorized and trusted servers.\nThis setting overrides a number of other settings which may direct the application\nto access external URLs.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.search.update\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"browser.search.update\\\".*/lockPref(\\\"browser.search.update\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"browser.search.update\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-shell_protocol","result":"fail","title":"Disable Firefox Access to Shell Protocols","description":"\nAccess to the shell is disabled by default but can be changed.\nTo prevent shell access from being enabled, set\nnetwork.protocol-handler.external.shell to false.\n","rationale":"\nIf enabled, this setting would allow the browser to access the Windows shell.\nThis could allow access to the underlying system.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"network.protocol-handler.external.shell\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"network.protocol-handler.external.shell\\\".*/lockPref(\\\"network.protocol-handler.external.shell\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"network.protocol-handler.external.shell\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_version_2","result":"fail","title":"Disable SSL Version 2.0 in Firefox","description":"\nSSL version 2 is not enabled by default and should not be enabled.\nTo prevent SSL version 2 from being enabled set\nsecurity.enable_ssl2 to false.\n","rationale":"\nUse of versions prior to TLS 1.0 are not permitted because these versions are\nnon-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_ssl2\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_ssl2\\\".*/lockPref(\\\"security.enable_ssl2\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_ssl2\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_protocol_tls","result":"fail","title":"Enable TLS Usage in Firefox","description":"\nTo enable TLS, set security.enable_tls to true.\n","rationale":"\nEarlier versions of SSL have known security vulnerabilities and are not\nauthorized for use in DOD environments.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_tls\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_tls\\\".*/lockPref(\\\"security.enable_tls\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_tls\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-verification","result":"fail","title":"Enable Certificate Verification","description":"\nFirefox can be configured to prompt the user to choose a certificate\nto present to a website when asked. To enable certificate verification, \nset security.default_personal_cert to Ask Every Time.\n","rationale":"\nWebsites within DoD require user authentication for access which increases\nsecurity for DoD information. Access will be denied to the user if\ncertificate management is not configured.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.default_personal_cert\\\", \\\"Ask Every Time\\\");' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.default_personal_cert\\\".*/lockPref(\\\"security.default_personal_cert\\\", \\\"Ask Every Time\\\");/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ]; then\n echo 'lockPref(\"security.default_personal_cert\", \"Ask Every Time\");' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_version_3","result":"fail","title":"Disable SSL Version 3.0 in Firefox","description":"\nSSL version 3.0 is vulnerable and should be disabled by setting\nsecurity.enable_ssl3 to false.\n","rationale":"\nEarlier versions of SSL have known security vulnerabilities and are not\nauthorized for use in DOD.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_ssl3\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_ssl3\\\".*/lockPref(\\\"security.enable_ssl3\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_ssl3\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-home_page","result":"fail","title":"Default Firefox Home Page Configured","description":"\nThe default home page is set to a vendor's defined website or\nFirefox's own website. This can be changed to an organizationally defined website\nor about:blank. To set the default home page, set\nbrowser.startup.homepage to .\n","rationale":"\nThe browser home page parameter specifies the web page that is to be\ndisplayed when the browser is started explicitly and when product-specific\nbuttons or key sequences for the home page are accessed. This helps to\nmitigate the possibility of automatic inadvertent execution of scripts \nadded to a previously safe site.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"var_default_home_page=\"<sub xmlns=\"http://checklists.nist.gov/xccdf/1.2\" idref=\"xccdf_org.ssgproject.content_value_var_default_home_page\" use=\"legacy\"/>\"\nFIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.startup.homepage\\\"' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i \"s;lockPref(\\\"browser.startup.homepage\\\".*;lockPref(\\\"browser.startup.homepage\\\", \\\"${var_default_home_page}\\\")\\;;g\" ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"browser.startup.homepage\\\", \\\"${var_default_home_page}\\\");\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_installed_firefox_version_supported","result":"pass","title":"Supported Version of Firefox Installed","description":"\nIf the system is joined to the Red Hat Network, a Red Hat Satellite Server,\nor a yum server, run the following command to install updates:\n$ sudo yum update\nIf the system is not configured to use one of these sources, updates (in the form of RPM packages)\ncan be manually downloaded and installed using rpm.\n","rationale":"\nUse of versions of an application which are not supported by the vendor\nare not permitted. Vendors respond to security flaws with updates and\npatches. These updates are not available for unsupported version which\ncan leave the application vulnerable to attack.\n","references":[{"title":"DCMC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>DCMC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[],"severity":"High"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_text","result":"fail","title":"Disable JavaScript's Ability To Modify The Browser Appearance","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically hiding the status bar from view. This can disabled by \nsetting dom.disable_window_open_feature.status to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. This activity\ncan help disguise an attack taking place in a minimized background window.\nWebpage authors can disable many features of a popup window that they open.\nThis setting prevents the status bar from being hidden.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_open_feature.status\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_open_feature.status\\\".*/lockPref(\\\"dom.disable_window_open_feature.status\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_open_feature.status\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_changes","result":"fail","title":"Disable JavaScript's Ability To Change The Status Bar","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically hiding or changing the status bar. This can be disabled by\nsetting dom.disable_window_status_change to true.\n","rationale":"\nWhen a user visits some webpages, JavaScript can hide or make changes\nto the browser___s appearance to hide unauthorized activity. This activity\ncan help disguise an attack taking place in a minimized background window.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_status_change\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_status_change\\\".*/lockPref(\\\"dom.disable_window_status_change\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_status_change\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_resizing","result":"fail","title":"Disable JavaScript's Moving Or Resizing Windows Capability","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically moving and resizing browser windows. This can be disabled by\nsetting dom.disable_window_move_resize to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. This activity\ncan help disguise an attack taking place in a minimized background window.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_move_resize\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_move_resize\\\".*/lockPref(\\\"dom.disable_window_move_resize\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_move_resize\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_changes","result":"fail","title":"Disable JavaScript's Raise Or Lower Windows Capability","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically raising and lowering windows. This can be disabled by\nsetting dom.disable_window_flip to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. Allowing a website\nto use JavaScript to raise and lower browser windows may disguise an attack.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_flip\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_flip\\\".*/lockPref(\\\"dom.disable_window_flip\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_flip\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-non-secure_page_warning","result":"fail","title":"Enable Non-Secure Page Warnings","description":"\nWhen users browse websites, web pages can switch in between secure and \nnon-secure protocols. Users can be warned each time by\nsetting security.warn_leaving_secure to true.\n","rationale":"\nUsers may not be aware that the information being viewed under secure\nconditions in a previous page are not currently being viewed under\nthe same security settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.warn_leaving_secure\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.warn_leaving_secure\\\".*/lockPref(\\\"security.warn_leaving_secure\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.warn_leaving_secure\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-pop-up_windows","result":"fail","title":"Enable Firefox Pop-up Blocker","description":"\nThe pop-up blocker can be enabled by setting\ndom.disable_window_open_feature.status to true.\n","rationale":"\nPopup windows may be used to launch an attack within a new browser window\nwith altered settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_open_feature.status\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_open_feature.status\\\".*/lockPref(\\\"dom.disable_window_open_feature.status\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo '^lockPref(\"dom.disable_window_open_feature.status\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"}],"digest":"26a5865ab702617d716f2457aa5e7c4786950589c515f37fce1de15004b1d230","metrics":{"passed":1,"failed":23,"othered":2}}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"logs":[{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure","result":"fail","title":"Disable Firefox Configuration File ROT-13 Encoding","description":"\nDisable ROT-13 encoding by setting general.config.obscure_value\nto 42, not 0 as before.\n","rationale":"\nROT-13 encoded prevents system adminstrators from easily configuring\nand deploying Firefox configuration settings. It also prevents validating\nsettings easily from automated security tools.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n PREFERENCE_DIR=${FIREFOX_DIR}/defaults/preferences/\n \n if [ ! -d ${PREFERENCE_DIR} ]; then\n mkdir -p -m 755 ${PREFERENCE_DIR}\n fi\n\n grep -q '^pref(\\\"general.config.obscure_value\\\", 0);' ${PREFERENCE_DIR}/security_settings.js && \\\n sed -i 's/pref(\\\"general.config.obscure_value\\\".*/pref(\\\"general.config.obscure_value\\\", 0);/g' ${PREFERENCE_DIR}/security_settings.js\n if ! [ $? -eq 0 ] ; then\n echo 'pref(\"general.config.obscure_value\", 0);' >> ${PREFERENCE_DIR}/security_settings.js\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file","result":"fail","title":"Set Firefox Configuration File Location","description":"\nSpecify the Firefox configuration file location by setting \ngeneral.config.filename to the configuration (i.e. mozilla.cfg)\nfilename that contains the Firefox security preferences.\n","rationale":"\nLocked settings prevents users from accessing about:config and changing\nthe security settings set by the system administrator.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n PREFERENCE_DIR=${FIREFOX_DIR}/defaults/preferences/\n \n if [ ! -d ${PREFERENCE_DIR} ]; then\n mkdir -p -m 755 ${PREFERENCE_DIR}\n fi\n\n grep -q 'pref(\\\"general.config.filename\\\", \\\"mozilla.cfg\\\");' ${PREFERENCE_DIR}/security_settings.js && \\\n sed -i 's/pref(\\\"general.config.filename\\\".*/pref(\\\"general.config.filename\\\", \\\"mozilla.cfg\\\");/g' ${PREFERENCE_DIR}/security_settings.js\n if ! [ $? -eq 0 ] ; then\n echo 'pref(\"general.config.filename\", \"mozilla.cfg\");' >> ${PREFERENCE_DIR}/security_settings.js\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust","result":"notchecked","title":"Enable Shared System Certificates","description":"\nThe Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java\nshare a default source for retrieving system certificate anchors and blacklist\ninformation. Firefox has the capability of using this centralized store for its\nCA certificates. If the Shared System Certificates store is disabled, it can\nbe enabled by running the following command:\n$ sudo update-ca-trust enable\n","rationale":"\nThe DOD root certificate will ensure that the trust chain is\nestablished for server certificates issued from the DOD CA.\n","references":[{"title":"AC-10","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>AC-10</a>"},{"title":"54","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'>54</a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"P11=$(ls -l /etc/alternatives/libnssckbi.so* | awk {'print $11'})\nP11LIB=\"/usr/lib64/pkcs11/p11-kit-trust.so\"\n\nif ! [[ ${P11} == ${P11LIB} ]] ; then\n /usr/bin/update-ca-trust enable\nfi\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed","result":"notchecked","title":"The DoD Root Certificate Exists","description":"\nThe DoD root certificate should be installed in the Shared System Certificates store\nfor Firefox to be able to access the DoD certificate. To install the root certificated\ninto the Shared System Certificates store, copy the DoD root certificate into\n/etc/pki/ca-trust/source/anchors. Once the file is copied, run the following\ncommand:\n$ sudo update-ca-trust extract\n","rationale":"\nThe DOD root certificate will ensure that the trust chain is\nestablished for server certificates issued from the DOD CA.\n","references":[{"title":"AC-10","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>AC-10</a>"},{"title":"54","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'>54</a>"}],"fixes":[],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-addons_plugin_updates","result":"fail","title":"Disable Addons Plugin Updates","description":"\nFirefox automatically updates installed add-ons and plugins which \ncan be disabled by setting extensions.update.enabled to\nfalse.\n","rationale":"\nAutomatic updates from untrusted sites puts the enclave at\nrisk of attack and may override security settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"extensions.update.enabled\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"extensions.update.enabled\\\".*/lockPref(\\\"extensions.update.enabled\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"extensions.update.enabled\\\", false);\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_forms","result":"fail","title":"Disable Autofill Form Assistance","description":"\nFirefox provides tools to auto-fill forms from prefilled information.\nThis can be disabled by setting browser.formfill.enable to\nfalse.\n","rationale":"\nIn order to protect privacy and sensitive data, Firefox provides\nthe ability to configure Firefox such that data entered into forms\nis not saved. This mitigates the risk of a website gleaning private\ninformation from prefilled information.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.formfill.enable\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"browser.formfill.enable\\\".*/lockPref(\\\"browser.formfill.enable\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"browser.formfill.enable\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_passwords","result":"fail","title":"Disable User Ability To Autofill Passwords","description":"\nFirefox automatically allows users to save passwords to be auto-filled\ninto password forms. This can be disabled by setting\nsignon.prefillForms to false.\n","rationale":"\nWhile on the internet, it may be possible for an attacker to view\nthe saved password files and gain access to the user's accounts on\nvarious hosts.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"signon.prefillForms\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"signon.prefillForms\\\".*/lockPref(\\\"signon.prefillForms\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then \n echo 'lockPref(\"signon.prefillForms\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-auto-update_of_firefox","result":"fail","title":"Disable Firefox Auto-Update Capability","description":"\nFirefox can be set to automatically update as new updates. This can be\ndisabled by setting app.update.enable to false.\n","rationale":"\nAllowing software updates from non-trusted sites can introduce settings\nthat will override a secured installation of the application. This can\nplace DoD information at risk. If this setting is enabled, then there are\nmany other default settings which point to untrusted sites which must be\nchanged to point to an authorized update site that is not publicly accessible.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"app.update.enabled\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"app.update.enabled\\\".*/lockPref(\\\"app.update.enabled\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"app.update.enabled\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear","result":"fail","title":"Clear Data When Firefox Closes","description":"\nWhen a user browses to a website, cookies and other types of data\nget stored on the system. This can be disabled by setting\nprivacy.sanitize.sanitizeOnShutdown to true.\n","rationale":"\nCookies can help websites perform better but can also be part of spyware.\nTo mitigate this risk, set browser preferences to perform a Clear Private\nData operation when closing the browser in order to clear cookies and\nother data installed by websites visited during the session.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\".*/lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"privacy.sanitize.sanitizeOnShutdown\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice","result":"fail","title":"Disable User Prompt When Data Is Cleared","description":"\nBy default, users are asked if it is okay to clear out cookies and data\nwhen Firefox closes. This can be disabled by \nsetting privacy.sanitize.promptOnSanitize to false.\n","rationale":"\nCookies can help websites perform better but can also be part of spyware.\nTo mitigate this risk, set browser preferences to perform a Clear Private\nData operation when closing the browser in order to clear cookies and\nother data installed by websites visited during the session.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"privacy.sanitize.promptOnSanitize\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"privacy.sanitize.promptOnSanitize\\\".*/lockPref(\\\"privacy.sanitize.promptOnSanitize\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"privacy.sanitize.promptOnSanitize\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-open_confirmation","result":"fail","title":"Enable Downloading and Opening File Confirmation","description":"\nTo have an action dialog box appear promping users what action to take when\ncertain types of files are downloaded or opened, set\nplugin.disable_full_page_plugin_for_types to\n.\n","rationale":"\nWhen the user receives a dialog box asking if they want to save the file\nor open it with a specified application, this indicates that a plugin does\nnot exist. Also, the user has not previously selected a download action or helper\napplication to automatically use for that type of file. When prompted, if the user\nchecks the option to 'Do this automatically for files like this from now on', then\nan entry will appear for that type of file in the plugins listing, and this file\ntype is automatically opened in the future. This can be a security issue. New file\ntypes cannot be added directly to the Application plugin listing.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"var_required_file_types=\"<sub xmlns=\"http://checklists.nist.gov/xccdf/1.2\" idref=\"xccdf_org.ssgproject.content_value_var_required_file_types\" use=\"legacy\"/>\"\nFIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\"' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i \"s;lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\".*;lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\", \\\"${var_required_file_types}\\\")\\;;g\" ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\", \\\"${var_required_file_types}\\\");\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-password_store","result":"fail","title":"Disable the Firefox Password Store","description":"\nFirefox allows users to store passwords whether or not a master password\nis set for the password store. To disable the storing of passwords, set\nsignon.rememberSignons to false.\n","rationale":"\nAutofill of a password can be enabled when a site is visited. This feature could also\nbe used to autofill the certificate pin which could lead to compromise of DoD information.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n grep -q '^lockPref(\\\"signon.rememberSignons\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"signon.rememberSignons\\\".*/lockPref(\\\"signon.rememberSignons\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"signon.rememberSignons\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-search_update","result":"fail","title":"Disable Installed Search Plugins Update Checking","description":"\nFirefox automatically checks for updated versions of search plugins.\nTo disable the automatic updates of plugins, set\nbrowser.search.update to false.\n","rationale":"\nUpdates need to be controlled and installed from authorized and trusted servers.\nThis setting overrides a number of other settings which may direct the application\nto access external URLs.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.search.update\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"browser.search.update\\\".*/lockPref(\\\"browser.search.update\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"browser.search.update\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-shell_protocol","result":"fail","title":"Disable Firefox Access to Shell Protocols","description":"\nAccess to the shell is disabled by default but can be changed.\nTo prevent shell access from being enabled, set\nnetwork.protocol-handler.external.shell to false.\n","rationale":"\nIf enabled, this setting would allow the browser to access the Windows shell.\nThis could allow access to the underlying system.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"network.protocol-handler.external.shell\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"network.protocol-handler.external.shell\\\".*/lockPref(\\\"network.protocol-handler.external.shell\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"network.protocol-handler.external.shell\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_version_2","result":"fail","title":"Disable SSL Version 2.0 in Firefox","description":"\nSSL version 2 is not enabled by default and should not be enabled.\nTo prevent SSL version 2 from being enabled set\nsecurity.enable_ssl2 to false.\n","rationale":"\nUse of versions prior to TLS 1.0 are not permitted because these versions are\nnon-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_ssl2\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_ssl2\\\".*/lockPref(\\\"security.enable_ssl2\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_ssl2\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_protocol_tls","result":"fail","title":"Enable TLS Usage in Firefox","description":"\nTo enable TLS, set security.enable_tls to true.\n","rationale":"\nEarlier versions of SSL have known security vulnerabilities and are not\nauthorized for use in DOD environments.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_tls\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_tls\\\".*/lockPref(\\\"security.enable_tls\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_tls\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-verification","result":"fail","title":"Enable Certificate Verification","description":"\nFirefox can be configured to prompt the user to choose a certificate\nto present to a website when asked. To enable certificate verification, \nset security.default_personal_cert to Ask Every Time.\n","rationale":"\nWebsites within DoD require user authentication for access which increases\nsecurity for DoD information. Access will be denied to the user if\ncertificate management is not configured.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.default_personal_cert\\\", \\\"Ask Every Time\\\");' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.default_personal_cert\\\".*/lockPref(\\\"security.default_personal_cert\\\", \\\"Ask Every Time\\\");/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ]; then\n echo 'lockPref(\"security.default_personal_cert\", \"Ask Every Time\");' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_version_3","result":"fail","title":"Disable SSL Version 3.0 in Firefox","description":"\nSSL version 3.0 is vulnerable and should be disabled by setting\nsecurity.enable_ssl3 to false.\n","rationale":"\nEarlier versions of SSL have known security vulnerabilities and are not\nauthorized for use in DOD.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_ssl3\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_ssl3\\\".*/lockPref(\\\"security.enable_ssl3\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_ssl3\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-home_page","result":"fail","title":"Default Firefox Home Page Configured","description":"\nThe default home page is set to a vendor's defined website or\nFirefox's own website. This can be changed to an organizationally defined website\nor about:blank. To set the default home page, set\nbrowser.startup.homepage to .\n","rationale":"\nThe browser home page parameter specifies the web page that is to be\ndisplayed when the browser is started explicitly and when product-specific\nbuttons or key sequences for the home page are accessed. This helps to\nmitigate the possibility of automatic inadvertent execution of scripts \nadded to a previously safe site.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"var_default_home_page=\"<sub xmlns=\"http://checklists.nist.gov/xccdf/1.2\" idref=\"xccdf_org.ssgproject.content_value_var_default_home_page\" use=\"legacy\"/>\"\nFIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.startup.homepage\\\"' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i \"s;lockPref(\\\"browser.startup.homepage\\\".*;lockPref(\\\"browser.startup.homepage\\\", \\\"${var_default_home_page}\\\")\\;;g\" ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"browser.startup.homepage\\\", \\\"${var_default_home_page}\\\");\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_installed_firefox_version_supported","result":"pass","title":"Supported Version of Firefox Installed","description":"\nIf the system is joined to the Red Hat Network, a Red Hat Satellite Server,\nor a yum server, run the following command to install updates:\n$ sudo yum update\nIf the system is not configured to use one of these sources, updates (in the form of RPM packages)\ncan be manually downloaded and installed using rpm.\n","rationale":"\nUse of versions of an application which are not supported by the vendor\nare not permitted. Vendors respond to security flaws with updates and\npatches. These updates are not available for unsupported version which\ncan leave the application vulnerable to attack.\n","references":[{"title":"DCMC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>DCMC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[],"severity":"High"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_text","result":"fail","title":"Disable JavaScript's Ability To Modify The Browser Appearance","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically hiding the status bar from view. This can disabled by \nsetting dom.disable_window_open_feature.status to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. This activity\ncan help disguise an attack taking place in a minimized background window.\nWebpage authors can disable many features of a popup window that they open.\nThis setting prevents the status bar from being hidden.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_open_feature.status\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_open_feature.status\\\".*/lockPref(\\\"dom.disable_window_open_feature.status\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_open_feature.status\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_changes","result":"fail","title":"Disable JavaScript's Ability To Change The Status Bar","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically hiding or changing the status bar. This can be disabled by\nsetting dom.disable_window_status_change to true.\n","rationale":"\nWhen a user visits some webpages, JavaScript can hide or make changes\nto the browser___s appearance to hide unauthorized activity. This activity\ncan help disguise an attack taking place in a minimized background window.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_status_change\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_status_change\\\".*/lockPref(\\\"dom.disable_window_status_change\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_status_change\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_resizing","result":"fail","title":"Disable JavaScript's Moving Or Resizing Windows Capability","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically moving and resizing browser windows. This can be disabled by\nsetting dom.disable_window_move_resize to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. This activity\ncan help disguise an attack taking place in a minimized background window.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_move_resize\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_move_resize\\\".*/lockPref(\\\"dom.disable_window_move_resize\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_move_resize\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_changes","result":"fail","title":"Disable JavaScript's Raise Or Lower Windows Capability","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically raising and lowering windows. This can be disabled by\nsetting dom.disable_window_flip to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. Allowing a website\nto use JavaScript to raise and lower browser windows may disguise an attack.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_flip\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_flip\\\".*/lockPref(\\\"dom.disable_window_flip\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_flip\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-non-secure_page_warning","result":"fail","title":"Enable Non-Secure Page Warnings","description":"\nWhen users browse websites, web pages can switch in between secure and \nnon-secure protocols. Users can be warned each time by\nsetting security.warn_leaving_secure to true.\n","rationale":"\nUsers may not be aware that the information being viewed under secure\nconditions in a previous page are not currently being viewed under\nthe same security settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.warn_leaving_secure\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.warn_leaving_secure\\\".*/lockPref(\\\"security.warn_leaving_secure\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.warn_leaving_secure\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-pop-up_windows","result":"fail","title":"Enable Firefox Pop-up Blocker","description":"\nThe pop-up blocker can be enabled by setting\ndom.disable_window_open_feature.status to true.\n","rationale":"\nPopup windows may be used to launch an attack within a new browser window\nwith altered settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_open_feature.status\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_open_feature.status\\\".*/lockPref(\\\"dom.disable_window_open_feature.status\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo '^lockPref(\"dom.disable_window_open_feature.status\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"}],"digest":"26a5865ab702617d716f2457aa5e7c4786950589c515f37fce1de15004b1d230","metrics":{"passed":1,"failed":23,"othered":2}}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"logs":[{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure","result":"fail","title":"Disable Firefox Configuration File ROT-13 Encoding Changed For Test","description":"\nDisable ROT-13 encoding by setting general.config.obscure_value\nto 0.\n","rationale":"\nROT-13 encoded prevents system adminstrators from easily configuring\nand deploying Firefox configuration settings. It also prevents validating\nsettings easily from automated security tools.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n PREFERENCE_DIR=${FIREFOX_DIR}/defaults/preferences/\n \n if [ ! -d ${PREFERENCE_DIR} ]; then\n mkdir -p -m 755 ${PREFERENCE_DIR}\n fi\n\n grep -q '^pref(\\\"general.config.obscure_value\\\", 0);' ${PREFERENCE_DIR}/security_settings.js && \\\n sed -i 's/pref(\\\"general.config.obscure_value\\\".*/pref(\\\"general.config.obscure_value\\\", 0);/g' ${PREFERENCE_DIR}/security_settings.js\n if ! [ $? -eq 0 ] ; then\n echo 'pref(\"general.config.obscure_value\", 0);' >> ${PREFERENCE_DIR}/security_settings.js\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file","result":"fail","title":"Set Firefox Configuration File Location","description":"\nSpecify the Firefox configuration file location by setting \ngeneral.config.filename to the configuration (i.e. mozilla.cfg)\nfilename that contains the Firefox security preferences.\n","rationale":"\nLocked settings prevents users from accessing about:config and changing\nthe security settings set by the system administrator.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n PREFERENCE_DIR=${FIREFOX_DIR}/defaults/preferences/\n \n if [ ! -d ${PREFERENCE_DIR} ]; then\n mkdir -p -m 755 ${PREFERENCE_DIR}\n fi\n\n grep -q 'pref(\\\"general.config.filename\\\", \\\"mozilla.cfg\\\");' ${PREFERENCE_DIR}/security_settings.js && \\\n sed -i 's/pref(\\\"general.config.filename\\\".*/pref(\\\"general.config.filename\\\", \\\"mozilla.cfg\\\");/g' ${PREFERENCE_DIR}/security_settings.js\n if ! [ $? -eq 0 ] ; then\n echo 'pref(\"general.config.filename\", \"mozilla.cfg\");' >> ${PREFERENCE_DIR}/security_settings.js\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust","result":"notchecked","title":"Enable Shared System Certificates","description":"\nThe Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java\nshare a default source for retrieving system certificate anchors and blacklist\ninformation. Firefox has the capability of using this centralized store for its\nCA certificates. If the Shared System Certificates store is disabled, it can\nbe enabled by running the following command:\n$ sudo update-ca-trust enable\n","rationale":"\nThe DOD root certificate will ensure that the trust chain is\nestablished for server certificates issued from the DOD CA.\n","references":[{"title":"AC-10","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>AC-10</a>"},{"title":"54","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'>54</a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"P11=$(ls -l /etc/alternatives/libnssckbi.so* | awk {'print $11'})\nP11LIB=\"/usr/lib64/pkcs11/p11-kit-trust.so\"\n\nif ! [[ ${P11} == ${P11LIB} ]] ; then\n /usr/bin/update-ca-trust enable\nfi\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed","result":"notchecked","title":"The DoD Root Certificate Exists","description":"\nThe DoD root certificate should be installed in the Shared System Certificates store\nfor Firefox to be able to access the DoD certificate. To install the root certificated\ninto the Shared System Certificates store, copy the DoD root certificate into\n/etc/pki/ca-trust/source/anchors. Once the file is copied, run the following\ncommand:\n$ sudo update-ca-trust extract\n","rationale":"\nThe DOD root certificate will ensure that the trust chain is\nestablished for server certificates issued from the DOD CA.\n","references":[{"title":"AC-10","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>AC-10</a>"},{"title":"54","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'>54</a>"}],"fixes":[],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-addons_plugin_updates","result":"fail","title":"Disable Addons Plugin Updates","description":"\nFirefox automatically updates installed add-ons and plugins which \ncan be disabled by setting extensions.update.enabled to\nfalse.\n","rationale":"\nAutomatic updates from untrusted sites puts the enclave at\nrisk of attack and may override security settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"extensions.update.enabled\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"extensions.update.enabled\\\".*/lockPref(\\\"extensions.update.enabled\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"extensions.update.enabled\\\", false);\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_forms","result":"fail","title":"Disable Autofill Form Assistance","description":"\nFirefox provides tools to auto-fill forms from prefilled information.\nThis can be disabled by setting browser.formfill.enable to\nfalse.\n","rationale":"\nIn order to protect privacy and sensitive data, Firefox provides\nthe ability to configure Firefox such that data entered into forms\nis not saved. This mitigates the risk of a website gleaning private\ninformation from prefilled information.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.formfill.enable\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"browser.formfill.enable\\\".*/lockPref(\\\"browser.formfill.enable\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"browser.formfill.enable\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-autofill_passwords","result":"fail","title":"Disable User Ability To Autofill Passwords","description":"\nFirefox automatically allows users to save passwords to be auto-filled\ninto password forms. This can be disabled by setting\nsignon.prefillForms to false.\n","rationale":"\nWhile on the internet, it may be possible for an attacker to view\nthe saved password files and gain access to the user's accounts on\nvarious hosts.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"signon.prefillForms\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"signon.prefillForms\\\".*/lockPref(\\\"signon.prefillForms\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then \n echo 'lockPref(\"signon.prefillForms\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-auto-update_of_firefox","result":"fail","title":"Disable Firefox Auto-Update Capability","description":"\nFirefox can be set to automatically update as new updates. This can be\ndisabled by setting app.update.enable to false.\n","rationale":"\nAllowing software updates from non-trusted sites can introduce settings\nthat will override a secured installation of the application. This can\nplace DoD information at risk. If this setting is enabled, then there are\nmany other default settings which point to untrusted sites which must be\nchanged to point to an authorized update site that is not publicly accessible.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"app.update.enabled\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"app.update.enabled\\\".*/lockPref(\\\"app.update.enabled\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"app.update.enabled\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear","result":"fail","title":"Clear Data When Firefox Closes","description":"\nWhen a user browses to a website, cookies and other types of data\nget stored on the system. This can be disabled by setting\nprivacy.sanitize.sanitizeOnShutdown to true.\n","rationale":"\nCookies can help websites perform better but can also be part of spyware.\nTo mitigate this risk, set browser preferences to perform a Clear Private\nData operation when closing the browser in order to clear cookies and\nother data installed by websites visited during the session.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\".*/lockPref(\\\"privacy.sanitize.sanitizeOnShutdown\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"privacy.sanitize.sanitizeOnShutdown\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice","result":"fail","title":"Disable User Prompt When Data Is Cleared","description":"\nBy default, users are asked if it is okay to clear out cookies and data\nwhen Firefox closes. This can be disabled by \nsetting privacy.sanitize.promptOnSanitize to false.\n","rationale":"\nCookies can help websites perform better but can also be part of spyware.\nTo mitigate this risk, set browser preferences to perform a Clear Private\nData operation when closing the browser in order to clear cookies and\nother data installed by websites visited during the session.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"privacy.sanitize.promptOnSanitize\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"privacy.sanitize.promptOnSanitize\\\".*/lockPref(\\\"privacy.sanitize.promptOnSanitize\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"privacy.sanitize.promptOnSanitize\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-open_confirmation","result":"fail","title":"Enable Downloading and Opening File Confirmation","description":"\nTo have an action dialog box appear promping users what action to take when\ncertain types of files are downloaded or opened, set\nplugin.disable_full_page_plugin_for_types to\n.\n","rationale":"\nWhen the user receives a dialog box asking if they want to save the file\nor open it with a specified application, this indicates that a plugin does\nnot exist. Also, the user has not previously selected a download action or helper\napplication to automatically use for that type of file. When prompted, if the user\nchecks the option to 'Do this automatically for files like this from now on', then\nan entry will appear for that type of file in the plugins listing, and this file\ntype is automatically opened in the future. This can be a security issue. New file\ntypes cannot be added directly to the Application plugin listing.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"var_required_file_types=\"<sub xmlns=\"http://checklists.nist.gov/xccdf/1.2\" idref=\"xccdf_org.ssgproject.content_value_var_required_file_types\" use=\"legacy\"/>\"\nFIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\"' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i \"s;lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\".*;lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\", \\\"${var_required_file_types}\\\")\\;;g\" ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"plugin.disable_full_page_plugin_for_types\\\", \\\"${var_required_file_types}\\\");\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-password_store","result":"fail","title":"Disable the Firefox Password Store","description":"\nFirefox allows users to store passwords whether or not a master password\nis set for the password store. To disable the storing of passwords, set\nsignon.rememberSignons to false.\n","rationale":"\nAutofill of a password can be enabled when a site is visited. This feature could also\nbe used to autofill the certificate pin which could lead to compromise of DoD information.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ] ; then\n grep -q '^lockPref(\\\"signon.rememberSignons\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"signon.rememberSignons\\\".*/lockPref(\\\"signon.rememberSignons\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"signon.rememberSignons\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-search_update","result":"fail","title":"Disable Installed Search Plugins Update Checking","description":"\nFirefox automatically checks for updated versions of search plugins.\nTo disable the automatic updates of plugins, set\nbrowser.search.update to false.\n","rationale":"\nUpdates need to be controlled and installed from authorized and trusted servers.\nThis setting overrides a number of other settings which may direct the application\nto access external URLs.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.search.update\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"browser.search.update\\\".*/lockPref(\\\"browser.search.update\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"browser.search.update\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-shell_protocol","result":"fail","title":"Disable Firefox Access to Shell Protocols","description":"\nAccess to the shell is disabled by default but can be changed.\nTo prevent shell access from being enabled, set\nnetwork.protocol-handler.external.shell to false.\n","rationale":"\nIf enabled, this setting would allow the browser to access the Windows shell.\nThis could allow access to the underlying system.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"network.protocol-handler.external.shell\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"network.protocol-handler.external.shell\\\".*/lockPref(\\\"network.protocol-handler.external.shell\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"network.protocol-handler.external.shell\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_version_2","result":"fail","title":"Disable SSL Version 2.0 in Firefox","description":"\nSSL version 2 is not enabled by default and should not be enabled.\nTo prevent SSL version 2 from being enabled set\nsecurity.enable_ssl2 to false.\n","rationale":"\nUse of versions prior to TLS 1.0 are not permitted because these versions are\nnon-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_ssl2\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_ssl2\\\".*/lockPref(\\\"security.enable_ssl2\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_ssl2\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_protocol_tls","result":"fail","title":"Enable TLS Usage in Firefox","description":"\nTo enable TLS, set security.enable_tls to true.\n","rationale":"\nEarlier versions of SSL have known security vulnerabilities and are not\nauthorized for use in DOD environments.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_tls\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_tls\\\".*/lockPref(\\\"security.enable_tls\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_tls\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-verification","result":"fail","title":"Enable Certificate Verification","description":"\nFirefox can be configured to prompt the user to choose a certificate\nto present to a website when asked. To enable certificate verification, \nset security.default_personal_cert to Ask Every Time.\n","rationale":"\nWebsites within DoD require user authentication for access which increases\nsecurity for DoD information. Access will be denied to the user if\ncertificate management is not configured.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.default_personal_cert\\\", \\\"Ask Every Time\\\");' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.default_personal_cert\\\".*/lockPref(\\\"security.default_personal_cert\\\", \\\"Ask Every Time\\\");/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ]; then\n echo 'lockPref(\"security.default_personal_cert\", \"Ask Every Time\");' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-ssl_version_3","result":"fail","title":"Disable SSL Version 3.0 in Firefox","description":"\nSSL version 3.0 is vulnerable and should be disabled by setting\nsecurity.enable_ssl3 to false.\n","rationale":"\nEarlier versions of SSL have known security vulnerabilities and are not\nauthorized for use in DOD.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.enable_ssl3\\\", false);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.enable_ssl3\\\".*/lockPref(\\\"security.enable_ssl3\\\", false);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.enable_ssl3\", false);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-home_page","result":"fail","title":"Default Firefox Home Page Configured","description":"\nThe default home page is set to a vendor's defined website or\nFirefox's own website. This can be changed to an organizationally defined website\nor about:blank. To set the default home page, set\nbrowser.startup.homepage to .\n","rationale":"\nThe browser home page parameter specifies the web page that is to be\ndisplayed when the browser is started explicitly and when product-specific\nbuttons or key sequences for the home page are accessed. This helps to\nmitigate the possibility of automatic inadvertent execution of scripts \nadded to a previously safe site.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"var_default_home_page=\"<sub xmlns=\"http://checklists.nist.gov/xccdf/1.2\" idref=\"xccdf_org.ssgproject.content_value_var_default_home_page\" use=\"legacy\"/>\"\nFIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"browser.startup.homepage\\\"' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i \"s;lockPref(\\\"browser.startup.homepage\\\".*;lockPref(\\\"browser.startup.homepage\\\", \\\"${var_default_home_page}\\\")\\;;g\" ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo \"lockPref(\\\"browser.startup.homepage\\\", \\\"${var_default_home_page}\\\");\" >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_installed_firefox_version_supported","result":"pass","title":"Supported Version of Firefox Installed","description":"\nIf the system is joined to the Red Hat Network, a Red Hat Satellite Server,\nor a yum server, run the following command to install updates:\n$ sudo yum update\nIf the system is not configured to use one of these sources, updates (in the form of RPM packages)\ncan be manually downloaded and installed using rpm.\n","rationale":"\nUse of versions of an application which are not supported by the vendor\nare not permitted. Vendors respond to security flaws with updates and\npatches. These updates are not available for unsupported version which\ncan leave the application vulnerable to attack.\n","references":[{"title":"DCMC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>DCMC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[],"severity":"High"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_text","result":"fail","title":"Disable JavaScript's Ability To Modify The Browser Appearance","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically hiding the status bar from view. This can disabled by \nsetting dom.disable_window_open_feature.status to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. This activity\ncan help disguise an attack taking place in a minimized background window.\nWebpage authors can disable many features of a popup window that they open.\nThis setting prevents the status bar from being hidden.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_open_feature.status\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_open_feature.status\\\".*/lockPref(\\\"dom.disable_window_open_feature.status\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_open_feature.status\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_status_bar_changes","result":"fail","title":"Disable JavaScript's Ability To Change The Status Bar","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically hiding or changing the status bar. This can be disabled by\nsetting dom.disable_window_status_change to true.\n","rationale":"\nWhen a user visits some webpages, JavaScript can hide or make changes\nto the browser___s appearance to hide unauthorized activity. This activity\ncan help disguise an attack taking place in a minimized background window.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_status_change\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_status_change\\\".*/lockPref(\\\"dom.disable_window_status_change\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_status_change\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_resizing","result":"fail","title":"Disable JavaScript's Moving Or Resizing Windows Capability","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically moving and resizing browser windows. This can be disabled by\nsetting dom.disable_window_move_resize to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. This activity\ncan help disguise an attack taking place in a minimized background window.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_move_resize\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_move_resize\\\".*/lockPref(\\\"dom.disable_window_move_resize\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_move_resize\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-javascript_window_changes","result":"fail","title":"Disable JavaScript's Raise Or Lower Windows Capability","description":"\nJavaScript can configure and make changes to the web browser's appearance by\nspecifically raising and lowering windows. This can be disabled by\nsetting dom.disable_window_flip to true.\n","rationale":"\nJavaScript can make changes to the browser___s appearance. Allowing a website\nto use JavaScript to raise and lower browser windows may disguise an attack.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_flip\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_flip\\\".*/lockPref(\\\"dom.disable_window_flip\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"dom.disable_window_flip\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-non-secure_page_warning","result":"fail","title":"Enable Non-Secure Page Warnings","description":"\nWhen users browse websites, web pages can switch in between secure and \nnon-secure protocols. Users can be warned each time by\nsetting security.warn_leaving_secure to true.\n","rationale":"\nUsers may not be aware that the information being viewed under secure\nconditions in a previous page are not currently being viewed under\nthe same security settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"security.warn_leaving_secure\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"security.warn_leaving_secure\\\".*/lockPref(\\\"security.warn_leaving_secure\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo 'lockPref(\"security.warn_leaving_secure\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"},{"source":"xccdf_org.ssgproject.content_rule_firefox_preferences-pop-up_windows","result":"fail","title":"Enable Firefox Pop-up Blocker","description":"\nThe pop-up blocker can be enabled by setting\ndom.disable_window_open_feature.status to true.\n","rationale":"\nPopup windows may be used to launch an attack within a new browser window\nwith altered settings.\n","references":[{"title":"ECSC-1","href":"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf","html_link":"<a href='http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'>ECSC-1</a>"},{"title":"","href":"http://iase.disa.mil/cci/index.html","html_link":"<a href='http://iase.disa.mil/cci/index.html'></a>"}],"fixes":[{"id":"","platform":"","system":"urn:xccdf:fix:script:sh","content":"FIREFOX_DIRs=\"/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox\"\nfor FIREFOX_DIR in ${FIREFOX_DIRs}; do\n if [ -d ${FIREFOX_DIR} ]; then\n grep -q '^lockPref(\\\"dom.disable_window_open_feature.status\\\", true);' ${FIREFOX_DIR}/mozilla.cfg && \\\n sed -i 's/lockPref(\\\"dom.disable_window_open_feature.status\\\".*/lockPref(\\\"dom.disable_window_open_feature.status\\\", true);/g' ${FIREFOX_DIR}/mozilla.cfg\n if ! [ $? -eq 0 ] ; then\n echo '^lockPref(\"dom.disable_window_open_feature.status\", true);' >> ${FIREFOX_DIR}/mozilla.cfg\n fi\n fi\ndone\n"}],"severity":"Medium"}],"digest":"26a5865ab702617d716f2457aa5e7c4786950589c515f37fce1de15004b1d230","metrics":{"passed":1,"failed":23,"othered":2}}
|
|
@@ -9,7 +9,13 @@ class Api::V2::Compliance::ArfReportsControllerTest < ActionController::TestCase
|
|
|
9
9
|
@report = FactoryGirl.create(:arf_report,
|
|
10
10
|
:host_id => @host.id,
|
|
11
11
|
:openscap_proxy => FactoryGirl.create(:smart_proxy, :url => "http://smart-proxy.org:8000"))
|
|
12
|
+
@policy = FactoryGirl.create(:policy)
|
|
13
|
+
@asset = FactoryGirl.create(:asset)
|
|
14
|
+
|
|
15
|
+
@from_json = arf_from_json "#{ForemanOpenscap::Engine.root}/test/files/arf_report/arf_report.json"
|
|
16
|
+
@cname = '9521a5c5-8f44-495f-b087-20e86b30bf67'
|
|
12
17
|
end
|
|
18
|
+
|
|
13
19
|
test "should get index" do
|
|
14
20
|
get :index, {}, set_session_user
|
|
15
21
|
response = ActiveSupport::JSON.decode(@response.body)
|
|
@@ -27,7 +33,7 @@ class Api::V2::Compliance::ArfReportsControllerTest < ActionController::TestCase
|
|
|
27
33
|
end
|
|
28
34
|
|
|
29
35
|
test "should download report" do
|
|
30
|
-
bzipped_report = File.
|
|
36
|
+
bzipped_report = File.read "#{ForemanOpenscap::Engine.root}/test/files/arf_report/arf_report.bz2"
|
|
31
37
|
ForemanOpenscap::ArfReport.any_instance.stubs(:to_bzip).returns(bzipped_report)
|
|
32
38
|
get :download, { :id => @report.to_param }, set_session_user
|
|
33
39
|
t = Tempfile.new('tmp_report')
|
|
@@ -35,4 +41,108 @@ class Api::V2::Compliance::ArfReportsControllerTest < ActionController::TestCase
|
|
|
35
41
|
t.close
|
|
36
42
|
refute t.size.zero?
|
|
37
43
|
end
|
|
44
|
+
|
|
45
|
+
test "should create report" do
|
|
46
|
+
reports_cleanup
|
|
47
|
+
date = Time.new(1984, 9, 15)
|
|
48
|
+
ForemanOpenscap::Helper.stubs(:get_asset).returns(@asset)
|
|
49
|
+
post :create,
|
|
50
|
+
@from_json.merge(:cname => @cname,
|
|
51
|
+
:policy_id => @policy.id,
|
|
52
|
+
:date => date.to_i),
|
|
53
|
+
set_session_user
|
|
54
|
+
report = ForemanOpenscap::ArfReport.unscoped.last
|
|
55
|
+
assert_equal date, report.reported_at
|
|
56
|
+
report_logs = report.logs
|
|
57
|
+
msg_count = report_logs.flat_map(&:message).count
|
|
58
|
+
src_count = report_logs.flat_map(&:source).count
|
|
59
|
+
assert(msg_count > 0)
|
|
60
|
+
assert_equal msg_count, src_count
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
test "should not duplicate messages" do
|
|
64
|
+
dates = [Time.new(1984, 9, 15), Time.new(1932, 3, 27)]
|
|
65
|
+
ForemanOpenscap::Helper.stubs(:get_asset).returns(@asset)
|
|
66
|
+
2.times do |num|
|
|
67
|
+
post :create,
|
|
68
|
+
@from_json.merge(:cname => @cname,
|
|
69
|
+
:policy_id => @policy.id,
|
|
70
|
+
:date => dates[num].to_i),
|
|
71
|
+
set_session_user
|
|
72
|
+
end
|
|
73
|
+
assert_equal Message.where(:digest => ForemanOpenscap::ArfReport.unscoped.last.logs.first.message.digest).count, 1
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
test "should recognize changes in messages" do
|
|
77
|
+
ForemanOpenscap::Helper.stubs(:get_asset).returns(@asset)
|
|
78
|
+
post :create,
|
|
79
|
+
@from_json.merge(:cname => @cname,
|
|
80
|
+
:policy_id => @policy.id,
|
|
81
|
+
:date => Time.new(2017, 5, 6).to_i),
|
|
82
|
+
set_session_user
|
|
83
|
+
assert_response :success
|
|
84
|
+
|
|
85
|
+
changed_from_json = arf_from_json "#{ForemanOpenscap::Engine.root}/test/files/arf_report/arf_report_msg_desc_changed.json"
|
|
86
|
+
post :create,
|
|
87
|
+
changed_from_json.merge(:cname => @cname,
|
|
88
|
+
:policy_id => @policy.id,
|
|
89
|
+
:date => Time.new(2017, 6, 6).to_i),
|
|
90
|
+
set_session_user
|
|
91
|
+
|
|
92
|
+
assert_response :success
|
|
93
|
+
|
|
94
|
+
src_ids = Source.where(:value => "xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure").pluck(:id)
|
|
95
|
+
msgs = Log.where(:source_id => src_ids).map(&:message)
|
|
96
|
+
assert_equal 2, msgs.count
|
|
97
|
+
msg_a, msg_b = msgs.sort_by(&:id)
|
|
98
|
+
assert_equal msg_a.description, msg_b.description
|
|
99
|
+
assert_equal "Disable ROT-13 encoding by setting general.config.obscure_value\nto 42, not 0 as before.", msg_a.description
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
test "should recognize change in message title/value" do
|
|
103
|
+
reports_cleanup
|
|
104
|
+
ForemanOpenscap::Helper.stubs(:get_asset).returns(@asset)
|
|
105
|
+
post :create,
|
|
106
|
+
@from_json.merge(:cname => @cname,
|
|
107
|
+
:policy_id => @policy.id,
|
|
108
|
+
:date => Time.new(2017, 7, 6).to_i),
|
|
109
|
+
set_session_user
|
|
110
|
+
|
|
111
|
+
assert_response :success
|
|
112
|
+
|
|
113
|
+
changed_from_json = arf_from_json "#{ForemanOpenscap::Engine.root}/test/files/arf_report/arf_report_msg_value_changed.json"
|
|
114
|
+
post :create,
|
|
115
|
+
changed_from_json.merge(:cname => @cname,
|
|
116
|
+
:policy_id => @policy.id,
|
|
117
|
+
:date => Time.new(2017, 8, 6).to_i),
|
|
118
|
+
set_session_user
|
|
119
|
+
|
|
120
|
+
assert_response :success
|
|
121
|
+
|
|
122
|
+
reports = ForemanOpenscap::ArfReport.unscoped.all
|
|
123
|
+
assert_equal reports.count, 2
|
|
124
|
+
|
|
125
|
+
new_msgs = Message.where(:value => "Disable Firefox Configuration File ROT-13 Encoding Changed For Test")
|
|
126
|
+
old_msgs = Message.where(:value => "Disable Firefox Configuration File ROT-13 Encoding")
|
|
127
|
+
assert_equal new_msgs.count, 1
|
|
128
|
+
assert_equal old_msgs.count, 0
|
|
129
|
+
assert_equal new_msgs.first.digest, Digest::SHA1.hexdigest("Disable Firefox Configuration File ROT-13 Encoding Changed For Test")
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
private
|
|
133
|
+
|
|
134
|
+
def reports_cleanup
|
|
135
|
+
reports = ForemanOpenscap::ArfReport.unscoped.all
|
|
136
|
+
report_ids = reports.pluck(:id)
|
|
137
|
+
all_logs = Log.where(:report_id => report_ids)
|
|
138
|
+
Source.where(:id => all_logs.pluck(:source_id)).map(&:destroy)
|
|
139
|
+
Message.where(:id => all_logs.pluck(:message_id)).map(&:destroy)
|
|
140
|
+
all_logs.map(&:destroy)
|
|
141
|
+
reports.map(&:destroy)
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
def arf_from_json(path)
|
|
145
|
+
file_content = File.read path
|
|
146
|
+
JSON.parse file_content
|
|
147
|
+
end
|
|
38
148
|
end
|
|
@@ -15,7 +15,7 @@ class Api::V2::Compliance::PoliciesControllerTest < ActionController::TestCase
|
|
|
15
15
|
FactoryGirl.create(:policy)
|
|
16
16
|
get :index, {}, set_session_user
|
|
17
17
|
response = ActiveSupport::JSON.decode(@response.body)
|
|
18
|
-
assert response['results'].
|
|
18
|
+
assert !response['results'].empty?
|
|
19
19
|
assert_response :success
|
|
20
20
|
end
|
|
21
21
|
|
|
@@ -25,8 +25,8 @@ class Api::V2::Compliance::TailoringFilesControllerTest < ActionController::Test
|
|
|
25
25
|
test "should create tailoring_file" do
|
|
26
26
|
tf = FactoryGirl.build(:tailoring_file)
|
|
27
27
|
tf_params = { :name => tf.name, :original_filename => tf.original_filename, :scap_file => tf.scap_file }
|
|
28
|
-
ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions)
|
|
29
|
-
|
|
28
|
+
ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions)
|
|
29
|
+
.returns({})
|
|
30
30
|
post :create, tf_params, set_session_user
|
|
31
31
|
assert_response :success
|
|
32
32
|
end
|
|
@@ -55,8 +55,8 @@ class Api::V2::Compliance::TailoringFilesControllerTest < ActionController::Test
|
|
|
55
55
|
test "should not create tailoring file when there is outdated proxy version" do
|
|
56
56
|
tf = FactoryGirl.build(:tailoring_file)
|
|
57
57
|
tf_params = { :name => tf.name, :original_filename => tf.original_filename, :scap_file => tf.scap_file }
|
|
58
|
-
ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions)
|
|
59
|
-
|
|
58
|
+
ForemanOpenscap::OpenscapProxyVersionCheck.any_instance.stubs(:openscap_proxy_versions)
|
|
59
|
+
.returns('test-proxy' => '0.5.4')
|
|
60
60
|
post :create, tf_params, set_session_user
|
|
61
61
|
assert_response :unprocessable_entity
|
|
62
62
|
end
|
data/test/test_plugin_helper.rb
CHANGED
|
@@ -22,10 +22,10 @@ module ScapTestProxy
|
|
|
22
22
|
versions = { "version" => "1.11.0", "modules" => { "openscap" => "0.5.3" } }
|
|
23
23
|
ProxyAPI::Version.any_instance.stubs(:proxy_versions).returns(versions)
|
|
24
24
|
ProxyAPI::Openscap.any_instance.stubs(:validate_scap_file).returns({'errors' => []})
|
|
25
|
-
ProxyAPI::Openscap.any_instance.stubs(:fetch_policies_for_scap_content)
|
|
26
|
-
|
|
27
|
-
ProxyAPI::Openscap.any_instance.stubs(:fetch_profiles_for_tailoring_file)
|
|
28
|
-
|
|
25
|
+
ProxyAPI::Openscap.any_instance.stubs(:fetch_policies_for_scap_content)
|
|
26
|
+
.returns({'xccdf_org.ssgproject.content_profile_common' => 'Common Profile for General-Purpose Fedora Systems'})
|
|
27
|
+
ProxyAPI::Openscap.any_instance.stubs(:fetch_profiles_for_tailoring_file)
|
|
28
|
+
.returns({'xccdf_org.ssgproject.test_profile_common' => 'Stubbed test profile'})
|
|
29
29
|
end
|
|
30
30
|
end
|
|
31
31
|
|