Check: FFOX-00-000017
Mozilla Firefox STIG:
FFOX-00-000017
(in versions v6 r5 through v6 r1)
Title
Firefox must be configured to not delete data upon shutdown. (Cat II impact)
Discussion
For diagnostic purposes, data must remain behind when the browser is closed. This is required to meet non-repudiation controls.
Check Content
Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Clear data when browser is closed Policy Name: Cache, Cookies, Download History, Form & Search History, Browsing History, Active Logins, Site Preferences, Offline Website Data Policy State: Disabled Policy Name: Locked Policy State: Enabled macOS "plist" file: Add the following: <key>SanitizeOnShutdown</key> <dict> <key>Cache</key> <false/> <key>Cookies</key> <false/> <key>Downloads</key> <false/> <key>FormData</key> <false/> <key>History</key> <false/> <key>Sessions</key> <false/> <key>SiteSettings</key> <false/> <key>OfflineApps</key> <false/> <key>Locked</key> <true/> </dict> Linux "policies.json" file: Add the following in the policies section: "SanitizeOnShutdown": { "Cache": false, "Cookies": false, "Downloads": false, "FormData": false, "History": false, "Sessions": false, "SiteSettings": false, "OfflineApps": false, "Locked": true }
Additional Identifiers
Rule ID: SV-252881r879587_rule
Vulnerability ID: V-252881
Group Title: SRG-APP-000141
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
Configure the system to provide only organization-defined mission essential capabilities. |
CCI-002355 |
Enforce access control decisions based on organization-defined security or privacy attributes that do not include the identity of the user or process acting on behalf of the user. |