Apocalypse_Cow

Secure Firefox - DISA STIG

May 16th, 2022 (edited)
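#!/bin/bash
##########
# Secure Firefox
#
# Brings the Firefox browser on Red Hat Linux into DISA STIG compliance by
# writing three system-wide files under the Firefox install directory:
#   defaults/preferences/local-settings.js  - points Firefox at mozilla.cfg
#   mozilla.cfg                             - locked preferences
#   distribution/policies.json              - enterprise policies
#
# Needs write access to the install directory (normally root). Set
# FIREFOX_DIR to override the install directory (default /usr/lib64/firefox).
#
# After running, check about:policies in Firefox: it lists the active
# policies and reports any that failed to parse.
######

set -euo pipefail

# Files created below must never be group/world writable, even briefly
# before the explicit chmod: they control browser security settings for
# every user on the host.
umask 022

readonly FIREFOX_DIR="${FIREFOX_DIR:-/usr/lib64/firefox}"
readonly prefs_dir="${FIREFOX_DIR}/defaults/preferences"
readonly local_settings="${prefs_dir}/local-settings.js"
readonly redhat_prefs="${prefs_dir}/all-redhat.js"
readonly mozilla_cfg="${FIREFOX_DIR}/mozilla.cfg"
readonly policies_dir="${FIREFOX_DIR}/distribution"
readonly policies_json="${policies_dir}/policies.json"

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ -d "$FIREFOX_DIR" ]] || die "Firefox directory not found: $FIREFOX_DIR"
[[ -w "$FIREFOX_DIR" ]] || die "Cannot write to $FIREFOX_DIR (run as root)"
mkdir -p -- "$prefs_dir" "$policies_dir"

# Create local-settings file so Firefox knows how to find our .cfg file.
# A quoted heredoc avoids the escaped quotes of the original echo lines,
# which were missing their closing double quote.
cat > "$local_settings" <<'LSEOF'
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");
LSEOF

# Set appropriate permissions on local-settings.js
chmod 644 "$local_settings"

# Set startup page to blank since we're probably on an air-gapped network.
# Skipped when the Red Hat defaults file is absent so that a missing file
# does not abort the rest of the hardening under `set -e`.
if [[ -f "$redhat_prefs" ]]; then
  sed -i \
    -e 's%www\.redhat\.com%about:blank%' \
    -e 's%file:///usr/share/doc/HTML/index\.html%about:blank%' \
    "$redhat_prefs"
fi

# Create our secure configuration file.
#
# Corrections relative to the original listing:
#   - the heredoc was never terminated, so everything after it (including
#     the policies.json section) was written into mozilla.cfg instead of
#     being executed;
#   - network.protocol-handler.external.shell was missing its opening quote
#     and used `flase`, a syntax error in the config file;
#   - browser.newtabpage.enabled used the string "false" rather than the
#     boolean false;
#   - misspelled preference names (devtools.policiy.disabled,
#     dom.disable_windo_move_resize, extension.pocket.enabled) would have
#     locked preferences Firefox never reads;
#   - security.tls.version.min is numeric (1 = TLS 1.0, 2 = TLS 1.1,
#     3 = TLS 1.2, 4 = TLS 1.3). The original value 2 allowed TLS 1.1 and
#     disagreed with "SSLVersionMin": "tls1.2" in policies.json below;
#     3 makes both files require TLS 1.2.
#
# The privacy.sanitize.* entries deliberately stop Firefox from clearing
# data at shutdown, matching the SanitizeOnShutdown policy below.
# NOTE(review): the security.enable_ssl2 / security.enable.ssl2 /
# security.enable.ssl3 entries are kept as written; they look like legacy
# names that current Firefox may ignore - confirm against the STIG revision
# in use.
cat > "$mozilla_cfg" <<'MOZEOF'
//
lockPref("browser.urlbar.placeholderName", "unexpected results");
lockPref("browser.newtabpage.enabled", false);
lockPref("browser.newtabpage.activity-stream.default.sites", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
lockPref("browser.newtabpage.activity-stream.showSearch", false);
lockPref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
lockPref("browser.search.suggest.enabled", false);
lockPref("browser.urlbar.showSearchSuggestionsFirst", false);
lockPref("browser.urlbar.suggest.searches", false);
lockPref("network.protocol-handler.external.shell", false);
lockPref("privacy.sanitize.sanitizeOnShutdown", false);
lockPref("privacy.sanitize.promptOnSanitize", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.formfill.enable", false);
lockPref("devtools.policy.disabled", true);
lockPref("toolkit.telemetry.enabled", false);
lockPref("toolkit.telemetry.archive.enabled", false);
lockPref("privacy.trackingprotection.fingerprinting.enabled", true);
lockPref("privacy.trackingprotection.cryptomining.enabled", true);
lockPref("browser.contentblocking.category", "strict");
lockPref("extensions.htmlaboutaddons.recommendations.enabled", false);
lockPref("signon.prefillForms", false);
lockPref("signon.autofillForms", false);
lockPref("app.update.enabled", false);
lockPref("signon.rememberSignons", false);
lockPref("browser.search.update", false);
lockPref("datareporting.policy.dataSubmissionEnabled", false);
lockPref("xpinstall.enabled", false);
lockPref("security.enable_ssl2", false);
lockPref("security.enable.ssl2", false);
lockPref("security.tls.version.min", 3);
lockPref("security.tls.version.max", 4);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("security.ssl3.rsa_des_ede3_sha", false);
lockPref("security.enable.ssl3", false);
lockPref("browser.startup.homepage", "about:blank");
lockPref("dom.disable_window_open_feature.status", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_flip", true);
lockPref("security.warn_leaving_secure", true);
lockPref("extensions.pocket.enabled", false);
lockPref("browser.helperApps.alwaysAsk.force", true);
lockPref("privacy.item.history", false);
lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/fdf,application/xfdf,application/lso,application/lss,application/iqy,application/rqy,application/lsl,application/xlk,application/xls,application/xlt,application/pot,application/pps,application/ppt,application/dos,application/dot,application/wks,application/bat,application/ps,application/eps,application/wch,application/wcm,application/wb1,application/wb3,application/rtf,application/doc,application/mdb,application/mde,application/wbk,application/ad,application/adp");
MOZEOF

# Set appropriate permissions on mozilla.cfg
chmod 644 "$mozilla_cfg"

# Build secure policies.json file.
#
# Corrections relative to the original listing:
#   - "Permissions:"{ had the colon inside the key's quotes, which made the
#     whole file invalid JSON, so none of the policies could be parsed;
#   - "EnableTrackingProtection" appeared twice; JSON parsers typically keep
#     only the last duplicate key, which would have dropped the
#     Fingerprinting setting. The two objects are merged into one;
#   - "dom_disable_window_flip" is now "dom.disable_window_flip", the
#     preference name used in mozilla.cfg above.
# NOTE(review): some Firefox releases may also expect a "Value" key inside
# "EnableTrackingProtection" - confirm in about:policies on the target build.
cat > "$policies_json" <<'FFEOF'
{
    "policies": {
        "DisableFirefoxAccounts": true,
        "DisablePocket": true,
        "DisableAppUpdate": true,
        "DontCheckDefaultBrowser": true,
        "OfferToSaveLogins": false,
        "SSLVersionMin": "tls1.2",
        "ExtensionUpdate": false,
        "DisableFormHistory": true,
        "PasswordManagerEnabled": false,
        "PopupBlocking": { "Default": true, "Locked": true },
        "InstallAddonsPermission": { "Default": false },
        "DisableTelemetry": true,
        "DisableDeveloperTools": true,
        "DisableForgetButton": true,
        "DisablePrivateBrowsing": true,
        "SearchSuggestEnabled": false,
        "NetworkPrediction": false,
        "Permissions": { "Autoplay": { "Default": "block-audio-video" } },
        "EnableTrackingProtection": { "Fingerprinting": true, "Cryptomining": true },
        "SanitizeOnShutdown": {
            "Cache": false, "Cookies": false, "Downloads": false, "FormData": false,
            "History": false, "Sessions": false, "SiteSettings": false, "OfflineApps": false,
            "Locked": true
        },
        "Preferences": {
            "security.default_personal_cert": { "Value": "Ask Every Time", "Status": "locked" },
            "browser.search.update": { "Value": false, "Status": "locked" },
            "dom.disable_window_move_resize": { "Value": true, "Status": "locked" },
            "dom.disable_window_flip": { "Value": true, "Status": "locked" }
        }
    }
}
FFEOF
chmod 644 "$policies_json"

# Best-effort syntax check: a policies.json that does not parse enforces
# nothing, so fail loudly here rather than leave the browser unhardened.
if command -v python3 >/dev/null 2>&1; then
  python3 -m json.tool "$policies_json" >/dev/null \
    || die "$policies_json is not valid JSON"
fi

echo "Secure Firefox completed."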