Mozilla Firefox STIG Version 6, Release 5 Checklist Details (Checklist Revisions)
NOTE: This is not the current revision of this Checklist.
SCAP 1.2 Content:
- Download SCAP 1.2 Content - Mozilla Firefox for Linux STIG Benchmark - Ver 6, Rel 3 (Author: Defense Information Systems Agency)
- Download SCAP 1.2 Content - Mozilla Firefox for Windows STIG Benchmark - Ver 6, Rel 3 (Author: Defense Information Systems Agency)
Supporting Resources:
- Download Standalone XCCDF 1.1.4 - Mozilla Firefox STIG - Ver 6, Rel 4 (Defense Information Systems Agency)
- Download GPOs - Group Policy Objects (GPOs) - July 2022 (Defense Information Systems Agency)
- Download Automated Content - SCC 5.6 Windows (Defense Information Systems Agency)
- Download Automated Content - SCC 5.6 RHEL 6 i686 (Defense Information Systems Agency)
- Download Automated Content - SCC 5.6 RHEL 6 x86 64 (Defense Information Systems Agency)
- Download Automated Content - SCC 5.6 RHEL 7/Oracle Linux 7/SLES12 x86 64 (Defense Information Systems Agency)
- Download Automated Content - SCC 5.6 RHEL 8 Aarch 64 (Defense Information Systems Agency)
- Download Automated Content - SCC 5.6 RHEL 8 x86 64 (Defense Information Systems Agency)
- Download Automated Content - SCC 5.6 RHEL 9 x86 64 (Defense Information Systems Agency)
Target:
| Target | CPE Name |
|---|---|
| Mozilla Firefox | cpe:/a:mozilla:firefox |
Checklist Highlights
- Checklist Name: Mozilla Firefox STIG
- Checklist ID: 356
- Version: Version 6, Release 5
- Type: Compliance
- Review Status: Final
- Authority: Governmental Authority: Defense Information Systems Agency
- Original Publication Date: 04/28/2017
Checklist Summary:
This Mozilla Firefox Technology Overview provides the technical security policies, requirements, and implementation details for applying security concepts to Commercial-Off-The-Shelf (COTS) applications. The nearly universal presence of systems on the desktops of all levels of staff provides tremendous opportunities for office automation, communication, data sharing, and collaboration. Unfortunately, this presence also brings about dependence and vulnerabilities. Malicious and mischievous forces have attempted to take advantage of the vulnerabilities and dependencies to disrupt the work processes of the Government. Compounding this problem is the fact that the vendors of software applications have not expended sufficient effort to provide strong security in their applications. Where applications do offer security options, the default settings typically do not provide a strong security posture.
Checklist Role:
- Web Browser
Known Issues:
Not provided.
Target Audience:
The requirements and recommendations set forth in this document will assist IAOs and Information Assurance Managers (IAMs) in protecting desktop applications in DoD locations, hereafter referred to as sites. The responsible Configuration Control Board (CCB) will approve revisions to site systems that could have a security impact. Therefore, before implementing desktop application security measures, the IAO or will submit a change notice to the CCB for review and approval.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Although there are a few different operating system platforms for desktop environments, this document addresses applications running on Microsoft Windows platforms. This document does not include specific guidance for UNIX, Linux, or Apple desktop environments at this time. The security requirements detailed in this document apply to applications installed on Microsoft Windows Server platforms as well as Microsoft Windows Workstation platforms. On server platforms, the security configuration parameters will be set to values at least as restrictive as those listed in this document. The guidelines specified should be evaluated in a local, representative test environment before implementation within large user populations. The extensive variety of environments makes it impossible to test these guidelines for all potential software configurations. For some environments, failure to test before implementation may lead to a loss of required functionality.
Regulatory Compliance:
DoD Directive (DoDD) 8500.1
Comments/Warnings/Miscellaneous:
NOTE - Resource fails validation for XCCDF 1.1.4 content. Workaround: edit the XCCDF file and change the id attribute within the XML, replacing each " " (space) with an "_" (underscore). Example: id="Mozilla Firefox STIG" would become id="Mozilla_Firefox_STIG".
Disclaimer:
It should be noted that Field Security Operations (FSO) support for the STIGs, Checklists, and Tools is only available to DoD customers. Comments or proposed revisions to this document should be sent via e-mail to disa.stig_spt@mail.mil. DISA FSO will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Product Support:
Comments or proposed revisions to this document should be sent via e-mail to disa.stig_spt@mail.mil.
Point of Contact:
Comments or proposed revisions to this document should be sent via e-mail to disa.stig_spt@mail.mil.
Sponsor:
DoD
Licensing:
DoD has clarified policy on the use of open source software (OSS) to take advantage of the capabilities available in the Open Source community as long as certain prerequisites are met. DoD no longer requires that operating system software be obtained through a valid vendor channel and have a formal support path, if the source code for the operating system is publicly available for review.

From the DoD Chief Information Officer (CIO) memo, Open Source Software (OSS) in Department of Defense (DoD), 28 May 2003: DoD Components acquiring, using or developing OSS must ensure that the OSS complies with the same DoD policies that govern Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) software. This includes, but is not limited to, the requirement that all information assurance (IA) or IA-enabled IT hardware, firmware and software components or products incorporated into DoD information systems, whether acquired or originated within DoD, comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy Number 11 and be configured in accordance with DoD approved security and configuration guidelines at http://iase.disa.mil/ and http://www.nsa.gov/.

OSS takes several forms and may be acceptable or unacceptable depending on the form:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates OSS is acceptable because the commercial vendor provides a warranty.
3. Vendor supported OSS is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

DoDD 8500.1 states: Public domain software products, and other software products with limited or no warranty, such as those commonly known as freeware or shareware, shall only be used in DoD information systems to meet compelling operational requirements. Such products shall be thoroughly assessed for risk and accepted for use by the responsible DAA.
Change History:
- Version 4, Release 12 - 03 August 2015
- Changed status from "Under Review" to "Final" - 03 June 2015
- Version 4, Release 10 - 25 July 2014
- Version 4, Release 9 - 25 April 2014
- Version 4, Release 8 - 24 January 2014
- Version 4, Release 7 - 24 July 2013
- Version 4, Release 6 - 26 April 2013
- Version 4, Release 5 - 26 October 2012
- Version 4, Release 4 - 27 April 2012
- Version 4, Release 3 - 29 July 2011
- Version 4, Release 2 - 23 April 2010
- Version 4, Release 1 - 09 December 2010
- Updated "Point of Contact", "Product Support" and "Comments" Sections - 08 January 2015
- Changed status from "under review" to "final" - 11 September 2015
- Version 4, Release 13 - 28 October 2015
- Changed status from "Under Review" to "Final" - 04 December 2015
- Version 4, Release 14 - 29 January 2016
- Promote to Final - 3/8/2016
- UPDATED - Mozilla Firefox STIG - Version 4, Release 15 - 07/22/2016
- Updated to FINAL - 09/12/2016
- Updated STIG to V4, R16 - 10-28-2016
- Updated to FINAL - 12/07/2016
- Updated to Version 4, Release 17 - 01/27/2017
- Updated to FINAL - 03/08/2017
- Updated to Version 4, Release 18 - 04/28/2017
- Updated to FINAL - 05/30/2017
- Updated URL to reflect change to the DISA website - http --> https
- Updated to v4,r20 - 02/16/2018
- Updated to FINAL - 3/18/2018
- Updated to Version 4, Release 21 - 4/25/18
- Update to FINAL - 5/25/18
- Updated to v4,r22 - 8/22/18
- Updated "Comments/Warnings/Miscellaneous" under the General Tab - 8/22/18
- Updated to FINAL - 9/24/18
- Updated to Version 4, Release 23 - 10/25/18
- Updated to FINAL - 11/26/18
- Updated to Version 4, Release 24 - 1/22/19
- Updated to FINAL - 2/19/19
- Updated to Ver 4, Rel 25 - 4/30/19
- Updated URLs - 6/12/19
- Updated Benchmarks - 6/26/19
- Updated URLs - 8/9/19
- Updated URLs - 11/1/19
- Updated resource title - 11/6/19
- Updated URLs per DISA - 1/21/2020
- Corrected resource - 1/22/2020
- Updated benchmark - 4/24/2020
- Updated URLs - 8/3/2020
- Updated resources per DISA - 1/26/2021
- Added SCC links per DISA guidance - 4/20/2021
- Updated links per DISA - 5/12/2021
- Updated resources per DISA - 5/25/21
- Updated URLs - 7/28/2021
- Updated SCC per DISA - 9/16/21
- Updated URLs - 12/15/2021
- Updated SCAP resources - 4/8/2022
- Removed draft content - 4/8/2022
- Updated resource per DISA - 4/24/22
- Added GPO per DISA - 5/29/22
- Updated resource per DISA - 6/13/22
- Updated SCC per DISA - 6/14/22
- Updated SCC per DISA - 6/15/22
- Updated resource per DISA - 8/1/22
- SCC - 10/13/22
- SCC - 10/23/22
- Updated resource per DISA - 10/26/22
Dependency/Requirements:
None listed.
References:
None listed.