Smart Group to check Firefox STIG

c_archibald
Contributor II

So I had to STIG Firefox a ways back. Whenever updates come out I have to re-STIG after the new package installs finish. My problem is, I want the STIG to run recurring based on the STIG missing. That way the STIG Policy can be changed from Once to Ongoing.

In short, I want to create a Smart Group that checks INSIDE the Firefox.app for the 2 files I added to STIG it, and if not, it adds the STIG.


golbiga
Contributor III

How are you applying the STIG settings to Firefox? If you're using AutoConfig then you can use autopkg, there is a recipe for FirefoxAutoConfig. Then every time you update Firefox the settings should remain. If you aren't using AutoConfig then you'll have to create an extension attribute to check for those files and then create a Smart Group based on the EA status. Hope this helps.

Allen

Taylor_Armstron
Valued Contributor

Would love more details on how you're applying this, as we're probably going to have to go down that road soon.

In the meantime, an EA like @golbiga described should work... something along the lines of

#!/bin/sh
# Report whether the STIG file is present inside the Firefox bundle.
if [ -f "/Applications/Firefox.app/<file>" ]; then
echo "<result> Yes </result>"
else
echo "<result> Nope! </result>"
fi

Then scope your group to all machines reporting "Nope!".

c_archibald
Contributor II

After doing some trial & error from old how-tos on how to STIG Firefox, it requires 2 files added into the app.

Firefox.app/Contents/Resources/firefox.cfg, which has the actual settings
Firefox.app/Contents/Resources/defaults/pref/autoconfig.js, which references the other file to load

Using these I STIGed Firefox to DoD specs.

golbiga
Contributor III

If you use the FirefoxAutoConfig AutoPkg recipe you can generate a Firefox installer with the AutoConfig files added in. This way you wouldn't need to use the EA and re-add the files every time you upgrade Firefox.

c_archibald
Contributor II

I can package the STIG files inside Firefox no problem. What I want is a way to detect when/if they are missing.

thoule
Valued Contributor II

This is written online and not tested, but should be a good start for you.

#!/bin/sh
# Get the md5 hash of each file. "md5 -q" prints only the bare hash, so no awk
# trimming is needed (plain "md5 file | awk -F=" leaves a leading space that
# would never match). A missing file just leaves the variable empty.
md5ffcfg=$(md5 -q /Applications/Firefox.app/Contents/Resources/firefox.cfg 2>/dev/null)
md5ffjs=$(md5 -q /Applications/Firefox.app/Contents/Resources/defaults/pref/autoconfig.js 2>/dev/null)

# Compare the md5 hashes to the expected values. If you update the files, calculate new hashes and update the EA.
if [ "$md5ffcfg" = "0e8cbc54636de95109c887eea8f04d3f" ] && [ "$md5ffjs" = "a86a0e0fe4314c19d6743b37ee62e659" ]; then
echo "<result> Valid </result>"
else
echo "<result> Invalid or Missing </result>"
fi
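Building on thoule's EA and the two files c_archibald listed, here is an added example (not from any post in this thread) that distinguishes a missing file from a modified one, so the Smart Group can scope the STIG policy to anything not reporting "Valid". The Resources path and the two EXPECTED_* placeholders are assumptions; replace the placeholders with the md5 of your own firefox.cfg and autoconfig.js.

```shell
#!/bin/sh
# Added example (not from this thread): a Jamf extension attribute that reports
# whether both AutoConfig files are present and unmodified.
# Assumptions: the Resources path below and the two EXPECTED_* placeholders,
# which you replace with the md5 of your own firefox.cfg and autoconfig.js.

RES_DIR="${RES_DIR:-/Applications/Firefox.app/Contents/Resources}"
EXPECTED_CFG="${EXPECTED_CFG:-REPLACE_WITH_MD5_OF_YOUR_FIREFOX_CFG}"
EXPECTED_JS="${EXPECTED_JS:-REPLACE_WITH_MD5_OF_YOUR_AUTOCONFIG_JS}"

# Print the md5 of a file as a bare hex string: macOS "md5 -q" when present,
# GNU md5sum otherwise, so the same check also runs on a Linux test host.
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | awk '{print $1}'
    fi
}

# check_file PATH EXPECTED_MD5 -> 0 matches, 1 present but modified, 2 missing
check_file() {
    [ -f "$1" ] || return 2
    if [ "$(file_md5 "$1")" = "$2" ]; then return 0; fi
    return 1
}

# Build the status string the EA reports. Each entry is "relative path:md5".
stig_status() {
    missing=""; modified=""
    for entry in "firefox.cfg:$EXPECTED_CFG" "defaults/pref/autoconfig.js:$EXPECTED_JS"; do
        rel="${entry%%:*}"; want="${entry#*:}"
        rc=0; check_file "$RES_DIR/$rel" "$want" || rc=$?
        case "$rc" in
            1) modified="$modified ${rel##*/}" ;;
            2) missing="$missing ${rel##*/}" ;;
        esac
    done
    if [ -z "$missing$modified" ]; then
        echo "Valid"
    else
        echo "Invalid:${missing:+ missing$missing}${modified:+ modified$modified}"
    fi
}

# The line Jamf reads: scope the Smart Group to anything not equal to "Valid".
echo "<result>$(stig_status)</result>"
```

Because a modified file is reported separately from a missing one, the same EA also flags a firefox.cfg that was edited on the endpoint, not just one that an update removed.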