Help

Smart Group to check Firefox STIG

c_archibald
Contributor II

Posted on ‎06-26-2018 10:16 AM

So I had to STIG Firefox a ways back. Whenever updates come out I have to reSTIG after the new package installs finish. My problem is, I want the STIG to run Re-occuring based on the STIG missing. That way if the STIG Policy can be changed from Once to Ongoing.

In short, I want to create a Smart Group that checks INSIDE the Firefox.app for the 2 files I added to STIG it, and if not, it adds the STIG.

Labels:
6 REPLIES 6

golbiga
Contributor III
Contributor III

Posted on ‎06-26-2018 10:35 AM

How are you applying the STIG settings to Firefox? If you're using AutoConfig then you can use autopkg, there is a recipe for FirefoxAutoConfig. Then every time you update Firefox the settings should remain. If you aren't using AutoConfig then you'll have to create an extension attribute to check for those files and then create a Smart Group based on the EA status. Hope this helps.

Allen

0 Kudos

Taylor_Armstron
Valued Contributor

Posted on ‎06-26-2018 11:32 AM

Would love more details on how you're applying this, as we're probably going to have to go down that road soon.

In the meantime, an EA like @golbiga described should work... something along the lines of 

#!/bin/sh
if [ -f "/Applications/Firefox.app/<file> ]; then
echo "<result> Yes </result>"
else
echo "<result> Nope! </result>"
fi

Then scope your group to all machines reporting "Nope!".

c_archibald
Contributor II

Posted on ‎06-26-2018 05:39 PM

After doing some trial & error from old How Tos on how to STIG Firefox, it requires 2 files added into the APP.

Firefox.app/Contents/Resources/firefox.cfg Which has the actual settings
Firefox.app/Contents/Resources/defaults/pref/autoconfig.js Which references the other files to load

Using these I STIGed Firefox to DoD specs.

0 Kudos

golbiga
Contributor III
Contributor III

Posted on ‎06-26-2018 06:03 PM

If you use the FirefoxAutoConfig AutoPkg recipe you can generate a Firefox installer with the AutoConfig files added in. This way you wouldn't need to use the EA and re-add the files every time you upgrade Firefox.

0 Kudos

c_archibald
Contributor II

Posted on ‎06-27-2018 08:11 AM

I can package the STIG files inside Firefox no problem. What I want is a way to detect when/if they are missing.

0 Kudos

thoule
Valued Contributor II

Posted on ‎06-27-2018 09:57 AM

This is written online and not tested, but should be a good start for you. 

#!/bin/sh
#get md5 hash of files
   md5ffcfg=$(md5 /Applications/Firefox.app/Contents/Resources/firefox.cfg|awk -F= '{print $2}')
   md5ffjs=$(md5  /Applications/Firefox.app/Contents/Resources/defaults/pref/autoconfig.js |awk -F= '{print $2}')

#compare md5 has to expected values. If you update files, calculate a new hash and update EA.
if [ "$md5ffcfg" == "0e8cbc54636de95109c887eea8f04d3f" ] && [ $md5ffjs" == "a86a0e0fe4314c19d6743b37ee62e659" ]; then
echo "<result> Valid </result>"
else
echo "<result> Invalid or Missing </result>"
fi