Re: [Fed-Talk] STIG Viewer 3 on MacOS
- Subject: Re: [Fed-Talk] STIG Viewer 3 on MacOS
- From: "Baker, Sean via Fed-talk" <email@hidden>
- Date: Thu, 12 Oct 2023 13:59:51 -0500
A few thoughts here --

1. I absolutely laud killing client Java as a dependency for system
   control assessment. It always reminded me of the days when Cyber Awareness
   training was served over HTTP, in Flash, asked you to practice 'creating'
   (because no one used their existing *eyeroll*) passwords, and transmitted
   them in cleartext to the server. Good riddance.

2. As to how to improve the situation -- IMO this probably has to go up
   both ways -- file the tickets so that it's done; but brief institutional
   leadership on the additional time which reviews are going to take,
   recognizing that they [*leadership*] will need to (pick one):
   1. Provide additional resources to support the new work this
      alternative method represents [I assume lugging a Windows laptop around
      when assessing Macs?].
   2. Discontinue institutional support for Macs.
   3. Convince DISA to change this policy [or reimplement -- see below].

3. IMO and based on the facts available this should be reimplemented.
   1. Nothing about the STIG Viewer *couldn't* be done as a Single Page
      Application (i.e. a portable website / HTML + JS / etc.). It's not been
      done that way because it would require having a browser on the system [a
      control violation for servers].
   2. The problem is that this implementation *is* effectively that
      and is embedding a browser (+ lots of unnecessary libraries) into the
      solution (an Electron <https://www.electronjs.org/> application).
      Meaning that even though it won't run as Chrome.exe, it *is* effectively
      Chrome.exe -- it just won't be receiving automatic updates to itself or
      its dependencies.
   3. Electron supports Mac. So from the same codebase, it could be
      cross-compiled to make it work [honestly, any super-developers here
      *may* be able to repackage it, since, you know, Electron is OSS, and
      is embedding the HTML + JS].
   4. So, DISA *could* add macOS as a build target for the Electron repo
      they're using. Or distribute the web application as a web app archive and
      leave it to the organization to figure out which browser-delivery
      modality they want to use -- i.e. some folks have virtual remote browsers
      available; others will be evaluating endpoints where having the browser
      *isn't* a finding (*ahem* - Macs!); others may be comfortable authorizing
      portable versions of particular browsers to use during evals; etc.

All to say that FWIW, I would recommend submitting the tickets and asking
for release of the web application as an alternative implementation for
client evaluations where browser access is assumed [which I hope are most of
us here].
$.02.
On Thu, Oct 12, 2023 at 1:19 PM Ken Hornstein via Fed-talk <
email@hidden> wrote:
> >I have had this conversation many times with DISA. I have found
> >this workaround to function, but don't make any claim on its
> >implementation. The right thing is for DISA to do the work and get
> >STIGViewer back on macOS (this community can help show the need.)
>
> Unfortunately this doesn't help; that's just the instructions to run
> the Java STIG viewer (which AFAIK is just what everyone is doing
> right now). That doesn't support the new JSON-format checklists
> which are only on the STIGViewer 3 (but as far as I can tell all of
> the other tooling that slurps in checklists doesn't support the
> new format either, so at least for us it's not urgent).
>
> I can appreciate that some of the responsibility is on _us_, the
> collective MacOS X user community, to push DISA to support MacOS. But
> what I'm unclear on is exactly what is the most effective mechanism to
> accomplish that. It seems like the strategies tried so far, which
> include (a) filing a support request with DISA, (b) complaining on
> fed-talk, and (c) screaming at the heavens, haven't been successful
> so far. I'm open to suggestions!
>
> --Ken
--
Sean R. Baker
Chief Technology Officer
Senior Information Security Officer
Office of the CIO
Uniformed Services University
Phone: (301) 319-0712
Email: email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
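The point above about Electron packaging (a bundled Chromium that never receives the host browser's automatic updates) is something an assessor can check for rather than take on faith. The following is an added example, not code from the original post or from DISA: a small Python inventory that walks a directory of macOS .app bundles, detects an embedded "Electron Framework.framework", and reports the version string from that framework's Info.plist. The framework path, the plist candidate locations, and the assumption that CFBundleShortVersionString/CFBundleVersion there carries the Electron release number are the example's own assumptions; the sample bundle it builds is constructed for demonstration.

```python
"""Inventory macOS app bundles that embed their own Electron (Chromium) runtime.

Added example for the mailing-list discussion above. An embedded runtime is
patched only when the vendor ships a new app build, so it deserves its own
line in a patch-tracking inventory, separate from the system browser.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

# Assumption: Electron apps ship their runtime under this framework name.
FRAMEWORK_NAME = "Electron Framework.framework"


def framework_info_plist(app_bundle: Path) -> Optional[Path]:
    """Return the embedded Electron framework's Info.plist, or None if the
    bundle does not contain the framework at all."""
    framework = app_bundle / "Contents" / "Frameworks" / FRAMEWORK_NAME
    if not framework.is_dir():
        return None
    # Assumption: either a flat Resources/ layout or the versioned layout.
    for candidate in (framework / "Resources" / "Info.plist",
                      framework / "Versions" / "A" / "Resources" / "Info.plist"):
        if candidate.is_file():
            return candidate
    return None


def embedded_electron_version(app_bundle: Path) -> Optional[str]:
    """Version string recorded in the embedded framework's plist, or None when
    no Electron framework is present. 'unknown' means the framework exists but
    the plist carries neither version key."""
    plist_path = framework_info_plist(app_bundle)
    if plist_path is None:
        return None
    with plist_path.open("rb") as fh:
        info = plistlib.load(fh)
    # Assumption: one of these keys holds the Electron release number.
    return (info.get("CFBundleShortVersionString")
            or info.get("CFBundleVersion")
            or "unknown")


def inventory(search_roots: Iterable[Path]) -> Dict[str, str]:
    """Map bundle name -> embedded runtime version for every .app under the
    given roots that carries its own Electron framework."""
    found: Dict[str, str] = {}
    for root in search_roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for app in sorted(root.glob("*.app")):
            version = embedded_electron_version(app)
            if version is not None:
                found[app.name] = version
    return found


def build_sample_bundles(base: Path) -> Path:
    """Construct two fake bundles for an offline run: one Electron-based with a
    made-up version '25.8.4', one plain native app. Returns the search root."""
    root = base / "Applications"
    # Constructed Electron-style bundle.
    fw_res = (root / "Constructed Viewer.app" / "Contents" / "Frameworks"
              / FRAMEWORK_NAME / "Resources")
    fw_res.mkdir(parents=True)
    with (fw_res / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": "25.8.4",
                       "CFBundleIdentifier": "example.constructed.framework"}, fh)
    # Constructed native bundle with no embedded runtime.
    (root / "Native Tool.app" / "Contents" / "MacOS").mkdir(parents=True)
    return root


def main() -> None:
    # Point this at /Applications on a real assessment; the demo uses the
    # constructed bundles so it runs anywhere.
    root = build_sample_bundles(Path(tempfile.mkdtemp()))
    for name, version in inventory([root]).items():
        print(f"{name}: embedded Electron runtime {version}")


if __name__ == "__main__":
    main()
```

On a real endpoint, pass `/Applications` (and any per-user Applications folder) to `inventory()` and compare each reported version against the Electron release the app vendor currently ships; anything lagging is a runtime the operating system's browser updates will not fix.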