Re: [Fed-Talk] STIG Viewer 3 on MacOS
- Subject: Re: [Fed-Talk] STIG Viewer 3 on MacOS
- From: "Gendler, Bob (Fed) via Fed-talk" <email@hidden>
- Date: Tue, 17 Oct 2023 23:08:11 +0000
I believe the STIG Viewer just uses XCCDF. The mSCP can create XCCDF. The mSCP
doesn’t have all the fields they include because the project doesn’t contain
the vul or some of the other identifiers.
If you’re talking about the cki file that actually can be exported. That would
require someone to make a generate_cki script.
________________________________
From: William Cerniuk via Fed-talk <email@hidden>
Sent: Tuesday, October 17, 2023 6:14 PM
To: Todd Cole <email@hidden>
Cc: Apple Fed-Talk <email@hidden>
Subject: Re: [Fed-Talk] STIG Viewer 3 on MacOS
(Hi Todd, long time!)
Apologies if the answer is buried in the email threads but is there any intel
on the data format that the STIG reader uses? Perhaps a link or a kind soul who
might provide the machine readable data the STIG Viewer consumes?
—
V/R,
Wm. Cerniuk
On Oct 17, 2023, at 10:57, Todd Cole via Fed-talk <email@hidden>
wrote:
I agree on the support for MSCP.
DISA has agreed this summer to work with the MSCP teams on the new STIG but I
am not aware of where they are in the process currently. I know that the
Dev_Sonoma DISA STIG is on the MSCP site as well as the Ventura STIG.
According to the DISA FAQ page in the absence of a STIG for the current OS a
previous one is acceptable (hence the Ventura reference) and then you can
compare the DEV info as a note on a package to an AO.
Alternative path would be to use the Sonoma 800-53 Baseline and then diff out
the 5 or so items that are STIG specific (I believe that is the number still)
and let your AO know that the Baseline via 800-53 (High/Moderate/Low) is
already the NIST standard/mandate and then show the delta to the STIG so they
can understand the risk.
Just a few thoughts on how to move forward while we wait for DISA to finish.
Thanks
T
Todd Cole CISSP
US DoD and Intelligence Team
On Oct 17, 2023, at 9:02 AM, Rowe, Walter P. (Fed) via Fed-talk
<email@hidden> wrote:
DISA should adopt support for OSCAL (https://pages.nist.gov/OSCAL/).
Perhaps DISA also should participate in this project.
https://github.com/usnistgov/macos_security/tree/main
It would seem smarter to leverage a tool that already addresses numerous
baselines.
Walter
--
Walter Rowe, Div. Chief, Infrastructure Services
National Institute of Standards and Technology
United States Department of Commerce
On Oct 12, 2023, at 2:18 PM, Ken Hornstein via Fed-talk
<email@hidden> wrote:
I have had this conversation many times with DISA. I have found
this workaround to function, but don’t make any claim on its
implementation. The right thing is for DISA to do the work and get
STIGViewer back on macOS (this community can help show the need.)
Unfortunately this doesn't help; that's just the instructions to run
the Java STIG viewer (which AFAIK is just what everyone is doing
right now). That doesn't support the new JSON-format checklists
which are only on the STIGViewer 3 (but as far as I can tell all of
the other tooling that slurps in checklists doesn't support the
new format either, so at least for us it's not urgent).
I can appreciate that some of the responsibility is on _us_, the
collective MacOS X user community, to push DISA to support MacOS. But
what I'm unclear on is exactly what is the most effective mechanism to
accomplish that. It seems like the strategies tried so far, which
include (a) filing a support request with DISA, (b) complaining on
fed-talk, and (c) screaming at the heavens, haven't been successful
so far. I'm open to suggestions!
--Ken
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/fed-talk/walter.rowe%40nist.gov
This email sent to email@hidden