Re: [Fed-Talk] STIG Viewer 3 on MacOS
- Subject: Re: [Fed-Talk] STIG Viewer 3 on MacOS
- From: "Baker, Sean via Fed-talk" <email@hidden>
- Date: Fri, 20 Oct 2023 10:33:12 -0500
*Proof of Concept Only*
*Use at your own risk*
*No warranty offered or implied*
*Not an official product*
*Etc., etc.*
But I have repackaged the current STIG-Viewer 3 as Mac-native here:
https://drive.google.com/file/d/19f6uCLglxrxEnnUcJ1zejsTi8dRy0VBT/view?usp=share_link
It's slow to launch via Rosetta because I've not bothered to make a dual
binary yet, but that could be done (I'm an x86 holdout).
To be clear -- I do *not* mean to make maintenance of this a 'thing'. But
having done the work once I thought it was worth sharing, if only to prove
that it can be done.
Sean
On Tue, Oct 17, 2023 at 6:08 PM Gendler, Bob (Fed) via Fed-talk <
email@hidden> wrote:
> I believe the stig viewer just uses xccdf. The mscp can create xccdf. The
> mscp doesn’t have all the fields they include because the project doesn’t
> contain the vul or some of the other identifiers.
>
> If you’re talking about the cki file that actually can be exported. That
> would require someone to make a generate_cki script.
>
> ------------------------------
> *From:* William Cerniuk via Fed-talk <email@hidden>
> *Sent:* Tuesday, October 17, 2023 6:14 PM
> *To:* Todd Cole <email@hidden>
> *Cc:* Apple Fed-Talk <email@hidden>
> *Subject:* Re: [Fed-Talk] STIG Viewer 3 on MacOS
>
> (Hi Todd, long time!)
>
> Apologies if the answer is buried in the email threads but is there any
> intel on the data format that the STIG reader uses? Perhaps a link or a
> kind soul who might provide the machine readable data the STIG Viewer
> consumes?
>
> —
> V/R,
> Wm. Cerniuk
>
>
>
> On Oct 17, 2023, at 10:57, Todd Cole via Fed-talk <
> email@hidden> wrote:
>
> I agree on the support for MSCP.
>
> DISA has agreed this summer to work with the MSCP teams on the new STIG
> but I am not aware of where they are in the process currently. I know that
> the Dev_Sonoma DISA STIG is on the MSCP site as well as the Ventura STIG.
> According to the DISA FAQ page in the absence of a STIG for the current OS
> a previous one is acceptable (hence the Ventura reference) and then you can
> compare the DEV info as a note on a package to an AO.
>
> Alternative path would be to use the Sonoma 800-53 Baseline and then diff
> out the 5 or so items that are STIG specific (I believe that is the number
> still) and let your AO know that the Baseline via 800-53
> (High/Moderate/Low) is already the NIST standard/mandate and then show the
> delta to the STIG so they can understand the risk.
>
> Just a few thoughts on how to move forward while we wait for DISA to
> finish.
>
> Thanks
>
> T
>
> Todd Cole CISSP
> *US DoD and Intelligence Team*
> iPhone - (703) 343-6762
> email@hidden <email@hidden>
>
> Sent from my Mac
> Built Secure, Designed to Work
>
> Apple DC Office
> 700 K Street NW, 7th Floor
> Washington, DC 20001
>
> *Apple Platform Deployment Guide: *
> https://support.apple.com/guide/deployment/welcome/web
>
> Online Apple Training Content:
> https://it-training.apple.com/tutorials/apt-deployment
>
> Apple Platform Security:
> https://support.apple.com/guide/security/welcome/web
>
> Apple Platform Certifications:
> https://support.apple.com/guide/certifications/welcome/web
>
> Network Settings Needed for Apple Products:
> https://support.apple.com/en-us/HT210060
>
> Ports and Addresses for Push Notifications:
> https://support.apple.com/en-us/HT203609
>
> AppleCare OS Support Information:
> https://www.apple.com/support/professional/it-departments/
>
> Distributing Custom Apps: https://developer.apple.com/custom-apps/
>
> 889 Compliance Statement:
> https://www.apple.com/legal/more-resources/gtc.html
>
> Enterprise AppleCare support number: 877-218-1190
>
> Apple Support site for Unlocking a device (Not supervised/managed device,
> do that via AppleCare)
> https://al-support.apple.com/#/additional-support
>
>
>
> On Oct 17, 2023, at 9:02 AM, Rowe, Walter P. (Fed) via Fed-talk <
> email@hidden> wrote:
>
> DISA should adopt support for OSCAL (https://pages.nist.gov/OSCAL/).
>
> Perhaps DISA also should participate in this project.
>
> https://github.com/usnistgov/macos_security/tree/main
>
> It would seem smarter to leverage a tool that already addresses numerous
> baselines.
>
> Walter
> --
> Walter Rowe, Div. Chief, Infrastructure Services
> National Institute of Standards and Technology
> United States Department of Commerce
>
> On Oct 12, 2023, at 2:18 PM, Ken Hornstein via Fed-talk <
> email@hidden> wrote:
>
> I have had this conversation many times with DISA. I have found
> this workaround to function, but don’t make any claim on its
> implementation. The right thing is for DISA to do the work and get
> STIGViewer back on macOS (this community can help show the need.)
>
>
> Unfortunately this doesn't help; that's just the instructions to run
> the Java STIG viewer (which AFAIK is just what everyone is doing
> right now). That doesn't support the new JSON-format checklists
> which are only on the STIGViewer 3 (but as far as I can tell all of
> the other tooling that slurps in checklists doesn't support the
> new format either, so at least for us it's not urgent).
>
> I can appreciate that some of the responsibility is on _us_, the
> collective MacOS X user community, to push DISA to support MacOS. But
> what I'm unclear on is exactly what is the most effective mechanism to
> accomplish that. It seems like the strategies tried so far, which
> include (a) filing a support request with DISA, (b) complaining on
> fed-talk, and (c) screaming at the heavens, haven't been successful
> so far. I'm open to suggestions!
>
> --Ken
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
>
> This email sent to email@hidden
>
>
--
Sean R. Baker
Chief Technology Officer
Senior Information Security Officer
Office of the CIO
Uniformed Services University
Phone: (301) 319-0712
Email: email@hidden
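Todd Cole's suggestion above (diff the 800-53 baseline against the STIG and show the AO the delta) and Bob Gendler's note that MSCP-generated XCCDF lacks some of the DISA identifiers, as an added Python example that is not from the thread or the MSCP project; the two benchmarks, rule ids and CCI values are constructed samples, not real MSCP or DISA output.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
CCI_SYSTEM = "http://cyber.mil/cci"  # ident system DISA STIG benchmarks use for CCIs

# Constructed sample benchmarks (illustrative rule ids and CCIs, not real MSCP/DISA content).
BASELINE_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sonoma_800-53_moderate">
  <Rule id="auth_smartcard_enforce" severity="high"><title>Enforce smart card auth</title>
    <ident system="http://cyber.mil/cci">CCI-000765</ident></Rule>
  <Rule id="os_firewall_enable" severity="medium"><title>Enable application firewall</title></Rule>
  <Rule id="os_gatekeeper_enable" severity="medium"><title>Enable Gatekeeper</title></Rule>
</Benchmark>"""
STIG_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sonoma_stig">
  <Rule id="auth_smartcard_enforce" severity="high"><title>Enforce smart card auth</title>
    <ident system="http://cyber.mil/cci">CCI-000765</ident></Rule>
  <Rule id="os_firewall_enable" severity="high"><title>Enable application firewall</title>
    <ident system="http://cyber.mil/cci">CCI-002314</ident></Rule>
  <Rule id="os_banner_login" severity="medium"><title>Display DoD login banner</title>
    <ident system="http://cyber.mil/cci">CCI-000048</ident></Rule>
</Benchmark>"""

def load_rules(xml_text):
    """Map rule id -> (severity, set of CCI identifiers) for every Rule in a benchmark."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter(XCCDF_NS + "Rule"):
        ccis = {i.text for i in rule.findall(XCCDF_NS + "ident") if i.get("system") == CCI_SYSTEM}
        rules[rule.get("id")] = (rule.get("severity", "unknown"), ccis)
    return rules

def diff_benchmarks(baseline, stig):
    """The delta to show an AO: STIG-only rules, baseline-only rules, and shared
    rules whose severity differs between the two benchmarks."""
    shared = set(baseline) & set(stig)
    return {
        "stig_only": sorted(set(stig) - set(baseline)),
        "baseline_only": sorted(set(baseline) - set(stig)),
        "severity_changed": sorted(r for r in shared if stig[r][0] != baseline[r][0]),
    }

def rules_missing_cci(rules):
    """Rules carrying no DISA CCI ident, the kind of field MSCP output may not have."""
    return sorted(r for r, (_, ccis) in rules.items() if not ccis)

if __name__ == "__main__":
    base, stig = load_rules(BASELINE_XML), load_rules(STIG_XML)
    for key, ids in diff_benchmarks(base, stig).items():
        print(f"{key}: {ids}")
    print("baseline rules without a CCI:", rules_missing_cci(base))
```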