DEV Community

Jason Yee

Posted on • Originally published at jyeee.Medium

STIG Viewer on MacOS

A Security Technical Implementation Guide (STIG) is a configuration guide that tells you which settings you need to secure a product. When implemented, STIGs keep your deployment of a product secure to a standard and allow it to interoperate with other STIG’d products that expect that configuration. Read more at https://public.cyber.mil/stigs/

Like a lot of things, it’s hard to understand without viewing, and this is how I viewed a STIG on my Mac. The official STIG Viewer from cyber.mil is packaged for Linux and Windows but is also published as a vanilla JAR that can be run from your MacBook.

Prerequisites

  1. macOS Ventura (that’s it!)

Steps

  1. Install the JDK
  2. Install JavaFX
  3. Download & run the STIG Viewer
  4. Download & view a STIG

1/4 Install the latest JDK 19

I searched for the macOS JDK in Oct 2022 and found that JDK 19 was the most recent, released in Sept. To get this JDK, I browsed to https://www.oracle.com/java/technologies/downloads/#jdk19-mac and downloaded and installed the JDK. For my Intel MacBook, I used the x64 DMG Installer.

Java install

I confirmed that the JDK was installed correctly by running these commands:

# Use this command or something like it to set the JAVA_HOME var
# (-v takes the major version, so 19 selects JDK 19)
# $ export JAVA_HOME=$(/usr/libexec/java_home -v 19)
$ echo $JAVA_HOME
/Library/Java/JavaVirtualMachines/jdk-19.jdk/Contents/Home
$ java --version
java 19.0.1 2022-10-18
Java(TM) SE Runtime Environment (build 19.0.1+10-21)
Java HotSpot(TM) 64-Bit Server VM (build 19.0.1+10-21, mixed mode, sharing)

2/4 Install JavaFX

The next step was to get JavaFX (JFX), which you can download from GluonHQ: https://gluonhq.com/products/javafx/

I downloaded the Architecture: x64, Type: SDK version (shown in the screenshot of that page), and this was the direct link: https://download2.gluonhq.com/openjfx/19/openjfx-19_osx-x64_bin-sdk.zip

3/4 Download the STIGViewer and run it

Browse to https://public.cyber.mil/stigs/srg-stig-tools/ and get the STIG Viewer download that does not name an OS. For this demo it was the highlighted one (title: STIG Viewer 2.17, size: 1.14 MB, updated: 21 Sep 2022).

public.cyber.mil download page

BE VERY CAREFUL WITH PATHS — download the STIG Viewer zip to the Desktop, which was also where we downloaded JFX. You can move the modules/files and change paths if you’re comfortable

I downloaded the STIG Viewer 2.17.zip to my Desktop where I had also downloaded JFX. I also looked at the STIG Viewer 2.17 Hashes file and ensured that the hashes matched.

$ sha256sum U_STIGViewer_2-17.zip
09638fdb5f7447c3a5ec1ec216b26db4ad3019c0911c823fd6a4b9c2e262bb8e  U_STIGViewer_2-17.zip
$ unzip U_STIGViewer_2-17.zip
Archive:  U_STIGViewer_2-17.zip
  inflating: STIGViewer-2.17.jar
   creating: SWIDTAG/
  inflating: SWIDTAG/mil.disa.stigviewer-2.17.swidtag

Now you’re ready to run the STIG Viewer. Use this command, which references the JFX module you just downloaded:

java --module-path javafx-sdk-19/lib --add-modules javafx.controls,javafx.web -jar STIGViewer-2.17.jar

This is the expected output and a screenshot of the STIG Viewer:

$ java --module-path javafx-sdk-19/lib --add-modules javafx.controls,javafx.web -jar STIGViewer-2.17.jar
Nov 02, 2022 11:40:44 PM stigviewer.STIGViewer start
INFO: INFO: SV: Local Data Cache Setup
IPC: Watching directory /Users/jyee/STIGV_AppData/ipc
2022-11-02 23:41:41.543 java[34405:8338377] +[CATransaction synchronize] called within transaction
2022-11-02 23:41:41.909 java[34405:8338377] +[CATransaction synchronize] called within transaction
2022-11-02 23:41:50.961 java[34405:8338377] TSM AdjustCapsLockLEDForKeyTransitionHandling - _ISSetPhysicalKeyboardCapsLockLED Inhibit

AGAIN BE VERY CAREFUL WITH PATHS — download the STIG Viewer zip to the Desktop, which was also where we downloaded JFX. You can move the modules/files and change paths if you’re comfortable

STIG Viewer GUI

If you tried to run the JAR without JFX, you’d get this error because the JavaFX modules are not included on the module path:

$ java -jar STIGViewer-2.17.jar
Error: Could not find or load main class stigviewer.STIGViewer
Caused by: java.lang.NoClassDefFoundError: javafx/application/Application
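The hash check, the path check and the launch from this step, combined into one script as an added example that is not part of the original post. The file names and the expected digest are the ones shown in the terminal output above; the function names are made up for this example, and the digest should be taken from the published Hashes file for the version you download.

```shell
#!/bin/sh
# Added example: verify the download, check the relative paths, then launch.
# Run from the directory holding the zip and the unpacked JavaFX SDK: sh <this script> run
ZIP="U_STIGViewer_2-17.zip"
JAR="STIGViewer-2.17.jar"
JFX_LIB="javafx-sdk-19/lib"
EXPECTED="09638fdb5f7447c3a5ec1ec216b26db4ad3019c0911c823fd6a4b9c2e262bb8e"

# Print the lowercase SHA-256 of a file. macOS ships shasum; GNU systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    fi
}

# Return 0 only if the file exists (else 2) and its digest equals the expected value (else 1).
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$want" ] && return 0
    echo "hash mismatch for $1: expected $want, got $actual" >&2
    return 1
}

# Return 0 only if the JavaFX lib directory holds the two modules the java command adds.
check_jfx() {
    for m in javafx.controls javafx.web; do
        [ -f "$1/$m.jar" ] || { echo "missing $1/$m.jar (wrong directory?)" >&2; return 1; }
    done
}

# Always re-extract the JAR from the verified zip so a stale or altered copy is never run.
launch() {
    verify_sha256 "$ZIP" "$EXPECTED" || return 1
    check_jfx "$JFX_LIB" || return 1
    unzip -o -q "$ZIP" "$JAR" || return 1
    java --module-path "$JFX_LIB" --add-modules javafx.controls,javafx.web -jar "$JAR"
}

if [ "${1:-}" = "run" ]; then launch; fi
```

A missing `javafx.controls.jar` or `javafx.web.jar` is reported before Java starts, which is the same path problem that otherwise surfaces as the `NoClassDefFoundError` shown above.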

4/4 Download & view a STIG

Download a STIG zip file, like the one that shows how to configure RKE. I browsed to https://public.cyber.mil/stigs/downloads/ and then searched for “rancher” to find some STIGs.

STIGs Document Library

Once you’ve got that STIG zip, go to the STIG Viewer and choose Import STIG…

Import STIG...

Now you can browse the configs!

Use STIG Viewer to browse vulns

Also published at https://jyeee.medium.com/stig-viewer-on-macos-1aa0ccffb978
