I apologize if this is a little off-topic for this list, but a question: what are others who use STIG Viewer planning to do once Oracle JDK 8 / JavaFX go EOL in January 2019?
Any Oracle Java 8 security updates released after January 2019 will require a commercial support license from Oracle:
https://developers.redhat.com/blog/2018/11/05/migrating-from-oracle-jdk-to-openjdk-on-red-hat-enterprise-linux-what-you-need-to-know/
STIG Viewer requires Oracle JDK 8 and JavaFX 8 in order to function. Oracle JDK 11 is the next LTS (long term support) version of Java. (Java 9 and Java 10 are not LTS releases, and are already EOL.) But in Java 11, Oracle removed JavaFX:
https://www.infoworld.com/article/3305073/java/removed-from-jdk-11-javafx-11-arrives-as-a-standalone-module.html
The OpenJFX project provides a JavaFX 11 implementation that works with OpenJDK 11:
https://openjfx.io/
But: I tested the latest STIG Viewer (version 2.8) with OpenJDK 11 / OpenJFX 11, and it does not work; it simply crashes at startup.
This will shortly place all STIG Viewer users in the situation where they must purchase a commercial support contract from Oracle in order to run STIG Viewer, because STIG Viewer requires outdated / EOL technology.
I asked DISA/IASE what their intentions were with STIG Viewer in light of this. As of 2018-11-27, this was their response:
There are currently no plans on creating a non-Oracle java version of STIG Viewer at this time. We also have no information regarding how DoD will be addressing the licensing requirement for Oracle java going forward.
So.
Ideally, I'd like to find a Linux replacement for STIG Viewer—something that can read, annotate, and write STIG Viewer checklist (*.ckl) files. But although SCAP Workbench can load and check STIGs, unless I'm missing something, it has no support for STIG Viewer checklist files.
I can't be the only person in this boat. What are others doing?
This would be a great RFE to file upstream as well as with Red Hat for SCAP-workbench to support this workflow.
Gabe
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
On 11/27/18 2:06 PM, James Ralston wrote:
I apologize if this is a little off-topic for this list, but a question: what are others who use STIG Viewer planning to do once Oracle JDK 8 / JavaFX go EOL in January 2019?
Any Oracle Java 8 security updates released after January 2019 will require a commercial support license from Oracle:
https://developers.redhat.com/blog/2018/11/05/migrating-from-oracle-jdk-to-openjdk-on-red-hat-enterprise-linux-what-you-need-to-know/
STIG Viewer requires Oracle JDK 8 and JavaFX 8 in order to function. Oracle JDK 11 is the next LTS (long term support) version of Java. (Java 9 and Java 10 are not LTS releases, and are already EOL.) But in Java 11, Oracle removed JavaFX:
https://www.infoworld.com/article/3305073/java/removed-from-jdk-11-javafx-11-arrives-as-a-standalone-module.html
The OpenJFX project provides a JavaFX 11 implementation that works with OpenJDK 11:
https://openjfx.io/
But: I tested the latest STIG Viewer (version 2.8) with OpenJDK 11 / OpenJFX 11, and it does not work; it simply crashes at startup.
This will shortly place all STIG Viewer users in the situation where they must purchase a commercial support contract from Oracle in order to run STIG Viewer, because STIG Viewer requires outdated / EOL technology.
I asked DISA/IASE what their intentions were with STIG Viewer in light of this. As of 2018-11-27, this was their response:
There are currently no plans on creating a non-Oracle java version of STIG Viewer at this time. We also have no information regarding how DoD will be addressing the licensing requirement for Oracle java going forward.
So.
Ideally, I'd like to find a Linux replacement for STIG Viewer—something that can read, annotate, and write STIG Viewer checklist (*.ckl) files. But although SCAP Workbench can load and check STIGs, unless I'm missing something, it has no support for STIG Viewer checklist files.
Not being snide, should this come across wrongly.... genuine question: Why use STIG Viewer in the first place?
I can't be the only person in this boat. What are others doing?
Wonder if this is something that could be incorporated into Security Central?
/me glances at @Gabe Alford
Functionality should really be in scap-workbench first.
On Tue, Nov 27, 2018, at 6:21 PM, Shawn Wells wrote:
On 11/27/18 2:06 PM, James Ralston wrote:
I apologize if this is a little off-topic for this list, but a question: what are others who use STIG Viewer planning to do once Oracle JDK 8 / JavaFX go EOL in January 2019?
[...]
Ideally, I'd like to find a Linux replacement for STIG Viewer—something that can read, annotate, and write STIG Viewer checklist (*.ckl) files. But although SCAP Workbench can load and check STIGs, unless I'm missing something, it has no support for STIG Viewer checklist files.
Not being snide, should this come across wrongly.... genuine question: Why use STIG Viewer in the first place?
The STIG Viewer produces *.ckl checklist files, which some auditors and many security departments want.
V/r, James Cassell
The .ckl issue is the answer to why use. I know not everyone works for gov't entities, but they typically require it, with very few options for other products. Management likes graphs and charts.
Yep, this is the one.
That said, if you dig through the archives of this mailing list, I figured out how to create the bare minimum .ckl file that you need for reporting so that should give people a head start.
Where can I find the controlled schema / ICD / metadata for the checklist file format?
From: Trevor Vaughan [mailto:tvaughan@onyxpoint.com]
Sent: Wednesday, November 28, 2018 9:02 AM
To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org
Subject: Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8 is EOL in January 2019?
Yep, this is the one.
That said, if you dig through the archives of this mailing list, I figured out how to create the bare minimum .ckl file that you need for reporting so that should give people a head start.
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
“genuine question: Why use STIG Viewer in the first place?”
This is the tool DISA uses to conduct line by line audits of manual & automated results during readiness inspections.
We use it for regular internal review of STIG posture, benchmark and manual, in order that we are familiar with the tool. It provides a common tool to use between the various customers locally that require and review the information to determine the security posture of their own systems. There may be other tools that may in fact be better, but I’d much rather be familiar and competent with what the auditors will use when crawling over the systems.
Thanks,
Mark Salowitz, CTR CTS II PaaS Engineer USCG Operations Systems Center