Posted to users@openoffice.apache.org by "Saunders, Thomas D. II" <TH...@saic.com> on 2014/01/30 21:22:54 UTC

RE: Quarterly release: STIG_Library.zip

To Whom it may concern:
I have questions regarding how to configure Open Office securely to conform to DOD guidelines and policies. Do you have a guide on how to configure Open Office for a secure environment?
v/r
Tom Saunders 
Senior Information Assurance & Security Engineer / Security Specialist
Mobile: 540-408-3087

Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY


-----Original Message-----
From: Rob Weir [mailto:robweir@apache.org] 
Sent: Thursday, January 30, 2014 3:15 PM
To: Saunders, Thomas D. II
Cc: security@openoffice.apache.org; disa.tinker.esd.mbx.okc-service-desk@mail.mil; Lange, Ann T.; Kirby, Wayne; Quade, Tracey; Mayonado, Mary
Subject: Re: Quarterly release: STIG_Library.zip

On Thu, Jan 30, 2014 at 3:02 PM, Saunders, Thomas D. II <TH...@saic.com> wrote:
> Rob,
>  Do you have a guide in regards to securing Open Office?

The normal documentation covers things like macro security, document encryption, etc. I don't know the DOD guidelines, but if I had to guess you might want to disable macro execution for unsigned documents and turn default encryption to use AES256 rather than Blowfish.

In any case, could you please send any follow up questions of this nature to our normal user support mailing list:
users@openoffice.apache.org?  The security list is only for reporting vulnerabilities.

Thanks,

-Rob


> v/r
> Tom Saunders
> Senior Information Assurance & Security Engineer / Security Specialist
> Mobile: 540-408-3087
>
> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>
>
> -----Original Message-----
> From: Rob Weir [mailto:robweir@apache.org]
> Sent: Thursday, January 30, 2014 2:59 PM
> To: security@openoffice.apache.org
> Cc: disa.tinker.esd.mbx.okc-service-desk@mail.mil; Lange, Ann T.; 
> Kirby, Wayne; Quade, Tracey; Mayonado, Mary; Saunders, Thomas D. II
> Subject: Re: Quarterly release: STIG_Library.zip
>
> On Thu, Jan 30, 2014 at 1:15 PM, Saunders, Thomas D. II <TH...@saic.com> wrote:
>> To Whom it may concern:
>>  I have questions regarding how to configure Open Office securely to conform to DOD guidelines and policies. This is starting to be a hot topic within the community. Any and all assistance would be greatly appreciated. Also, are your vulnerabilities reported to CVE and CERT? Is there a special mailing list for receiving security updates for Open Office, or would that be through the main apache site?
>
>
> Hello Tom,
>
> Yes, we report vulnerabilities to CERT.  You can see an index of our past security bulletins here:
>
> http://www.openoffice.org/security/bulletin.html
>
> We have a low-volume announcements mailing list where we announce new releases as well as security bulletins.  You can learn how to subscribe to this mailing list here:
>
> http://openoffice.apache.org/mailing-lists.html#announce-mailing-list
>
> Regards,
>
> -Rob Weir, Apache OpenOffice Security Team
>
>> Thanks in advance,
>> Tom Saunders
>> Senior Information Assurance & Security Engineer / Security 
>> Specialist
>> Mobile: 540-408-3087
>>
>> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>>
>>
>> -----Original Message-----
>> From: Kirby, Wayne
>> Sent: Wednesday, January 29, 2014 5:15 PM
>> To: Saunders, Thomas D. II
>> Cc: Lange, Ann T.
>> Subject: Re: Quarterly release: STIG_Library.zip
>>
>> Ann is looking for DOD guidance to lock down OOG and I would be interested myself as I use Open Office at home.
>>
>> Any guidance you can come up with would be greatly appreciated.
>>
>> R,
>>
>> Wayne
>> Sent from my Blackberry
>>
>> ----- Original Message -----
>> From: Saunders, Thomas D. II
>> Sent: Wednesday, January 29, 2014 04:40 PM
>> To: Kirby, Wayne
>> Cc: Quade, Tracey
>> Subject: RE: Quarterly release: STIG_Library.zip
>>
>> No, I didn't. You need help with locking down Open Office?
>>
>> Tom Saunders
>> Senior Information Assurance & Security Engineer / Security 
>> Specialist
>> Mobile: 540-408-3087
>>
>> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>>
>>
>> -----Original Message-----
>> From: Kirby, Wayne
>> Sent: Wednesday, January 29, 2014 4:29 PM
>> To: Saunders, Thomas D. II
>> Subject: Re: Quarterly release: STIG_Library.zip
>>
>> Thanks Tom.
>>
>> By the way, did you see the email from Ann Lange looking for guidance for securing Open Office?
>>
>> R,
>>
>> Wayne
>> Sent from my Blackberry
>>
>> ----- Original Message -----
>> From: Saunders, Thomas D. II
>> Sent: Wednesday, January 29, 2014 04:22 PM
>> To: Frazier, Bryce M.; Kirby, Wayne; Pearson, Michael S.; Quade, 
>> Tracey; Thompson, Anthony; Alexander, Janet L CTR NAVAIR, PMA 262 
>> <ja...@navy.mil> (janet.l.alexander.ctr@navy.mil) 
>> <ja...@navy.mil>; PMA 262'
>> <ja...@navy.mil>; Jantsch, Christian D.; Thompson, 
>> Anthony; Barnhart, Tom
>> Subject: FW: Quarterly release: STIG_Library.zip
>>
>> FYI
>>
>> Tom Saunders
>> Senior Information Assurance & Security Engineer / Security 
>> Specialist
>> Mobile: 540-408-3087
>>
>> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>>
>> -----Original Message-----
>> From: DISA Ft Meade FSO Mailbox IASE Mailing List 
>> [mailto:disa.meade.FSO.mbx.iase-mailing-list@mail.mil]
>> Sent: Wednesday, January 29, 2014 4:19 PM
>> Subject: Quarterly release: STIG_Library.zip
>>
>> FSO has released updates to the STIG Library Compilations in .ZIP format to correspond with the latest quarterly SRG/STIG update cycle. This release also includes newly released SRGs and STIGs published since the last quarterly release of the STIG Library Compilations.
>>
>> The STIG_Library.zip is a compilation of DoD Security Requirements Guides (SRGs), DoD Security Technical Implementation Guides (STIGs) (provided in XCCDF or .pdf format), Checklists, and Security Readiness Review (SRR) Tools that are available through the IASE web site's STIG pages.
>>
>> Two versions of the compilation are produced, an FOUO version and a NON-FOUO version, entitled U_STIG_Library_[date].zip and FOUO_STIG_Library_[date].zip. The file name preceded by FOUO_ contains STIGs and related content that has been designated as FOUO. As such, a DoD PKI certificate is required to download it. The file name preceded by U_ is the NON-FOUO version, which does not contain FOUO. It is therefore downloadable by the general public. These compilations may be used and distributed in the same manner as the individually downloaded documents. The FOUO compilation as a whole and any separated FOUO content must be handled in accordance with customary FOUO handling and dissemination guidelines.
>>
>> Please see "STIG Library Compilation READ ME" for additional information to include download / extraction instructions and a FAQ.
>>
>> All related files are available on IASE at: http://iase.disa.mil/stigs/dod_purpose-tool/index.html.
>>
>>
>> NOTE: DISA Field Security Operations (FSO) has retired the SRR_Lite CD image.
>>

Re: Quarterly release: STIG_Library.zip

Posted by Rob Weir <ro...@apache.org>.
On Thu, Jan 30, 2014 at 3:22 PM, Saunders, Thomas D. II
<TH...@saic.com> wrote:
> To Whom it may concern:
> I have questions regarding how to configure Open Office securely to conform to DOD guidelines and policies. Do you have a guide on how to configure Open Office for a secure environment?

Hi Tom,

I'm stripping the longer cc list.  You can fill them in when you have
the info you need.

First, I want to make sure that you know that OpenOffice is an open
source software application.  It is developed by a community of
volunteers. I'm pretty sure that none of us works for the DOD, and
I'd be surprised if any of us was intimately familiar with DOD
guidelines and policies.  The same would go for the internal security
policies of any organization.

The intent is for Apache OpenOffice to be secure out-of-the-box for
most users and most uses.

If I had to guess, hardening OpenOffice would entail things like:

1) Disabling macro execution for unsigned documents

2) Changing default encryption algorithm to AES256

3) Disabling automatic update notifications, with the idea of the
organization managing updates themselves.

(Maybe other list members have additional ideas?)

But this is only speculation, since I'm not an expert on DOD requirements.

To really answer your question, about DOD requirements specifically,
you'll need to figure out what these requirements are, and ask
specific questions regarding OpenOffice capabilities.  Or find a
consultant able to do this analysis for you.  We have a list of
consultants on our website here:

http://www.openoffice.org/bizdev/consultants.html

Regards,

-Rob

> v/r
> Tom Saunders
> Senior Information Assurance & Security Engineer / Security Specialist
> Mobile: 540-408-3087
>
> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>
>

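Rob's hardening list here (and his shorter guess in the earlier reply quoted above) names settings but not how an assessor would verify them on a deployed profile. As an added example, not code from the thread or the OpenOffice project, the Python below reads a user profile's registrymodifications.xcu and checks the macro-security and update-check points; the configuration paths are assumed from the officecfg schema, the sample profiles are constructed, and the AES256 default is left out because no per-profile key for it is cited here.

```python
"""Audit an OpenOffice registrymodifications.xcu for two hardening points:
unsigned macros blocked and the automatic update check disabled.
Configuration paths below are assumed from the officecfg schema, not the thread."""
import xml.etree.ElementTree as ET

OOR = "http://openoffice.org/2001/registry"   # namespace of oor:path / oor:name

MACRO_PATH = "/org.openoffice.Office.Common/Security/Scripting"
MACRO_PROP = "MacroSecurityLevel"   # 0=Low, 1=Medium, 2=High, 3=Very high
UPDATE_PATH = ("/org.openoffice.Office.Jobs/Jobs/"
               "org.openoffice.Office.Jobs:Job['UpdateCheck']/Arguments")
UPDATE_PROP = "AutoCheckEnabled"


def load_props(xcu_text):
    """Return {(item path, prop name): text value} for every <prop> in the .xcu."""
    root = ET.fromstring(xcu_text)
    props = {}
    for item in root.iter("item"):             # <item> itself carries no namespace
        path = item.get(f"{{{OOR}}}path")
        for prop in item.findall("prop"):
            props[(path, prop.get(f"{{{OOR}}}name"))] = prop.findtext("value")
    return props


def audit_hardening(xcu_text):
    """Map each check to (passed, detail). A missing key means the built-in
    default applies, which the audit treats as not verified, i.e. a failure."""
    props = load_props(xcu_text)
    level = props.get((MACRO_PATH, MACRO_PROP))
    auto = props.get((UPDATE_PATH, UPDATE_PROP))
    return {
        # High (2) or Very high (3): unsigned macros do not run.
        "unsigned_macros_blocked": (level is not None and int(level) >= 2,
                                    f"{MACRO_PROP}={level}"),
        "auto_update_check_disabled": (auto is not None and auto.strip().lower() == "false",
                                       f"{UPDATE_PROP}={auto}"),
    }


# Constructed sample profiles (not real files): one hardened, one left near defaults.
def _xcu(items):
    body = "".join(f'<item oor:path="{p}"><prop oor:name="{n}" oor:op="fuse">'
                   f'<value>{v}</value></prop></item>' for p, n, v in items)
    return f'<?xml version="1.0" encoding="UTF-8"?><oor:items xmlns:oor="{OOR}">{body}</oor:items>'

SAMPLE_HARDENED = _xcu([(MACRO_PATH, MACRO_PROP, "3"), (UPDATE_PATH, UPDATE_PROP, "false")])
SAMPLE_LAX = _xcu([(MACRO_PATH, MACRO_PROP, "1")])   # update-check key absent

if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("lax", SAMPLE_LAX)):
        for check, (ok, detail) in audit_hardening(sample).items():
            print(f"{name:8s} {check:28s} {'PASS' if ok else 'FAIL'}  ({detail})")
```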