To Whom it may concern:
I have questions regarding how to configure Open Office securely to conform 
to DOD guidelines and policies. Do you have a guide on how to configure Open 
Office for a secure environment? 
v/r
Tom Saunders 
Senior Information Assurance & Security Engineer / Security Specialist
Mobile: 540-408-3087

Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY


-----Original Message-----
From: Rob Weir [mailto:robw...@apache.org] 
Sent: Thursday, January 30, 2014 3:15 PM
To: Saunders, Thomas D. II
Cc: secur...@openoffice.apache.org; 
disa.tinker.esd.mbx.okc-service-d...@mail.mil; Lange, Ann T.; Kirby, Wayne; 
Quade, Tracey; Mayonado, Mary
Subject: Re: Quarterly release: STIG_Library.zip

On Thu, Jan 30, 2014 at 3:02 PM, Saunders, Thomas D. II 
<thomas.d.saunders...@saic.com> wrote:
> Rob,
>  Do you have a guide in regards to securing Open Office?

The normal documentation covers things like macro security, document
encryption, etc.   I don't know the DOD guidelines, but if I had to
guess you might want to disable macro execution for unsigned documents and turn 
default encryption to use AES256 rather than Blowfish.

In any case, could you please send any follow up questions of this nature to 
our normal user support mailing list:
users@openoffice.apache.org?  The security list is only for reporting 
vulnerabilities.

Thanks,

-Rob


> v/r
> Tom Saunders
> Senior Information Assurance & Security Engineer / Security Specialist
> Mobile: 540-408-3087
>
> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>
>
> -----Original Message-----
> From: Rob Weir [mailto:robw...@apache.org]
> Sent: Thursday, January 30, 2014 2:59 PM
> To: secur...@openoffice.apache.org
> Cc: disa.tinker.esd.mbx.okc-service-d...@mail.mil; Lange, Ann T.; 
> Kirby, Wayne; Quade, Tracey; Mayonado, Mary; Saunders, Thomas D. II
> Subject: Re: Quarterly release: STIG_Library.zip
>
> On Thu, Jan 30, 2014 at 1:15 PM, Saunders, Thomas D. II 
> <thomas.d.saunders...@saic.com> wrote:
>> To Whom it may concern:
>>  I have questions regarding how to configure Open Office securely to 
>> conform to DOD guidelines and policies. This is starting to be a hot topic 
>> within the community. Any and all assistance would be greatly appreciated. 
>> Also are your vulnerabilities reported to CVE and CERT? Is there a special 
>> mailing list in regards to receiving security updates for Open Office or 
>> would that be through the main apache site?
>
>
> Hello Tom,
>
> Yes, we report vulnerabilities to CERT.  You can see an index of our past 
> security bulletins here:
>
> http://www.openoffice.org/security/bulletin.html
>
> We have a low-volume announcements mailing list where we announce new 
> releases as well as security bulletins.  You can learn how to subscribe to 
> this mailing list here:
>
> http://openoffice.apache.org/mailing-lists.html#announce-mailing-list
>
> Regards,
>
> -Rob Weir, Apache OpenOffice Security Team
>
>> Thanks in advance,
>> Tom Saunders
>> Senior Information Assurance & Security Engineer / Security 
>> Specialist
>> Mobile: 540-408-3087
>>
>> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>>
>>
>> -----Original Message-----
>> From: Kirby, Wayne
>> Sent: Wednesday, January 29, 2014 5:15 PM
>> To: Saunders, Thomas D. II
>> Cc: Lange, Ann T.
>> Subject: Re: Quarterly release: STIG_Library.zip
>>
>> Ann is looking for DOD guidance to lock down OOG and I would be interested 
>> myself as I use Open Office at home.
>>
>> Any guidance you can come up with would be greatly appreciated.
>>
>> R,
>>
>> Wayne
>> Sent from my Blackberry
>>
>> ----- Original Message -----
>> From: Saunders, Thomas D. II
>> Sent: Wednesday, January 29, 2014 04:40 PM
>> To: Kirby, Wayne
>> Cc: Quade, Tracey
>> Subject: RE: Quarterly release: STIG_Library.zip
>>
>> No I didn’t, you need help with locking down Open Office?
>>
>> Tom Saunders
>> Senior Information Assurance & Security Engineer / Security 
>> Specialist
>> Mobile: 540-408-3087
>>
>> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>>
>>
>> -----Original Message-----
>> From: Kirby, Wayne
>> Sent: Wednesday, January 29, 2014 4:29 PM
>> To: Saunders, Thomas D. II
>> Subject: Re: Quarterly release: STIG_Library.zip
>>
>> Thanks Tom.
>>
>> By the way, did you see the email from Ann Lange looking for guidance for 
>> securing Open Office?
>>
>> R,
>>
>> Wayne
>> Sent from my Blackberry
>>
>> ----- Original Message -----
>> From: Saunders, Thomas D. II
>> Sent: Wednesday, January 29, 2014 04:22 PM
>> To: Frazier, Bryce M.; Kirby, Wayne; Pearson, Michael S.; Quade, 
>> Tracey; Thompson, Anthony; Alexander, Janet L CTR NAVAIR, PMA 262 
>> <janet.l.alexander....@navy.mil> (janet.l.alexander....@navy.mil) 
>> <janet.l.alexander....@navy.mil>; PMA 262'
>> <janet.l.alexander....@navy.mil>; Jantsch, Christian D.; Thompson, 
>> Anthony; Barnhart, Tom
>> Subject: FW: Quarterly release: STIG_Library.zip
>>
>> FYI
>>
>> Tom Saunders
>> Senior Information Assurance & Security Engineer / Security 
>> Specialist
>> Mobile: 540-408-3087
>>
>> Classification: UNCLASSIFIED//FOR OFFICIAL USE ONLY
>>
>> -----Original Message-----
>> From: DISA Ft Meade FSO Mailbox IASE Mailing List 
>> [mailto:disa.meade.fso.mbx.iase-mailing-l...@mail.mil]
>> Sent: Wednesday, January 29, 2014 4:19 PM
>> Subject: Quarterly release: STIG_Library.zip
>>
>> FSO has released updates to the STIG Library Compilations in .ZIP format to 
>> correspond with the latest quarterly SRG/STIG update cycle. This release 
>> also includes newly released SRGs and STIGs published since the last 
>> quarterly release of the STIG Library Compilations.
>>
>> The STIG_Library.zip is a compilation of DoD Security Requirements Guides 
>> (SRGs), DoD Security Technical Implementation Guides (STIGs) (provided in 
>> XCCDF or .pdf format), Checklists, Security Readiness Review (SRR) Tools 
>> that are available through the IASE web site's STIG pages.
>>
>> Two versions of the compilation are produced, an FOUO version and a NON-FOUO 
>> version entitled U_STIG_Library_[date].zip and FOUO_STIG_Library_[date].zip. 
>> The file name preceded by FOUO_ contains STIGs 
>> and related content that has been designated as FOUO. As such a DoD PKI 
>> certificate is required to download it. The file name preceded by U_ is the 
>> NON-FOUO version which does not contain FOUO. It is therefore downloadable 
>> by the general public. These compilations may be used and distributed in the 
>> same manner as the individually downloaded documents. The FOUO compilation 
>> as a whole and any separated FOUO content must be handled in accordance with 
>> customary FOUO handling and dissemination guidelines.
>>
>> Please see "STIG Library Compilation READ ME" for additional information to 
>> include download / extraction instructions and a FAQ.
>>
>> All related files are available on IASE at: 
>> http://iase.disa.mil/stigs/dod_purpose-tool/index.html.
>>
>>
>> NOTE: DISA Field Security Operations (FSO) has retired the SRR_Lite CD image.
>>
>>
>>
>>
>> To unsubscribe from this mailing, go to 
>> http://iase.disa.mil/stigs/unsubscribe.
>>
>>
