
Only DoD PKI issued or DoD approved software authentication certificates may be installed on DoD mobile operating system devices.


Overview

Finding ID: V-33169
Version: SRG-OS-000179-MOS-000101
Rule ID: SV-43567r1_rule
IA Controls: (none listed)
Severity: High
Description
If unauthorized software authentication certificates are installed on the device, then the operating system would not block malware signed by the entity that published these certificates. Such malware could be used to obtain sensitive DoD information or to further breach system security. Eliminating unapproved software authentication certificates greatly mitigates the risk of malware passing authentication controls.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41430r1_chk)
Review the mobile operating system certificate store for the software authentication certificates. In some cases, the certificates may not be visible. In this situation, consult system documentation to determine what certificates are installed on the device. Match the certificates present against a list of approved certificates. Verify there are no unapproved certificates present. If there are unapproved software authentication certificates installed on the device, this is a finding.
Fix Text (F-37069r2_fix)
Remove unapproved software authentication certificates from the device.
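
One way to carry out the matching step in the Check Text, shown as an added example that is not part of the STIG: it fingerprints each certificate in a PEM bundle exported from the device store and reports any fingerprint missing from the approved list. The function names, the PEM-export assumption, and the sample data are all assumptions made for illustration; the sample entries are constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle):
    """Return the SHA-256 hex fingerprint of each certificate's DER bytes."""
    return [
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
        for pem in PEM_RE.findall(pem_bundle)
    ]


def unapproved(pem_bundle, approved):
    """Fingerprints in the exported store that are not on the approved list."""
    # Accept approved-list entries written as "AB:CD:..." or "abcd...".
    allow = {fp.replace(":", "").strip().lower() for fp in approved}
    return [fp for fp in fingerprints(pem_bundle) if fp not in allow]


def is_finding(pem_bundle, approved):
    """Per the Check Text: any unapproved certificate present is a finding."""
    return bool(unapproved(pem_bundle, approved))


# Constructed sample input: placeholder byte strings wrapped as PEM, standing
# in for two certificates exported from a device store. Not real certificates.
SAMPLE_BUNDLE = "".join(
    ssl.DER_cert_to_PEM_cert(blob)
    for blob in (b"constructed-approved-cert", b"constructed-unknown-cert")
)
# Constructed approved list: only the first sample entry is approved.
APPROVED = {fingerprints(SAMPLE_BUNDLE)[0].upper()}

if __name__ == "__main__":
    for fp in unapproved(SAMPLE_BUNDLE, APPROVED):
        print("UNAPPROVED", fp)
    print("finding" if is_finding(SAMPLE_BUNDLE, APPROVED) else "not a finding")
```

Matching on the fingerprint of the full DER encoding rather than on subject name prevents a certificate that merely reuses an approved name from passing the comparison.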