
Only DoD PKI issued or DoD approved server authentication certificates must be installed on DoD mobile operating system devices.


Overview

Finding ID: V-33171
Version: SRG-OS-000179-MOS-000102
Rule ID: SV-43569r2_rule
IA Controls: (blank)
Severity: Medium
Description
If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the behavior of authorized equipment to trick the user into providing authentication credentials, which could then in turn be used to compromise DoD information and networks. Restricting device authentication certificates to an authorized list mitigates the risk of attaching to rogue devices and networks.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41431r1_chk)
Review the mobile operating system certificate store for the device authentication certificates. In some cases, the certificates may not be visible. In this situation, consult system documentation to determine what certificates are installed on the device. Match the certificates present against a list of approved certificates. Verify there are no unapproved certificates present. If there are unapproved device authentication certificates installed on the device, this is a finding.
Fix Text (F-37070r2_fix)
Remove unapproved software authentication certificates from the device.