The mobile operating system must not cache smartcard or certificate store passwords for more than an organizationally-defined time period.


Overview

Finding ID: V-33293
Version: SRG-OS-999999-MOS-000136
Rule ID: SV-43712r2_rule
IA Controls: (none listed)
Severity: Medium
Description
The longer passwords remain in the cache, the more likely it is that malware or other mechanisms will discover them. Once an adversary has obtained a password from the cache, the adversary can further compromise the device and the networks to which the device is attached. Minimizing the time passwords are stored in the cache mitigates the risk of this attack, and the absence of caching altogether eliminates it. If caching is available, the caching period should be configurable by the organization.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41590r3_chk)
Review the operating system configuration to verify that smartcard and certificate store passwords are not cached for longer than an organizationally-defined time period. If this is not apparent from the configuration, perform a transaction requiring CAC. After entering the CAC PIN, perform another transaction to check whether the system prompts for re-entry of the PIN. If it does not prompt for the PIN, caching is active. Then wait the organization-defined time limit and perform the same transaction again. If the system does not prompt for a PIN, the system is caching credentials in excess of the time limit. Repeat this process for another service requiring access to the certificate store (e.g., a web site using password-protected soft certificate authentication). If the caching period is longer than the organization-defined time limit for either the smartcard or the certificate store, this is a finding.
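The check above is a timing test: prompt, immediate re-use, then re-use after the organization-defined limit has elapsed. The following is an added example, not part of the STIG or of any vendor's implementation, that models a PIN cache with a configurable lifetime and runs that three-step check against it under an injectable clock so the "wait" step needs no real waiting. The class and function names, the 300-second limit and the sample PIN are constructed for illustration.

```python
"""Model of a smartcard/certificate-store PIN cache with an
organization-defined lifetime, plus the STIG check procedure.
Constructed example; names and values are assumptions."""
import time
from typing import Callable, Optional


class FakeClock:
    """Controllable clock so the audit can 'wait' without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class PinCache:
    """Caches a PIN for at most max_age_s seconds.

    max_age_s == 0 disables caching entirely: every transaction prompts,
    which the STIG description notes eliminates the risk altogether.
    """

    def __init__(self, max_age_s: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if max_age_s < 0:
            raise ValueError("max_age_s must be >= 0")
        self.max_age_s = max_age_s
        self._clock = clock
        self._pin: Optional[str] = None
        self._stored_at: float = 0.0

    def transaction(self, prompt: Callable[[], str]) -> bool:
        """Perform one CAC-protected transaction.

        Returns True if the user had to enter the PIN, False if a cached
        PIN was reused without prompting.
        """
        now = self._clock()
        if self._pin is not None and (now - self._stored_at) < self.max_age_s:
            return False  # cached PIN still within its lifetime
        pin = prompt()
        if self.max_age_s > 0:
            self._pin, self._stored_at = pin, now  # start the cache lifetime
        return True

    def clear(self) -> None:
        """Drop the cached PIN (e.g. on lock, logout or card removal)."""
        self._pin = None


def audit_cache_lifetime(cache: PinCache, clock: FakeClock,
                         org_limit_s: float) -> dict:
    """Run the STIG Check Text procedure against a cache.

    1. Transaction: PIN must be entered.
    2. Immediate second transaction: no prompt means caching is active.
    3. Wait the organization-defined limit, transact again: if the system
       still does not prompt, credentials are cached past the limit
       (a finding).
    """
    prompt = lambda: "123456"  # constructed sample PIN
    cache.transaction(prompt)                 # step 1: always prompts
    caching_active = not cache.transaction(prompt)  # step 2
    clock.advance(org_limit_s)                # "wait" the org-defined limit
    prompted_after_limit = cache.transaction(prompt)  # step 3
    return {
        "caching_active": caching_active,
        "prompted_after_limit": prompted_after_limit,
        "finding": caching_active and not prompted_after_limit,
    }


if __name__ == "__main__":
    for max_age in (0, 300, 3600):
        clk = FakeClock()
        result = audit_cache_lifetime(PinCache(max_age, clk.now), clk, 300)
        print(f"cache lifetime {max_age:>5}s vs limit 300s -> {result}")
```

A cache whose lifetime equals the limit expires exactly at the limit and passes; one configured longer (3600 s here) is reported as a finding; a lifetime of 0 never shows caching as active and therefore cannot produce a finding. The `clear()` method is where a real implementation would hook lock, logout or card-removal events, which the STIG check does not exercise but which shorten the effective exposure window.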
Fix Text (F-37223r3_fix)
Configure the operating system to prohibit caching of smartcard and certificate store passwords for longer than an organizationally-defined time period.