Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-231049 | KNOX-11-022600 | SV-231049r608683_rule | | Medium |
Description |
---|
A Certificate Revocation List (CRL) allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private key. Checking the revocation status of a certificate mitigates the risk of using a compromised certificate.

Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of a single certificate. It avoids downloading and parsing a full CRL and returns a status that is typically fresher than a periodically issued CRL. When OCSP is enabled, it is used before CRL checking. If OCSP cannot obtain a decisive response about a certificate, the device falls back to CRL checking. The OCSP responder must be listed in the certificate's Authority Info Access extension; a certificate without such an entry cannot be checked with OCSP.

This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation.

SFR ID: FMT_SMF_EXT.1.1 #47
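The ordering described above (OCSP first, CRL only when OCSP is not decisive, and OCSP only when the certificate's Authority Info Access names a responder), as an added worked example that is not part of the STIG and is not Samsung, Knox or management-tool code. It uses the Python `cryptography` library to build a throw-away CA, a leaf certificate carrying Authority Info Access and CRL Distribution Point extensions, a signed OCSP response and a signed CRL entirely in memory; the URLs are placeholders and the `fetch_*` callables stand in for the network, so nothing is contacted. It goes one step beyond the description by also showing what happens when neither source answers: the status is reported as undetermined rather than good.

```python
# Added example, not from the STIG or any Samsung/Knox code: OCSP-first, CRL-fallback check.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID
OCSP_URL = "http://ocsp.example.test"       # assumed placeholder responder URL
CRL_URL = "http://crl.example.test/ca.crl"  # assumed placeholder CRL location
NOW = datetime.datetime.now(datetime.timezone.utc)
DER = serialization.Encoding.DER

def make_cert(cn, key, issuer=None, signer=None, crldp=False, aia=False):  # CA if issuer is None
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer or subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=30)))
    if crldp:  # CRL Distribution Points: where a client finds the CRL
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            [x509.UniformResourceIdentifier(CRL_URL)], None, None, None)]), critical=False)
    if aia:    # Authority Info Access: where a client finds the OCSP responder
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))]),
            critical=False)
    return b.sign(signer or key, hashes.SHA256())

def make_ocsp_response(ca_key, ca, leaf, status):  # DER response, signed by the CA itself
    return (ocsp.OCSPResponseBuilder()
            .add_response(leaf, ca, hashes.SHA256(), status, NOW, NOW + datetime.timedelta(hours=1),
                          NOW if status is ocsp.OCSPCertStatus.REVOKED else None, None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()).public_bytes(DER))

def make_crl(ca_key, ca, revoked_serials):  # DER CRL listing the given serials
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256()).public_bytes(DER)

def revocation_urls(cert):  # (OCSP responder from AIA, CRL URI from CRLDP); None when absent
    ocsp_at = crl_at = None
    for ext in cert.extensions:
        if ext.oid == ExtensionOID.AUTHORITY_INFORMATION_ACCESS:
            ocsp_at = next((d.access_location.value for d in ext.value
                            if d.access_method == AuthorityInformationAccessOID.OCSP), None)
        elif ext.oid == ExtensionOID.CRL_DISTRIBUTION_POINTS:
            crl_at = next((n.value for dp in ext.value for n in (dp.full_name or [])
                           if isinstance(n, x509.UniformResourceIdentifier)), None)
    return ocsp_at, crl_at

def ocsp_verdict(cert, issuer, der):  # 'good'/'revoked' if decisive, else None
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None  # tryLater, internalError, unauthorized: not decisive
    # Responder is the CA itself here; a real client must also accept a delegated
    # responder certificate and enforce thisUpdate/nextUpdate freshness (omitted).
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    status = {ocsp.OCSPCertStatus.GOOD: "good", ocsp.OCSPCertStatus.REVOKED: "revoked"}
    return status.get(resp.certificate_status) if resp.serial_number == cert.serial_number else None

def check_revocation(cert, issuer, ocsp_enabled, fetch_ocsp, fetch_crl):
    """(status, source): OCSP first when enabled and named in the cert, CRL otherwise."""
    ocsp_at, crl_at = revocation_urls(cert)
    if ocsp_enabled and ocsp_at:  # Method #1 (OCSP check off) goes straight to the CRL
        try:
            verdict = ocsp_verdict(cert, issuer, fetch_ocsp(ocsp_at))
            if verdict:
                return verdict, "ocsp"
        except Exception:  # unreachable responder, malformed or badly signed reply
            pass  # not decisive: fall through to the CRL
    try:
        crl = x509.load_der_x509_crl(fetch_crl(crl_at))
    except Exception:  # no CRL DP (crl_at is None), unreachable, or malformed CRL
        return "undetermined", "crl-unavailable"
    if not crl.is_signature_valid(issuer.public_key()):
        return "undetermined", "crl-bad-signature"
    listed = crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    return ("revoked" if listed else "good"), "crl"

def demo():  # {scenario: (status, source)} for the cases a reviewer would want covered
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Example Test CA", ca_key)
    leaf = make_cert("device.example.test", leaf_key, ca.subject, ca_key, crldp=True, aia=True)
    no_aia = make_cert("device.example.test", leaf_key, ca.subject, ca_key, crldp=True)
    good = make_ocsp_response(ca_key, ca, leaf, ocsp.OCSPCertStatus.GOOD)
    try_later = ocsp.OCSPResponseBuilder.build_unsuccessful(
        ocsp.OCSPResponseStatus.TRY_LATER).public_bytes(DER)
    crl = make_crl(ca_key, ca, [leaf.serial_number, no_aia.serial_number])  # revokes both leaves
    def down(_url):
        raise ConnectionError("simulated outage")
    return {
        "ocsp_good": check_revocation(leaf, ca, True, lambda u: good, lambda u: crl),  # CRL never read
        "ocsp_try_later": check_revocation(leaf, ca, True, lambda u: try_later, lambda u: crl),
        "no_aia": check_revocation(no_aia, ca, True, lambda u: good, lambda u: crl),  # no responder
        "both_down": check_revocation(leaf, ca, True, down, down),  # no answer is not "good"
    }
```

Calling `demo()` shows that a decisive OCSP answer wins even though the CRL lists the same certificate, that a tryLater response or a certificate with no Authority Info Access entry falls through to the CRL, and that an outage of both sources never produces a "good" verdict. The "OCSP check" setting in Method #2 corresponds to `ocsp_enabled=True`; Method #1 is the same function with it set to `False`, which skips straight to the CRL.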
STIG | Date |
---|---|
Samsung Android 11 with Knox 3.x Legacy Security Technical Implementation Guide | 2020-12-08 |
Check Text ( C-33979r592761_chk ) |
---|
Confirm whether Method #1 or Method #2 is used at the Samsung device site and follow the corresponding procedure. This validation procedure is performed on the management tool Administration Console only.

Validation Procedure for Method #1: CRL Checking

On the management tool, in the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".

If "Revocation check" is not set to "enable for all apps", this is a finding.

Validation Procedure for Method #2: OCSP with CRL Fallback

On the management tool:

1. In the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile restrictions section, verify that "OCSP check" is set to "enable for all apps".

If "Revocation check" is not set to "enable for all apps", or if "OCSP check" is not set to "enable for all apps", this is a finding.
Fix Text (F-33952r592762_fix) |
---|
Configure the Samsung Android Work Environment to enable certificate revocation checking by either of the following methods.

Method #1: CRL Checking

On the management tool, in the Work profile certificate section, set "Revocation check" to "enable for all apps".

Method #2: OCSP with CRL Fallback

On the management tool:

1. In the Work profile certificate section, set "Revocation check" to "enable for all apps".
2. In the Work profile restrictions section, set "OCSP check" to "enable for all apps".

Method #2 requires both settings; enabling "OCSP check" alone does not satisfy the requirement, and OCSP is only consulted for certificates whose Authority Info Access extension names a responder. Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some tools may, for example, accept a wildcard string: "*".