Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-99953 | KNOX-10-004600 | SV-109057r1_rule | Medium |
Description |
---|
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. Data sharing restrictions mitigate this risk. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2 |
STIG | Date |
---|---|
Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide | 2020-03-24 |
Check Text ( C-98803r1_chk ) |
---|
Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes. This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable only to COPE only. This procedure is performed on the management tool Administration console only. This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed. On the management tool, in the Work Environment KPE RCP section, verify "Move files to personal" is set to "Disallow". If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding. If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding. |
Fix Text (F-105637r1_fix) |
---|
Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only. The configuration of "Move files to personal" is the default required configuration. No configuration is required. On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow". Note: "Move files to workspace" may be configured if there is a DoD mission need for this feature. |