
Samsung Android Work Environment must be configured to enable Certificate Revocation checking.


Overview

Finding ID: V-99989
Version: KNOX-10-012000
Rule ID: SV-109093r1_rule
IA Controls: none listed
Severity: Medium
Description
A Certificate Revocation List (CRL) allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private key. Checking the revocation status of a certificate mitigates the risk of trusting a compromised certificate.

Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of a single certificate from a responder; it addresses problems associated with using CRLs, such as CRL size and staleness. When OCSP is enabled, it is used prior to CRL checking. If OCSP cannot obtain a decisive response about a certificate, the device then falls back to CRL checking. For OCSP to be usable, the OCSP responder must be listed in the certificate under Authority Information Access (AIA); a certificate with no AIA OCSP entry can only be checked against a CRL.

This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation.

SFR ID: FMT_SMF_EXT.1.1 #47
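The description above says what the device needs from the certificate (an OCSP responder in AIA, a CRL it can fall back to) and what the control changes (a revoked certificate is rejected instead of accepted). The script below is an added example, not part of the STIG or of any Samsung or DISA material: it uses the openssl command line to build a throwaway CA, issue one leaf certificate that carries the AIA OCSP URL and a CRL distribution point and one that carries neither, show the pre-deployment check an administrator should run on the certificates their PKI issues, and then revoke the first leaf and verify it with and without CRL checking. The CA name, the file names and the URLs http://ocsp.example.test and http://crl.example.test/ca.crl are placeholders chosen for this demo; nothing is contacted over the network, and the only requirement is an openssl binary (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not STIG text): throwaway CA, two leaf certs, AIA/CRL
# inspection, then a CRL-based revocation check. All names and URLs below
# are demo placeholders; no network access is needed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway self-signed CA, valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
    -subj "/CN=Demo Knox CA" >/dev/null 2>&1

# Leaf extensions a revocation-checkable cert must carry: AIA names the OCSP
# responder (what the device's OCSP check reads), crlDistributionPoints names
# where the CRL is published (what the CRL fallback reads).
cat > ext_good.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
authorityInfoAccess=OCSP;URI:http://ocsp.example.test
crlDistributionPoints=URI:http://crl.example.test/ca.crl
EOF

# Leaf extensions with no revocation information at all.
cat > ext_bare.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
EOF

issue_leaf() {   # $1 = name, $2 = extension file
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -extfile "$2" -out "$1.crt" >/dev/null 2>&1
}
issue_leaf good ext_good.cnf
issue_leaf bare ext_bare.cnf

# Pre-deployment check: which OCSP responder and CRL location does a cert name?
# An empty OCSP URL means Method #2 has nowhere to send an OCSP query for it.
ocsp_uri()   { openssl x509 -noout -ocsp_uri -in "$1"; }
crl_points() { openssl x509 -noout -ext crlDistributionPoints -in "$1" 2>/dev/null | sed -n 's/.*URI://p'; }

# Minimal "openssl ca" setup so the demo CA can revoke a cert and publish a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
touch index.txt
echo 01 > serial
echo 1000 > crlnumber

openssl ca -config ca.cnf -revoke good.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# Chain validation with no revocation check: the revoked cert still passes.
# This is the state the STIG finding describes.
status_no_revocation_check() {
    if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then echo valid; else echo rejected; fi
}
# Chain validation with CRL checking (Method #1): the revoked cert is rejected.
status_with_crl_check() {
    if openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo rejected
    fi
}

printf 'good.crt OCSP responder : %s\n' "$(ocsp_uri good.crt)"
printf 'good.crt CRL DP         : %s\n' "$(crl_points good.crt)"
printf 'bare.crt OCSP responder : "%s" (empty: OCSP check has nowhere to ask)\n' "$(ocsp_uri bare.crt)"
printf 'good.crt, no revocation check : %s\n' "$(status_no_revocation_check good.crt)"
printf 'good.crt, CRL check           : %s\n' "$(status_with_crl_check good.crt)"
printf 'bare.crt, CRL check           : %s\n' "$(status_with_crl_check bare.crt)"
```

Run the same two `openssl x509` inspections against the certificates your own CA issues to the Work profile before enabling Method #2: if the AIA OCSP entry is missing, the device can never get a decisive OCSP answer and every check silently becomes a CRL check, so the CRL distribution point must then be reachable from the device or the certificate will not validate.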
STIG: Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide
Date: 2020-03-24

Details

Check Text (C-98839r1_chk)
Review Samsung Android Work Environment configuration settings to determine if Certificate Revocation checking is enabled.

Confirm whether Method #1 or Method #2 is used at the Samsung device site and follow the corresponding procedure.

This validation procedure is performed on the management tool Administration Console only.

****

Method #1: CRL checking

On the management tool, in the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding.

****

Method #2: OCSP with CRL fallback

On the management tool, do the following:
1. In the Work profile KPE certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile KPE restrictions section, verify that "OCSP check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.

Fix Text (F-105673r1_fix)
Configure Samsung Android Work Environment to enable Certificate Revocation checking.

Do one of the following:
- Method #1: CRL checking
- Method #2: OCSP with CRL fallback

****

Method #1: CRL checking

On the management tool, in the Work profile KPE certificate section, set "Revocation check" to "enable for all apps".

Refer to the management tool documentation to determine how to configure Revocation checking to "enable for all apps". Some tools, for example, express "all apps" as the wildcard string "*".

****

Method #2: OCSP with CRL fallback

On the management tool, do the following:
1. In the Work profile KPE certificate section, set "Revocation check" to "enable for all apps".
2. In the Work profile KPE restrictions section, set "OCSP check" to "enable for all apps".

Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some tools, for example, express "all apps" as the wildcard string "*". Note that OCSP can only be queried for certificates that carry an OCSP responder URL in their Authority Information Access extension; certificates without it are checked against the CRL only.