Samsung Android OS 8 with Knox 3.x COBO Use Case Security Technical Implementation Guide


Overview

Date: 2019-10-01
Finding Count (53): CAT I (High): 3, CAT II (Med): 39, CAT III (Low): 11
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. This set of requirements is for the Corporate Owned Business Only (COBO) use case and assumes no personal data or applications are installed on the Samsung device and the full device is a secure work environment.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-80233 High Samsung Android 8 with Knox must implement the management setting: Enable CC mode.
V-80259 High Samsung Android 8 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled.
V-80257 High The Samsung Android 8 with Knox device must have the latest available Samsung Android operating system (OS) installed.
V-80207 Medium Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, hybrid authentication factor: Disable Trust Agents. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
V-80213 Medium Samsung Android 8 with Knox must implement the management setting: Disable automatic completion of browser text input.
V-80191 Medium Samsung Android 8 with Knox must be configured to not display the following notifications when the device is locked: All notifications.
V-80211 Medium Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Face Recognition. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
V-80193 Medium Samsung Android 8 mobile device users must complete required training.
V-80195 Medium The Samsung DeX Station/Pad multimedia dock must not be connected directly to a DoD network.
V-80215 Medium Samsung Android 8 with Knox must be configured to disable multi-user modes.
V-80235 Medium Samsung Android 8 with Knox must implement the management setting: Disable Manual Date Time Changes.
V-80231 Medium Samsung Android 8 with Knox must be configured to disable USB mass storage mode.
V-80237 Medium Samsung Android 8 with Knox must implement the management setting: USB host mode whitelist.
V-80255 Medium Samsung Android 8 with Knox must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
V-80253 Medium Samsung Android 8 with Knox must be configured to disable developer modes.
V-80251 Medium Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup.
V-80179 Medium The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other mobile devices (MDs) or printers.
V-80177 Medium The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with user.
V-80175 Medium The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice dialing application if available when MD is locked.
V-80173 Medium The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Voice assistant application if available when mobile device (MD) is locked.
V-80171 Medium The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services).
V-80183 Medium Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]: Disable unknown sources.
V-80201 Medium Samsung Android 8 with Knox must implement the management setting: Configure minimum password complexity.
V-80181 Medium The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers.
V-80203 Medium Samsung Android 8 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity.
V-80261 Medium Samsung Android 8 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check.
V-80209 Medium Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Intelligent Scanning. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
V-80189 Medium Samsung Android 8 with Knox must implement the management setting: Enable Audit Log.
V-80227 Medium Samsung Android 8 with Knox must implement the management setting: Disable Admin Remove.
V-80225 Medium Samsung Android 8 with Knox must implement the management setting: Disable Allow New Admin Install.
V-80249 Medium Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
V-80245 Medium Samsung Android 8 with Knox for Android must implement the management setting: Disable Samsung Wi-Fi Sharing.
V-80247 Medium Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync.
V-80241 Medium Samsung Android 8 with Knox must implement the management setting: Disable Android Beam.
V-80161 Medium Samsung Android 8 with Knox must implement the management setting: Account whitelist.
V-80163 Medium Samsung Android 8 with Knox must implement the management setting: Account blacklist.
V-80229 Medium Samsung Android 8 with Knox must implement the management setting: Disable S Voice.
V-80165 Medium Samsung Android 8 with Knox must implement the management setting: Configure application disable list.
V-80167 Medium Samsung Android 8 with Knox must implement the management setting: Configure application install blacklist.
V-80169 Medium Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: List of digital signatures or list of package names.
V-80239 Medium Samsung Android 8 with Knox must implement the management setting: Configure disable Share Via List.
V-80263 Medium Samsung Android 8 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device.
V-80217 Low Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.
V-80197 Low Samsung Android 8 with Knox must be configured to enforce a minimum password length of six characters.
V-80199 Low Samsung Android 8 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters.
V-80219 Low Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report Diagnostic Info.
V-80187 Low Samsung Android 8 with Knox must be configured to: Disable Bixby Vision.
V-80205 Low Samsung Android 8 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts.
V-80185 Low Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the Battery optimizations modes Whitelist.
V-80221 Low Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics.
V-80243 Low Samsung Android 8 with Knox must be configured to: Disable upload of DoD contact information.
V-80223 Low Samsung Android 8 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).
V-80265 Low Samsung Android 8 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device.