Samsung Android 8 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-80261	KNOX-08-019100	SV-94965r1_rule		Medium

Description
A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate. SFR ID: FMT_SMF_EXT.1.1 #47

STIG	Date
Samsung Android OS 8 with Knox 3.x COBO Use Case Security Technical Implementation Guide	2019-10-01

Details

Check Text ( C-79933r1_chk )
Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to enable a Certificate Revocation Status (CRL) Check. This validation procedure is performed on the MDM Administration Console only. On the MDM console, do the following: 1. Ask the MDM Administrator to display the package list in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule. 2. Verify the string is "*" (asterisk). 3. Ask the MDM Administrator to display the enable check box in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule. 4. Verify the check box is selected. If the MDM console "Certificate Revocation Check (CRL)" settings are not enabled for all packages, this is a finding.

Check Text ( C-79933r1_chk )

Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to enable a Certificate Revocation Status (CRL) Check.

This validation procedure is performed on the MDM Administration Console only.

On the MDM console, do the following:
1. Ask the MDM Administrator to display the package list in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule.
2. Verify the string is "*" (asterisk).
3. Ask the MDM Administrator to display the enable check box in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule.
4. Verify the check box is selected.

If the MDM console "Certificate Revocation Check (CRL)" settings are not enabled for all packages, this is a finding.

Fix Text (F-87067r1_fix)
Configure Samsung Android 8 with Knox to enable a Certificate Revocation Status (CRL) Check. On the MDM console, do the following: 1. Enter the string "*" (asterisk) in the package list in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule. 2. Select the enable check box in the "Certificate Revocation Check (CRL)" settings in the "Android Certificate" rule.