
Samsung Android OS 8 with Knox 3.x COPE Use Case Security Technical Implementation Guide


Overview

Date: 2018-05-14
Finding Count (78): CAT I (High): 3, CAT II (Med): 59, CAT III (Low): 16
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. This set of requirements is for the Corporate Owned Personally Enabled (COPE) use case and assumes the Authorizing Authority (AO) has approved unrestricted use of the personal space/container on Samsung devices. If the AO has not approved unrestricted use of the personal space/container on Samsung devices, additional device-wide controls should be implemented (see Section 3 of the STIG Supplemental document for more information).

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-80391 High The Samsung Android 8 with Knox device must have the latest available Samsung Android operating system (OS) installed.
V-80307 High Samsung Android 8 with Knox must use a NIAP-certified CONTAINER for work data and applications.
V-80393 High Samsung Android 8 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled.
V-80379 Medium Samsung Android 8 with Knox for Android must implement the management setting: Disable Samsung Wi-Fi Sharing.
V-80305 Medium Samsung Android 8 with Knox must be configured to implement the management setting: Enable CONTAINER.
V-80381 Medium The Samsung Android 8 with Knox CONTAINER must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync.
V-80285 Medium The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Voice assistant application if available when mobile device (MD) is locked.
V-80317 Medium Samsung Android 8 with Knox must implement the management setting: Configure to enforce a minimum CONTAINER password length of four characters.
V-80313 Medium The Samsung DeX Station/Pad multimedia dock must not be connected directly to a DoD network.
V-80311 Medium Samsung Android 8 mobile device users must complete required training.
V-80287 Medium The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Voice dialing application if available when mobile device (MD) is locked.
V-80373 Medium Samsung Android 8 with Knox must implement the management setting: USB host mode whitelist.
V-80279 Medium The Samsung Android 8 with Knox whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers.
V-80407 Medium Samsung Android 8 with Knox must implement the management setting: Disable sharing of calendar information outside the CONTAINER.
V-80405 Medium Samsung Android 8 with Knox must implement the management setting: Disable Move Files from CONTAINER to Personal.
V-80401 Medium The Samsung Android 8 with Knox CONTAINER must implement the management setting: Install DoD root and intermediate PKI certificates on the device.
V-80271 Medium Samsung Android 8 with Knox must implement the management setting: Configure application disable list.
V-80335 Medium Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Trust Agents. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
V-80273 Medium The Samsung Android 8 with Knox CONTAINER must implement the management setting: Configure CONTAINER application disable list.
V-80337 Medium The Samsung Android 8 with Knox CONTAINER must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Trust Agents. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
V-80275 Medium Samsung Android 8 with Knox must implement the management setting: Configure CONTAINER application install blacklist.
V-80277 Medium Samsung Android 8 with Knox must be configured to enforce a CONTAINER application installation policy by specifying an application whitelist that restricts applications by the following characteristics: List of digital signatures, names.
V-80399 Medium Samsung Android 8 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device.
V-80293 Medium Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]: Disable unknown sources.
V-80397 Medium The Samsung Android 8 with Knox CONTAINER must implement the management setting: Enable Certificate Revocation Status (CRL) Check.
V-80291 Medium The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other mobile devices (MDs) or printers.
V-80421 Medium If a third-party VPN client is installed in the personal space, it must not be configured with a DoD network (work) VPN profile.
V-80387 Medium Samsung Android 8 with Knox must be configured to disable developer modes.
V-80363 Medium The Samsung Android 8 with Knox CONTAINER must implement the management setting: Disable Allow New Admin Install.
V-80267 Medium Samsung Android 8 with Knox must implement the management setting: CONTAINER Account whitelist.
V-80361 Medium Samsung Android 8 with Knox must implement the management setting: Disable Admin Remove.
V-80365 Medium The Samsung Android 8 with Knox CONTAINER must implement the management setting: Disable S Voice.
V-80281 Medium The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Back up mobile device (MD) data to non-DoD cloud servers (including user and application access to cloud backup services).
V-80345 Medium Samsung Android 8 with Knox must be configured to disable multi-user modes.
V-80341 Medium Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Face Recognition. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
V-80343 Medium Samsung Android 8 with Knox must implement the management setting: Disable automatic completion of CONTAINER browser text input.
V-80339 Medium Samsung Android 8 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including biometric fingerprint, iris, face, voice, and hybrid authentication factor: Disable Intelligent Scanning. Note: This requirement is Not Applicable (NA) if the non-Password Authentication Factor mechanism is included in the product's Common Criteria evaluation (fingerprint and iris scan are allowed).
V-80309 Medium Samsung Android 8 with Knox must implement the management setting: Disable sharing of notification details outside the CONTAINER when the CONTAINER is locked.
V-80395 Medium Samsung Android 8 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check.
V-80327 Medium Samsung Android 8 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity.
V-80329 Medium Samsung Android 8 with Knox must be configured to lock the CONTAINER after 15 minutes (or less) of inactivity.
V-80269 Medium Samsung Android 8 with Knox must implement the management setting: CONTAINER Account blacklist.
V-80371 Medium Samsung Android 8 with Knox must implement the management setting: Disable Manual Date Time Changes.
V-80301 Medium Samsung Android 8 with Knox must implement the management setting: Enable Audit Log.
V-80303 Medium Samsung Android 8 with Knox must be configured to disable exceptions to the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
V-80325 Medium Samsung Android 8 with Knox must implement the management setting: Configure minimum CONTAINER password complexity.
V-80323 Medium Samsung Android 8 with Knox must implement the management setting: Configure minimum password complexity.
V-80369 Medium Samsung Android 8 with Knox must implement the management setting: Enable CC mode.
V-80419 Medium The Samsung Android 8 with Knox VPN client must be configured in one of the following configurations: 1. Disabled; 2. Configured for CONTAINER use only; or 3. Configured for per app use for the personal side.
V-80289 Medium The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Allows synchronization of data or applications between devices associated with user.
V-80383 Medium Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
V-80359 Medium Samsung Android 8 with Knox must implement the management setting: Disable Allow New Admin Install.
V-80385 Medium Samsung Android 8 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup.
V-80409 Medium Samsung Android 8 with Knox must implement the management setting: Disable sharing of clipboard information outside the CONTAINER.
V-80411 Medium Samsung Android 8 with Knox must be configured to disable sharing of contact information outside the CONTAINER.
V-80367 Medium Samsung Android 8 with Knox must be configured to disable USB mass storage mode.
V-80413 Medium Samsung Android 8 with Knox must implement the management setting: Disable Move Applications to CONTAINER.
V-80283 Medium The Samsung Android 8 with Knox CONTAINER whitelist must be configured to not include applications with the following characteristics: Transmit mobile device (MD) diagnostic data to non-DoD servers.
V-80415 Medium The Samsung Android 8 with Knox VPN client must be configured in one of the following configurations: 1. Disabled; 2. Configured for CONTAINER use only; or 3. Configured for per app use for the personal side.
V-80389 Medium Samsung Android 8 with Knox must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.
V-80417 Medium The Samsung Android 8 with Knox VPN client must be configured in one of the following configurations: 1. Disabled; 2. Configured for CONTAINER use only; or 3. Configured for per app use for the personal side.
V-80375 Medium The Samsung Android 8 with Knox CONTAINER must implement the management setting: Configure disable Share Via List.
V-80377 Low The Samsung Android 8 with Knox CONTAINER must be configured to: Disable upload of DoD contact information.
V-80315 Low Samsung Android 8 with Knox must be configured to enforce a minimum password length of six characters.
V-80353 Low Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics.
V-80351 Low The Samsung Android 8 with Knox CONTAINER must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.
V-80357 Low Samsung Android 8 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).
V-80319 Low Samsung Android 8 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters.
V-80403 Low Samsung Android 8 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device.
V-80331 Low Samsung Android 8 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts.
V-80333 Low Samsung Android 8 with Knox must implement the management setting: Configure to prohibit more than 10 consecutive failed CONTAINER authentication attempts.
V-80299 Low The Samsung Android 8 with Knox CONTAINER must be configured to: Disable Bixby Vision.
V-80355 Low The Samsung Android 8 with Knox CONTAINER must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Usage and diagnostics.
V-80297 Low Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the CONTAINER Battery optimizations modes Whitelist.
V-80295 Low Samsung Android 8 with Knox must be configured to: Add the MDM Client application to the Battery optimizations modes Whitelist.
V-80349 Low Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Report Diagnostic Info.
V-80347 Low Samsung Android 8 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled: Disable Google Crash Report.
V-80321 Low Samsung Android 8 with Knox must be configured to not allow CONTAINER passwords that include more than two repeating or sequential characters.