
The mobile operating system must include organization defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.


Overview

Finding ID: KNOX-04-001200
Version: KNOX-04-001200
Rule ID: KNOX-04-001200_rule
IA Controls: (none listed)
Severity: Low
Description
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. The audit configuration must be adaptable to include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. Examples of this information include VPN state, communications interface, and duration of event.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text ( C-KNOX-04-001200_chk )
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Disable USB Debugging" checkbox in the "Android Knox Base Restrictions" rule.
2. Verify the checkbox is selected.

On the Samsung Knox Android device:
1. Open the device settings.
2. Select "Developer Options".
3. Verify the "USB debugging" checkbox is not selected.

If either the "Disable USB Debugging" checkbox is not selected on the MDM administration console or the "USB debugging" checkbox is selected on the device, this is a finding.

Note: Knox Android complies with this requirement by disabling features that would require more detailed information in the audit logs. Privileged text-based commands can only be performed via the Android Debug Bridge, which is disabled by selecting the "Disable USB Debugging" checkbox as described above.
Fix Text (F-KNOX-04-001200_fix)
Disable the ability to enter privileged text-based commands, thereby eliminating the need to audit them.

For example, on the Fixmo Sentinel Administration Console, check the "Disable USB Debugging" checkbox in the "Android Knox Base Restrictions" rule.