
The mobile operating system must authenticate tethered connections to the device.


Overview

Finding ID: KNOX-04-001300
Version: KNOX-04-001300
Rule ID: KNOX-04-001300_rule
IA Controls: (none listed)
Severity: Medium
Description
Authentication may occur either by reentry of the device unlock passcode at the time of connection, through another passcode with the same or stronger complexity, or through PKI certificates. Authentication mitigates the risk that an adversary who obtains physical possession of the device can use the tethered connection to access sensitive data on the device or otherwise tamper with its operating system or applications.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text (C-KNOX-04-001300_chk)
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Disable USB Debugging", "Disable Vendor USB Protocol", and "Disable USB Media Player" checkboxes in the "Android Knox Base Restrictions" rule.
2. Verify all of the checkboxes are selected.

On the Samsung Knox Android device:
1. With the device locked, connect the device to another device via a USB cable.
2. Verify the MOS file system is not accessible.
3. Unlock the device and open the device settings.
4. Select "Developer Options".
5. Ensure the "USB debugging" checkbox is not checked and cannot be checked by the user.

If any one of the "Disable USB Debugging", "Disable Vendor USB Protocol", or "Disable USB Media Player" checkboxes is not selected in Fixmo Sentinel, or if the file system is accessible via a USB connection when the device is locked, or if the user can select the "USB debugging" checkbox within Samsung Knox, this is a finding.
Fix Text (F-KNOX-04-001300_fix)
Configure the operating system to require authentication of tethered connections.

For example, on the Fixmo Sentinel Administration Console, check the "Disable USB Debugging", "Disable Vendor USB Protocol", and "Disable USB Media Player" checkboxes in the "Android Knox Base Restrictions" rule.