STIGQter STIGQter: STIG Summary: Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Apr 2020:

Samsung Android must be configured to not allow backup of [all applications, configuration data] to remote systems.

DISA Rule

SV-102997r1_rule

Vulnerability Number

V-92909

Group Title

PP-MDF-301230

Rule Version

KNOX-09-000860

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Samsung Android to disable backup to remote systems (including commercial clouds).

Refer to the guidance in KNOX-09-000050 for Method #1 and #2 for configuring the "application disable list".

On the MDM console, for the device, do the following:
1. In the "Android device owner" group, unselect "enable backup service".
2. In the "Knox restrictions" group, unselect "allow google accounts auto sync".
3. Add all preinstalled public cloud backup system apps to the system application disable list if not already configured.

Note: The guidance for disablement of system apps that have the characteristic "back up MD data to non-DoD cloud servers (including user and application access to cloud backup services)" is covered by KNOX-09-000100.

Check Contents

Review device configuration settings to confirm that backup to a remote system has been disabled.

This procedure is performed on the MDM Administration console and the Samsung device.

Refer to the procedure in KNOX-09-000050 for Method #1 and #2 for verifying the "application disable list".

On the MDM console, for the device, do the following:
1. In the "Android device owner", verify that "enable backup service" is not selected.
2. In the "Knox restrictions" group, verify that "allow google accounts auto sync" is not selected.
3. Verify that the system application disable list contains all preinstalled cloud backup system apps.

On the Samsung Android device:
1. Open Settings.
2. Tap "Accounts and backup".
3. Tap "Backup and restore".
4. Verify that "Backup service not available" is listed.
5. Tap back and tap "Accounts".
6. Tap a listed Google account.
7. Tap "Sync account" and verify that all sync options are disabled and cannot be enabled.
8. Review the apps on the "Personal" App screen and confirm that none of the cloud backup system apps are present.

If on the MDM console "enable backup service" is selected or "allow google accounts auto sync" is selected, or on the Samsung Android device "Backup service not available" is not listed, "sync options" are enabled for a Google Account, or a "cloud backup" system app is present on the "Personal" App screen, this is a finding.

Vulnerability Number

V-92909

Documentable

False

Rule Version

KNOX-09-000860

Severity Override Guidance

Review device configuration settings to confirm that backup to a remote system has been disabled.

This procedure is performed on the MDM Administration console and the Samsung device.

Refer to the procedure in KNOX-09-000050 for Method #1 and #2 for verifying the "application disable list".

On the MDM console, for the device, do the following:
1. In the "Android device owner", verify that "enable backup service" is not selected.
2. In the "Knox restrictions" group, verify that "allow google accounts auto sync" is not selected.
3. Verify that the system application disable list contains all preinstalled cloud backup system apps.

On the Samsung Android device:
1. Open Settings.
2. Tap "Accounts and backup".
3. Tap "Backup and restore".
4. Verify that "Backup service not available" is listed.
5. Tap back and tap "Accounts".
6. Tap a listed Google account.
7. Tap "Sync account" and verify that all sync options are disabled and cannot be enabled.
8. Review the apps on the "Personal" App screen and confirm that none of the cloud backup system apps are present.

If on the MDM console "enable backup service" is selected or "allow google accounts auto sync" is selected, or on the Samsung Android device "Backup service not available" is not listed, "sync options" are enabled for a Google Account, or a "cloud backup" system app is present on the "Personal" App screen, this is a finding.

Check Content Reference

M

Target Key

3495

Comments