STIGQter STIGQter: STIG Summary: Samsung Android OS 9 with Knox 3.x COBO Use Case KPE(Legacy) Deployment Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 24 Jul 2020:

Samsung Android must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by the following characteristics: list of digital signatures, list of package names.

DISA Rule

SV-103045r1_rule

Vulnerability Number

V-92957

Group Title

PP-MDF-301090

Rule Version

KNOX-09-000075

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to enforce an application installation whitelist.

The application installation whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-09-000055.

On the MDM console, for the device, in the "Knox application" group, add each AO-approved package to the application installation whitelist.

Refer to the MDM documentation to determine the following:
- If an application installation blacklist is also required to be configured when enforcing an application installation whitelist.
- If the MDM supports adding packages to the application installation whitelist by package name and/or digital signature or supports a combination of the two.

Note: Refer to the "System Apps That Must Not Be Disabled" table in the Supplemental document for this STIG. These apps must be included in the application installation whitelist to allow updates.

Check Contents

Review device configuration settings to confirm that an application installation whitelist has been configured.

This procedure is performed only on the MDM Administration console.

On the MDM console, for the device, in the "Knox application" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the Authorizing Official (AO).

If the application installation whitelist contains non-AO-approved packages, this is a finding.

Vulnerability Number

V-92957

Documentable

False

Rule Version

KNOX-09-000075

Severity Override Guidance

Review device configuration settings to confirm that an application installation whitelist has been configured.

This procedure is performed only on the MDM Administration console.

On the MDM console, for the device, in the "Knox application" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the Authorizing Official (AO).

If the application installation whitelist contains non-AO-approved packages, this is a finding.

Check Content Reference

M

Target Key

3497

Comments