STIGQter: STIG Summary: Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Mar 2020:

Samsung Android must be configured to require the user to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup.

DISA Rule

SV-109101r1_rule

Vulnerability Number

V-99997

Group Title

PP-MDF-991000

Rule Version

KNOX-10-012700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to require the user to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup.

Do one of the following, depending on which storage encryption scheme the device implements:
- Method #1: For Samsung Android devices that implement full-disk encryption (FDE): enable "Secure Startup".
- Method #2: For Samsung Android devices that implement file-based encryption (FBE): enable "Strong Protection".

****

Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup".

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings.
2. Tap "Secure Startup".
3. Tap option "Require password when device powers on".
4. Tap "Apply".
5. Enter current password.

****

Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection".

Strong Protection is enabled by default.

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings.
2. Tap "Strong Protection".
3. Tap to enable.
4. Enter current password.

Check Contents

Review Samsung Android device configuration settings to determine if the user is required to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup.

Confirm if Method #1 or #2 is used for the Samsung Android device and follow the appropriate procedure.

This procedure is performed on the Samsung Android device only.

This setting cannot be managed by the management tool Administrator and is a User Based Enforcement (UBE) requirement: the device user must set it on the handset.
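The check above hinges on knowing whether a handset uses FDE or FBE before walking its Settings menus. The following is an added example (not part of the STIG or of STIGQter) that routes a reviewer to the right method by reading the device's standard Android encryption properties, ro.crypto.type ("block" for FDE, "file" for FBE) and ro.crypto.state ("encrypted" or "unencrypted"), which getprop exposes over adb without root. It assumes adb is installed and the device is authorised for debugging; the sample getprop dump is constructed, not captured from a real device. Secure Startup and Strong Protection themselves remain user-set and must still be verified on the device as the procedure describes.

```shell
#!/bin/sh
# Added example, not from the STIG or STIGQter: pick the KNOX-10-012700 check
# method from a device's ro.crypto.* properties.

# Read a `getprop` dump on stdin and print exactly one token:
#   METHOD1      FDE device (ro.crypto.type=block): verify Secure Startup
#   METHOD2      FBE device (ro.crypto.type=file):  verify Strong Protection
#   UNENCRYPTED  ro.crypto.state is not "encrypted"; neither method applies
#   UNKNOWN      encrypted, but ro.crypto.type missing or unrecognised
classify_crypto() {
  crypto_type=""
  crypto_state=""
  cr=$(printf '\r')
  while IFS= read -r line; do
    line=${line%"$cr"}            # adb shell output is usually CRLF-terminated
    case "$line" in
      "[ro.crypto.type]: ["*)
        crypto_type=${line#*": ["}; crypto_type=${crypto_type%]} ;;
      "[ro.crypto.state]: ["*)
        crypto_state=${line#*": ["}; crypto_state=${crypto_state%]} ;;
    esac
  done
  if [ "$crypto_state" != "encrypted" ]; then
    echo "UNENCRYPTED"
    return 0
  fi
  case "$crypto_type" in
    block) echo "METHOD1" ;;
    file)  echo "METHOD2" ;;
    *)     echo "UNKNOWN" ;;
  esac
}

# Live use against a connected handset: classify_device <adb serial>
# (assumes adb is on PATH and the device is authorised for USB debugging).
classify_device() {
  adb -s "$1" shell getprop | classify_crypto
}

# Constructed sample dump (not captured from a real device) for offline use.
SAMPLE_FBE_DUMP='[ro.build.version.release]: [10]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_FBE_DUMP" | classify_crypto
fi
```

Run it with `--demo` to classify the constructed sample, or call `classify_device <serial>` from a shell that has sourced the file. The token only tells the reviewer which procedure to perform; it does not replace the on-device verification of Secure Startup or Strong Protection.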

****

Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup".

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> Secure Startup.
2. Verify that "Require password when device powers on" is already selected and that "Do not require" is not selected.

If on the Samsung Android device "Do not require" is selected, this is a finding.

****

Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection".

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings.
2. Verify that "Strong Protection" is enabled.

If on the Samsung Android device "Strong Protection" is not enabled, this is a finding.

Vulnerability Number

V-99997

Documentable

False

Rule Version

KNOX-10-012700

Severity Override Guidance

Review Samsung Android device configuration settings to determine if the user is required to present the Password Authentication Factor prior to decryption of protected data, encrypted DEKs, KEKs, and [selection: long-term trusted channel key material, all software-based key storage, no other keys] at startup.

Confirm if Method #1 or #2 is used for the Samsung Android device and follow the appropriate procedure.

This procedure is performed on the Samsung Android device only.

This setting cannot be managed by the management tool Administrator and is a User Based Enforcement (UBE) requirement: the device user must set it on the handset.

****

Method #1: For Samsung Android devices that implement FDE: enable "Secure Startup".

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings >> Secure Startup.
2. Verify that "Require password when device powers on" is already selected and that "Do not require" is not selected.

If on the Samsung Android device "Do not require" is selected, this is a finding.

****

Method #2: For Samsung Android devices that implement FBE: enable "Strong Protection".

On the Samsung Android device, do the following:
1. Open Settings >> Biometrics and security >> Other security settings.
2. Verify that "Strong Protection" is enabled.

If on the Samsung Android device "Strong Protection" is not enabled, this is a finding.

Check Content Reference

M

Target Key

3613

Comments