Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide


Overview

Date: 2019-10-01
Finding Count (71): CAT I (High): 3, CAT II (Med): 56, CAT III (Low): 12
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-76545 High The Samsung Android 7 with Knox must be configured to enable encryption for information at rest on removable storage media or alternately, the use of removable storage media must be disabled.
V-76571 High The Samsung Android 7 with Knox must implement the management setting: Enable CC mode.
V-76625 High The Samsung Android 7 with Knox must use a NIAP certified container for work data and applications.
V-76623 Medium The Samsung Android 7 with Knox must implement the management setting: Enable Audit Log.
V-76619 Medium The Samsung Android 7 with Knox must implement the management setting: Configure application disable list.
V-76589 Medium The Samsung Android 7 with Knox must implement the management setting: Enable Certificate Revocation Status (CRL) Check.
V-76649 Medium The Samsung Android 7 with Knox must implement the management setting: Configure Container application install blacklist.
V-76607 Medium The Samsung Android 7 with Knox must be configured to disable Phone Visibility.
V-76645 Medium The Samsung Android 7 with Knox must be configured to disable sharing of contact information outside the Container.
V-76583 Medium The Samsung Android 7 with Knox must implement the management setting: Disable S Voice.
V-76647 Medium The Samsung Android 7 with Knox must implement the management setting: Disable sharing of notification details outside the Container when the container is locked.
V-76581 Medium The Samsung Android 7 with Knox must implement the management setting: Disable USB host storage.
V-76641 Medium The Samsung Android 7 with Knox must implement the management setting: Disable sharing of calendar information outside the Container.
V-76587 Medium The Samsung Android 7 with Knox must implement the management setting: Disable Admin Remove.
V-76585 Medium The Samsung Android 7 with Knox must be configured to implement the management setting: Enable Container.
V-76609 Medium The Samsung Android 7 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor. Disable Face Recognition.
V-76629 Medium The Samsung Android 7 with Knox platform must implement the management setting Disable Nearby devices.
V-76529 Medium The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Back up MD data to non-DoD cloud servers (including user and application access to cloud backup services).
V-76601 Medium The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only 3. Configured for per app use for the personal side
V-76603 Medium The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only. 3. Configured for per app use for the personal side.
V-76605 Medium If a third-party VPN client is installed in the personal space/container, it must not be configured with a DoD network (work) VPN profile.
V-76575 Medium The Samsung Android 7 with Knox must implement the management setting: Disable Allow New Admin Install.
V-76621 Medium The Samsung Android 7 with Knox must implement the management setting: Configure minimum password complexity.
V-76561 Medium The Samsung Android 7 with Knox must be configured to enable authentication of personal hotspot connections to the device using a preshared key.
V-76553 Medium The Samsung Android 7 with Knox must be configured to disable USB mass storage mode.
V-76549 Medium The Samsung Android 7 with Knox must be configured to disable developer modes.
V-76547 Medium The Samsung Android 7 with Knox must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor and fingerprint authentication. Disable Trust Agents.
V-76569 Medium The Samsung Android 7 with Knox must be configured to disable multi-user modes.
V-76557 Medium The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Deselect Allow Google Backup.
V-76533 Medium The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Voice assistant application if available when MD is locked.
V-76555 Medium The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
V-76599 Medium The Samsung Android 7 with Knox VPN client must be configured in one of the following configurations: 1. Disabled 2. Configured for container use only. 3. Configured for per app use for the personal side.
V-76595 Medium The Samsung Android 7 with Knox must implement the management setting: Container Account whitelist.
V-76653 Medium The Samsung Android 7 with Knox must implement the management setting: Configure Container application disable list.
V-76597 Medium The Samsung DeX Station multimedia dock must not be connected directly to a DoD network.
V-76651 Medium The Samsung Android 7 with Knox must implement the management setting: Disable Move Applications to Container.
V-76591 Medium The Samsung Android 7 with Knox must implement the management setting: Disable Manual Date Time Changes.
V-76657 Medium The Samsung Android 7 with Knox must implement the management setting: Container Account blacklist.
V-76593 Medium The Samsung Android 7 with Knox must implement the management setting: Disable Move Files from Container to Personal.
V-76655 Medium The Samsung Android 7 with Knox must implement the management setting: Disable automatic completion of Container browser text input.
V-76523 Medium The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]. Disable Google Play.
V-76639 Medium The Samsung Android 7 with Knox must implement the management setting: Configure to enforce a minimum Container password length of 4 characters.
V-76627 Medium Samsung Android 7 mobile device users must complete required training.
V-76635 Medium The Samsung Android 7 with Knox must be configured to enforce a Container application installation policy by specifying an application whitelist that restricts applications by the following characteristics list of digital signatures, names.
V-76637 Medium The Samsung Android 7 with Knox must be configured to lock the container after 15 minutes (or less) of inactivity.
V-76519 Medium The Samsung Android 7 with Knox must be configured to lock the display after 15 minutes (or less) of inactivity.
V-76631 Medium The Samsung Android 7 with Knox platform must implement the management setting: Disable Samsung WiFi Sharing.
V-76543 Medium The Samsung Android 7 with Knox must be configured to not display the following notifications when the device is locked: All notifications.
V-76577 Medium The Samsung Android 7 with Knox must implement the management setting: Configure application install blacklist.
V-76525 Medium The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [selection: DoD-approved commercial app repository, MDM server, mobile application store]. Disable unknown sources.
V-76539 Medium The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
V-76659 Medium The Samsung Android 7 with Knox must implement the management setting: Configure minimum Container password complexity.
V-76573 Medium The Samsung Android 7 with Knox must implement the management setting: Install DoD root and intermediate PKI certificates on the device.
V-76563 Medium The Samsung Android 7 with Knox must be configured to disable exceptions to the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.
V-76559 Medium The Samsung Android 7 with Knox must be configured to not allow backup of [all applications, configuration data] to remote systems: Disable Allow Google Accounts Auto Sync.
V-76531 Medium The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Transmit MD diagnostic data to non-DoD servers.
V-76527 Medium The Samsung Android 7 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: list of digital signatures, list of package names.
V-76537 Medium The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Allows synchronization of data or applications between devices associated with user.
V-76535 Medium The Samsung Android 7 with Knox whitelist must be configured to not include applications with the following characteristics: - Voice dialing application if available when MD is locked.
V-76643 Low The Samsung Android 7 with Knox must implement the management setting: Configure to prohibit more than 10 consecutive failed Container authentication attempts.
V-76551 Low The Samsung Android 7 with Knox must be configured to display the DoD advisory warning message at start-up or each time the user unlocks the device.
V-76565 Low The Samsung Android 7 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Disable Google Crash Report.
V-76567 Low The Samsung Android 7 with Knox must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Disable Report Diagnostic Info.
V-76541 Low The Samsung Android 7 with Knox must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).
V-76633 Low The Samsung Android 7 with Knox must be configured to not allow Container passwords that include more than two repeating or sequential characters.
V-76617 Low The Samsung Android 7 with Knox must be configured to Add the MDM Client application to the Battery optimizations modes Whitelist.
V-76615 Low The Samsung Android 7 with Knox must be configured to Disable Smart Call.
V-76613 Low The Samsung Android 7 with Knox must be configured to Disable Bixby.
V-76521 Low The Samsung Android 7 with Knox must be configured to not allow more than 10 consecutive failed authentication attempts.
V-76515 Low The Samsung Android 7 with Knox must be configured to enforce a minimum password length of six characters.
V-76517 Low The Samsung Android 7 with Knox must be configured to not allow passwords that include more than two repeating or sequential characters.