The mobile operating system must enforce a maximum lifetime of 120 days for the device unlock password (password age).


Overview

Finding ID: KNOX-02-000800
Version: KNOX-02-000800
Rule ID: KNOX-02-000800_rule
IA Controls: (none listed)
Severity: Low
Description
Changing passcodes regularly prevents an attacker who has compromised the password from re-using it to regain access. This is an unlikely scenario, but is addressed by setting a password expiration. The IA control only needs to be enforced in product level STIGs if there is a need for such rotation based on the expected operational use of the device.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text (C-KNOX-02-000800_chk)
If the local command determines that there is not a need for password rotation based on the expected operational use of the device, this requirement does not apply.

This check procedure is performed using an MDM tool.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the configured value for "Exp Timeout" in the "Android Honeycomb Password Restrictions" rule.
2. Verify the value is set to 120 or less.

If the "Exp Timeout" value is not set to 120 days or less, this is a finding.
Fix Text (F-KNOX-02-000800_fix)
Configure the mobile operating system to have a maximum lifetime of 120 days for the device unlock password.

For example, on the Fixmo Sentinel Administration Console, set the "Exp Timeout" value to 120 or less in the "Android Honeycomb Password Restrictions" rule.