STIGQter STIGQter: STIG Summary: Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(AE) Deployment Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Apr 2020:

Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.

DISA Rule

SV-103927r2_rule

Vulnerability Number

V-93841

Group Title

PP-MDF-301030

Rule Version

KNOX-09-001440

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to enforce a screen-lock policy that will lock the display after a period of inactivity, with a lock type that is configured with a minimum password quality.

On the MDM console, for the device, in the "Android password constraints" group, set "minimum password quality" (or password type) to "PIN".

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Contents

Review device configuration settings to confirm that the device uses a screen-lock policy that will lock the display after a period of inactivity and that the lock type is configured with a minimum password quality.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, in the "Android password constraints" group, verify that the "minimum password quality" is "PIN" (see note).

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Verify that "Swipe”, :Pattern”, and “None" cannot be enabled.

If on the MDM console "minimum password quality" is not set to "PIN", or on the Samsung Android device the user can select a screen lock type other than "password", this is a finding.

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Vulnerability Number

V-93841

Documentable

False

Rule Version

KNOX-09-001440

Severity Override Guidance

Review device configuration settings to confirm that the device uses a screen-lock policy that will lock the display after a period of inactivity and that the lock type is configured with a minimum password quality.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, in the "Android password constraints" group, verify that the "minimum password quality" is "PIN" (see note).

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Verify that "Swipe”, :Pattern”, and “None" cannot be enabled.

If on the MDM console "minimum password quality" is not set to "PIN", or on the Samsung Android device the user can select a screen lock type other than "password", this is a finding.

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Content Reference

M

Target Key

3507

Comments