STIGQter STIGQter: STIG Summary: Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 24 Jul 2020:

Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.

DISA Rule

SV-104025r2_rule

Vulnerability Number

V-93939

Group Title

PP-MDF-301030

Rule Version

KNOX-09-001445

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to enforce a screen-lock policy that will lock the display after a period of inactivity with a lock type that is configured with a minimum password quality.

On the MDM console, for the device, in the "Android password constraints" group, set "minimum password quality" (or password type) to "PIN".

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Contents

Review device configuration settings to confirm that the device uses a screen-lock policy that will lock the display after a period of inactivity and that the lock type is configured with a minimum password quality.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, in the "Android password constraints" group, verify that the "minimum password quality" is "PIN" (see note).

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Verify that "Swipe”, “Pattern”, and “None" cannot be enabled.

If on the MDM console "minimum password quality" is not set to "PIN", or on the Samsung Android device the user can select a screen lock type other than "password", this is a finding.

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Vulnerability Number

V-93939

Documentable

False

Rule Version

KNOX-09-001445

Severity Override Guidance

Review device configuration settings to confirm that the device uses a screen-lock policy that will lock the display after a period of inactivity and that the lock type is configured with a minimum password quality.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, in the "Android password constraints" group, verify that the "minimum password quality" is "PIN" (see note).

On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Verify that "Swipe”, “Pattern”, and “None" cannot be enabled.

If on the MDM console "minimum password quality" is not set to "PIN", or on the Samsung Android device the user can select a screen lock type other than "password", this is a finding.

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Content Reference

M

Target Key

3509

Comments