STIGQter STIGQter: STIG Summary: Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Mar 2020:

Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternatively, the use of removable storage media must be disabled.

DISA Rule

SV-109037r1_rule

Vulnerability Number

V-99933

Group Title

PP-MDF-301140

Rule Version

KNOX-10-001900

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android to enable data-at-rest protection for removable media, or alternatively, disable the use of removable storage media.

Do one of the following:
- Method #1: Disable SD card (if not using SD card).
- Method #2: Enable data-at-rest protection.

****

Method #1: Disable SD card (if not using SD card).

On the management tool, in the device restrictions section, set "SD Card" to "Disable".

****

Method #2: Enable data-at-rest protection.

On the management tool, in the device KPE encryption section, set "External storage encryption" to "Enable".

Check Contents

If the mobile device does not support removable media, this requirement is not applicable.

Review Samsung Android configuration settings to determine if data in the mobile device is removable storage media is encrypted, or alternatively, the use of removable storage media is disabled.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

****

Method #1: Disable SD card (if not using SD card).

On the management tool, in the device restrictions section, verify that "SD Card" is set to "Disable".

On the Samsung Android device, verify that a Micro SD card cannot be mounted.

If on the management tool "SD Card" is not set to "Disable", or on the Samsung Android device a microSD card can be mounted, this is a finding.

****

Method #2: Enable data-at-rest protection.

On the management tool, in the device KPE encryption section, verify that "External storage encryption" is set to "Enable".

On the Samsung Android device, do the following:
1. Insert a freshly formatted microSD card.
2. Verify that a prompt appears to encrypt the microSD card.
3. Perform the encryption.
4. Remove and reinsert the microSD card and verify that a notification appears stating that the mounted microSD card is encrypted.

If on the management tool "External storage encryption" is not set to "Enable", or on the Samsung Android device a microSD card can be used without first being encrypted, this is a finding.

Vulnerability Number

V-99933

Documentable

False

Rule Version

KNOX-10-001900

Severity Override Guidance

If the mobile device does not support removable media, this requirement is not applicable.

Review Samsung Android configuration settings to determine if data in the mobile device is removable storage media is encrypted, or alternatively, the use of removable storage media is disabled.

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

****

Method #1: Disable SD card (if not using SD card).

On the management tool, in the device restrictions section, verify that "SD Card" is set to "Disable".

On the Samsung Android device, verify that a Micro SD card cannot be mounted.

If on the management tool "SD Card" is not set to "Disable", or on the Samsung Android device a microSD card can be mounted, this is a finding.

****

Method #2: Enable data-at-rest protection.

On the management tool, in the device KPE encryption section, verify that "External storage encryption" is set to "Enable".

On the Samsung Android device, do the following:
1. Insert a freshly formatted microSD card.
2. Verify that a prompt appears to encrypt the microSD card.
3. Perform the encryption.
4. Remove and reinsert the microSD card and verify that a notification appears stating that the mounted microSD card is encrypted.

If on the management tool "External storage encryption" is not set to "Enable", or on the Samsung Android device a microSD card can be used without first being encrypted, this is a finding.

Check Content Reference

M

Target Key

3613

Comments