STIGQter: STIG Summary: Samsung Android OS 10 with Knox 3.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Mar 2020:

Samsung Android Work Environment must be configured to disable exceptions to the access control policy that prevents application processes, groups of application processes from accessing all, private data stored by other application processes, groups of application processes. - Disable Move files to personal

DISA Rule

SV-109057r1_rule

Vulnerability Number

V-99953

Group Title

PP-MDF-301260

Rule Version

KNOX-10-004600

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002191 - The organization defines the information flow control policies to be enforced by the information system using protected processing domains.

Weight

10

Fix Recommendation

Configure Samsung Android Work Environment to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes.

This guidance is for disabling the moving of files to the Personal Environment and is applicable to COPE only.

The configuration of "Move files to personal" is the default required configuration. No configuration is required.

On the management tool, in the device restrictions section, set "Move files to personal" to "Disallow".

Note: "Move files to workspace" may be configured if there is a DoD mission need for this feature.

Check Contents

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.

This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable only to COPE only.

This procedure is performed on the management tool Administration console only.

This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed.

On the management tool, in the Work Environment KPE RCP section, verify "Move files to personal" is set to "Disallow".

If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding.

If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.

Vulnerability Number

V-99953

Documentable

False

Rule Version

KNOX-10-004600

Severity Override Guidance

Review Samsung Android Work Environment configuration settings to determine if the access control policy prevents groups of application processes from accessing all data stored by other groups of application processes.

This procedure is for verifying that the moving of files to the Personal Environment is disabled and is applicable only to COPE only.

This procedure is performed on the management tool Administration console only.

This configuration is the default configuration. If the management tool does not provide the capability to configure "Move files to personal", there is NO finding because the default setting cannot be changed.

On the management tool, in the Work Environment KPE RCP section, verify "Move files to personal" is set to "Disallow".

If the management tool provides the capability to configure the "Move files to personal" policy and it is not set to "Disallow", this is a finding.

If the management tool does not provide the capability to configure the policy, this requirement is inherently met and there is NO finding.

Check Content Reference

M

Target Key

3613

Comments