STIGQter: STIG Summary: Samsung SDS EMM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 11 Sep 2020:

The Samsung SDS EMM must be configured to audit DoD or site-defined auditable events. Note: See VulDiscussion for a list of DoD required auditable events.

DISA Rule

SV-225647r547760_rule

Vulnerability Number

V-225647

Group Title

PP-MDM-411065

Rule Version

SSDS-00-000640

Severity

CAT II

CCI(s)

CCI-000168 - The organization defines the time period for retention of audit records, which is consistent with its records retention policy, to provide support for after-the-fact investigations of security incidents and meet regulatory and organizational information retention requirements.

Weight

Fix Recommendation

Configure the Samsung SDS EMM to implement the required audit events.
- Change in enrollment status
- Failure to apply policies to a mobile device
- Startup and shutdown of the MDM System
- All administrative actions

On the MDM console, do the following to define audit events:
1. Log in to the Admin Console using a web browser.
2. Go to Service Overview >> Log and Event >> Audit Event.
3. Search on "Enrollment" and select each "Console" and "Device" audit event to audit Change in enrollment status.
4. Search on "Policy" and select events "Agent Policy Apply Success on a Device" (Event ID CPLC0029) and "Failed to apply Agent policy on Device" (Event ID CPLC0030) to audit Failure to apply policies to a mobile device.
5. Search on "Start" and select event "Start up EMM Server" (Event ID CACS0001) and search on "shut down" and select event "Shut Down EMM Server" (Event ID CACS0002) to audit startup and shutdown of the MDM System.
6. Select all audit events with the event category of Admin Login, Administrators, Alerts, Dashboard, Device, Devices, Group, Logs, Profiles, and User Management to audit all Administrative actions.

Check Contents

Review the event log to verify the following events are logged:
- Change in enrollment status
- Failure to apply policies to a mobile device
- Startup and shutdown of the MDM System
- All administrative actions

On the MDM console, do the following:
1. Log in to the Admin Console using a web browser.
2. Go to Service Overview >> Log and Event >> Audit Event.
3. Search on "Enrollment" and verify each "Console" and "Device" audit event are selected to audit Change in enrollment status.
4. Search on "Policy" and verify "Agent Policy Apply Success on a Device" (Event ID CPLC0029) and "Failed to apply Agent policy on Device" (Event ID CPLC0030) are selected to audit Failure to apply policies to a mobile device.
5. Search on "Start" and verify "Start up EMM Server" (Event ID CACS0001) is selected. Search on "shut down" and verify "Shut Down EMM Server" (Event ID CACS0002) is selected to audit startup and shutdown of the MDM System.
6. Verify all audit events with the event category of Admin Login, Administrators, Alerts, Dashboard, Device, Devices, Group, Logs, Profiles, and User Management are selected to audit all Administrative actions.

If the following required audit events have not been selected, this is a finding.
- Change in enrollment status
- Failure to apply policies to a mobile device
- Startup and shutdown of the MDM System
- All administrative actions

Vulnerability Number

V-225647

Documentable

False

Rule Version

SSDS-00-000640

Severity Override Guidance

Check Content Reference

Target Key

4216

The Samsung SDS EMM must be configured to audit DoD or site-defined auditable events. Note: See VulDiscussion for a list of DoD required auditable events.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments