STIGQter: STIG Summary: Samsung Android 11 with Knox 3.x AE Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 20 Nov 2020

Samsung Android Work Environment must be configured to enable Certificate Revocation checking.

DISA Rule

SV-231009r607691_rule

Vulnerability Number

V-231009

Group Title

PP-MDF-991000

Rule Version

KNOX-11-022500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android Work Environment to enable Certificate Revocation checking by either of the following methods:

Method #1: CRL Checking

On the management tool, in the Work profile certificate section, set "Revocation check" to "enable for all apps".

****

Method #2: OCSP with CRL Fallback

On the management tool:
1. In the Work profile certificate section, set "Revocation check" to "enable for all apps".
2. In the Work profile restrictions section, set "OCSP check" to "enable for all apps".

****

Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".

Check Contents

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on the management tool Administration Console only.

****

Validation Procedure for Method #1: CRL Checking

On the management tool, in the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding.

****

Validation Procedure for Method #2: OCSP with CRL Fallback

On the management tool:
1. In the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile restrictions section, verify that "OCSP check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.

Documentable

False

Severity Override Guidance

Confirm if Method #1 or #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on the management tool Administration Console only.

****

Validation Procedure for Method #1: CRL Checking

On the management tool, in the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps", this is a finding.

****

Validation Procedure for Method #2: OCSP with CRL Fallback

On the management tool:
1. In the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile restrictions section, verify that "OCSP check" is set to "enable for all apps".

If on the management tool "Revocation check" is not set to "enable for all apps" or if "OCSP check" is not set to "enable for all apps", this is a finding.

Check Content Reference

M

Target Key

5247

Comments