STIGQter STIGQter: STIG Summary: Samsung Android OS 7 with Knox 2.x Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 25 Oct 2019: The Samsung Android 7 with Knox must implement the management setting: Configure minimum Container password complexity.

DISA Rule

SV-91355r2_rule

Vulnerability Number

V-76659

Group Title

PP-MDF-991000

Rule Version

KNOX-07-914500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Samsung Android 7 with Knox to enforce minimum Container password complexity.

On the MDM console, set the "Minimum Password Complexity" value to "PIN" in the "Android Knox Container >> Container Password Restrictions" rule.

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Contents

Not Applicable for the COBO use case.

Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing minimum Container password complexity.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Knox Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is PIN. (see Note)

On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Select "Lock type".
4. Enter current password.
5. Verify "Pattern" are grayed out and cannot be selected.

If the MDM console "Minimum Password Complexity" is not set to "Alphanumeric" or on the Samsung Android 7 with Knox device, the user is able to select "Pattern" from the "Lock Type" setting, this is a finding.

Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Vulnerability Number

V-76659

Documentable

False

Rule Version

KNOX-07-914500

Severity Override Guidance

Not Applicable for the COBO use case.

Review Samsung Android 7 with Knox configuration settings to determine if the mobile device is enforcing minimum Container password complexity.

This validation procedure is performed on both the MDM Administration Console and the Samsung Android 7 with Knox device.

On the MDM console, do the following:
1. Ask the MDM administrator to display the "Minimum Password Complexity" setting in the "Android Knox Container >> Container Password Restrictions" rule.
2. Verify the value of the setting is PIN. (see Note)

On the Samsung Android 7 with Knox device, do the following:
1. Open the Knox Container.
2. Select "Knox Settings".
3. Select "Lock type".
4. Enter current password.
5. Verify "Pattern" are grayed out and cannot be selected.

If the MDM console "Minimum Password Complexity" is not set to "Alphanumeric" or on the Samsung Android 7 with Knox device, the user is able to select "Pattern" from the "Lock Type" setting, this is a finding.

Note: This configuration setting will allow users to implement fingerprint unlock for the container, which is approved for use. However, this approval does not extend to fingerprint unlock for the Samsung device or any other DoD mobile device.

Note: Some MDM consoles may display “Numeric” and “Numeric-Complex” instead of “PIN”. Either selection is acceptable but “Numeric-Complex” is recommended. Alphabetic, Alphanumeric, and Complex are also acceptable selections but these selections will cause the user to select a complex password, which is not required by the STIG.

Check Content Reference

M

Target Key

3253

Comments