STIGQter STIGQter: STIG Summary: Samsung Android OS 8 with Knox 3.x COPE Use Case Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019: Samsung Android 8 with Knox must be configured to enforce a CONTAINER application installation policy by specifying an application whitelist that restricts applications by the following characteristics: List of digital signatures, names.

DISA Rule

SV-94981r1_rule

Vulnerability Number

V-80277

Group Title

PP-MDF-301090

Rule Version

KNOX-08-001400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Samsung Android 8 with Knox to whitelist application installations into the CONTAINER based on one of the following characteristics:
- Digital signature
- Package name

Both whitelists apply to user installable applications only and do not control user access/execution of core and pre-installed applications. To restrict user access/execution to core and pre-installed applications, the MDM Administrator must configure the "application disable list".

It is important to note that if the MDM Administrator has not blacklisted an application characteristic (package name, digital signature), it is implicitly whitelisted, as whitelists are exceptions to blacklists. If an application characteristic appears in both the blacklist and whitelist, the whitelist (as the exception to the blacklist) takes priority, and the user will be able to install the application. Therefore, the MDM Administrator must configure the blacklists to include all package names or digital signatures for whitelisting to behave as intended.

On the MDM console, do one of the following:
1. Add each AO-approved package name to the "Package Name Whitelist" in the "Android Knox CONTAINER >> CONTAINER Applications" rule.
2. Add each AO-approved digital signature to the "Signature Whitelist" in the "Android Knox CONTAINER >> CONTAINER Applications" rule.

Note: Either list may be empty if the AO has not approved any app.

Note: Refer to the Supplemental document for additional information.

Note: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the CONTAINER app whitelist so that Google Play services can be updated:

• com.android.vending
• com.google.android.finsky
• com.google.android.gm
• com.google.android.gms
• com.google.android.gsf.login
• com.google.android.setupwizard
• com.google.android.gsf

Check Contents

Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has been configured to whitelist application installations into the CONTAINER based on one of the following characteristics:
- Digital signature
- Package name

Verify all applications listed on the whitelist have been approved by the Authorizing Official (AO).

This validation procedure is performed only on the MDM Administration Console.

On the MDM console, perform Steps 1 and 2 or Steps 3 and 4:
1. Ask the MDM Administrator to display the "Package Name Whitelist" in the "Android Knox CONTAINER >> CONTAINER Applications" rule.
2. Verify the whitelist includes only package names that the AO has approved.
3. Ask the MDM Administrator to display the "Signature Whitelist" in the "Android Knox CONTAINER >> CONTAINER Applications" rule.
4. Verify the whitelist includes only digital signatures the AO has approved.

Note: Either list may be empty if the AO has not approved any app.

Note: Refer to the Supplemental document for additional information.

If the MDM console "Package Name Whitelist" or "Signature Whitelist" contains non-AO-approved entries, this is a finding.

Note: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the CONTAINER app whitelist so that Google Play services can be updated:

• com.android.vending
• com.google.android.finsky
• com.google.android.gm
• com.google.android.gms
• com.google.android.gsf.login
• com.google.android.setupwizard
• com.google.android.gsf

Vulnerability Number

V-80277

Documentable

False

Rule Version

KNOX-08-001400

Severity Override Guidance

Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has been configured to whitelist application installations into the CONTAINER based on one of the following characteristics:
- Digital signature
- Package name

Verify all applications listed on the whitelist have been approved by the Authorizing Official (AO).

This validation procedure is performed only on the MDM Administration Console.

On the MDM console, perform Steps 1 and 2 or Steps 3 and 4:
1. Ask the MDM Administrator to display the "Package Name Whitelist" in the "Android Knox CONTAINER >> CONTAINER Applications" rule.
2. Verify the whitelist includes only package names that the AO has approved.
3. Ask the MDM Administrator to display the "Signature Whitelist" in the "Android Knox CONTAINER >> CONTAINER Applications" rule.
4. Verify the whitelist includes only digital signatures the AO has approved.

Note: Either list may be empty if the AO has not approved any app.

Note: Refer to the Supplemental document for additional information.

If the MDM console "Package Name Whitelist" or "Signature Whitelist" contains non-AO-approved entries, this is a finding.

Note: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the CONTAINER app whitelist so that Google Play services can be updated:

• com.android.vending
• com.google.android.finsky
• com.google.android.gm
• com.google.android.gms
• com.google.android.gsf.login
• com.google.android.setupwizard
• com.google.android.gsf

Check Content Reference

M

Target Key

3367

Comments