STIGQter STIGQter: STIG Summary: Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment Security Technical Implementation Guide

Version: 1

Release: 2 Benchmark Date: 25 Oct 2019

CheckedNameTitle
SV-102945r1_ruleSamsung Android must be configured to prevent users from adding personal email accounts to the work email app.
SV-102947r1_ruleSamsung Android must be configured to enforce the system application disable list.
SV-102949r1_ruleSamsung Android must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by the following characteristics: list of digital signatures, list of package names.
SV-102951r1_ruleThe Samsung Android whitelist must be configured to not include applications with the following characteristics: - back up mobile device data to non-DoD cloud servers (including user and application access to cloud backup services); - transmit mobile device diagnostic data to non-DoD servers; - voice assistant application if available when the mobile device is locked; - voice dialing application if available when the mobile device is locked; - allows synchronization of data or applications between devices associated with the user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other mobile devices or printers.
SV-102953r1_ruleSamsung Android must be configured to enforce an application installation policy by specifying one or more authorized application repositories, including [DoD-approved commercial app repository, MDM server, mobile application store]: - disallow unknown app installation sources.
SV-102955r1_ruleSamsung Android must be configured to enable the Knox audit log.
SV-102957r1_ruleSamsung Android must be configured to not display the following notifications when the device is locked: all notifications.
SV-102959r1_ruleSamsung Android device users must complete required training.
SV-102961r1_ruleAny accessory that provides wired networking capabilities to a Samsung Android device must not be connected to a DoD network (for example: DeX Station [LAN port], USB to Ethernet adapter, etc.).
SV-102963r1_ruleSamsung Android must be configured to enforce a minimum password length of six characters.
SV-102965r1_ruleSamsung Android must be configured to not allow passwords that include more than two repeating or sequential characters.
SV-102967r1_ruleSamsung Android must be configured to lock the display after 15 minutes (or less) of inactivity.
SV-102969r1_ruleSamsung Android must be configured to not allow more than 10 consecutive failed authentication attempts.
SV-102971r1_ruleSamsung Android must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the products Common Criteria evaluation.
SV-102973r1_ruleSamsung Android must be configured to disable Face Recognition. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the products Common Criteria evaluation.
SV-102975r1_ruleSamsung Android must be configured to disable automatic completion of Samsung Internet browser text input.
SV-102977r1_ruleSamsung Android must be configured to disable the autofill services.
SV-102979r1_ruleSamsung Android must be configured to disable all Bluetooth profiles except HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).
SV-102981r1_ruleSamsung Android must be configured to disable USB mass storage mode.
SV-102983r1_ruleSamsung Android must be configured to enable Knox Common Criteria (CC) Mode.
SV-102985r1_ruleSamsung Android must be configured to disallow configuration of date and time.
SV-102987r1_ruleSamsung Android must be configured to enforce a USB host mode exception list. Note: This configuration allows DeX mode (with input devices), which is DoD-approved for use.
SV-102989r1_ruleSamsung Android must be configured to disallow the Share Via List feature.
SV-102991r1_ruleSamsung Android must be configured to disallow outgoing beam.
SV-102993r1_ruleSamsung Android must be configured to enforce that Wi-Fi Sharing is disabled.
SV-102995r1_ruleSamsung Android must be configured to not allow backup of [all applications, configuration data] to locally connected systems.
SV-102997r1_ruleSamsung Android must be configured to not allow backup of [all applications, configuration data] to remote systems.
SV-102999r1_ruleSamsung Android must be configured to disable developer modes.
SV-103001r1_ruleSamsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.
SV-103003r1_ruleSamsung Android must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.
SV-103005r1_ruleSamsung Android must be configured to enable Certificate Revocation List (CRL) status checking.
SV-103007r1_ruleSamsung Android must have the DoD root and intermediate PKI certificates installed.
SV-103009r1_ruleSamsung Android must be configured to display the DoD advisory warning message at startup or each time the user unlocks the device.
SV-103011r1_ruleSamsung Android devices must have the latest available Samsung Android operating system installed.
SV-103013r1_ruleSamsung Android must be configured to enable the Online Certificate Status Protocol (OCSP).
SV-103015r1_ruleSamsung Android must be configured to not enable Microsoft Exchange ActiveSync (EAS) password recovery. This requirement is not applicable if not using Microsoft EAS.
SV-103017r1_ruleSamsung Android must be configured to set the password history with a length of 0.
SV-103019r1_ruleSamsung Android must be configured to enforce that Secure Startup is enabled. This requirement is Not Applicable (NA) to Galaxy S10 (or newer) devices.
SV-103021r2_ruleSamsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity.
SV-103023r1_ruleSamsung Android must be configured to enforce that Strong Protection is enabled. This requirement is Not Applicable (NA) for devices older than Galaxy S10.