An error occurred:

Check: LGA6-20-100701

LG Android 6-x STIG: LGA6-20-100701 (in versions v1 r2 through v1 r1)

Title

LG Android 6.x must enforce an application installation policy by specifying an application whitelist. (Cat II impact)

Discussion

Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #10b

Check Content

This validation procedure is performed on the MDM Administration Console. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Application whitelist configuration (install)" setting. 2. Verify the "Application whitelist configuration (install)" setting is enabled. 3. Verify all applications on the list of white-listed applications have been approved by the Authorizing Official (AO). 4. Verify an application white list policy has been assigned to all groups. Note: This list can be empty if no applications have been approved. If the "Application whitelist configuration (install)" setting is disabled, or if applications listed in the MDM console "Application whitelist configuration (install)" are not approved by the AO, this is a finding.

Fix Text

Configure the mobile operating system to use an application whitelist. On the MDM Administration Console, set "Application whitelist configuration (install)".

Additional Identifiers

Rule ID: SV-81307r2_rule

Vulnerability ID: V-66817

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.
CCI-001806

The organization defines methods to be employed to enforce the software installation policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings
CM-11

User-Installed Software