Check: KNOX-09-000505
Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment STIG:
KNOX-09-000505
(in versions v1 r5 through v1 r1)
Title
Samsung Android must be configured to disable Face Recognition. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation. (Cat II impact)
Discussion
The Face Recognition feature allows a user's face to be registered and used to unlock the device. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements.

SFR ID: FMT_SMF_EXT.1.1 #23, FIA_UAU.5.1
Check Content
Review device configuration settings to confirm that Face Recognition is disabled.

This procedure is performed on both the MDM Administration console and the Samsung Android device.

On the MDM console, for the device, in the "Knox password constraints" group, verify that "disable face" is selected.

On the Samsung Android device, do the following:

1. Open Settings.
2. Tap "Lock screen".
3. Tap "Screen lock type".
4. Enter current password.
5. Verify that "Face" is disabled and cannot be enabled.

If on the MDM console "disable face" is not selected, or on the Samsung Android device "Face" can be enabled, this is a finding.
Fix Text
Configure Samsung Android to disable Face Recognition. On the MDM console, for the device, in the "Knox password constraints" group, select "disable face".
Additional Identifiers
Rule ID: SV-217812r617455_rule
Vulnerability ID: V-217812
Group Title: PP-MDF-301150
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
CCI-000370 | The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |
CCI-000381 | The organization configures the information system to provide only essential capabilities. |