Check: KNOX-09-001340
Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment STIG:
KNOX-09-001340
(in versions v1 r4 through v1 r1)
Title
Samsung Android must be configured to enable the Online Certificate Status Protocol (OCSP). (Cat II impact)
Discussion
OCSP is a protocol for obtaining the revocation status of a certificate. It addresses problems associated with using Certificate Revocation Lists (CRLs). When OCSP is enabled, it is used prior to CRL checking. If OCSP could not get a decisive response about a certificate, it will then try to use CRL checking. The OCSP response server must be listed in the certificate information under Authority Info Access. This feature must be enabled for a Samsung Android device to be in the NIAP-certified Common Criteria (CC) mode of operation. SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Review device configuration settings to confirm that OCSP checking is enabled for all apps. This procedure is performed on the MDM Administration console only. On the MDM console, for the device, in the "Knox certificate" group, verify that "OCSP check" is configured to "enable for all apps". If on the MDM console "OCSP check" is not configured to "enable for all apps", this is a finding.
Fix Text
Configure Samsung Android to enable OCSP checking for all apps. On the MDM, for the device, in the "Knox certificate" group, configure "OCSP check" to "enable for all apps". Refer to the MDM documentation to determine how to configure OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*" (asterisk).
Additional Identifiers
Rule ID: SV-217694r388482_rule
Vulnerability ID: V-217694
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |