Check: KNOX-09-001480
Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment STIG: KNOX-09-001480 (in versions v1 r4 through v1 r1)
Title
Samsung Android must be configured to enforce that Strong Protection is enabled. This requirement is Not Applicable (NA) for devices older than Galaxy S10. (Cat II impact)
Discussion
Strong Protection protects Samsung Android devices that use File Based Encryption (FBE). When Strong Protection is enabled, the default cryptographic keys used to protect the user's apps and data are replaced with keys derived from the user password. This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC mode of operation.
SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Review device configuration settings to confirm that Strong Protection is enabled. This procedure is performed on Samsung Android Galaxy S10 (or newer) devices only. This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.
On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Biometrics and security".
3. Tap "Other security settings".
4. Verify "Strong Protection" is enabled.
If "Strong Protection" is disabled on the Samsung Android device, this is a finding.
Fix Text
Configure Samsung Android to enable Strong Protection. This guidance is only applicable to Galaxy S10 (or newer) devices.
On the Samsung Android device, do the following:
1. Open Settings.
2. Tap "Biometrics and security".
3. Tap "Other security settings".
4. Tap "Strong Protection".
5. Tap to enable.
6. Enter the current password.
Additional Identifiers
Rule ID: SV-217699r388482_rule
Vulnerability ID: V-217699
Group Title: PP-MDF-991000
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |