An error occurred:

Check: KNOX-11-000600

Samsung Android 11 with Knox 3.x Legacy STIG: KNOX-11-000600 (in versions v1 r2 through v1 r1)

Title

Samsung Android must be configured to lock the display after 15 minutes (or less) of inactivity. (Cat II impact)

Discussion

The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. Satisfies: PP-MDF-301030, PP-MDF-301040 SFR ID: FMT_SMF_EXT.1.1 #2a, FMT_SMF_EXT.1.1 #2b

Check Content

Review Samsung Android configuration settings to determine if the mobile device has the screen lock timeout set to 15 minutes or less. This validation procedure is performed on both the management tool Administration Console and the Samsung Android device. On the management tool: 1. Open the device password policies. 2. Verify "minimum password quality" is set to "Numeric" (or better). 3. Verify the "max time to screen lock" is set to "15 minutes" or less. On the Samsung Android device: 1. Open Settings >> Lock screen. 2. Verify "Secure lock settings" is present and tap it. 3. Enter current password. 4. Tap "Lock automatically". 5. Verify the listed timeout values are 15 minutes or less. If on the management tool the "minimum password quality" is not set to "Numeric" (or better) and "max time to screen lock" is not set to "15 minutes" or less, or on the Samsung Android device "Secure lock settings" is not present and the listed Screen timeout values include durations of more than 15 minutes, this is a finding.

Fix Text

Configure Samsung Android to lock the device display after 15 minutes (or less) of inactivity. On the management tool: 1. Open the device password policies. 2. Set "minimum password quality" to "Numeric" (or better). 3. Set the "max time to screen lock" to "15 minutes" or less.

Additional Identifiers

Rule ID: SV-231015r958402_rule

Vulnerability ID: V-231015

Group Title: PP-MDF-301030

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000057

Prevent further access to the system by initiating a device lock after organization-defined time period of inactivity; and/or requiring the user to initiate a device lock before leaving the system unattended.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-11

Session Lock