Samsung Android OS 13 with Knox 3.x COBO STIG Version Comparison
Samsung Android OS 13 with Knox 3.x COBO Security Technical Implementation Guide
Comparison
There are 2 differences between versions v1 r1 (Nov. 9, 2022) (the "left" version) and v1 r2 (Jan. 26, 2023) (the "right" version).
Check KNOX-13-110130 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.
Check Content
Review the configuration to determine if the Samsung Android devices are either enabling data-at-rest data at rest protection for removable media, or are disabling their use. This requirement is not applicable for devices that do not support removable storage media. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify that "Mount physical media" is set to "Disallow". On the Samsung Android device, verify that a microSD card cannot be mounted. The device should ignore the inserted SD card and no notifications for the transfer of media files should appear, nor should any files be listed using a file browser, such as Samsung My Files. If on the management tool "Mount physical media" is not set to "Disallow", or on the Samsung Android device a microSD card can be mounted, this is a finding. If the deployment requires the use of micro SD cards, follow this alternative procedure: On the management tool, in the device restrictions, verify "Enforce external storage encryption" is set to "Enable". On the Samsung Android device, do the following: 1. Insert a freshly formatted microSD card. 2. Verify that a prompt appears to encrypt the microSD card. 3. Perform the encryption. 4. Remove and reinsert the microSD card and verify that a notification appears stating that the mounted microSD card is encrypted. If on the management tool "External storage encryption" is not set to "Enable", or on the Samsung Android device a microSD card can be used without first being encrypted, this is a finding. finding
Discussion
The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #20, #47d
Fix
Configure the Samsung Android devices to enable data-at-rest data at rest protection for removable media, or alternatively, disable their use. This requirement is not applicable for devices that do not support removable storage media. On the management tool, in the device restrictions, set "Mount physical media" to "Disallow". This disables the use of all removable storage, e.g., micro SD cards, USB thumb drives, etc. If the deployment requires the use of micro SD cards, KPE can be used to allow its usage in a STIG-approved configuration. In this case, do not configure this the policy, policy above, and instead: On instead replace with KPE policy (innately by the management tool tool, or via KSP) in the device restrictions, set "Enforce external storage encryption" to with value "enable".