KNOX-07-901500 - The Samsung must be configured to enforce a Container application install policy by specifying an application whitelist.

Information

The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application - any application integrated into the operating system (OS) by the OS or mobile device (MD) vendors. Pre-installed application - additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.

Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.

The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.

SFR ID: FMT_SMF_EXT.1.1 #8b

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the Samsung Android 7 with Knox to whitelist application installations into the container based on one of the following characteristics:
- Digital signature
- Package Name

Both whitelists apply to user installable applications only, and do not control user access/execution of core and preinstalled applications. To restrict user access/execution to core and pre-installed applications, the MDM administrator must configure the "application disable list".

It is important to note that if the MDM administrator has not blacklisted an application characteristic (package name, digital signature) then it is implicitly whitelisted, as whitelists are exceptions to blacklists. If an application characteristic appears in both the blacklist and whitelist, the white list (as the exception to the blacklist) takes priority, and the User will be able to install the application. Therefore, the MDM administrator must configure the blacklists to include all package names or digital signatures for whitelisting to behave as intended.

On the MDM console, do one of the following:
1. Add each AO-approved package name to the "Package Name Whitelist" in the "Android Knox Container >> Container Applications" rule.
OR
2. Add each AO-approved digital signature to the "Signature Whitelist" in the "Android Knox Container >> Container Applications" rule.

Note: Either list may be empty if the Authorizing Official (AO) has not approved any app.

Note: Refer to the Supplemental document for additional information.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Samsung_Android_OS_7_with_Knox_2-x_V1R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., 800-53|CM-11b., CAT|II, CCI|CCI-000366, CCI|CCI-001806, Rule-ID|SV-91331r1_rule, STIG-ID|KNOX-07-901500, Vuln-ID|V-76635

Plugin: MDM

Control ID: 901189c108c26d63f37997f8807719dffeeb4e93ee263ca3a4299daa56cab060