Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-66995 | TANS-CN-000001 | SV-81485r1_rule | | High |
Description |
---|
The Tanium Console, by default, can cache console users' credentials for convenience so that operators are not required to re-enter their passwords when logging back into the console. When this feature is enabled, there is a risk of access by individuals other than the original console user. Depending upon the original console user's privileges, such access could result in irreversible or malicious manipulation of the Tanium configuration. Although this option has no impact when CAC is enabled, the feature should be explicitly disabled in case CAC authentication is ever broken or removed. |
STIG | Date |
---|---|
Tanium 6.5 Security Technical Implementation Guide | 2016-09-29 |
Check Text (C-67631r1_chk) |
---|
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "console_prohibitSavedLogin". Press Enter. If no results are returned, this is a finding. If results are returned for "console_prohibitSavedLogin", but the value is not "1", this is a finding. |
Fix Text (F-73095r1_fix) |
---|
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In the "Create New Setting" dialog box, enter "console_prohibitSavedLogin" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from the "Value Type" drop-down list. Select "Server" from the "Affects" drop-down list. Click Save. |