Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-67015 | TANS-CN-000011 | SV-81505r2_rule | Medium |
Description |
---|
To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: (i) Something you know (e.g., password/PIN); (ii) Something you have (e.g., cryptographic identification device, token); or (iii) Something you are (e.g., biometric). A non-privileged account is any information system account with authorizations of a non-privileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. Applications integrating with the DoD Active Directory and utilize the DoD CAC are examples of compliant multifactor authentication solutions. |
STIG | Date |
---|---|
Tanium 6.5 Security Technical Implementation Guide | 2016-09-29 |
Check Text ( C-67651r2_chk ) |
---|
Access the Tanium server interactively and log on as an Administrator. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.*$ Note: This regex should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that’s logging in. It must use the syntax of LDAP:// If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding. |
Fix Text (F-73115r1_fix) |
---|
Use the vendor documentation titled "Enabling SmartCard Authentication in Tanium 6.5+" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from the following URL: https://kb.tanium.com/Smart_Card_Authentication. |