
The Tanium Server certificate must be signed by a DoD Certificate Authority.


Overview

Finding ID: V-67113
Version: TANS-SV-000036
Rule ID: SV-81603r1_rule
IA Controls:
Severity: Medium
Description
The Tanium Server can use either a "self-signed" certificate or a certificate signed by a Trusted Certificate Authority for SSL connections. During evaluations of Tanium in lab settings, customers often conclude that a "self-signed" certificate is an acceptable risk. However, in production environments it is critical that an SSL certificate signed by a Trusted Certificate Authority be used on the Tanium Server in lieu of an untrusted and insecure "self-signed" certificate.
STIG: Tanium 6.5 Security Technical Implementation Guide
Date: 2016-09-29

Details

Check Text (C-67749r1_chk)
Access the Tanium Server console via a web browser.

When connected, review the Certificate for the Tanium Server. (In Internet Explorer, right-click on the page, select “Properties”, click on the “Certificates” tab.)

On the “General” tab, validate that the Certificate shows as issued by DOD CA-##.

On the “Certification Path” tab, validate that the path top-level is DoD Root CA 2.

If the certificate authority is not DoD Root, this is a finding.
Fix Text (F-73213r1_fix)
Request or regenerate the certificate from a DoD Certificate Authority.
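
The two name checks from the Check Text can also be scripted. The following is an added example, not part of the STIG: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports a finding when the issuer is not DOD CA-## or the top of the path is not DoD Root CA 2. The hostname, CA number, sample chains and function names are constructed for illustration.

```python
import re

# Constructed samples of the "Certificate chain" section from
# `openssl s_client -showcerts` (hostname and CA number are made up).
DOD_SIGNED = """\
Certificate chain
 0 s:C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = tanium.example.mil
   i:C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD CA-31
 1 s:C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD CA-31
   i:C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
"""
# Self-signed: subject and issuer are identical (older slash-separated format).
SELF_SIGNED = """\
Certificate chain
 0 s:/O=Tanium/CN=tanium.example.mil
   i:/O=Tanium/CN=tanium.example.mil
"""

ENTRY = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")       # "0 s:<DN>" / "i:<DN>"
CN = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)")       # both DN print formats
ISSUING_CA = re.compile(r"DOD CA-\d+", re.IGNORECASE)    # "DOD CA-##" in the check
ROOT_CA = "DoD Root CA 2"

def parse_chain(text):
    """Return [{'subject': CN, 'issuer': CN}, ...] ordered leaf first."""
    chain = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        cn = CN.search(m.group(2))
        name = cn.group(1).strip() if cn else ""
        if m.group(1) == "s":
            chain.append({"subject": name, "issuer": ""})
        elif chain:
            chain[-1]["issuer"] = name
    return chain

def stig_findings(chain):
    """Apply the two name checks; an empty list means no finding."""
    if not chain:
        return ["no certificate chain in input"]
    findings = []
    leaf_issuer = chain[0]["issuer"]
    if not ISSUING_CA.fullmatch(leaf_issuer):
        findings.append(f"server certificate issued by {leaf_issuer!r}, not DOD CA-##")
    top = chain[-1]["issuer"]  # servers often omit the root; use the last issuer named
    if top != ROOT_CA:
        findings.append(f"path top level is {top!r}, not {ROOT_CA!r}")
    return findings
```

This compares names only, and the names in a presented chain are not authenticated. Confirm the signatures as well by validating the chain against a DoD Root CA 2 certificate obtained from a trusted source, for example with `openssl verify -CAfile`.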