
Tanium 7.0 Security Technical Implementation Guide


Overview

Date: 2017-12-05
Finding Count (132): CAT I (High): 3, CAT II (Med): 129, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-78689 High The Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.
V-78609 High Role-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.
V-78617 High Common Access Card (CAC)-based authentication must be enforced and enabled on the Tanium Server for network and local access with privileged and non-privileged accounts.
V-78831 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78833 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78835 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78837 Medium The Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.
V-78839 Medium The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.
V-78747 Medium The Tanium SQL Server RDBMS must be configured with sufficient free space to ensure audit logging is not impacted.
V-78745 Medium The bandwidth consumption for the Tanium Server must be limited.
V-78629 Medium Tanium must notify system administrators and ISSO when accounts are modified.
V-78743 Medium Tanium must be configured in a High-Availability (HA) setup to ensure minimal loss of data and minimal disruption to mission processes in the event of a system failure.
V-78741 Medium Tanium Comply must be configured to receive OVAL feeds only from trusted sources.
V-78625 Medium Flaw remediation Tanium applications must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-78627 Medium Tanium must notify system administrators and ISSO when accounts are created.
V-78621 Medium The publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-78623 Medium Tanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-78749 Medium Tanium must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
V-78649 Medium The access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.
V-78647 Medium The Tanium SQL server must be dedicated to the Tanium database.
V-78645 Medium The Tanium SQL database must be installed on a separate system.
V-78643 Medium Tanium must provide the capability to centrally review and analyze audit records from multiple components within the system.
V-78641 Medium Tanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration.
V-78809 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78805 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78807 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78801 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78803 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78733 Medium The Tanium IOC Detect Folder streams must be configured to restrict access to only authorized maintainers of IOCs.
V-78731 Medium The Tanium documentation identifying recognized and trusted folders for IOC Detect Folder streams must be maintained.
V-78639 Medium Tanium must notify System Administrators and Information System Security Officers for account removal actions.
V-78737 Medium The Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.
V-78735 Medium The Tanium documentation identifying recognized and trusted SCAP feeds must be maintained.
V-78633 Medium Tanium must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
V-78739 Medium Tanium Comply must be configured to receive SCAP feeds only from trusted sources.
V-78631 Medium Tanium must notify the SA and ISSO of account enabling actions.
V-78637 Medium Tanium must notify System Administrators and Information System Security Officers for account disabling actions.
V-78635 Medium Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
V-78795 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78797 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78791 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78659 Medium The Tanium Server console must be configured to initiate a session lock after a 15-minute period of inactivity.
V-78793 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78655 Medium SQL stored queries or procedures installed during Tanium installation must be removed from the Tanium Server.
V-78657 Medium The Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.
V-78799 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78651 Medium The Tanium Server installer's account SQL database permissions must be reduced from sysadmin to db_owner.
V-78653 Medium Firewall rules must be configured on the Tanium Server for Server-to-Database communications.
V-78589 Medium The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.
V-78819 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78813 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78811 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78817 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78815 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78579 Medium Access to Tanium logs on each endpoint must be restricted by permissions.
V-78723 Medium The Tanium Server console must be configured to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-78725 Medium Tanium Server files must be protected from file encryption actions.
V-78727 Medium The Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.
V-78729 Medium The Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.
V-78669 Medium The Tanium documentation identifying recognized and trusted IOC Detect streams must be maintained.
V-78783 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78781 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78787 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78577 Medium The Tanium endpoint must have the Tanium Server's public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.
V-78785 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78661 Medium Tanium Trusted Content providers must be documented.
V-78663 Medium Content providers must provide their public key to the Tanium administrator to import for validating signed content.
V-78789 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78665 Medium Tanium public keys of content providers must be validated against documented trusted content providers.
V-78667 Medium The Tanium Action Approval feature must be enabled for two person integrity when deploying actions to endpoints.
V-78719 Medium Tanium Server files must be excluded from on-access antivirus actions.
V-78715 Medium The Tanium Server certificate must be signed by a DoD Certificate Authority.
V-78717 Medium Any Tanium configured EMAIL RESULTS connectors must be configured to enable TLS/SSL to encrypt communications.
V-78711 Medium Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.
V-78713 Medium The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.
V-78779 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78777 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78775 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78773 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78771 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78709 Medium Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications.
V-78703 Medium A Tanium connector must be configured to send log data to an external audit log reduction-capable system and provide alerts.
V-78701 Medium All Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.
V-78707 Medium Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.
V-78705 Medium File integrity monitoring of critical executables that Tanium uses must be configured.
V-78769 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78765 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78767 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78761 Medium The Tanium web server must be tuned to handle the operational requirements of the hosted application.
V-78763 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78683 Medium Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.
V-78681 Medium Firewall rules must be configured on the Tanium Server for Client-to-Server communications.
V-78687 Medium The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
V-78685 Medium The Tanium Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-78677 Medium The Tanium Server must be configured to only allow signed content to be imported.
V-78675 Medium The Tanium Server must protect audit tools from unauthorized access, modification, or deletion.
V-78673 Medium The Tanium Connect module must be configured to forward Tanium IOC Detect events to identified destinations.
V-78671 Medium The Tanium IOC Detect must be configured to receive IOC streams only from trusted sources.
V-78679 Medium All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.
V-78759 Medium Tanium service must be protected from being stopped by a non-privileged user.
V-78751 Medium Tanium Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
V-78753 Medium Tanium Server files must be excluded from host-based intrusion prevention intervention.
V-78755 Medium Tanium must set an absolute timeout for sessions.
V-78757 Medium Tanium must set an inactive timeout for sessions.
V-78699 Medium The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.
V-78691 Medium The Tanium Module server must be installed on a separate system.
V-78693 Medium The Tanium Server directory must be restricted with appropriate permissions.
V-78695 Medium The Tanium Server http directory and sub-directories must be restricted with appropriate permissions.
V-78697 Medium The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.
V-78593 Medium The Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.
V-78591 Medium Tanium endpoint files must be excluded from on-access antivirus actions.
V-78597 Medium Tanium must restrict the ability of individuals to place too much impact upon the network, which might result in a denial-of-service (DoS) event on the network by using RandomSensorDelayInSeconds.
V-78595 Medium Tanium endpoint files must be protected from file encryption actions.
V-78599 Medium Tanium endpoint files must be excluded from host-based intrusion prevention intervention.
V-78603 Medium The Tanium Server must be configured to only use Microsoft Active Directory for account management functions.
V-78601 Medium The Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.
V-78607 Medium Documentation identifying Tanium console users and their respective User Roles must be maintained.
V-78605 Medium Tanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.
V-78823 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78581 Medium The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.
V-78821 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78583 Medium Firewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.
V-78827 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78585 Medium Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.
V-78825 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78587 Medium The ability to uninstall the Tanium Client service must be disabled on all managed clients.
V-78721 Medium The Tanium Server console must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the Tanium Server.
V-78829 Medium Tanium must be configured to communicate using TLS 1.2 Strict Only.
V-78611 Medium Tanium console users' User Roles must be validated against the documentation for User Roles.
V-78613 Medium Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.
V-78615 Medium Tanium console users' Computer Group rights must be validated against the documentation for Computer Group rights.
V-78619 Medium Firewall rules must be configured on the Tanium Server for Console-to-Server communications.