Tanium 7.x Security Technical Implementation Guide


Overview

Date: 2022-08-24
Finding Count (99): CAT I (High): 4; CAT II (Med): 95; CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-253821 High Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.
V-253875 High The Tanium Application, SQL, and Module servers must all be configured to communicate using TLS 1.2 Strict Only.
V-253876 High The SchUseStrongCrypto registry value must be set.
V-253877 High The SSLCipherSuite registry value must be set.
V-253845 Medium The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
V-253823 Medium The publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-253847 Medium All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.
V-253846 Medium The Tanium Server must be configured to allow only signed content to be imported.
V-253841 Medium The Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.
V-253840 Medium Tanium public keys of content providers must be validated against documented trusted content providers.
V-253843 Medium Tanium Threat Response must be configured to receive IOC streams only from trusted sources.
V-253787 Medium The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of denial-of-service (DoS) attacks.
V-253849 Medium Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.
V-253848 Medium Firewall rules must be configured on the Tanium Server for client-to-server communications.
V-253785 Medium The Tanium Server and Client applications must have logging enabled.
V-253782 Medium The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication.
V-253783 Medium The Tanium application must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).
V-253780 Medium The application must, at a minimum, offload interconnected systems in real time and offload standalone systems weekly.
V-253781 Medium Tanium Client processes must be excluded from On-Access scan.
V-253784 Medium The Tanium application must separate user functionality (including user interface services) from information system management functionality.
V-253830 Medium Tanium must notify system administrators and the information system security officer (ISSO) for account removal actions.
V-253831 Medium The Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status.
V-253832 Medium The Tanium database(s) must be installed on a separate system.
V-253833 Medium The Tanium application database must be dedicated to only the Tanium application.
V-253834 Medium The access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.
V-253835 Medium The Tanium Server installer's account database permissions must be reduced to an appropriate level.
V-253836 Medium Firewall rules must be configured on the Tanium Server for server-to-database communications.
V-253837 Medium The Tanium Application Server console must be configured to initiate a session lock after a 15-minute period of inactivity.
V-253838 Medium Tanium Trusted Content providers must be documented.
V-253839 Medium Content providers must provide their public key to the Tanium administrator to import for validating signed content.
V-253842 Medium The Tanium documentation identifying recognized and trusted indicator of compromise (IOC) streams must be maintained.
V-253786 Medium The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined denial-of-service (DoS) attacks against other information systems.
V-253822 Medium Firewall rules must be configured on the Tanium Server for Console-to-Server communications.
V-253820 Medium Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.
V-253827 Medium Tanium must notify the system administrator and information system security officer (ISSO) of account enabling actions.
V-253826 Medium Tanium must notify system administrators and the information system security officer (ISSO) when accounts are modified.
V-253825 Medium Tanium must notify system administrator and information system security officer (ISSO) when accounts are created.
V-253824 Medium The Tanium application must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure.
V-253829 Medium Tanium must notify system administrators and the information system security officer (ISSO) for account disabling actions.
V-253828 Medium Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
V-253788 Medium The Tanium application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-253789 Medium The Tanium application must reveal error messages only to the information system security officer (ISSO), information system security manager (ISSM), and system administrator (SA).
V-253844 Medium The Tanium applications must be configured to filter audit records for events of interest based on organization-defined criteria.
V-253799 Medium The Tanium application must electronically verify Personal Identity Verification (PIV) credentials.
V-253798 Medium The Tanium application must accept Personal Identity Verification (PIV) credentials.
V-253791 Medium The Tanium application must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-253790 Medium The Tanium application must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-253793 Medium The Tanium application must provide an immediate warning to the system administrator and information system security officer (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-253792 Medium The Tanium application must offload audit records onto a different system or media than the system being audited.
V-253795 Medium The Tanium application must prohibit user installation of software without explicit privileged status.
V-253794 Medium The Tanium application must provide an immediate real-time alert to the system administrator and information system security officer, at a minimum, of all audit failure events requiring real-time alerts.
V-253797 Medium The application must employ a deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software programs.
V-253796 Medium The application must enforce access restrictions associated with changes to application configuration.
V-253816 Medium The Tanium Application Server must be configured to only use LDAP for account management functions.
V-253817 Medium Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers.
V-253814 Medium The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-253815 Medium The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.
V-253812 Medium Tanium Client directory and subsequent files must be excluded from On-Access scan.
V-253813 Medium Tanium endpoint files must be excluded from host-based intrusion prevention system (HIPS) intervention.
V-253810 Medium The ability to uninstall the Tanium Client service must be disabled on all managed clients.
V-253811 Medium The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.
V-253818 Medium Documentation identifying Tanium console users, their respective User Groups, Computer Groups, and Roles must be maintained.
V-253819 Medium The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined in the environment's system documentation.
V-253779 Medium The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis.
V-253809 Medium Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.
V-253808 Medium Firewall rules must be configured on the Tanium endpoints for client-to-server communications.
V-253801 Medium The Tanium application must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
V-253800 Medium The Tanium application must accept Personal Identity Verification (PIV) credentials from other federal agencies.
V-253803 Medium Tanium Server processes must be excluded from On-Access scan.
V-253802 Medium Tanium must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.
V-253805 Medium The Tanium endpoint must have the Tanium Server's pki.db in its installation.
V-253804 Medium The Tanium application must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-253807 Medium The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.
V-253806 Medium Access to Tanium logs on each endpoint must be restricted by permissions.
V-253874 Medium The Tanium application service must be protected from being stopped by a nonprivileged user.
V-253870 Medium Tanium Comply must be configured to receive Open Vulnerability and Assessment Language (OVAL) feeds only from trusted sources.
V-253871 Medium The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
V-253872 Medium Tanium Server files must be excluded from host-based intrusion prevention intervention.
V-253873 Medium The Tanium application must set an inactive timeout for sessions.
V-253869 Medium Tanium Comply must be configured to receive Security Content Automation Protocol (SCAP) content only from trusted sources.
V-253868 Medium The Tanium documentation identifying recognized and trusted Open Vulnerability and Assessment Language (OVAL) feeds must be maintained.
V-253867 Medium The Tanium documentation identifying recognized and trusted Security Content Automation Protocol (SCAP) sources must be maintained.
V-253866 Medium The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of threat intel.
V-253865 Medium The Tanium documentation identifying recognized and trusted folders for Threat Response Local Directory Source must be maintained.
V-253864 Medium The Tanium "max_soap_sessions_per_user" setting must be explicitly enabled to limit the number of simultaneous sessions.
V-253863 Medium The Tanium "max_soap_sessions_total" setting must be explicitly enabled to limit the number of simultaneous sessions.
V-253862 Medium The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.
V-253861 Medium Tanium Server directory and subsequent files must be excluded from On-Access scan.
V-253860 Medium The Tanium Server certificate must be signed by a DoD certificate authority (CA).
V-253852 Medium The Tanium Server directory must be restricted with appropriate permissions.
V-253853 Medium The Tanium Server http directory and subdirectories must be restricted with appropriate permissions.
V-253850 Medium The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM Category Assurance List (CAL) and vulnerability assessments.
V-253851 Medium The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
V-253856 Medium Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.
V-253857 Medium Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications.
V-253854 Medium The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.
V-253855 Medium The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.
V-253858 Medium Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.
V-253859 Medium The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.