The Tanium application must prohibit password reuse for a minimum of five generations.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254911	TANS-AP-000430	SV-254911r867633_rule		Medium

Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Description

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

STIG	Date
Tanium 7.x Application on TanOS Security Technical Implementation Guide	2022-10-31

Details

Check Text ( C-58524r867631_chk )
Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press "L" for "Local Tanium User Management," and then press "Enter". 5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter". If the value of "Password History:" is less than "5", this is a finding.

Check Text ( C-58524r867631_chk )

Fix Text (F-58468r867632_fix)
Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press "L" for "Local Tanium User Management," and then press "Enter". 5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter". 6. Type "yes" and press "Enter". 7. Input the following settings, pressing "Enter" after every value: a) Minimum Password Lifetime - 1 b) Maximum Password Lifetime - 60 c) Minimum Password Length - 15 d) Minimum Password History - 5 e) Password Lockout - TRUE f) Maximum Password Attempts - 3 8. Type "yes" to accept the new password policy.

Fix Text (F-58468r867632_fix)

Console Users:

Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level.

Local TanOS account:

1. Access the Tanium Server interactively.

2. Log on to the TanOS server with the tanadmin role.

3. Press "C" for "User Administration Menu," and then press "Enter".

4. Press "L" for "Local Tanium User Management," and then press "Enter".

5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter".

6. Type "yes" and press "Enter".

7. Input the following settings, pressing "Enter" after every value:
a) Minimum Password Lifetime - 1
b) Maximum Password Lifetime - 60
c) Minimum Password Length - 15
d) Minimum Password History - 5
e) Password Lockout - TRUE
f) Maximum Password Attempts - 3

8. Type "yes" to accept the new password policy.