UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Tanium must enforce 24 hours/1 day as the minimum password lifetime.


Overview

Finding ID Version Rule ID IA Controls Severity
V-254912 TANS-AP-000470 SV-254912r867636_rule Medium
Description
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.
STIG Date
Tanium 7.x Application on TanOS Security Technical Implementation Guide 2022-10-31

Details

Check Text ( C-58525r867634_chk )
Console Users:

Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level.

Local TanOS account:

1. Access the Tanium Server interactively.

2. Log on to the TanOS server with the tanadmin role.

3. Press "C" for "User Administration Menu," and then press "Enter".

4. Press "L" for " Local Tanium User Management," and then press "Enter".

5. Press "B" for " Security Policy Local Authentication Service," and then press "Enter".

If the value of "Password Minimum Age (days):" is greater than "1", this is a finding.
Fix Text (F-58469r867635_fix)
Console Users:

Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level.

Local TanOS account:

1. Access the Tanium Server interactively.

2. Log on to the TanOS server with the tanadmin role.

3. Press "C" for "User Administration Menu," and then press "Enter".

4. Press "L" for "Local Tanium User Management," and then press "Enter".

5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter".

6. Type "yes" and press "Enter".

7. Input the following settings, pressing "Enter" after every value:
a) Minimum Password Lifetime - 1
b) Maximum Password Lifetime - 60
c) Minimum Password Length - 15
d) Minimum Password History - 5
e) Password Lockout - TRUE
f) Maximum Password Attempts - 3

8. Type "yes" to accept the new password policy.