The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254914	TANS-AP-000480	SV-254914r867642_rule		Medium

Description
Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

STIG	Date
Tanium 7.x Application on TanOS Security Technical Implementation Guide	2022-10-31

Details

Check Text ( C-58527r867640_chk )
From Browser: 1. Navigate to the Tanium Console URI and log in using multi-factor authentication. 2. Click the lock to the left of the URI in the address bar. 3. Select the lock on the left of the URI in the address bar: a) Chrome: Select "Certificate". b) Edge: Select "Connection is Secure," and then select the certificate icon on the right. 4. Select the "Details" tab. 5. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding. From Server: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "2" for "Tanium Operations Menu," and then press "Enter". 4. Press "7" for "Download SOAP Certificate," and then press "Enter". 5. In a browser with access to the Tanium Server Console, navigate to https:///pub/SOAPServer.crt. 6. Download the SOAPServer.crt file when prompted. 7. Double-click on the file to open the certificate. 8. Select the "Details" tab. 9. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.

Check Text ( C-58527r867640_chk )

From Browser:

1. Navigate to the Tanium Console URI and log in using multi-factor authentication.

2. Click the lock to the left of the URI in the address bar.

3. Select the lock on the left of the URI in the address bar:
a) Chrome: Select "Certificate".
b) Edge: Select "Connection is Secure," and then select the certificate icon on the right.

4. Select the "Details" tab.

5. Scroll down through the details to find and select the "Enhanced Key Usage" field.

If there is no "Enhanced Key Usage" field, this is a finding.

In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified.

If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.

From Server:

1. Access the Tanium Server interactively.

2. Log on to the TanOS server with the tanadmin role.

3. Press "2" for "Tanium Operations Menu," and then press "Enter".

4. Press "7" for "Download SOAP Certificate," and then press "Enter".

5. In a browser with access to the Tanium Server Console, navigate to https:///pub/SOAPServer.crt.

6. Download the SOAPServer.crt file when prompted.

7. Double-click on the file to open the certificate.

8. Select the "Details" tab.

9. Scroll down through the details to find and select the "Enhanced Key Usage" field.

If there is no "Enhanced Key Usage" field, this is a finding.

In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified.

If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.

Fix Text (F-58471r867641_fix)
Request or regenerate the certificate being used to include both the "Server Authentication" and "Client Authentication" objects.