Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
The Tanium endpoint makes a connection to the Tanium Server, the endpoint's copy of the Tanium Server's public key is used to verify the validity of the registration day coming from the Tanium Server. If any endpoint systems do not have the correct Tanium Server public key in its configuration, they will not perform any instructions from the Tanium Server and a record of those endpoints will be listed in the Tanium Server's System Status. To validate, Review in console--Administration, System Status, to determine if any endpoints connected with an invalid key. If any systems are listed with "No" under the column for "Valid Key", this is a finding.
For systems which do not have a valid key for the Tanium Server, re-deploy the client software from Tanium.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. On the Dashboard, select "Client Hardening Tool". Select the "Set Client Directory Permissions". Tanium will parse the script and return a row for "Restricted" and a row for "Not Restricted", with their respective client counts. If the "Not Restricted" row shows a client count of more than "0", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. On the Dashboard, select "Client Hardening Tool". Select the "Set Client Directory Permissions". Tanium will parse the script and return a row for "Restricted" and a row for "Not Restricted", with their respective client counts. Click on the "Not Restricted" row and right-click. Select "Deploy Action". In the "Deploy Action" dialog box, the package "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" will be selected. The clients which have their Tanium Client directory "Not Restricted" will be displayed in the bottom window. Click on "Target & Schedule". Choose a schedule to deploy the hardening. Click on "Finish". Verify settings and click on "Confirm".
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "AllQuestionsRequireSignatureFlag". Enter. If no results are returned, this is a finding since this setting needs to be explicitly set. If results are returned for “AllQuestionsRequireSignatureFlag” but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box enter "sign_all_questions_flag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Clients" from "Affects" drop-down list. Click “Save”. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "AllQuestionsRequireSignatureFlag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Clients" from "Affects" drop-down list. Click “Save”.
Note: This check is performed for the Tanium Endpoints and must be validated against the HBSS desktop firewall policy applied to the Endpoints. Consult with the HBSS administration for assistance. Validate a rule exists within the HBSS HIPS firewall policies for managed clients for the following: Port Needed: Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.
Configure host-based and network firewall rules as required.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients matching the "Service Control is set to default permissions" query. If the "Count" shows any quantity other than zero, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients matching the "Service Control is set to default permissions" query. Select the result line for "Service Control is set to default permissions". Right-click on the number under "Count". Choose "Deploy Action...". The "Deploy Action" dialog box will display "Client Service Hardening - Set Service Permissions to Defaults" as the package. -> Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory. The computer names comprising the "Count" of non-compliant systems will be displayed in the bottom. Click on "Target & Schedule". Configure the schedule for the requested action depending upon internal organizational procedures and policies for maintenance. Click on "Finish". Verify settings are correct. Click on the "Confirm..." button at the bottom of the screen which will respond with a dialog box "Your action has been scheduled. It can be viewed on the actions tab."
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Hide From Add-Remove Programs". The results will show a "Count" of clients matching the "Tanium Client Visible in Add-Remove Programs" query. If the "Count" shows any quantity other than zero, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Hide From Add-Remove Programs". The results will show a "Count" of clients matching the "Tanium Client Visible in Add-Remove Programs" query. Select the result line. Right-click on the number under "Count". Choose "Deploy Action...". The "Deploy Action" dialog box will display "Client Service Hardening - Hide Client from Add-Remove Programs" as the package. The computer names comprising the "Count" of non-compliant systems will be displayed in the bottom. Click on "Target & Schedule". Configure the schedule for the requested action depending upon internal organizational procedures and policies for maintenance. Click on "Finish". Verify settings are correct. Click on the "Confirm..." button at the bottom of the screen which will respond with a dialog box "Your action has been scheduled. It can be viewed on the actions tab."
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients with restricted and non-restricted permissions for "Tanium Client Service". Non-compliant clients will have a count other than 0 for "Service Control is set to default permissions" or "Unknown Service Control Permissions. If there is a "Count" other than "0" for "Service Control is set to default permissions" or "Unknown Service Control Permissions", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients' compliant and non-compliant hardening for the "Tanium Client Service". Non-compliant clients will have a count other than 0 for "Service Control is set to default permissions" or "Unknown Service Control Permissions. Select each of the ""Service Control is set to default permissions" or "Unknown Service Control Permissions." statuses, right-click and select "Deploy Action...." The "Deploy Action" dialog box will display "Client Service Hardening - Control Service State Permissions" as the package. The computer names comprising the "Count" of non-compliant systems will be displayed in the bottom. Click on "Target & Schedule". Configure the schedule for the requested action depending upon internal organizational procedures and policies for maintenance. Click on "Finish". Verify settings are correct. Click on the "Confirm..." button at the bottom of the screen which will respond with a dialog box "Your action has been scheduled. It can be viewed on the actions tab."
Consult with the Tanium System Administrator to determine the antivirus used on the Tanium clients. Review the settings of the antivirus software. Validate exclusions exist which exclude the Tanium program files from being scanned by antivirus. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software solution to exclude the scanning of Tanium program files.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. In the “Home” tab, locate the Tanium Administration dashboard. Click on “Client Configuration”. The results will display two windows. One window will show "Clients that can take actions - Action Lock Off" and the other window will show "Clients that cannot take actions - Action Lock On". If any systems are listed in the "Clients that cannot take actions - Action Lock Off" window and it is not an official maintenance window timeframe for those systems, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. In the “Home” tab, locate the Tanium Administration dashboard. Click on “Client Configuration”. The results will display two windows. One window will show "Clients that can take actions - Action Lock Off" and the other window will show "Clients that cannot take actions - Action Lock On". In the windows displaying systems with Action Lock Off, highlight to select all systems displayed. Right-click and choose "Deploy Action".
NOTE: The Tanium Server uses a renamed version of the psexec tool to be used when deploying packages to clients. In order to ensure psexec is not used, the renamed psexect.exe must be removed from the Tanium Server directory. Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Navigate to \Program Files(x86)\Tanium\Tanium Client Deployment Tool folder. If the file "psexect.exe" exists, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Navigate to \Program Files(x86)\Tanium\Tanium Client Deployment Tool folder. Remove the file "psexect.exe".
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "AllQuestionsRequireSignatureFlag". Enter. If no results are returned, this is a finding since this setting needs to be explicitly set. If results are returned for "AllQuestionsRequireSignatureFlag" but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "AllQuestionsRequireSignatureFlag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Clients" from "Affects" drop-down list. Click “Save”.
Consult with the Tanium System Administrator to determine the file encryption software used on the Tanium clients. Review the settings for the file encryption software. Validate exclusions exist which exclude the Tanium program files from being encrypted by the file encryption software. If exclusions do not exist, this is a finding.
Implement excluding policies within the file encryption software solution to exclude the file level encryption of the Tanium program files.
Using a web browser on a system which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and logon with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "console_prohibitSavedLogin". Enter. If no results are returned, this is a finding. If results are returned for "console_prohibitSavedLogin", but the value is not "1", this is a finding.
Using a web browser on a system which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and logon with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box enter "console_prohibitSavedLogin" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Server" from "Affects drop-down list. Click Save.
Access the Tanium Module server interactively and log on as an Administrator. Click “Start” and click the down arrow to view Apps. Find "Tanium Connection Manager", right-click on the icon and choose to Run-as administrator and confirm at the User Account Control window prompt. In the "Tanium Connection Manager" configuration window, select the "Connector Plug-Ins" tab. Verify a plug-in exists for the "Type of Active Directory Sync". If no plug-in exists with the "Type of Active Directory Sync", this is a finding.
Access the Tanium Module server interactively and log on as an Administrator. Click “Start” and click the down arrow to view Apps. Find Tanium Connection Manager, right-click on the icon and choose to Run-as administrator and confirm. In the Tanium Connection Manager configuration window, select the "Connector Plug-Ins" tab. Click the + to add a connector For Connector Type:, choose Active Directory Sync Assign a unique Connector Name: Click “OK”. Configure Active Directory and configuration tabs with variables according to site's Active Directory configuration.
Access the Tanium App server through interactive logon. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the "cac_ldap_server_url" value exists and is configured to point to the site's Active Directory instance. This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging in. It must use the syntax of LDAP://<AD instance FQDN> (Note: All CAPS for LDAP). If the value for "cac_ldap_server_url" does not exist or is not configured to the site's AD instance, this is a finding.
Access the Tanium App server through interactive logon. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Set the value for "cac_ldap_server_url" to reference the site's AD instance. It must use the syntax of LDAP://<AD instance FQDN> (Note: All CAPS for LDAP).
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Computer Groups" tab. Under the "Group Name" column, verify specific groups exist other than the default "All Computers" and "No Computers". If site or organization specific computer groups do not exist, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Computer Groups" tab. Configure specific Computer Groups in order to facilitate the management of computers by authorized individuals for those computers. Note: Active Directory Computer Groups may also be used to sync with Tanium Computer Groups as a means to satisfy this requirement.
Consult with the Tanium System Administrator to review the documented list of Tanium users. The users' respective, approved roles, as well as the correlated Active Directory security group for the User Roles, must be documented. If the site does not have the Tanium users and their respective, approved roles and AD security groups documented, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective User Roles and AD security groups.
Consult with the Tanium System Administrator to review the documented list of Tanium users. Review the users' respective approved roles, as well as the correlated Active Directory security group for the User Roles. Validate Active Directory security groups/Tanium roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium Roles assignment, this is a finding.
Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory security group in order to ensure the user is synced to the appropriate Tanium User Role. If appropriate Active Directory security groups are not already configured, create the groups and add the appropriate users. Ensure AD sync re-populates the Tanium Users' associated Roles accordingly.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Users" tab. Verify each user against the provided list, and review the assigned roles for each user against the "User Role" column. If any user exists in Tanium but is not on the documented list and/or if any user exists in Tanium at a more elevated User Role than that documented on the list, this is a finding.
When using Active Directory synchronization, as is required by this STIG, User Roles assignments are via the AD Sync connector. AD security groups correlate, one to one, to Tanium User Roles. To change a Tanium user's User Role, their Active Directory account needs to be moved to the AD security group which correlates with the applicable User Role. Access the Active Directory server. Locate the account(s) which have been determined to have the incorrect User Roles in Tanium. Review the Tanium-related AD Security Groups to which the user account(s) belong which directly correlate to the incorrect Tanium User Roles. Remove the user account(s) from the incorrect Tanium User Roles, ensuring the user account(s) are still members of the Tanium-related AD Security Groups for which they have been documented to be authorized.
Consult with the Tanium System Administrator to review the documented list of Tanium users and their respective, approved Computer Groups rights. If the site does not have the Tanium users and their respective, approved Computer Groups rights documented, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective Computer Groups rights.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Users" tab. Verify each user against the provided list, and review the assigned group rights for each user against the "Group Rights" column. If any user exists in Tanium but is not on the documented list and/or if any user exists in Tanium with more Group Rights than documented on the list, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Users" tab. For any user(s) in Tanium which is not on the approved, documented list, access the Microsoft Windows Active Directory Management and remove the respective user(s) from the AD Security Group in which those user(s) are members. For any user in Tanium which has not been assigned one or more Computer Groups as has been documented in the Computer Groups list, access the Microsoft Windows Active Directory Management and add the respective user(s) to the AD Security Groups applicable for the roles for which the user(s) have been documented to be authorized. Click “Save”.
Access the Tanium server interactively and logon as an Administrator. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.*$ Note: This regedit should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that’s logging in. It must use the syntax of LDAP://<AD instance FQDN> If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Enabling SmartCard Authentication in Tanium 6.5+" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from the following URL: https://kb.tanium.com/Smart_Card_Authentication.
Access the Tanium server interactively and log on as an Administrator. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.*$ Note: This regex should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that’s logging in. It must use the syntax of LDAP://<AD instance FQDN> If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Enabling SmartCard Authentication in Tanium 6.5+" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from the following URL: https://kb.tanium.com/Smart_Card_Authentication.
Access the Tanium server interactively and log on as an Administrator. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.*$ Note: This regex should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that’s logging in. It must use the syntax of LDAP://<AD instance FQDN> If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Enabling SmartCard Authentication in Tanium 6.5+" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from the following URL: https://kb.tanium.com/Smart_Card_Authentication.
Access the Tanium Module server interactively and log on as an Administrator. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.*$ Note: This regex should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that’s logging on. It must use the syntax of LDAP://<AD instance FQDN> If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Enabling SmartCard Authentication in Tanium 6.5+" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from the following URL: https://kb.tanium.com/Smart_Card_Authentication.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: From only designated Tanium console user clients to Tanium Server over TCP ports 443, 17440, and 17441. If a host-based firewall rule does not exist to allow only designated Tanium console user clients to Tanium Server over TCP ports 443, 17440, and 17441, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic from only designated Tanium console user clients to Tanium Server over TCP ports 443, 17440, and 17441. If a network firewall rule does not exist to allow traffic from only designated Tanium console user clients to Tanium Server over TCP ports 443, 17440, and 17441, this is a finding.
Configure host-based and network firewall rules as required.
Consult with the Tanium System Administrator to determine the server to which the SQL database has been installed and is configured. If the SQL database is installed on the same server as the Tanium Server, this is a finding.
Move the Tanium SQL database from the Tanium Server to a separate SQL server system.
With the Tanium administrator's assistance, access the server on which the Tanium SQL database is installed. Review the databases hosted by that SQL server. If more databases exist on the SQL server than the Tanium database, this is a finding.
Move the Tanium SQL database from the SQL server hosting multiple databases to a dedicated SQL server or remove other databases co-located with Tanium on the existing SQL server.
Access the Tanium SQL server interactively. Log on with an account with administrative privileges to the server. Open SQL Server Management Studio and connect to a Tanium instance of SQL Server. In the left pane, click “Databases”, select the Tanium database, click “Security”, and then click “Users”. In the “Users” pane, review the roles assigned to the user accounts. If any user account has an elevated privilege role other than the assigned database administrator, this is a finding.
Access the Tanium SQL server interactively. Log on with an account with administrative privileges to the server. Open SQL Server Management Studio and connect to a Tanium instance of SQL Server. In the left pane, click “Databases”, select the Tanium database, click “Security”, and then click “Users”. In the “Users” pane, review the roles assigned to the user accounts. For any user accounts with elevated privileges, reduce the role assigned to a least privileged role.
Access the Tanium SQL server interactively. Log on with an account with administrative privileges to the server. Open SQL Server Management Studio and connect to Tanium instance of SQL Server. In the left pane, click “Databases”, select the Tanium database, click “Security”, and then click “Users”. In the “Users” pane, review the role assign to the Tanium Server installer's user account. If the role assigned to the Tanium Server installer's account is not db_owner, this is a finding.
Access the Tanium SQL server interactively. Log on with an account with administrative privileges to the server. Open SQL Server Management Studio and connect to Tanium instance of SQL Server. In the left pane, click “Databases”, select the Tanium database, click “Security”, and then click “Users”. In the “Users” pane, right-click the Tanium Server installer's user account, and on the shortcut menu, click “Properties”. Under Database role membership, change role from sysadmin to db_owner. Click “OK”.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Remote SQL Server over TCP port 1433. If a host-based firewall rule does not exist to allow Tanium Server to Remote SQL Server over TCP port 1433, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow traffic from Tanium Server to Remote SQL Server over TCP port 1433. If a network firewall rule does not exist to allow traffic from Tanium Server to Remote SQL Server over TCP port 1433, this is a finding.
Configure host-based and network firewall rules as required.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Review the folder to which the Tanium installation package was downloaded and, if different, the folder from which the Tanium installation was run. If any SQL stored queries or procedures are found in the folder to which the Tanium installation package was downloaded and, if different, the folder from which the Tanium installation was run, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Locate and remove the SQL queries or procedures from the folder to which the Tanium installation package was downloaded and, if different, the folder from which the Tanium installation was run.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "sign_all_questions_flag". Enter. If no results are returned, this is a finding since this setting needs to be explicitly set. If results are returned for sign_all_questions_flag but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "sign_all_questions_flag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Server" from "Affects" drop-down list. Click “Save”.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. After logging in, click on "Preferences" in the top right corner of the UI. Verify the "Suspend console automatically if no activity detected for:" is configured to a value of "15" minutes or less. If the "Suspend console automatically if no activity detected for:" is not configured to a value of "15" minutes or less, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. After logging in, click on "Preferences" in the top right corner of the UI. For "Suspend console automatically if no activity detected for:", select a value of 15 minutes or less. Click the “x” to close the "Preferences" box.
Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Consult with the Tanium System Administrator to review the documented list of trusted content providers along with the HASH for their respective public keys. If the site does not have the Tanium trusted content providers documented along with the HASH for their respective public keys, this is a finding.
Prepare and maintain documentation identifying the Tanium trusted content providers along with the HASH from their respective public keys.
Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the \Program Files\Tanium\Tanium Server\content_public_keys\content folder. If the Tanium default content-release.pub key is the only key in the folder, and there are content providers other than Tanium, this is a finding.
Obtain .XML content from trusted provider, including their public key. If trusted provider can't provide their signed content along with their public key, remove their respective content from the Tanium Server and from the trusted provider list until it can be provided. Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the \Program Files\Tanium\Tanium Server\content_public_keys\content folder. Copy Trusted Source's .pub key into the folder. Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and logon with CAC. From the console's “Authoring” tab, click the "Import From XML" link in the upper right corner. Browse to the signed xml file and select it. If a “Content Import Review” screen is displayed, verify content being imported is the most recent content from this provider and select “Overwrite database duplicates”.
Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the \Program Files\Tanium\Tanium Server\content_public_keys\content folder. If a public key, other than the default Tanium public key, resides in the content folder and is not documented on the trusted content provider list, this is a finding.
Remove the content from Tanium for which a public key is imported into Tanium and which is not documented as a trusted content provider.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "require_action_approval". Enter. If no results are returned, this is a finding. If results are returned for "require_action_approval", but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "require_action_approval" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Server" from "Affects drop-down list. Click “Save”.
Consult with the Tanium System Administrator to review the documented list of IOC trusted stream sources. If the site does not have IOC trusted stream sources documented, this is a finding.
Prepare and maintain documentation identifying the Tanium IOC trusted stream sources.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the icon with the down arrow. Verify all configured IOC Detect Streams are configured to a documented trusted source. If any configured IOC Detect Stream is configured to a stream which has not been documented as trusted, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the icon with the down arrow. Delete IOC streams which are configured to non-trusted source, or re-configured to point to a trusted source.
Access the Tanium App server through interactive logon. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the value for REG_DWORD "LogFileSizeInBytes" is set to "104857600" or greater. If the value for REG_DWORD "LogFileSizeInBytes" is not set to "104857600" or greater, this is a finding.
Access the Tanium App server through interactive logon. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Set the value for REG_DWORD "LogFileSizeInBytes" to "104857600" or greater.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the “gear” icon. The “Workbench Settings” menu will be displayed. Click on the “wrench” icon under "Event Forwarding". If "Forwarding Target" is "Disabled", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the “gear” icon. The “Workbench Settings” menu will be displayed. Click on the “wrench” icon under "Event Forwarding". Configured the "Event Forwarding" to be configured for "Syslog". If a syslog is already configured under Tanium Connect, the value for "Event Forwarding" may be configured to "Tanium Connect". Click on "Save Changes".
Consult with the Tanium System Administrator to determine the antivirus software used on the Tanium Server. Review the settings of the antivirus software. Validate exclusions exist which exclude the Tanium program files from being scanned by antivirus. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software solution to exclude the scanning of Tanium program files.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI). If a DoD-approved use notification banner does not display prior to logon, this is a finding.
Create an .html file composed of the DoD-authorized warning banner verbiage. Name the file “warning_banner.html”. Copy the .html file to the Tanium Server’s http folder. Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box enter "console_PreLoginBannerHTML" for "Setting Name:". Enter “warning_banner.html” for “Setting Value:”. Enter Text for “Value Type:”. Enter Server for “Affects:”. Click Save.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI). If a DoD-approved use notification banner does not display prior to logon, this is a finding.
Create an .html file composed of the DoD-authorized warning banner verbiage. Name the file “warning_banner.html”. Copy the .html file to the Tanium Server’s http folder. Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "console_PreLoginBannerHTML" for "Setting Name:". Enter “warning_banner.html” for “Setting Value:”. Enter Text for “Value Type:”. Enter Server for “Affects:”. Click "Save".
Consult with the Tanium System Administrator to determine the file encryption software used on the Tanium Server. Review the settings for the file encryption software. Validate exclusions exist which exclude the Tanium program files from being encrypted by the file encryption software. If exclusions do not exist, this is a finding.
Implement excluding policies within the file encryption software solution to exclude the file level encryption of the Tanium program files.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Access the server's registry by typing: "regedit". Enter. Navigate to HKLM >> Software >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a String "SSLCipherSuite" with a value of: AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-CCM:AES1 28-CCM:AES256-CCM8:AES128-CCM8:AES256-SHA256:AES128-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA If the String "SSLCipherSuite" does not exist with the appropriate list values, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Access the server's registry by typing: regedit <enter> Navigate to HKLM >> Software >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the String "SSLCipherSuite" to have a value of: AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-CCM:AES1 28-CCM:AES256-CCM8:AES128-CCM8:AES256-SHA256:AES128-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Consult with the Tanium System Administrator to review the documented list of Tanium users. Review the users' respective approved roles, as well as the correlated Active Directory security group for the User Roles. Validate Active Directory security groups/Tanium roles are documented to assign a least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium Roles assignment, this is a finding.
Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory security group in order to ensure the user is synced to the appropriate Tanium User Role. If appropriate Active Directory security groups are not already configured, create the groups and add the appropriate users. Ensure AD sync re-populates the Tanium Users' associated Roles accordingly.
Consult with the Tanium System Administrator to review the documented list of Tanium users. Review the users' respective approved roles, as well as the correlated Active Directory security group for the User Roles. Validate Active Directory security groups/Tanium roles are documented to assign a least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium Roles assignment, this is a finding.
Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory security group in order to ensure the user is synced to the appropriate Tanium User Role. If appropriate Active Directory security groups are not already configured, create the groups and add the appropriate users. Ensure AD sync re-populates the Tanium Users' associated Roles accordingly.
Consult with the Tanium System Administrator to review the documented list of Tanium users. Review the users' respective approved roles, as well as the correlated Active Directory security group for the User Roles. Validate Active Directory security groups/Tanium roles are documented to assign a least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium Roles assignment, this is a finding.
Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory security group in order to ensure the user is synced to the appropriate Tanium User Role. If appropriate Active Directory security groups are not already configured, create the groups and add the appropriate users. Ensure AD sync re-populates the Tanium Users' associated Roles accordingly.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "sign_all_questions_flag". Enter. If no results are returned, this is a finding since this setting needs to be explicitly set. If results are returned for “sign_all_questions_flag” but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "sign_all_questions_flag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Server" from "Affects" drop-down list. Click “Save”.
NOTE: This requirement only applies to Tanium implementations in production. If implementation being evaluated is in development, this requirement is Not Applicable. Access the Tanium Server through interactive logon as an Administrator. Open an Explorer window. Navigate to C:\Program Files\Tanium\Tanium Server. Find the tanium.license file, right-click on the file and choose to Open with WordPad. When the contents are opened in WordPad, search for "allow unsigned _import". If "allow unsigned_import" is followed by ":true", this is not a finding.
Contact the Tanium vendor to obtain correct copy of Tanium license file.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Validate the DownloadPath REG_SZ value does not point to a location off of the Tanium Server directory. If the DownloadPath REG_SZ value points to a location off of the Tanium Server directory, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Configure a directory elsewhere on the server to relocate the installation package files. Run regedit as Administrator. Navigate to HKLM\Software\Wow6432Node\Tanium\Tanium Server. Change the DownloadPath REG_SZ value to point to the location of the relocated installation package files. Move the files from the original directory to the location created for the installation package files.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate rules exist, as required, to include: Between Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.
Configure host-based and network firewall rules as required, to include Tanium Clients or Zone Clients over TCP port 17472, bi-directionally and Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.
Note: If a zone server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. Access the host-based firewall configuration on the Tanium Zone Server. Validate a rule exists for the following: Port Needed: Tanium Clients to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Clients to the Tanium Zone Server, this is a finding.
Configure host-based firewall rules as required, to include Tanium Clients to Zone Server over TCP port 17472.
Review the PPSM CAL to ensure the Tanium application has been registered with all of the TCP ports required for functionality to include (but not limited to) TCP 17472, 17477, 17440, 17441, 443 and 1433. If any TCP ports are being utilized on the Tanium Server which have been deemed as restricted by the PPSM CAL, this is a finding.
Submit a formal request to have the Tanium communication ports evaluated and added to the PPSM CAL.
Access the Tanium Module server interactively and log on as an Administrator. Navigate to the \Program Files\Tanium\Tanium Server directory. Locate the SOAPServer.crt file and double-click on it to open the certificate. Select the “Details” tab. Scroll down through the details to find and select the “Extended Key Usage” Field. If there is no “Extended Key Usage” field, this is a finding. In the bottom screen, verify "TLS Web Server Authentication" and "TLS Web Client Authentication" are both identified. If "TLS Web Server Authentication" and "TLS Web Client Authentication" are not both identified, this is a finding.
Request or regenerate the certificate being used to include both the serverAuth and clientAuth objects.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the \Program Files\Tanium\Tanium Server folder. Right-click on the \Certs folder and choose “Properties”. Select the “Security” tab and click on the “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate System has Read Only permissions. If the owner of the directory is not the [Tanium service account] and/or System has more privileges than Read Only, this is a finding. Navigate to the \Program Files\Tanium\Tanium Server\Certs folder. Right-click on each of the following files, select “Properties”. Select the “Security” tab and click on the “Advanced” button. Installedcacert.crt Installed-server.crt Installed-server.key SOAPServer.crt SOAPServer.key Validate System and the [Tanium service account] have Read-Only permissions to each of the individual files. If System and the [Tanium service account] have more than Read-Only permissions to any of the individual files, this is a finding. Navigate to the \Program Files\Tanium\Tanium Server\content_public_keys folder. Right-click on each of the following files, select “Properties”. Select the “Security” tab and click on the “Advanced” button. Validate the [Tanium service account] privileges to Read-Only. Validate system privileges to Read-Only Validate System has Read-Only permissions and is applied to child objects. Validate [Tanium service account] has Read-Only permissions and is applied to child objects. If the [Tanium service account] and system permissions to the \content_public_keys folder is greater than Read-Only and/or the Read-Only permissions have not been applied to child objects, this is a finding.
Access the Tanium Server interactively. Logon with an account with administrative privileges to the server. Open an Explorer window. Navigate to the \Program Files\Tanium\Tanium Server folder. Right-click on the \Certs folder and choose “Properties”. Select the “Security” tab and click on the “Advanced” button. Change the owner of the directory to the [Tanium service account]. Reduce System to Read-Only permissions. Navigate to the \Program Files\Tanium\Tanium Server\Certs folder. Right-click on each of the following files, select “Properties”. Select the “Security” tab and click on the “Advanced” button. For the following files, reduce System and the [Tanium service account] to Read-Only: Installedcacert.crt Installed-server.crt Installed-server.key SOAPServer.crt SOAPServer.key Navigate to the \Program Files\Tanium\Tanium Server folder. Right-click on the \content_public_keys folder, select “Properties”. Select the “Security” tab and click on the “Advanced” button. Reduce [Tanium service account] privileges to Read-Only. Reduce system privileges to Read-Only. Reduce System to Read-Only permissions. – apply to child objects. Reduce [Tanium service account] to Read-Only permissions. – apply to child objects.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Access Settings >> Control Panel >> Programs >> Programs and Features. Review the installed programs. If Adobe Flash Player is installed, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Access Settings >> Control Panel >> Programs >> Programs and Features. Click on the Adobe Flash Player to select it. Select “Uninstall”.
Note: If the server being validated is the Module server, this check is Not Applicable. Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Click “Start” and access Server Manager. Select Local Server. Click "Tools". Select "Services". If the Tanium Module Server service is "Running", this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Click “Start” and access Server Manager. Select Local Server. Click "Tools" Select "Services". Disable the Tanium Module Server service.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the C:\Program Files\Tanium folder. Right-click on the Tanium Server folder, select “Properties”. Select the “Security” tab, click on the “Advanced” button. Validate the owner of the Tanium Server folder is the service account [Tanium service account]. Validate the [Tanium service account] is the only account with full permissions to the Tanium Server folder. Validate Users have no permissions to the Tanium Server folder. If any account other than the [Tanium service account] has any full permission to the Tanium Server folder and/or the [Tanium service account] is not the owner of the Tanium Server folder, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the C:\Program Files\Tanium folder. Right-click on the Tanium Server folder, select "Properties". Select the “Security” tab, click on the “Advanced” button. Disable folder inheritance. Change the owner of the directory to the service account [Tanium service account]. Remove User permissions. Give [Tanium service account] full permissions.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the C:\Program Files\Tanium folder\Tanium Server\http folder. Right-click on the \http folder, select “Properties”. Select the “Security” tab, click on the “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate System has Read-Only permissions. Right-click on the \legacy folder. Select the “Security” tab, click on the “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate the System has Read-Only permissions. Validate the [Tanium service account] has Read-Only permissions. Navigate into the \legacy folder. Validate the \legacy\index.html.bak file does not exist. Right-click on the \libraries folder. Select the “Security” tab, click on the “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate System has Read-Only permissions. Validate the [Tanium service account] has Read-Only permissions. Right-click on the \taniumjs folder. Select the “Security” tab, click on the “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate System has Read-Only permissions. Validate the [Tanium service account] has Read-Only permissions. Right-click on the \tux folder. Select the “Security” tab, click on the “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate System has Read-Only permissions. Validate the [Tanium service account] has Read Only permissions. Right-click on the \tux-console folder. Select the “Security” tab, click on the “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate System has Read-Only permissions. Validate the [Tanium service account] has Read-Only permissions. If any of the above permissions are not configured correctly, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the C:\Program Files\Tanium folder\Tanium Server\http folder. Right-click on the \http folder, select “Properties”. Select the “Security” tab, click on the “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to Read-Only permissions. Right-click on the \legacy folder. Select the “Security” tab, click on the “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Delete index.html.bak. Reduce System to Read-Only permissions. Reduce [Tanium service account] to Read-Only permissions. Right-click on the \libraries folder. Select the “Security” tab, click on the “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to Read-Only permissions. Reduce [Tanium service account] to Read-Only permissions. Right-click on the \taniumjs folder. Select the “Security” tab, click on the “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to Read-Only permissions. Reduce [Tanium service account] to Read-Only permissions. Right-click on the \tux folder. Select the “Security” tab, click on the “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to Read-Only permissions. Reduce [Tanium service account] to Read-Only permissions. Right-click on the \tux-console folder. Select the “Security” tab, click on the “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to Read-Only permissions. Reduce [Tanium service account] to Read-Only permissions.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Run regedit as Administrator. Navigate to HKLM\Local_Machine\Software\Wow6432Node. Right-click on \Tanium, select “Properties”. Click on the “Security” tab, “Advanced” button. Validate the [Tanium service account] is only account with full permissions. Validate the User accounts do not have any permissions. If any other account has full permissions and/or the User account has any permissions, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Run regedit as Administrator. Navigate to HKLM\Local_Machine\Software\Wow6432Node. Right-click on \Tanium, select “Properties”. Click on the “Security” tab, “Advanced” button. Provide the [Tanium service account] with full permissions. Reduce permissions for any other accounts with full permissions. Remove permissions for User accounts.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the C:\Program Files\Tanium folder\Tanium Server folder. Right-click on the \Logs folder, select “Properties”. Click on the “Security” tab, “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium service account] privileges is only account with modify permissions on the directory. Validate Administrators have full permissions on the directory. Navigate to the C:\Program Files\Tanium folder\Tanium Server folder. Right-click on the \TDL_Logs folder, select “Properties”. Click on the “Security” tab, “Advanced” button. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium service account] privileges is only account with modify permissions on the directory. Validate Administrators have full permissions on the directory. If any of the specified permissions are not set as required, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to the C:\Program Files\Tanium folder\Tanium Server folder. Right-click on the \Logs folder, select “Properties”. Click on the “Security” tab, “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] privileges to modify permissions on the directory. Ensure Administrators have full permissions on the directory. Navigate to the C:\Program Files\Tanium folder\Tanium Server folder. Right-click on the \TDL_Logs folder, select “Properties”. Click on the “Security” tab, “Advanced” button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] privileges to modify permissions on the directory. Ensure Administrators have full permissions on the directory.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on the “Administration” tab. Click on the “Users” tab. Review each of the users listed and determine their Active Directory synced account. Access one of the domain's Active Directory Domain Controller servers with a Domain Administrator account. Review each of the Users for which a synced account is in the Tanium console as a user. Validate whether any of the users have Domain Admin, Enterprise Admin, or any other elevated privileges in the domain. If any of the Active Directory accounts have elevated privileges and are synced as a Tanium user account, this is a finding.
Access one of the domain's Active Directory Domain Controller servers with a Domain Administrator account. For each of the Users for which a synced account is in the Tanium console as a user and for which the account has elevated privileges, remove those accounts from the Tanium synced security group in Active Directory. Verify, after syncing with Tanium, the user account is no longer in Tanium as a User.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Connect" tab. Click on "Configured Connectors". Review for any configured "ArcSight", “McAfee SIEM", "SIEM", "Splunk" or "LogRhythm" connectors. If SIEM connectors are not configured for send log data to offline log collection, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Connect" tab. Click on "Connector Templates". Choose and configure a template for a SIEM located at the site.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Module Server. Access the host-based firewall configuration on the Tanium Module Server. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.
Configure host-based firewall rules on the Tanium Module server to include the following required traffic: Allow TCP traffic on port 17477 from the Tanium Server. Configure the network firewall to allow the above traffic.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.
Configure host-based firewall rules on the Tanium Server to allow the following required traffic: Allow TCP traffic on port 17477 to the Tanium Module Server. Configure the network firewall to allow the above traffic.
Note: If a Zone Server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Server to the Tanium Zone Server, this is a finding.
Configure host-based firewall rules on the Tanium Zone server to include the following required traffic: Allow Tanium Server to Zone Server over TCP port 17472. Configure the network firewall to allow the above traffic.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "sign_all_questions_flag". Enter. If no results are returned, this is a finding since this setting needs to be explicitly set. If results are returned for sign_all_questions_flag but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "sign_all_questions_flag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Server" from "Affects" drop-down list. Click “Save”.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Access the server's registry by typing: regedit <enter> Navigate to HKLM >> Software >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a DWORD "SSLHonorCipherOrder" with a value of "0x00000001" (hex). If the DWORD "SSLHonorCipherOrder" does not exist with a value of "0x00000001" (hex), this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Access the server's registry by typing: regedit <enter> Navigate to HKLM >> Software >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the DWORD "SSLHonorCipherOrder" to have a value of 0x00000001 (hex).
Access the Tanium Server console via a web browser. When connected, review the Certificate for the Tanium Server. (In Internet Explorer, right-click on the page, select “Properties”, click on the “Certificates” tab.) On the “General” tab, validate the Certificate shows as issued by DOD CA-##. On Certification “Path” tab, validate the path top-level is DoD Root CA 2. If the certificate authority is not DoD Root, this is a finding.
Request or regenerate the certificate from a DoD Certificate Authority.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Connect" tab. Click on "Configured Connectors". If no "Email Results" connectors are configured, this is Not Applicable. For each "Email Results" connector, select the connector to reveal its properties. Validate the "Enable TLS/SSL" is set to "true". If any configured "Email Results" connectors are configured for "Enable TLS/SSL" set to "false", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Connect" tab. Click on "Configured Connectors". Select each "Email Results" connector which is configured with "Enable TLS/SSL" set to "false". Click the "Edit" button at the top right of the screen. Place a check in the "Enable TLS/SSL" check box. Click on “Save Changes”.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. In the search box beside "Show Settings Containing:" type "sign_all_questions_flag". Enter. If no results are returned, this is a finding since this setting needs to be explicitly set. If results are returned for sign_all_questions_flag but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Global Settings" tab. Click on "+ Add New Setting". In "Create New Setting" dialog box, enter "sign_all_questions_flag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Numeric" from "Value Type" drop-down list. Select "Server" from "Affects" drop-down list. Click “Save”.
If the site is using Tanium Index, Index should be used to monitor the file integrity of Tanium critical files. If Tanium Index is not installed, a third-party file integrity monitoring tool must be used to monitor Tanium critical executables, defined as all files in the Tanium Server installed path. If the file integrity of Tanium critical executables is not monitored, this is a finding.
Implement a file integrity monitoring system to monitor the Tanium critical executable files.
Validate Tanium version. If running version 6.5, this is a finding.
Upgrade to Tanium 7 or higher.