Tanium 7.x Operating System on TanOS Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2022-10-31

Updated At: 2023-01-25 00:47:51

Findings
Columns: Vuln | Rule Version | CCI | Severity, each followed by the rule's Title and Description.

SV-254839r866058_rule | TANS-OS-000070 | CCI-000044 | MEDIUM
Title: The Tanium Operating System (TanOS) must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
Description: By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

SV-254840r870367_rule | TANS-OS-000075 | CCI-000048 | MEDIUM
Title: The Tanium Operating System (TanOS) must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
Description: Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,

SV-254841r866064_rule | TANS-OS-000095 | CCI-000054 | MEDIUM
Title: The Tanium Operating System (TanOS) must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
Description: Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requi

SV-254842r870377_rule | TANS-OS-000165 | CCI-000139 | MEDIUM
Title: The Tanium operating system (TanOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
Description: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system opera

SV-254843r866070_rule | TANS-OS-000270 | CCI-000198 | MEDIUM
Title: The Tanium Operating System (TanOS) must enforce 24 hours/1 day as the maximum password lifetime.
Description: Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeate

SV-254844r866073_rule | TANS-OS-000275 | CCI-000199 | MEDIUM
Title: The Tanium Operating System (TanOS) must enforce a 60-day maximum password lifetime restriction.
Description: Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the

SV-254845r866076_rule | TANS-OS-000280 | CCI-000200 | MEDIUM
Title: The Tanium Operating System (TanOS) must prohibit password reuse for a minimum of five generations.
Description: Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password

SV-254846r866079_rule | TANS-OS-000285 | CCI-000205 | MEDIUM
Title: The Tanium Operating System (TanOS) must enforce a minimum 15-character password length.
Description: The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bru

SV-254847r870368_rule | TANS-OS-000325 | CCI-000765 | HIGH
Title: The Tanium Operating System (TanOS) must use multifactor authentication for network access to privileged accounts.
Description: Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g.,

SV-254848r866085_rule | TANS-OS-000330 | CCI-000766 | MEDIUM
Title: The Tanium Operating System (TanOS) must use multifactor authentication for network access to nonprivileged accounts.
Description: To assure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authenticat

SV-254849r870369_rule | TANS-OS-000385 | CCI-000803 | MEDIUM
Title: The Tanium Operating System (TanOS) must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
Description: To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashi

SV-254850r866091_rule | TANS-OS-000410 | CCI-000879 | MEDIUM
Title: The Tanium Operating System (TanOS) must terminate all sessions and network connections when nonlocal maintenance is completed.
Description: Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly term

SV-254851r866094_rule | TANS-OS-000455 | CCI-001095 | MEDIUM
Title: The Tanium Operating System (TanOS) must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
Description: DoS is a condition that occurs when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures sufficient capacity is a

SV-254852r866097_rule | TANS-OS-000465 | CCI-001133 | MEDIUM
Title: Tanium Operating System (TanOS) must terminate all network connections associated with a communications session at the end of the session, or as follows: For in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; for user sessions (nonprivileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
Description: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat

SV-254853r866100_rule | TANS-OS-000515 | CCI-001199 | MEDIUM
Title: The Tanium Operating System (TanOS) must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of operating system configuration and user-generated data stored on the host.
Description: Confidentiality and integrity protections are intended to address the confidentiality and integrity of system information at rest when it is located on a storage device within the network device or as a component of the network device. This protection is

SV-254854r870378_rule | TANS-OS-000535 | CCI-001294 | MEDIUM
Title: The Tanium Operating System (TanOS) must notify the ISSO and ISSM of failed security verification tests.
Description: If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the hardware, software, and/or firmware of the information syst

SV-254855r870372_rule | TANS-OS-000605 | CCI-001384 | MEDIUM
Title: The publicly accessible Tanium Operating System (TanOS) must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
Description: Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po

SV-254856r870379_rule | TANS-OS-000710 | CCI-001683 | MEDIUM
Title: The Tanium Operating System (TanOS) must notify system administrators and ISSOs when accounts are created.
Description: Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. Notification of account creation is one method for

SV-254857r870380_rule | TANS-OS-000715 | CCI-001684 | MEDIUM
Title: The Tanium Operating System (TanOS) must audit and notify system administrators and ISSOs when accounts are modified.
Description: Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Notification of account modification is one

SV-254858r866115_rule | TANS-OS-000725 | CCI-001686 | MEDIUM
Title: The Tanium Operating System (TanOS) must notify system administrators and ISSOs when accounts are removed.
Description: When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account removal event

SV-254859r866118_rule | TANS-OS-000735 | CCI-002361 | MEDIUM
Title: Tanium Operating System (TanOS) must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
Description: Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, net

SV-254860r870381_rule | TANS-OS-000860 | CCI-002132 | MEDIUM
Title: Tanium must audit and notify system administrators and ISSOs when accounts are enabled.
Description: Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena

SV-254861r866124_rule | TANS-OS-000985 | CCI-002238 | MEDIUM
Title: Tanium must automatically lock accounts and require them be unlocked by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
Description: By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

SV-254862r866127_rule | TANS-OS-001030 | CCI-000169 | MEDIUM
Title: The Tanium operating system (TanOS) must offload audit records onto a different system or media than the system being audited.
Description: Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342, SRG-OS-000479, SRG-OS-000215, SRG-

SV-254863r866130_rule | TANS-OS-001035 | CCI-001855 | MEDIUM
Title: The Tanium operating system (TanOS) must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
Description: If security personnel are not notified immediately when storage volume reaches 75 percent, they are unable to plan for audit record storage capacity expansion.

SV-254864r866133_rule | TANS-OS-001040 | CCI-001858 | MEDIUM
Title: The Tanium operating system (TanOS) must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
Description: It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation

SV-254865r870374_rule | TANS-OS-001095 | CCI-001891 | MEDIUM
Title: The Tanium operating system (TanOS) must, for networked systems, compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Description: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. S

SV-254866r866139_rule | TANS-OS-001100 | CCI-002046 | MEDIUM
Title: The Tanium Operating System (TanOS) must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
Description: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.

SV-254867r870376_rule | TANS-OS-001105 | CCI-001893 | MEDIUM
Title: The Tanium Operating System (TanOS) must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
Description: The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by i

SV-254868r866145_rule | TANS-OS-001325 | CCI-002467 | MEDIUM
Title: The Tanium operating system (TanOS) must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Description: If data origin authentication and data integrity verification is not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records c

SV-254869r866148_rule | TANS-OS-001330 | CCI-002468 | MEDIUM
Title: The Tanium operating system (TanOS) must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
Description: If data origin authentication and data integrity verification is not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records c

SV-254870r866151_rule | TANS-OS-001420 | CCI-002385 | MEDIUM
Title: The Tanium Operating System (TanOS) must protect against or limit the effects of denial of service (DoS) attacks by employing organization-defined security safeguards.
Description: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system t

SV-254871r866154_rule | TANS-OS-001515 | CCI-002605 | MEDIUM
Title: The Tanium operating system (TanOS) must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Description: Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to prom

SV-254872r866157_rule | TANS-OS-001520 | CCI-002607 | MEDIUM
Title: The Tanium operating system (TanOS) must install security-relevant firmware updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Description: Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly inst

SV-254873r866160_rule | TANS-OS-001760 | CCI-000185 | HIGH
Title: The Tanium Operating System (TanOS) must use a FIPS-validated cryptographic module to provision digital signatures.
Description: FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within federal systems. Un-validated cryptography is viewed by NIST as providing no protection to the information or data - in effect t