Tanium 7.3 Security Technical Implementation Guide

Version

TANS-CL-000004

Vuln IDs

V-234038
V-92047

Rule IDs

SV-234038r612749_rule
SV-102149

In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed computers over port 17472. The Tanium environment can perform hundreds or thousands of times faster than other security or systems management tools because the Tanium Clients communicate in secure, linearly-controlled peer-to-peer rings. Because clients dynamically communicate with other nearby agents based on proximity and latency, rings tend to form automatically to match a customer's topology--endpoints in California will form one ring while endpoints in Germany will form a separate ring. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-37223r610614_chk

Note: This check is performed for the Tanium Endpoints and must be validated against the HBSS desktop firewall policy applied to the Endpoints. Consult with the HBSS administration for assistance. Validate a rule exists within the HBSS HIPS firewall policies for managed clients for the following: Port Needed: Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.

Fix: F-37188r610615_fix

Configure host-based and network firewall rules as required.

b

Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.

AC-3 - Medium - CCI-002165 - V-234039 - SV-234039r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CL-000005

Vuln IDs

V-234039
V-92049

Rule IDs

SV-234039r612749_rule
SV-102151

The reliability of the Tanium client's ability to operate depends upon controlling access to the Tanium client service. By restricting access to SYSTEM access only, the non-Tanium system administrator will not have the ability to impact operability of the service.

Checks: C-37224r610617_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service". If a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not restrict control of the Tanium Client service to Allow Only Local SYSTEM to Control Service, this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Fix: F-37189r610618_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients matching the "Service Control is set to default permissions" query. Select the result line for "Service Control is set to default permissions". Choose "Deploy Action". Deployment Package drop-down select "Client Service Hardening - Allow Only Local SYSTEM to Control Service". Configure the schedule to repeat at least every hour for the requested action. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. Click on "Show preview to continue". Non-compliant systems will be displayed at the bottom. Click on "Deploy Action". Verify settings. Click on "Show Client Status Details".

b

The ability to uninstall the Tanium Client service must be disabled on all managed clients.

AC-3 - Medium - CCI-002165 - V-234040 - SV-234040r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CL-000006

Vuln IDs

V-234040
V-92051

Rule IDs

SV-234040r612749_rule
SV-102153

By default, end users have the ability to uninstall software on their clients. In the event the Tanium Client software is uninstalled, the Tanium Server is unable to manage the client and must redeploy to the client. Preventing the software from being displayed in the client's Add/Remove Programs will lessen the risk of the software being uninstalled by non-Tanium System Administrators.

Checks: C-37225r610620_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs". If a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Fix: F-37190r610621_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Hide From Add-Remove Programs". The results will show a "Count" of clients matching the "Tanium Client Visible in Add-Remove Programs" query. Select the result line. Choose "Deploy Action". The "Deploy Action" dialog box will display "Client Service Hardening - Hide Client from Add-Remove Programs" as the package. The computer names comprising the "Count" of non-compliant systems will be displayed in the bottom. Deployment Package drop-down select "Client Service Hardening - Hide Client from Add-Remove Programs". Configure the schedule to repeat at least every hour for the requested action. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. Click on "Show preview to continue". Non-compliant systems will be displayed in the bottom. Click on "Deploy Action". Verify settings. Click on "Show Client Status Details".

b

The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.

AC-3 - Medium - CCI-002165 - V-234041 - SV-234041r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CL-000007

Vuln IDs

V-234041
V-92053

Rule IDs

SV-234041r612749_rule
SV-102155

By restricting access to the Tanium Client directory on managed clients, the Tanium client's ability to operate and function as designed will be protected from malicious attack and unintentional modifications by end users.

Checks: C-37226r610623_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory". If a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Fix: F-37191r610624_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Set Client Directory Permissions". The results will show a "Count" of clients' compliant and non-compliant hardening for the "Tanium Client Directory Permissions". Non-compliant clients will have a count other than "0" for "Not Restricted" or "Error: No Permissions". Select each of the "Not Restricted" or "Error: No Permissions" statuses. Select "Deploy Action". In the "Deploy Action" dialog box, change the package to "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" as the package. Configure the schedule to repeat at least every hour for the requested action. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. Click on "Show preview to continue". Non-compliant systems will be displayed in the bottom. Click on "Deploy Action". Verify settings. Click on "Show Client Status Details".

b

Tanium endpoint files must be excluded from on-access antivirus actions.

CM-6 - Medium - CCI-000366 - V-234042 - SV-234042r612749_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-CL-000008

Vuln IDs

V-234042
V-92055

Rule IDs

SV-234042r612749_rule
SV-102157

Similar to any other host-based applications, the Tanium Client is subject to the restrictions other System-level software may place on an operating environment. That is to say that Antivirus, IPS, Encryption, or other security and management stack software may disallow the Client from working as expected. https://docs.tanium.com/platform_install/platform_install/reference_host_system_security_exceptions.html.

Checks: C-37227r610626_chk

Consult with the Tanium System Administrator to determine the antivirus used on the Tanium clients. Review the settings of the antivirus software. Validate exclusions exist which exclude the Tanium program files from being scanned by antivirus on-access scans. If exclusions do not exist, this is a finding.

Fix: F-37192r610627_fix

Implement exclusion policies within the antivirus software solution to exclude the on-access scanning of Tanium client program files.

b

The Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.

CM-6 - Medium - CCI-000366 - V-234043 - SV-234043r612749_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-CL-000010

Vuln IDs

V-234043
V-92057

Rule IDs

SV-234043r612749_rule
SV-102159

When using the Tanium Client Deployment Tool (CDT), using psexec represents an increased vulnerability as the NTLM hash and clear text passwords of the authenticating user is exposed in the memory of the remote system. To mitigate this vulnerability, the psexec method of deployment must not be used.

Checks: C-37228r610629_chk

Access the Tanium Module Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files(x86) >> Tanium >> Tanium Client Deployment Tool. If the file "psexec.exe" exists, this is a finding.

Fix: F-37193r610630_fix

Access the Tanium Module Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files(x86) >> Tanium >> Tanium Client Deployment Tool. Remove the file "psexec.exe".

b

Tanium endpoint files must be protected from file encryption actions.

CM-6 - Medium - CCI-000366 - V-234044 - SV-234044r612749_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-CL-000012

Vuln IDs

V-234044
V-92059

Rule IDs

SV-234044r612749_rule
SV-102161

Similar to any other host-based applications, the Tanium Client is subject to the restrictions other System-level software may place on an operating environment. That is to say that Antivirus, Encryption, or other security and management stack software may disallow the Client from working as expected. https://docs.tanium.com/platform_install/platform_install/reference_host_system_security_exceptions.html.

Checks: C-37229r610632_chk

Consult with the Tanium System Administrator to determine the file-based encryption software used on the Tanium clients. Review the settings for the file-based encryption software. Validate exclusions exist which exclude the Tanium program files from being encrypted by the file-based encryption software. If exclusions do not exist, this is a finding.

Fix: F-37194r610633_fix

Implement excluding policies within the file-based encryption software solution to exclude the file level encryption of the Tanium client program files.

b

The Tanium application must restrict the ability of individuals to place too much impact upon the network, which might result in a Denial of Service (DoS) event on the network by using RandomSensorDelayInSeconds.

SC-5 - Medium - CCI-001094 - V-234045 - SV-234045r612749_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001094

Version

TANS-CL-000013

Vuln IDs

V-234045
V-92061

Rule IDs

SV-234045r612749_rule
SV-102163

DoS is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyberattacks on third-parties. Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. The methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it.

Checks: C-37230r610635_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "RandomSensorDelayInSeconds". Click "Enter". If no results are returned, this is a finding. If results are returned for "RandomSensorDelayInSeconds", but do not match the defined value in the system documentation, this is a finding.

Fix: F-37195r610636_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "RandomSensorDelayInSeconds" for "Setting Name:". Consult with a Tanium TAM for an appropriate value for a given network. Enter the value for "Setting Value:". Select "Clients" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Document the value for later use.

b

Tanium endpoint files must be excluded from host-based intrusion prevention intervention.

CM-6 - Medium - CCI-000366 - V-234046 - SV-234046r612749_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-CL-000014

Vuln IDs

V-234046
V-92063

Rule IDs

SV-234046r612749_rule
SV-102165

Similar to any other host-based applications, the Tanium Client is subject to the restrictions other System-level software may place on an operating environment. Antivirus, IPS, Encryption, or other security and management stack software may disallow the Tanium Server from working as expected. https://docs.tanium.com/platform_install/platform_install/reference_host_system_security_exceptions.html.

Checks: C-37231r610638_chk

Consult with the Tanium System Administrator to determine the HIPS software used on the Tanium Clients. Review the settings of the HIPS software. Validate exclusions exist which exclude the Tanium program files from being restricted by HIPS. If exclusions do not exist, this is a finding.

Fix: F-37196r610639_fix

Implement exclusion policies within the HIPS software solution to exclude the Tanium client program files from HIPS intervention.

b

The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures.

AC-11 - Medium - CCI-000060 - V-234047 - SV-234047r612749_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000060

Version

TANS-CN-000001

Vuln IDs

V-234047
V-92065

Rule IDs

SV-234047r612749_rule
SV-102167

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically determined and performed at the operating system-level, but in some instances it may be at the application-level. Regardless of where the session lock is determined and implemented, once invoked the session lock shall remain in place until the user re-authenticates. No other system or application activity aside from re-authentication shall unlock the system.

Checks: C-37232r610641_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.* $Note: This regedit should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging in. It must use the syntax similar to LDAP://<AD instance FQDN> If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.

Fix: F-37197r610642_fix

Use the vendor documentation titled "Reference: Smartcard authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM). Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.

b

The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.

SC-3 - Medium - CCI-001084 - V-234048 - SV-234048r612749_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

TANS-CN-000002

Vuln IDs

V-234048
V-92067

Rule IDs

SV-234048r612749_rule
SV-102169

By restricting access to the Tanium Server to only Microsoft Active Directory, user accounts and related permissions can be strictly monitored. Account management will be under the operational responsibility of the System Administrator for the Windows Operation System Active Directory. Satisfies: SRG-APP-000233, SRG-APP-000317

Checks: C-37233r610644_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console, then click on "Configuration". Click the down arrow to view Apps. Find "LDAP Sync". Verify a sync exists under "Enabled Servers". If no sync exists, this is a finding. If sync exists under "Disabled Servers", this is a finding.

Fix: F-37198r610645_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console, then click on "Configuration". Click the down arrow to view Apps. Find "LDAP Sync". Click "Add Server". Complete the settings using guidance from https://docs.tanium.com/platform_user/platform_user/console_using_ldap.html. Click "Show Preview to Continue". Review the users and groups to be imported. Save the configuration.

b

The Tanium Application Server must be configured to only use Microsoft Active Directory for account management functions.

AC-2 - Medium - CCI-000015 - V-234049 - SV-234049r612749_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000015

Version

TANS-CN-000003

Vuln IDs

V-234049
V-92069

Rule IDs

SV-234049r612749_rule
SV-102171

By restricting access to the Tanium Server to only Microsoft Active Directory, user accounts and related permissions can be strictly monitored. Account management will be under the operational responsibility of the System Administrator for the Windows Operation System Active Directory.

Checks: C-37234r610647_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Consult with the Tanium System Administrator to review the documented list of Tanium users. Compare the list of Tanium users versus the users found in the appropriate Active Directory security groups for the User Roles. If there are any console users who are listed in the Tanium console that are not found in a synced Active Directory security group, this is a finding. Alternatively, the ISSO can document the non-synced Active Directory security group users and accept the risk for the users. If this is the case, this would no longer be a finding.

Fix: F-37199r610648_fix

Consult with the Tanium System Administrator to review the documented list of Tanium users. Compare the list of Tanium users versus the users found in the appropriate Active Directory security groups for the User Roles. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on "Administration". Select the "Users" tab. Any users populated manually, select the user's name, and then click on the ""trashcan"" icon at the top of the console to delete this user. Note: Consult with the Tanium System Administrator before deleting any user accounts to ensure any scheduled actions or other content is reassigned to another user. This will prevent any potential issues arising from the deletion of a user.

b

Tanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.

AC-3 - Medium - CCI-000213 - V-234050 - SV-234050r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CN-000004

Vuln IDs

V-234050
V-92071

Rule IDs

SV-234050r612749_rule
SV-102173

Computer Groups allow a site running Tanium to assign responsibility of specific Computer Groups to specific Tanium console users. By doing so, a desktop administrator, for example, will not have the ability to enforce an action against a high visibility server. For large sites, it is crucial to have the Computer Groups and while a smaller site might not seem to require Computer Groups, creating them provides for a cleaner implementation. All sites will be required to have some kind of Computer Groups configured other than the default "All Computers".

Checks: C-37235r610650_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Computer Groups" tab. Under the "Name" column, verify specific groups exist other than the default "All Computers" and "No Computers". If site or organization specific computer groups do not exist, this is a finding.

Fix: F-37200r610651_fix

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Computer Groups" tab. Configure specific Computer Groups in order to facilitate the management of computers by authorized individuals for those computers. Note: Tanium offers two ways to define computer groups. Refer to documentation for explanation found here: https://docs.tanium.com/platform_user/platform_user/console_computer_groups.html#Computer_Group_types. Note: Active Directory Computer Groups may also be used to sync with Tanium Computer Groups as a means to satisfy this requirement.

b

Documentation identifying Tanium console users, their respective functional roles, and computer groups must be maintained.

AC-3 - Medium - CCI-000213 - V-234051 - SV-234051r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CN-000005

Vuln IDs

V-234051
V-92073

Rule IDs

SV-234051r612749_rule
SV-102175

System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate functional role, with the least privileged access possible to perform assigned tasks being the recommended best practice. Users who have been removed from the documentation should no longer be configured as a Tanium Console User. Consider removing users that have not logged onto the system within a predetermined time frame. When using Active Directory synchronization, as is required by this STIG, User Roles assignments are via the LDAP Sync. To change a Tanium user's functional role, their Active Directory account needs to be assigned to the AD security group, which correlates with the applicable functional role.

Checks: C-37236r610653_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users. The users' functional roles, computer groups, and correlated Active Directory security groups must be documented. If the site does not have the Tanium users and their respective functional roles, computer groups, and correlated Active Directory security groups documented, this is a finding.

Fix: F-37201r610654_fix

Prepare and maintain documentation identifying the Tanium console users and their respective User Roles and AD security groups.

c

Role-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.

AC-3 - High - CCI-000213 - V-234052 - SV-234052r612749_rule

RMF Control

AC-3

Severity

H

CCI

Version

TANS-CN-000006

Vuln IDs

V-234052
V-92075

Rule IDs

SV-234052r612749_rule
SV-102177

User accessibility to various Tanium Server functions performed via the console can be restricted by functional roles, a combination of User Role(s), and Content Set(s) assigned through User Group membership. Functional roles are assigned to users via Active Directory Group membership. System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate functional role, with the least privileged access possible to perform assigned tasks being the recommended best practice. Consider removing users that have not logged onto the system within a predetermined time frame.

Checks: C-37237r610656_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users. Analyze the users configured in the Tanium interface. Review the users' respective approved roles, as well as the correlated Active Directory Group for the Tanium functional roles. Validate Active Directory Groups/Tanium functional roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium functional roles assignment, this is a finding.

Fix: F-37202r610657_fix

Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory Group in order to ensure the user is synced to the appropriate Tanium functional role. If appropriate Active Directory Groups are not already configured, create the Groups and add the appropriate users. Ensure LDAP sync repopulates the Tanium Users' associated functional roles accordingly.

b

Tanium console users User Roles must be validated against the documentation for User Roles.

AC-3 - Medium - CCI-000213 - V-234053 - SV-234053r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CN-000007

Vuln IDs

V-234053
V-92077

Rule IDs

SV-234053r612749_rule
SV-102179

System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate role, with the least privileged access possible to perform assigned tasks being the recommended best practice. Users who have been removed from the documentation should no longer be configured as a Tanium Console User. Consider removing users that have not logged onto the system within a predetermined time frame. When using Active Directory synchronization, as is required by this STIG, User Roles assignments are via the LDAP Sync, AD security groups correlate, one to one, to Tanium User Roles. To change a Tanium user's User Role, their Active Directory account needs to be moved to the AD security group, which correlates with the applicable User Role.

Checks: C-37238r610659_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Verify each user against the Tanium-approved users list. Review the assigned roles for each user against the "User Functional Role" column. If any user exists in Tanium but is not on the Tanium-approved users list and/or if any user exists in Tanium at a more elevated User Functional Role than that documented on the list, this is a finding.

Fix: F-37203r610660_fix

When using Active Directory synchronization, as is required by this STIG, User Roles assignments are assigned by LDAP sync. AD security groups correlate, one to one, to Tanium User Roles. To change a Tanium user's User Functional Role, their Active Directory account needs to be moved to the AD security group, which correlates with the applicable User Functional Role. Access the Active Directory server. Locate the account(s), which have been determined to have the incorrect User Functional Roles in Tanium. Review the Tanium-related AD Security Groups to which the user account(s) belong that directly correlate to the incorrect Tanium User Functional Roles. Remove the user account(s) from the incorrect Tanium User Roles, ensuring the user account(s) are still members of the Tanium-related AD Security Groups for which they have been documented to be authorized.

b

Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.

AC-3 - Medium - CCI-000213 - V-234054 - SV-234054r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CN-000008

Vuln IDs

V-234054
V-92079

Rule IDs

SV-234054r612749_rule
SV-102181

System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate role, with the least privileged access possible to perform assigned tasks being the recommended best practice. Users who have been removed from the documentation should no longer be configured as a Tanium Console User. Consider removing users that have not logged onto the system within a predetermined time frame.

Checks: C-37239r610662_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users and their respective, approved Computer Group rights. If the documented list does not have the Tanium users and their respective, approved Computer Group rights documented, this is a finding.

Fix: F-37204r610663_fix

Prepare and maintain documentation identifying the Tanium console users and their respective Computer Group rights.

b

Tanium console users Computer Group rights must be validated against the documentation for Computer Group rights.

AC-3 - Medium - CCI-000213 - V-234055 - SV-234055r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CN-000009

Vuln IDs

V-234055
V-92081

Rule IDs

SV-234055r612749_rule
SV-102183

System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate role, with the least privileged access possible to perform assigned tasks being the recommended best practice. Users who have been removed from the documentation should no longer be configured as a Tanium Console User. Consider removing users that have not logged onto the system within a predetermined time frame.

Checks: C-37240r610665_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Verify each user against the approved users list. Review the assigned Computer Groups for each user by selecting the user then clicking view user. View Computer Groups for the user. If any user exists in Tanium but is not on the Tanium-approved users list and/or if any user exists in Tanium with more Computer Groups than documented, this is a finding.

Fix: F-37205r610666_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. For any user(s) in Tanium, which is not on the approved, documented Tanium user list, access Microsoft Windows Active Directory Management. Remove, the respective user(s) from the AD Security Group in which those user(s) are members. For any user in Tanium which has not been assigned one or more Computer Groups as has been documented in the Computer Groups list, access the Microsoft Windows Active Directory Management. Add the respective user(s) to the AD Security Groups applicable for the functional roles for which the user(s) have been documented to be authorized. Click "Save".

c

Common Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with privileged accounts.

IA-2 - High - CCI-000765 - V-234056 - SV-234056r612749_rule

RMF Control

IA-2

Severity

H

CCI

CCI-000765

Version

TANS-CN-000010

Vuln IDs

V-234056
V-92083

Rule IDs

SV-234056r612749_rule
SV-102185

To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following: (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This not only meets a common requirement in the Federal space but adds a critical layer of security to the user authentication process. Satisfies: SRG-APP-000149, SRG-APP-000151

Checks: C-37241r610668_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.* $Note: This regedit should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging on. It must use the syntax similar to LDAP://<AD instance FQDN>. If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.

Fix: F-37206r610669_fix

Use the vendor documentation titled "Reference: Smart card authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM). Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.

b

Firewall rules must be configured on the Tanium Server for Console-to-Server communications.

CM-7 - Medium - CCI-001762 - V-234057 - SV-234057r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-CN-000014

Vuln IDs

V-234057
V-92085

Rule IDs

SV-234057r612749_rule
SV-102187

An HTML5 based application, the Tanium Console runs from any device with a browser that supports HTML5. For security, the HTTP and SOAP communication to the Tanium Server is SSL encrypted, so the Tanium Server installer configures the server to listen for HTTP and SOAP requests on port 443. Without a proper connection to the Tanium Server, access to the system capabilities could be denied. Port Needed: To Tanium Server over TCP port 443. Network firewall rules: Allow HTTP traffic on TCP port 443 from any computer on the internal network to the Tanium Server device. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-37242r610671_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: From only designated Tanium console user clients to Tanium Server over TCP port 443. If a host-based firewall rule does not exist to allow only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic from only designated Tanium console user clients to Tanium Server over TCP ports 443. If a network firewall rule does not exist to allow traffic from only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding.

Fix: F-37207r610672_fix

Configure host-based firewall rules on the Tanium Server to include the following required traffic: Allow TCP traffic on port 433 to the Tanium Server from designated Tanium console user clients. Configure the network firewall to allow the above traffic.

b

The publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.

AC-8 - Medium - CCI-001384 - V-234058 - SV-234058r612749_rule

RMF Control

AC-8

Severity

M

CCI

CCI-001384

Version

TANS-CN-000015

Vuln IDs

V-234058
V-92087

Rule IDs

SV-234058r612749_rule
SV-102189

Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for desktops, laptops, and other devices accommodating banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Satisfies: SRG-APP-000070, SRG-APP-000068, SRG-APP-000069

Checks: C-37243r610674_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). If a DoD-approved use notification banner does not display prior to logon, this is a finding.

Fix: F-37208r610675_fix

Create an .html file composed of the DoD-authorized warning banner verbiage. Name the file "warning_banner.html". Copy the .html file to the Tanium Server’s http folder. Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "console_PreLoginBannerHTML" for "Setting Name:". Enter "warning_banner.html" for "Setting Value:". Enter Server for "Affects:". Enter Text for "Value Type:". Click "Save".

b

Tanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

AU-5 - Medium - CCI-000139 - V-234059 - SV-234059r612749_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

TANS-CN-000016

Vuln IDs

V-234059
V-92089

Rule IDs

SV-234059r612749_rule
SV-102191

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Checks: C-37244r610677_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Sources. If no "Sources" exist to send audit logs from the Tanium SQL Server to a SIEM tool, this is a finding. Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected. If there is no alert configured, this is a finding.

Fix: F-37209r610678_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure "Sources" to send audit logs from the Tanium SQL Server to a SIEM tool. Work with the SIEM administrator to configure an alert when no audit data is received from Tanium based on the defined schedule of connections.

b

Flaw remediation Tanium applications must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

SI-2 - Medium - CCI-001233 - V-234060 - SV-234060r612749_rule

RMF Control

SI-2

Severity

M

CCI

CCI-001233

Version

TANS-CN-000018

Vuln IDs

V-234060
V-92091

Rule IDs

SV-234060r612749_rule
SV-102193

Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the system components may remain vulnerable to the exploits presented by undetected software flaws. To support this requirement, the flaw remediation application may have automated mechanisms that perform automated scans for security-relevant software updates (e.g., patches, service packs, and hot fixes) and security vulnerabilities of the information system components being monitored. For example, a method of compliance would be an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools as specified in the requirement.

Checks: C-37245r610680_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action targeting all machines that is titled either "Patch - Distribute Scan Configuration" or "Patch Management - Run Patch Scan". If there is no Scheduled Action for patching or the Scheduled Action is less frequent than every "30" days, this is a finding.

Fix: F-37210r610681_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action targeting all machines that is titled either "Patch - Distribute Scan Configuration" or "Patch Management - Run Patch Scan". Make sure the action is enabled, and configure it to reissue at a minimum, every "30" days.

b

Tanium must notify SA and ISSO when accounts are created.

AC-2 - Medium - CCI-001683 - V-234061 - SV-234061r612749_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001683

Version

TANS-CN-000019

Vuln IDs

V-234061
V-92093

Rule IDs

SV-234061r612749_rule
SV-102195

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-37246r610683_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from Tanium to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are created. If there is no alert configured, this is a finding.

Fix: F-37211r610684_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are created.

b

Tanium must notify SA and ISSO when accounts are modified.

AC-2 - Medium - CCI-001684 - V-234062 - SV-234062r612749_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001684

Version

TANS-CN-000020

Vuln IDs

V-234062
V-92095

Rule IDs

SV-234062r612749_rule
SV-102197

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-37247r610686_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are modified. If there is no alert configured, this is a finding.

Fix: F-37212r610687_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure a source to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are modified.

b

The Tanium application must notify SA and ISSO of account enabling actions.

AC-2 - Medium - CCI-002132 - V-234063 - SV-234063r612749_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002132

Version

TANS-CN-000021

Vuln IDs

V-234063
V-92097

Rule IDs

SV-234063r612749_rule
SV-102199

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure the existence of an audit trail, which documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, applications must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-37248r610689_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when account-enabling actions are performed. If there is no alert configured, this is a finding.

Fix: F-37213r610690_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when account-enabling actions are performed.

b

The Tanium application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.

AU-5 - Medium - CCI-001855 - V-234064 - SV-234064r612749_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

TANS-CN-000022

Vuln IDs

V-234064
V-92099

Rule IDs

SV-234064r612749_rule
SV-102201

If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion.

Checks: C-37249r610692_chk

Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Sources. If none exist to send Disk Free Space of the Tanium SQL Server, this is a finding. Work with the SIEM administrator to determine if an alert is configured when Disk Free Space of the Tanium SQL Server reaches below 25%. If there is no alert configured, this is a finding.

Fix: F-37214r610693_fix

Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Interact". Enter "Get Disk Free Space from all machines with Computer Name containing "[Your SQL Computer Name]. Press "Enter". Select "Save this question" located under the Question box. Enter a name (e.g., SQL Disk Free Space). Select "Create Saved Question". Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Select "Create Connection". In the Sources and Destination section, select "Saved Question" from the drop-down menu. Enter the "Saved Question Name" created above or select from the drop-down menu. Select the "Computer Group" name from the drop-down menu. Select the desired destination from the drop-down menu (must be a SIEM tool). In the General Information section, provide a name and description. Select "Create Connection" at bottom of the page. Work with the SIEM administrator to configure an alert when Disk Free Space of the Tanium SQL Server reaches below 25% of maximum.

b

The Tanium enterprise audit log reduction option must be configured to provide alerts based off Tanium audit data.

AU-5 - Medium - CCI-001858 - V-234065 - SV-234065r612749_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

TANS-CN-000023

Vuln IDs

V-234065
V-92101

Rule IDs

SV-234065r612749_rule
SV-102203

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks: C-37250r610695_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. Select the "Audit Log" source. Select the audit connection found in the lower half of the screen. Verify the "Destination Type" is a SIEM tool. If the "Destination Type" is not a SIEM tool, this is a finding.

Fix: F-37215r610696_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "Create Connection". In the Source and Destination Section, select "Audit Log" as the Event Source from the drop-down menu. In the "Destination" section, select "Socket Receiver" from the drop-down menu. Enter "Destination Name". Enter "Host". Enter "Network Protocol". Enter "Port". Consult documentation located at https://docs.tanium.com/connect/connect/index.html for reference on configuring other applicable SIEM connections. Work with the SIEM administrator to configure alerts based on audit failures.

b

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

IA-2 - Medium - CCI-001941 - V-234066 - SV-234066r612749_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001941

Version

TANS-CN-000027

Vuln IDs

V-234066
V-92103

Rule IDs

SV-234066r612749_rule
SV-102205

To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following: (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: SRG-APP-000148, SRG-APP-000005, SRG-APP-000150, SRG-APP-000152, SRG-APP-000080, SRG-APP-000156, SRG-APP-000177, SRG-APP-000185, SRG-APP-000186, SRG-APP-000190, SRG-APP-000315, SRG-APP-000316, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403

Checks: C-37251r610698_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.* $Note: This regedit should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging on. It must use the syntax similar to LDAP://<AD instance FQDN>. If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.

Fix: F-37216r610699_fix

Use the vendor documentation titled "Reference: Smart card authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM). Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.

b

Tanium must notify SA and ISSO for account disabling actions.

AC-2 - Medium - CCI-001685 - V-234067 - SV-234067r612749_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001685

Version

TANS-CN-000032

Vuln IDs

V-234067
V-92105

Rule IDs

SV-234067r612749_rule
SV-102207

When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-37252r610701_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are disabled. If there is no alert configured, this is a finding.

Fix: F-37217r610702_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are disabled.

b

Tanium must notify SA and ISSO for account removal actions.

AC-2 - Medium - CCI-001686 - V-234068 - SV-234068r612749_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001686

Version

TANS-CN-000033

Vuln IDs

V-234068
V-92107

Rule IDs

SV-234068r612749_rule
SV-102209

When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-37253r610704_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are deleted. If there is no alert configured, this is a finding.

Fix: F-37218r610705_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are deleted.

b

The Tanium application must prohibit user installation of software without explicit privileged status.

AU-9 - Medium - CCI-001493 - V-234069 - SV-234069r612749_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

TANS-CN-000036

Vuln IDs

V-234069
V-92109

Rule IDs

SV-234069r612749_rule
SV-102211

Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. This requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications. Satisfies: SRG-APP-000378, SRG-APP-000380, SRG-APP-000121, SRG-APP-000122, SRG-APP-000123

Checks: C-37254r610707_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users. Review the users' respective approved roles, as well as the correlated Active Directory security group for the User Roles. Validate Active Directory security groups/Tanium roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium Roles assignment, this is a finding.

Fix: F-37219r610708_fix

Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory security group in order to ensure the user is synced to the appropriate Tanium User Role. If the appropriate Active Directory security groups are not already configured, create the groups and add the appropriate users. Ensure LDAP sync repopulates the Tanium Users' associated Roles accordingly.

b

Documentation defining Tanium functional roles must be maintained.

AC-3 - Medium - CCI-000213 - V-234070 - SV-234070r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-CN-000037

Vuln IDs

V-234070
V-92111

Rule IDs

SV-234070r612749_rule
SV-102213

System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate role, with the least privileged access possible to perform assigned tasks being the recommended best practice. Users who have been removed from the documentation should no longer be configured as a Tanium Console User. Consider removing users that have not logged onto the system within a predetermined time frame.

Checks: C-37255r610710_chk

Consult with the Tanium System Administrator to review the documented list of Tanium functional roles. If the documentation does not define functional roles, this is a finding.

Fix: F-37220r610711_fix

Consult with the Tanium System Administrator to review the documented list of Tanium functional roles. If the documentation does not define functional roles, this is a finding.

b

The Tanium database(s) must be installed on a separate system.

AC-23 - Medium - CCI-002346 - V-234071 - SV-234071r612749_rule

RMF Control

AC-23

Severity

M

CCI

CCI-002346

Version

TANS-DB-000001

Vuln IDs

V-234071
V-92113

Rule IDs

SV-234071r612749_rule
SV-102215

Failure to protect organizational information from data mining may result in a compromise of information. Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: limiting the types of responses provided to database queries, limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases, and notifying organizational personnel when atypical database queries or accesses occur.

Checks: C-37256r610713_chk

Consult with the Tanium System Administrator to determine the server to which the database has been installed and is configured. If the customer is using a Tanium Appliance, this is Not Applicable. If the database is installed on the same server as the Tanium Server or Tanium Module Server, this is a finding.

Fix: F-37221r610714_fix

Move the Tanium database from the Tanium Server or Tanium Module Server to a separate server.

b

The Tanium application database must be dedicated to only the Tanium application.

AC-23 - Medium - CCI-002346 - V-234072 - SV-234072r612749_rule

RMF Control

AC-23

Severity

M

CCI

CCI-002346

Version

TANS-DB-000002

Vuln IDs

V-234072
V-92115

Rule IDs

SV-234072r612749_rule
SV-102217

Failure to protect organizational information from data mining may result in a compromise of information. Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: limiting the types of responses provided to database queries; limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and notifying organizational personnel when atypical database queries or accesses occur.

Checks: C-37257r610716_chk

With the Tanium System Administrator's assistance, access the server on which the Tanium database(s) is installed. Review the Tanium database(s). If databases related to products other than Tanium exist in the Tanium database, this is a finding.

Fix: F-37222r610717_fix

Move the Tanium database from the server hosting multiple databases for products other than Tanium or remove other product databases co-located with Tanium database(s).

b

The access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.

CM-5 - Medium - CCI-001814 - V-234073 - SV-234073r612749_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001814

Version

TANS-DB-000003

Vuln IDs

V-234073
V-92117

Rule IDs

SV-234073r612749_rule
SV-102219

After the Tanium Server has been installed and the Tanium databases created, only the Tanium Receiver, Tanium Module, and Tanium connection manager (ad sync) service needs to access the SQL Server database.

Checks: C-37258r610719_chk

Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to a Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, review the roles assigned to the user accounts. (Note: This does not apply to service accounts.) If any user account has an elevated privilege role other than the assigned database administrators, this is a finding.

Fix: F-37223r610720_fix

Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to a Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, review the roles assigned to the user accounts. For any user accounts with elevated privileges, reduce the role assigned to a least privileged role.

b

The Tanium Server installers account database permissions must be reduced to an appropriate level.

CM-5 - Medium - CCI-001814 - V-234074 - SV-234074r612749_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001814

Version

TANS-DB-000004

Vuln IDs

V-234074
V-92119

Rule IDs

SV-234074r612749_rule
SV-102221

Creating the tanium and tanium_archive databases through the Tanium Server installer program or using the database create SQL scripts requires Sysadmin-level permissions. Once the databases have been created, the Tanium Server and Apache services must be configured to execute under an account that holds at least the dbo role on both databases. Post-installation, if the account used to configure the Tanium Server services to access the remote SQL database server holds only the Database Owner role, rather than the sysadmin role, consider granting this account the View Server State permission on the SQL Server. While not strictly necessary, this dynamic management view enables the Tanium Server to access data faster than the dbo role alone.

Checks: C-37259r610722_chk

Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, review the role assigned to the Tanium Server service user account. If the role assigned to the Tanium Server service account is not "db_owner", this is a finding. If using Postgres: Only owners of objects can change them. To view all functions, triggers, and trigger procedures, their ownership and source, as the database administrator (shown here as "postgres") run the following SQL: $ sudo su - postgres $ psql -x -c "\df+"

Fix: F-37224r610723_fix

Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, right-click the Tanium Server service user account. On the shortcut menu, click "Properties". Under Database role membership, change role from "sysadmin" to "db_owner". Click "OK". If using Postgres: Configure PostgreSQL to enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). Use ALTER ROLE to remove accesses from roles: $ psql -c "ALTER ROLE <role_name> NOSUPERUSER"

b

Firewall rules must be configured on the Tanium Server for Server-to-Database communications.

CM-7 - Medium - CCI-001762 - V-234075 - SV-234075r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-DB-000005

Vuln IDs

V-234075
V-92121

Rule IDs

SV-234075r612749_rule
SV-102223

The Tanium Server can use either a SQL Server RDBMS installed locally to the same device as the Tanium Server application or a remote dedicated or shared SQL Server instance. Using a local SQL Server database typically requires no changes to network firewall rules since all communication remains on the Tanium application server device. To access database resources installed to a remote device, however, the Tanium Server service communicates over the port reserved for SQL, by default port 1433, to the database. Port Needed: Tanium Server to Remote SQL Server over TCP port 1433. Network firewall rules: Allow TCP traffic on port 1433 from the Tanium Server device to the remote device hosting the SQL Server RDBMS. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-37260r610725_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Remote SQL Server over TCP port 1433. If a host-based firewall rule does not exist to allow Tanium Server to Remote SQL Server over TCP port 1433, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow traffic from Tanium Server to Remote SQL Server over TCP port 1433. If a network firewall rule does not exist to allow traffic from Tanium Server to Remote SQL Server over TCP port 1433, this is a finding.

Fix: F-37225r610726_fix

Configure host-based firewall rules on the Tanium Server to include the following required traffic: Allow TCP traffic on port 1433 from the Tanium Server to the Remote SQL Server. Configure the network firewall to allow the above traffic.

b

SQL stored queries or procedures installed during Tanium installation must be removed from the Tanium Server.

SI-2 - Medium - CCI-002617 - V-234076 - SV-234076r612749_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

TANS-DB-000006

Vuln IDs

V-234076
V-92123

Rule IDs

SV-234076r612749_rule
SV-102225

Failure to protect organizational information from data mining may result in a compromise of information. Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: limiting the types of responses provided to database queries; limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and notifying organizational personnel when atypical database queries or accesses occur.

Checks: C-37261r610728_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files >> Tanium >> Tanium Server. If any SQL stored queries (.sql files) or procedures are found, this is a finding.

Fix: F-37226r610729_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files >> Tanium >> Tanium Server. Remove the SQL stored queries (.sql files) or procedures from the folder.

b

The Tanium Server must protect the confidentiality and integrity of transmitted information, in preparation to be transmitted and data at rest, with cryptographic signing capabilities enabled to protect the authenticity of communications sessions when making requests from Tanium Clients.

SC-28 - Medium - CCI-002476 - V-234077 - SV-234077r612749_rule

RMF Control

SC-28

Severity

M

CCI

CCI-002476

Version

TANS-SV-000001

Vuln IDs

V-234077
V-92125

Rule IDs

SV-234077r612749_rule
SV-102227

Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-APP-000429, SRG-APP-000440, SRG-APP-000441

Checks: C-37262r610731_chk

Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "ReportingTLSMode". Enter. If no results are returned, this is a finding. In the "Show Settings Containing:" search box type "StateProtectedFlag". Enter. If no results are returned or "StateProtectedFlag = 0", this is a finding. If results are returned for "ReportingTLSMode" but the value is "0", this is a finding.

Fix: F-37227r612218_fix

Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog window to the right, enter "ReportingTLSMode" for "Setting Name:". Enter "2" for "Setting Value:". Select "Client" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Click on "New Setting". In "New System Setting" dialog window to the right, enter "StateProtectedFlag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Client" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save".

b

The Tanium Application Server console must be configured to initiate a session lock after a 15-minute period of inactivity.

AC-11 - Medium - CCI-000057 - V-234078 - SV-234078r612749_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

TANS-SV-000002

Vuln IDs

V-234078
V-92127

Rule IDs

SV-234078r612749_rule
SV-102229

The Tanium Console, when CAC is enabled, will initiate a session lock based upon the ActivClient or other Smart Card software. By initiating the session lock, the console will be locked and not allow unauthorized access by anyone other than the original user. Although this setting does not apply when CAC is enabled, it should be explicitly disabled in the event CAC authentication is ever broken or removed.

Checks: C-37263r610734_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. After logging in, in the top right corner of the UI select the drop down arrow and click on "Preferences". Verify the "Suspend console automatically if no activity detected for:" is configured to a value of "15" minutes or less. If the "Suspend console automatically if no activity detected for:" is not configured to a value of "15" minutes or less, this is a finding.

Fix: F-37228r610735_fix

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. After logging in, in the top right corner of the UI, select the drop down arrow and click on "Preferences". For "Suspend console automatically if no activity detected for:" select a value of "15" minutes or less. Click "Save".

b

Tanium Trusted Content providers must be documented.

AC-17 - Medium - CCI-001453 - V-234079 - SV-234079r612749_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

TANS-SV-000003

Vuln IDs

V-234079
V-92129

Rule IDs

SV-234079r612749_rule
SV-102231

A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed computers. Sensors gather specific information from the local device and then write the results to the computer's standard output channel. The Tanium Client captures that output and forwards the results through the platform's unique "ring" architecture for display in the Tanium Console. The language used for Sensor development is based on the scripting engine available on the largest number of devices under management as well as the scripting experience and background of the people who will be responsible for creating new Sensors. VBScript and PowerShell are examples of common scripting languages used for developing sensors. Because errors in scripting can and will provide errant feedback at best and will impact functionality of the endpoint to which the content is directed, it is imperative to ensure content is only accepted from trusted sources.

Checks: C-37264r610737_chk

Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Consult with the Tanium System Administrator to review the documented list of trusted content providers along with the Hash for their respective public keys. If the site does not have the Tanium trusted content providers documented along with the SHA-256 Hash for their respective public keys, this is a finding.

Fix: F-37229r610738_fix

Prepare and maintain documentation identifying the Tanium trusted content providers along with the SHA-256 Hash from their respective public keys.

b

Content providers must provide their public key to the Tanium administrator to import for validating signed content.

AC-17 - Medium - CCI-001453 - V-234080 - SV-234080r612749_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

TANS-SV-000004

Vuln IDs

V-234080
V-92131

Rule IDs

SV-234080r612749_rule
SV-102233

A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed computers. Sensors gather specific information from the local device and then write the results to the computer's standard output channel. The Tanium Client captures that output and forwards the results through the platform's unique "ring" architecture for display in the Tanium Console. The language used for Sensor development is based on the scripting engine available on the largest number of devices under management as well as the scripting experience and background of the people who will be responsible for creating new Sensors. VBScript and PowerShell are examples of common scripting languages used for developing sensors. Because errors in scripting can and will provide errant feedback at best and will impact functionality of the endpoint to which the content is directed, it is imperative to ensure content is only accepted from trusted sources.

Checks: C-37265r610740_chk

Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. If the Tanium default content-release.pub key is the only key in the folder, this is not a finding. If there are documented content provider keys in the content folder, this is not a finding. If non-documented content provider keys are found in the content folder, this is a finding.

Fix: F-37230r610741_fix

Obtain the public key from the content providers and validate the keys are present in the Tanium folders. If the public keys are found for non-trusted content providers, remove the associated signing key and remove any content imported by that provider. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. Copy any Trusted Source's .pub key into the folder and document them. Remove any non-Trusted Source's .pub keys from the folder.

b

Tanium public keys of content providers must be validated against documented trusted content providers.

AC-17 - Medium - CCI-001453 - V-234081 - SV-234081r612749_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

TANS-SV-000005

Vuln IDs

V-234081
V-92133

Rule IDs

SV-234081r612749_rule
SV-102235

A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed computers. Sensors gather specific information from the local device and then write the results to the computer's standard output channel. The Tanium Client captures that output and forwards the results through the platform's unique "ring" architecture for display in the Tanium Console. The language used for Sensor development is based on the scripting engine available on the largest number of devices under management as well as the scripting experience and background of the people who will be responsible for creating new Sensors. VBScript and PowerShell are examples of common scripting languages used for developing sensors. Because errors in scripting can and will provide errant feedback at best and will impact functionality of the endpoint to which the content is directed, it is imperative to ensure content is only accepted from trusted sources.

Checks: C-37266r610743_chk

Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an "Explorer" window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. Ensure the public keys listed in the content folder are documented. If a public key, other than the default Tanium public key, resides in the content folder and is not documented, this is a finding.

Fix: F-37231r610744_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an "Explorer" window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. If a public key, other than the default Tanium public key, resides in the content folder, use a hashing utility (e.g., TaniumFileInfo.exe) to determine the hash of the public key. Document the owner, the name of the key, and the associated hash of the public key.

b

The Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.

AC-3 - Medium - CCI-000213 - V-234082 - SV-234082r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-SV-000006

Vuln IDs

V-234082
V-92135

Rule IDs

SV-234082r612749_rule
SV-102237

The Tanium Action Approval feature provides a "four eyes" control mechanism designed to achieve a high-level of security and reduce the possibility of error for critical operations. When this feature is enabled, an action configured by one Tanium console user will require a second Tanium console user with a role of Action Approver (or higher) to approve the action before it is deployed to targeted computers. While this system slows workflow, the reliability of actions deployed will be greater on the Packaging and Targeting.

Checks: C-37267r610746_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console then click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "require_action_approval". Click “Enter”. If no results are returned, this is a finding. If results are returned for "require_action_approval", but the value is not "1", this is a finding.

Fix: F-37232r610747_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console then click on "Administration". Select the "Global Settings" tab. If "require_action_approval" does not exist: click on "New Setting". In "New System Setting" dialog box, enter "require_action_approval" for "Setting Name:". Enter "1" for "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save".

b

The Tanium documentation identifying recognized and trusted Intel streams must be maintained.

AC-4 - Medium - CCI-001414 - V-234083 - SV-234083r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000007

Vuln IDs

V-234083
V-92137

Rule IDs

SV-234083r612749_rule
SV-102239

An IOC stream is a series or stream of IOCs that are imported from a vendor based on a subscription service. An IOC stream can be downloaded manually or on a scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-37268r610749_chk

Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used, if not this is Not Applicable. Review the documented list of IOC trusted stream sources. If the site does use an external source for IOCs and the IOC trusted stream source is not documented, this is a finding.

Fix: F-37233r610750_fix

Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used, if not this is Not Applicable. Prepare and maintain documentation identifying the Tanium Detect IOC trusted stream sources.

b

The Tanium Detect must be configured to receive IOC streams only from trusted sources.

AC-4 - Medium - CCI-001414 - V-234084 - SV-234084r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000008

Vuln IDs

V-234084
V-92139

Rule IDs

SV-234084r612749_rule
SV-102241

An IOC stream is a series or stream of intel that are imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Detect can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-37269r610752_chk

Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used, if not this is Not Applicable. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Detect". Expand the left menu. Click the "Management" tab. Select "Sources". Verify all configured Detect Streams are configured to a documented trusted source. If any configured Detect Stream is configured to a stream that has not been documented as trusted, this is a finding.

Fix: F-37234r610753_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Detect". Expand the left menu. Click the "Management" tab. Select "Sources". Click "New Source". Select the specified Source from the list. Fill out the specified information. Select "Create".

b

The Tanium Connect module must be configured to forward Tanium Detect events to identified destinations.

AU-7 - Medium - CCI-000158 - V-234085 - SV-234085r612749_rule

RMF Control

AU-7

Severity

M

CCI

CCI-000158

Version

TANS-SV-000010

Vuln IDs

V-234085
V-92141

Rule IDs

SV-234085r612749_rule
SV-102243

Indicators of Compromise (IOC) are artifacts, which are observed on the network or system that indicates computer intrusion. The Tanium Detect module detects, manages, and analyzes systems intrusion in real time. The module also responds to those detections. By forwarding Detect events using Tanium Connect, the necessary forensic evidence supporting a compromise is retained.

Checks: C-37270r610755_chk

Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used. If it is not, this is Not Applicable. Using a web browser on a system that has connectivity to Tanium, access the Tanium web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "Events" under "Sources". Verify the "Tanium IOC Detect" event is being sent to an identified destination. If there is no "Tanium IOC Detect" event source, this is a finding.

Fix: F-37235r610756_fix

Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used. If not this is Not Applicable. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "New Connection". Click "Create" or if importing "Import". Give the "Connection" a name and description. Select "Events" as the source. "Event Group" should be "Tanium Detect". Select the appropriate events to send. Consult with the Tanium System Administrator for the Destination. Click "Create Connection".

b

The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.

CM-5 - Medium - CCI-001749 - V-234086 - SV-234086r612749_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

TANS-SV-000014

Vuln IDs

V-234086
V-92143

Rule IDs

SV-234086r612749_rule
SV-102245

All of Tanium's signing capabilities should be enabled upon install. Tanium supports the cryptographic signing and verification before execution of all Sensors, Questions, Actions, Sensor Libraries, File Shards, etc. Enabling signing does away with the ability of an attacker to conduct Man in the Middle (MitM) attacks for the purposes of remote code execution and precludes the modification of the aforementioned data elements in transit. Additionally, Tanium supports object level signing for content ingested into the Tanium platform. This allows for the detection and rejection of changes to objects (sensors, actions, etc.) by even a privileged user within Tanium. Tanium has built-in signing capabilities enabled by default when installed. Cryptographic signing and verification of all Sensors, Questions, Actions, Sensor Libraries, File Shards, etc. before execution will be enforced by Tanium. Signing will prevent MitM remote code execution attacks and will protect data element in transit. Tanium also supports object level signing for content within the Tanium platform. Satisfies: SRG-APP-000131, SRG-APP-000233, SRG-APP-000317

Checks: C-37271r610758_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "sign_all_questions_flag". Click "Enter". If no results are returned, this is a finding. If results are returned for "sign_all_questions_flag" but the value is not "1", this is a finding.

Fix: F-37236r610759_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "sign_all_questions_flag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save".

b

The Tanium Server must be configured to only allow signed content to be imported.

CM-5 - Medium - CCI-001749 - V-234087 - SV-234087r612749_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

TANS-SV-000015

Vuln IDs

V-234087
V-92145

Rule IDs

SV-234087r612749_rule
SV-102247

Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The application should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.

Checks: C-37272r610761_chk

Note: This requirement only applies to Tanium implementations in production. If implementation being evaluated is in development, this requirement is Not Applicable. Access the Tanium Server through interactive logon. Drill to Program Files >> Tanium >> Tanium Server. Open the "tanium.license" in Notepad and search for "allow_unsigned_import". If "allow unsigned_import" is followed by ":true", this is a finding.

Fix: F-37237r610762_fix

Contact Tanium for a corrected license file.

b

All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.

CM-5 - Medium - CCI-001499 - V-234088 - SV-234088r612749_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001499

Version

TANS-SV-000016

Vuln IDs

V-234088
V-92147

Rule IDs

SV-234088r612749_rule
SV-102249

Typically, the Tanium Server stores the Package Source Files that it downloads from the Internet and server shares or files uploaded through the Tanium Console in a subdirectory of the server's installation directory called Downloads. To ensure package files are not accessible to non-authorized functions, the files must be re-located to outside of the server's installation directory.

Checks: C-37273r610764_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the "DownloadPath REG_SZ" value does not point to a location within the Tanium Server directory. If the "DownloadPath REG_SZ" value points to a location within the Tanium Server directory, this is a finding.

Fix: F-37238r610765_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Configure a directory elsewhere on the server to relocate the installation package files. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Change the "DownloadPath REG_SZ" value to point to the location of the relocated installation package files. Move the files from the original directory to the location created for the installation package files.

b

Firewall rules must be configured on the Tanium Server for Client-to-Server communications.

CM-7 - Medium - CCI-000382 - V-234089 - SV-234089r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-SV-000017

Vuln IDs

V-234089
V-92149

Rule IDs

SV-234089r612749_rule
SV-102251

In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed computers over port 17472. The Tanium environment can perform hundreds or thousands of times faster than other security or systems management tools because the Tanium Clients communicate in secure, linearly-controlled peer-to-peer rings. Because clients dynamically communicate with other nearby agents based on proximity and latency, rings tend to form automatically to match a customer's topology--endpoints in California will form one ring while endpoints in Germany will form a separate ring. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html

Checks: C-37274r610767_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate rules exist, as required, to include: Between Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.

Fix: F-37239r610768_fix

Configure host-based and network firewall rules as required, to include Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.

b

Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.

CM-7 - Medium - CCI-000382 - V-234090 - SV-234090r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-SV-000018

Vuln IDs

V-234090
V-92151

Rule IDs

SV-234090r612749_rule
SV-102253

In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Server-to-Client requirements. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html

Checks: C-37275r610770_chk

Note: If a Zone Server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. Access the host-based firewall configuration on the Tanium Zone Server. Validate a rule exists for the following: Port Needed: Tanium Clients to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Clients to the Tanium Zone Server, this is a finding.

Fix: F-37240r610771_fix

Configure host-based firewall rules as required, to include Tanium Clients to Zone Server over TCP port 17472.

b

The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

CM-7 - Medium - CCI-000382 - V-234091 - SV-234091r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-SV-000019

Vuln IDs

V-234091
V-92153

Rule IDs

SV-234091r612749_rule
SV-102255

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Checks: C-37276r610773_chk

Review the PPSM CAL to ensure Tanium has been registered with all of the TCP ports required for functionality to include (but not limited to) TCP 17472, 17477, 17440, 17441, 443, and 1433. If any TCP ports are being used on the Tanium Server that have been deemed as restricted by the PPSM CAL, this is a finding.

Fix: F-37241r610774_fix

Submit a formal request to have the Tanium communication ports evaluated and added to the PPSM CAL.

b

The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.

IA-5 - Medium - CCI-000185 - V-234092 - SV-234092r612749_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

TANS-SV-000020

Vuln IDs

V-234092
V-92155

Rule IDs

SV-234092r612749_rule
SV-102257

Information can be either unintentionally or maliciously disclosed or modified during reception including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When receiving data, applications need to leverage protection mechanisms, such as TLS, SSL VPNs, or IPsec.

Checks: C-37277r610776_chk

Access the Tanium Application server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files >> Tanium >> Tanium Server. Locate the "SOAPServer.crt" file. Double-click on the file to open the certificate. Select the "Details" tab. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.

Fix: F-37242r610777_fix

Request or regenerate the certificate being used to include both the "Server Authentication" and "Client Authentication" objects.

c

The Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.

IA-5 - High - CCI-000186 - V-234093 - SV-234093r612749_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000186

Version

TANS-SV-000021

Vuln IDs

V-234093
V-92157

Rule IDs

SV-234093r612749_rule
SV-102259

If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.

Checks: C-37278r610779_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to >> Program Files >> Tanium >> Tanium Server. Right-click on the "Certs" folder. Choose "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read Only" permissions. Validate the [Tanium service account] has "Read Only" permissions. Validate [Tanium Admins group] has Full permissions. If the owner of the directory is not the [Tanium service account] and/or System and the [Tanium service account] has more privileges than "Read Only" and/or the [Tanium Admins group] has less than Full permissions, this is a finding. Navigate to Program Files >> Tanium >> Tanium Server >> Certs. Right-click on each of the following files: Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Installedcacert.crt Installed-server.crt Installed-server.key SOAPServer.crt SOAPServer.key Validate System and the [Tanium service account] have "Read-Only" permissions to each of the individual files, and the [Tanium Admin group] has Full permissions to each of the individual files. If System and the [Tanium service account] have more than "Read-Only" permissions to any of the individual files and/or the [Tanium Admin group] has less than Full permissions to any of the individual files, this is a finding. Navigate to Program Files >> Tanium >> Tanium Server >> content_public_keys. Right-click on each of the following files: Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate System has "Read-Only" permissions and is applied to child objects. Validate [Tanium service account] has "Read-Only" permissions and is applied to child objects. Validate [Tanium Admin Group] has Full permissions and is applied to child objects. If the [Tanium service account] and system permissions to the \content_public_keys folder is greater than "Read-Only" and/or the "Read-Only" permissions have not been applied to child objects and/or the [Tanium Admin Group] has less than Full permissions, this is a finding.

Fix: F-37243r610780_fix

Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to >> Program Files >> Tanium >> Tanium Server. Right-click on "Certs" folder. Choose "Properties". Select the "Security" tab. Click on the "Advanced" button. Change the owner of the directory to the [Tanium service account]. Reduce System and the [Tanium service account] to "Read-Only" permissions. Provide the [Tanium Admin group] with Full permissions. Navigate to >> Program Files >> Tanium >> Tanium Server >> Certs. Right-click on each of the following files: Select "Properties". Select the "Security" tab. Click on the "Advanced" button. For the following files, reduce System and the [Tanium service account] to "Read-Only": Installedcacert.crt Installed-server.crt Installed-server.key SOAPServer.crt SOAPServer.key Ensure the [Tanium Admin group] has Full permissions for those same files. Navigate to >> Program Files >> Tanium >> Tanium Server >> content_public_keys. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Reduce System to "Read-Only" permissions. – apply to child objects. Reduce [Tanium service account] to "Read-Only" permissions. – apply to child objects. Provide [Tanium Admin group] with Full permissions - apply to child objects.

b

The Tanium Module server must be installed on a separate system.

SC-2 - Medium - CCI-001082 - V-234094 - SV-234094r612749_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

TANS-SV-000023

Vuln IDs

V-234094
V-92159

Rule IDs

SV-234094r612749_rule
SV-102261

Unauthorized access to the Tanium Server is protected by disabling the Module Server service on the Tanium Server and by configuring the Module Server on a separate system. When X509 smartcard certificates (CAC or PIV tokens) are used for access to the Tanium Server, the Tanium Module server must be on a separate system. In order to restrict access to the Tanium Server resulting from an attack on the Module Server, it is recommended that the Tanium Module Server be installed on a separate system or VM from the Tanium Server. Adding to this recommendation, if the Tanium Server is configured to accept X509 Smartcard certificates (also referred to as CAC or PIV tokens) in lieu of username/password logon, the requirement becomes explicit and the Tanium Module Server must be installed on a separate system or VM.

Checks: C-37279r610782_chk

Note: If the server being validated is the Module server, this check is Not Applicable. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Click "Start". Access the Server Manager. Select Local Server. In upper right corner, click "Tools". Select "Services". If the Tanium Module Server service is "Running", this is a finding.

Fix: F-37244r610783_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Click "Start". Access the Server Manager. Select "Local Server". In the upper right corner, click "Tools". Select "Services". Disable the Tanium Module Server service.

b

The Tanium Server directory must be restricted with appropriate permissions.

AC-3 - Medium - CCI-002165 - V-234095 - SV-234095r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-SV-000024

Vuln IDs

V-234095
V-92161

Rule IDs

SV-234095r612749_rule
SV-102263

Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Checks: C-37280r610785_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium. Right-click on the "Tanium Server" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate the owner of the "Tanium Server" folder is the service account [Tanium service account]. Validate the [Tanium service account] has full permissions to the "Tanium Server" folder. Validate the [Tanium Admins] group has full permissions to the "Tanium Server" folder. Validate Users have no permissions to the "Tanium Server" folder. If any accounts other than the [Tanium service account] and the [Tanium Admins] group have any permission to the "Tanium Server" folder, this is a finding. If the [Tanium service account] is not the owner of the "Tanium Server" folder, this is a finding.

Fix: F-37245r610786_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium. Right-click on the "Tanium Server" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Disable folder inheritance. Change the owner of the directory to the service account [Tanium service account]. Remove User permissions. Give [Tanium service account] full permissions. Give [Tanium Admins] group full permissions.

b

The Tanium Server http directory and sub-directories must be restricted with appropriate permissions.

AC-3 - Medium - CCI-002165 - V-234096 - SV-234096r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-SV-000025

Vuln IDs

V-234096
V-92163

Rule IDs

SV-234096r612749_rule
SV-102265

Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Checks: C-37281r610788_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Tanium Server\http" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium Admins] group has full permissions. Validate System has Read-Only permissions. Right-click on the "Tanium Server\http\libraries" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has Read-Only permissions. Validate the [Tanium service account] has Read-Only permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\taniumjs" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium service account] has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium service account] has "Read Only" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux-console" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium service account] has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Logs" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium Service Account] has only "Modify" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\TDL_Logs" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium Service Account] has only "Modify" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Certs" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. Navigate to Tanium Server >> Certs. For the following files verify System and [Tanium Service Account] have "Read-Only" permissions: installedcacert.crt installed-server.crt installed-server.key SOAPServer.crt SOAPServer.key Right-click on the "Tanium Server\content_public_keys" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium Service Account] has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. If any of the above permissions are not configured correctly, this is a finding.

Fix: F-37246r610789_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Tanium Server\http folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Change/verify the [Tanium Admins] group has full permissions. Reduce System to "Read-Only" permissions. Right-click on the "Tanium Server\http\libraries" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\taniumjs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux-console" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Logs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] to "Modify" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\TDL_Logs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] to "Modify" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Certs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Navigate to Tanium Server >> Certs. For the following files verify/reduce System and [Tanium Service Account] to "Read-Only" permissions: installedcacert.crt installed-server.crt installed-server.key SOAPServer.crt SOAPServer.key Right-click on the "Tanium Server\content_public_keys" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions - apply to child objects. Reduce [Tanium service account] to "Read-Only" permissions - apply to child objects. Change/verify the [Tanium Admins] group has full permissions.

b

The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.

AC-3 - Medium - CCI-002165 - V-234097 - SV-234097r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-SV-000026

Vuln IDs

V-234097
V-92165

Rule IDs

SV-234097r612749_rule
SV-102267

Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Checks: C-37282r610791_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Right-click on "Tanium Server". Select "Permissions". Click on the "Security" tab. Click on the "Advanced" button. Validate the [Tanium service account] has full permissions. Validate the [Tanium Admins] group has full permissions. Validate the SYSTEM account has full permissions. Validate the User accounts do not have any permissions. If any other account has full permissions and/or the User account has any permissions, this is a finding.

Fix: F-37247r610792_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Right-click on "Tanium Server". Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Provide the [Tanium service account] with full permissions. Provide the [Tanium Admins] group with full permissions. Reduce permissions for any other accounts with full permissions. Remove permissions for User accounts.

b

The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.

AC-3 - Medium - CCI-002165 - V-234098 - SV-234098r612749_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-SV-000027

Vuln IDs

V-234098
V-92167

Rule IDs

SV-234098r612749_rule
SV-102269

Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Checks: C-37283r610794_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium service account] privileges is only account with modify permissions on the directory. Validate the [Tanium Administrators] group has full permissions on the directory. Right-click on the "TDL_Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium service account] privileges is the only account with modify permissions on the directory. Validate the [Tanium Administrators] group has full permissions on the directory. If any of the specified permissions are not set as required, this is a finding.

Fix: F-37248r610795_fix

Access the Tanium Server interactively. Log on to their server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] privileges to modify permissions on the directory. Ensure [Tanium Admins] group has full permissions on the directory. Right-click on the "TDL_Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] privileges to modify permissions on the directory. Ensure [Tanium Admins] group has full permissions on the directory.

b

All Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.

AC-6 - Medium - CCI-002235 - V-234099 - SV-234099r612749_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002235

Version

TANS-SV-000028

Vuln IDs

V-234099
V-92169

Rule IDs

SV-234099r612749_rule
SV-102271

Tanium has the ability to synchronize with Active Directory for Tanium account management. Tanium advises that all replicated accounts for non-privileged level functions should be non-privileged domain accounts. In doing so, should a vulnerability in the industry standard OpenSSL libraries used by Tanium ever come to light, no privileged account information could be gained by an attacker. This is simply good housekeeping and should be exercised with any such platform product.

Checks: C-37284r610797_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Review each of the users listed and determine their Active Directory synced account. Access one of the domain's Active Directory Domain Controller servers with a Domain Administrator account. Review each of the Users for which a synced account is in the Tanium console as a user. Validate whether any of the users are considered to be non-privileged in Active Directory, yet have privileged capabilities in Tanium. If any of the non-privileged Active Directory accounts have elevated privileges and are synced as a Tanium privileged account, this is a finding.

Fix: F-37249r610798_fix

Access Active Directory with appropriate credentials. For each User, where a synced account is in the Tanium console as a privileged user, adjust the user to an appropriate security group in Active Directory. Verify, after syncing with Tanium, the non-privileged user account is no longer in a privileged role within Tanium.

b

A Tanium connector must be configured to send log data to an external audit log reduction capable system.

AU-4 - Medium - CCI-001851 - V-234100 - SV-234100r612749_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

TANS-SV-000029

Vuln IDs

V-234100
V-92171

Rule IDs

SV-234100r612749_rule
SV-102273

While the Tanium Server records audit log entries to the Tanium SQL database, retrieval and aggregation of log data through the Tanium console is not efficient. The Tanium Connect module allows for SIEM connectors in order to facilitate forensic data retrieval and aggregation efficiently. Consult documentation at https://docs.tanium.com/connect/connect/index.html for supported Connections.

Checks: C-37285r610800_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. Select the "Audit Log" source. Select the audit connection found in the lower half of the screen. Verify the "Destination Type" is a SIEM tool. If the "Destination Type" is not a SIEM tool, this is a finding.

Fix: F-37250r610801_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "Create Connection". In the Source and Destination Section, select "Audit Log" as the Event Source from the drop-down menu. In the "Destination" section, select "Socket Receiver" from the drop-down menu. Enter "Destination Name". Enter "Host". Enter "Network Protocol". Enter "Port". Consult documentation located at https://docs.tanium.com/connect/connect/index.html for reference on configuring other applicable SIEM connections.

b

File integrity monitoring of critical executables that Tanium uses must be configured.

CM-11 - Medium - CCI-001811 - V-234101 - SV-234101r612749_rule

RMF Control

CM-11

Severity

M

CCI

CCI-001811

Version

TANS-SV-000030

Vuln IDs

V-234101
V-92173

Rule IDs

SV-234101r612749_rule
SV-102275

Tanium inherently watches files and their respective hash values for change but while Tanium can do file integrity checks of critical executables, it is important to conduct File Integrity Monitoring (FIM) via an outside service such as Host Based Security System (HBSS) or similar security suites with FIM capability. These technologies provide independent monitoring of critical Tanium and system binaries.

Checks: C-37286r610803_chk

If the site is using Tanium Integrity Monitor, Tanium Integrity Monitor should be used to monitor the file integrity of Tanium critical files. If Tanium Integrity Monitor is not installed, a third-party file integrity-monitoring tool must be used to monitor Tanium critical executables, defined files within the Tanium Server directory path. If the file integrity of Tanium critical executables is not monitored, this is a finding.

Fix: F-37251r610804_fix

Implement a file integrity monitoring system to monitor the Tanium critical executable files.

b

Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.

CM-7 - Medium - CCI-001762 - V-234102 - SV-234102r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-SV-000031

Vuln IDs

V-234102
V-92175

Rule IDs

SV-234102r612749_rule
SV-102277

The Tanium Module Server is used to extend the functionality of Tanium through the use of various workbenches. The Tanium Module Server requires communication with the Tanium Server on port 17477. Without a proper connection from the Tanium Server to the Tanium Module Server, access to the system capabilities could be denied. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-37287r610806_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Module Server. Access the host-based firewall configuration on the Tanium Module Server. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.

Fix: F-37252r610807_fix

Configure host-based firewall rules on the Tanium Module Server to include the following required traffic: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. Configure the network firewall to allow the above traffic.

b

Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications.

CM-7 - Medium - CCI-001762 - V-234103 - SV-234103r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-SV-000032

Vuln IDs

V-234103
V-92177

Rule IDs

SV-234103r612749_rule
SV-102279

The Tanium Module Server is used to extend the functionality of Tanium through the use of various workbenches. The Tanium Module Server requires communication with the Tanium Server on port 17477. Without a proper connection from the Tanium Server to the Tanium Module Server, access to the system capabilities could be denied. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-37288r610809_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.

Fix: F-37253r610810_fix

Configure host-based firewall rules on the Tanium Server to allow the following required traffic: Allow TCP traffic on port 17477 to the Tanium Module Server from the Tanium Server. Configure the network firewall to allow the above traffic.

b

Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.

CM-7 - Medium - CCI-001762 - V-234104 - SV-234104r612749_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-SV-000033

Vuln IDs

V-234104
V-92179

Rule IDs

SV-234104r612749_rule
SV-102281

If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. This is the only configuration that requires you to allow outbound traffic on port 17472 from the Tanium Server device. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers. See the Zone Server Configuration page for more details. Port Needed: Tanium Server to Zone Server over TCP port 17472. Network firewall rules: Allow TCP traffic on port 17472 from the Zone Server Hub, usually the Tanium Server device, to the destination DMZ devices(s) hosting the Zone Server(s). Endpoint firewall rules - for additional security, configure the following endpoint firewall rules: Allow TCP traffic outbound on port 17472 from only the Zone Server Hub process running on the Tanium Server device. Allow TCP traffic inbound on port 17472 to only the Zone Server process running on the designated Zone Server device(s). https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-37289r610812_chk

Note: If a Zone Server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Server to the Tanium Zone Server, this is a finding.

Fix: F-37254r610813_fix

Configure host-based firewall rules on the Tanium Zone server to include the following required traffic: Allow Tanium Server to Zone Server over TCP port 17472. Configure the network firewall to allow the above traffic.

b

The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.

SC-13 - Medium - CCI-002450 - V-234105 - SV-234105r612749_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

TANS-SV-000035

Vuln IDs

V-234105
V-92181

Rule IDs

SV-234105r612749_rule
SV-102283

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Checks: C-37290r610815_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a DWORD "SSLHonorCipherOrder" with a value of "0x00000001" (hex). If the DWORD "SSLHonorCipherOrder" does not exist with a value of "0x00000001" (hex), this is a finding.

Fix: F-37255r610816_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the DWORD "SSLHonorCipherOrder" to have a value of 0x00000001 (hex).

b

The Tanium Server certificate must be signed by a DoD Certificate Authority.

SC-23 - Medium - CCI-002470 - V-234106 - SV-234106r612749_rule

RMF Control

SC-23

Severity

M

CCI

CCI-002470

Version

TANS-SV-000036

Vuln IDs

V-234106
V-92183

Rule IDs

SV-234106r612749_rule
SV-102285

The Tanium Server has the option to use a "self-signed" certificate or a Trusted Certificate Authority signed certificate for SSL connections. During evaluations of Tanium in Lab settings, customers often conclude that a "self-signed" certificate is an acceptable risk. However, in production environments it is critical that a SSL certificate signed by a Trusted Certificate Authority be used on the Tanium Server in lieu of an untrusted and insecure "self-signed" certificate.

Checks: C-37291r610818_chk

Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. When connected, review the Certificate for the Tanium Server: In Internet Explorer, right-click on the page. Select "Properties". Click on the "Certificates" tab. On the "General" tab, validate the Certificate shows as issued by a DOD Root CA. On Certification "Path" tab, validate the path top-level is a DoD Root CA. If the certificate authority is not DoD Root CA, this is a finding.

Fix: F-37256r610819_fix

Request or regenerate the certificate from a DoD Root Certificate Authority.

b

Any Tanium configured EMAIL RESULTS connectors must be configured to enable TLS/SSL to encrypt communications.

SC-8 - Medium - CCI-002422 - V-234107 - SV-234107r612749_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002422

Version

TANS-SV-000037

Vuln IDs

V-234107
V-92185

Rule IDs

SV-234107r612749_rule
SV-102287

Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec. An example of this would be the SMTP queue. The SMTP mail protocol places email messages into a centralized queue prior to transmission. If someone were to modify an email message contained in the queue and the SMTP protocol did not check to ensure the email message was not modified while it was stored in the queue, a modified email could be sent.

Checks: C-37292r610821_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Destinations listed. If an "Email" Destination does not exist, this is not a finding. Select "Email" destination. Select each Connection found in the lower half of the screen. Verify "Enable TLS" is "true". If "Enable TLS" is "false", this is a finding.

Fix: F-37257r610822_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Destinations listed. Select "Email" destination. Select the Connection found in the lower half of the screen. Click "Edit" on the top right of the summary page. Under the "Source and Destination" section, select the "Enable TLS" checkbox under the "Mail Configuration". Confirm the rest of the data is correct. Click "Save" at the bottom of the page. Do this for all Connections configured with an "Email" destination.

b

Tanium Server files must be excluded from on-access antivirus actions.

CM-6 - Medium - CCI-000366 - V-234108 - SV-234108r612749_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-SV-000040

Vuln IDs

V-234108
V-92187

Rule IDs

SV-234108r612749_rule
SV-102289

Similar to any other host-based applications, the Tanium Server is subject to the restrictions other System-level software may place on an operating environment. Antivirus, IPS, Encryption, or other security and management stack software may disallow the Tanium Server from working as expected. https://docs.tanium.com/platform_install/platform_install/reference_host_system_security_exceptions.html.

Checks: C-37293r610824_chk

Consult with the Tanium System Administrator to determine the antivirus software used on the Tanium Server. Review the settings of the antivirus software. Validate exclusions exist which exclude the Tanium program files from being scanned by antivirus on-access scans. If exclusions do not exist, this is a finding.

Fix: F-37258r610825_fix

Implement exclusion policies within the antivirus software solution to prevent on-access scanning of Tanium Server program files.

b

Tanium Server files must be protected from file encryption actions.

CM-6 - Medium - CCI-000366 - V-234109 - SV-234109r612749_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-SV-000043

Vuln IDs

V-234109
V-92189

Rule IDs

SV-234109r612749_rule
SV-102291

Similar to any other host-based applications, the Tanium Server is subject to the restrictions other System-level software may place on an operating environment. Antivirus, Encryption, or other security and management stack software may disallow the Tanium Server from working as expected. https://docs.tanium.com/platform_install/platform_install/reference_host_system_security_exceptions.html.

Checks: C-37294r610827_chk

Consult with the Tanium System Administrator to determine the file-level encryption software used on the Tanium Server. Review the settings for the file-level encryption software. Validate exclusions exist which exclude the Tanium program files from being encrypted by the file-level encryption software. If exclusions do not exist, this is a finding.

Fix: F-37259r610828_fix

Implement excluding policies within the file-level encryption software solution to exclude encryption of the Tanium Server program files.

b

The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.

SC-13 - Medium - CCI-002450 - V-234110 - SV-234110r612749_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

TANS-SV-000044

Vuln IDs

V-234110
V-92191

Rule IDs

SV-234110r612749_rule
SV-102293

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Checks: C-37295r610830_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Click "Enter". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a String "SSLCipherSuite" with a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK If the String "SSLCipherSuite" does not exist with the appropriate list values, this is a finding.

Fix: F-37260r610831_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the String "SSLCipherSuite" to have a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

b

The Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.

AC-10 - Medium - CCI-000054 - V-234111 - SV-234111r612749_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

TANS-SV-000045

Vuln IDs

V-234111
V-92193

Rule IDs

SV-234111r612749_rule
SV-102295

Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system, session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

Checks: C-37296r610833_chk

Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "max_soap_sessions_total". Click "Enter". If no results are returned, this is a finding. If results are returned for "max_soap_sessions_total", but the value is not the value defined in the system documentation, this is a finding.

Fix: F-37261r610834_fix

Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box enter "max_soap_sessions_total" for "Setting Name:". Work with a Tanium Technical Account Manager (TAM) for a proper value and enter this for the "Setting Value:". Select "Server" from "Affects drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Add this setting to the system documentation for validation.

b

The Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.

AC-10 - Medium - CCI-000054 - V-234112 - SV-234112r612749_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

TANS-SV-000046

Vuln IDs

V-234112
V-92195

Rule IDs

SV-234112r612749_rule
SV-102297

Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

Checks: C-37297r610836_chk

Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "max_soap_sessions_per_user". Click "Enter". If no results are returned, this is a finding. If results are returned for "max_soap_sessions_per_user", but the value is not the value defined in the system documentation, this is a finding.

Fix: F-37262r610837_fix

Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box enter "max_soap_sessions_per_user" for "Setting Name:". Work with a Tanium Technical Account Manager (TAM) for a proper value, and enter this for the "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Add this setting to the system documentation for validation.

b

The Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.

AC-10 - Medium - CCI-000054 - V-234113 - SV-234113r612749_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

TANS-SV-000047

Vuln IDs

V-234113
V-92197

Rule IDs

SV-234113r612749_rule
SV-102299

Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

Checks: C-37298r610839_chk

Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "soap_max_keep_alive". Click "Enter". If no results are returned, this is a finding. If results are returned for "soap_max_keep_alive ", but the value is not the value defined in the system documentation, this is a finding.

Fix: F-37263r610840_fix

Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box enter "soap_max_keep_alive" for "Setting Name:". Work with a Tanium Technical Account Manager (TAM) for a proper value, and enter this for the "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Add this setting to the system documentation for validation.

b

The Tanium documentation identifying recognized and trusted folders for Detect Local Directory Source must be maintained.

AC-4 - Medium - CCI-001414 - V-234114 - SV-234114r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000048

Vuln IDs

V-234114
V-92199

Rule IDs

SV-234114r612749_rule
SV-102301

An IOC stream is a series or "stream" of IOCs that are imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Detect can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-37299r610842_chk

Consult with the Tanium System Administrator to review the documented list of folder maintainers for Detect Local Directory Source. If the site does not leverage Local Directory Source to import IOCs, this finding is Not Applicable. If the site does use Local Directory Source to import IOCs and the folder maintainers are not documented, this is a finding.

Fix: F-37264r610843_fix

Prepare and maintain documentation identifying the Tanium IOC Local Directory Source maintainers.

b

The Tanium Detect Local Directory Source must be configured to restrict access to only authorized maintainers of Intel.

AC-4 - Medium - CCI-001414 - V-234115 - SV-234115r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000049

Vuln IDs

V-234115
V-92201

Rule IDs

SV-234115r612749_rule
SV-102303

An IOC stream is a series or ""stream"" of intel that are imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Detect can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-37300r610845_chk

Consult with the Tanium System Administrator to determine if the Tanium Detect module is being used, if not then this finding is Not Applicable. If being used then determine where they get their IOC Stream. Access the Tanium Module Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Module Server >> services >> detect3-files Right-click on the folder and choose "Properties". Select the "Security" tab. Click on the "Advanced" button. If the accounts listed in the "Security" tab do not match the list of accounts found in the Tanium documentation, this is a finding.

Fix: F-37265r610846_fix

Consult with the Tanium System Administrator to determine if the "Detect" module is being used, if not then this is Not Applicable. Access the Tanium Module Server interactively. Log on to their server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Module Server >> services >> detect3-files Right-click on the folder and choose "Properties". Select the "Security" tab. Click on the "Advanced" button. If the accounts listed in the "Security" tab do not match the list of accounts, with the exception of SYSTEM, remove the additionally listed accounts. If the accounts listed in the "Security" tab are missing accounts from the documentation, with the exception of SYSTEM, add the additionally listed accounts with a minimum of READ permissions.

b

The Tanium documentation identifying recognized and trusted SCAP sources must be maintained.

AC-4 - Medium - CCI-001414 - V-234116 - SV-234116r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000050

Vuln IDs

V-234116
V-92203

Rule IDs

SV-234116r612749_rule
SV-102305

NIST validated SCAP XML documents are provided from several possible sources such as DISA, NIST, and the other non-government entities. These documents are used as the basis of compliance definitions leveraged to automate compliance auditing of systems. These documents are updated on different frequencies and must be manually downloaded on regular intervals and imported in order to be current. Non-approved SCAP definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-37301r610848_chk

Consult with the Tanium System Administrator to review the documented list of trusted SCAP sources. If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for compliance validation, this finding is Not Applicable. If the site does use "Tanium Comply" and the source for SCAP content is not documented, this is a finding.

Fix: F-37266r610849_fix

If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for compliance validation, this finding is Not Applicable. Prepare and maintain documentation identifying the source of SCAP sources that will be used by "Tanium Comply" module.

b

The Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.

AC-4 - Medium - CCI-001414 - V-234117 - SV-234117r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000051

Vuln IDs

V-234117
V-92205

Rule IDs

SV-234117r612749_rule
SV-102307

OVAL XML documents are provided from several possible sources such as the CIS open source repository, or any number of vendor/3rd party paid repositories. These documents are used to automate the passive validation of vulnerabilities on systems and therefore require a reasonable level of confidence in their origin. Non-approved OVAL definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-37302r610851_chk

Consult with the Tanium System Administrator to review the documented list of trusted OVAL feeds. If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for passive vulnerability scanning, this finding is Not Applicable. Otherwise, if the site does use "Tanium Comply" and the source for OVAL content is not documented, this is a finding.

Fix: F-37267r610852_fix

If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for passive vulnerability scanning, this finding is Not Applicable. Prepare and maintain documentation identifying the source of OVAL feeds that will be used by "Tanium Comply" module.

b

Tanium Comply must be configured to receive SCAP content only from trusted sources.

AC-4 - Medium - CCI-001414 - V-234118 - SV-234118r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000052

Vuln IDs

V-234118
V-92207

Rule IDs

SV-234118r612749_rule
SV-102309

NIST-validated SCAP XML documents are provided from several possible sources such as DISA, NIST, and the other non-government entities. These documents are used as the basis of compliance definitions leveraged to automate compliance auditing of systems. These documents are updated on different frequencies and must be manually downloaded on regular intervals and imported in order to be current. Non-approved SCAP definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-37303r610854_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Configuration Compliance". Verify all imported compliance benchmarks are from a documented trusted source. If any compliance benchmark is found that does not come from a documented trusted source, this is a finding.

Fix: F-37268r610855_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Configuration Compliance". Delete any compliance benchmarks that come from non-trusted sources.

b

Tanium Comply must be configured to receive OVAL feeds only from trusted sources.

AC-4 - Medium - CCI-001414 - V-234119 - SV-234119r612749_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-SV-000053

Vuln IDs

V-234119
V-92209

Rule IDs

SV-234119r612749_rule
SV-102311

OVAL XML documents are provided from several possible sources such as the CIS open source repository, or any number of vendor/3rd party paid repositories. These documents are used to automate the passive validation of vulnerabilities on systems and therefore require a reasonable level of confidence in their origin. Non-approved OVAL definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-37304r610857_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Vulnerability". Verify all imported vulnerability sources are from a documented trusted source. If any vulnerability sources found do not match a documented trusted source, this is a finding.

Fix: F-37269r610858_fix

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Vulnerability". Delete any vulnerability sources, which are configured to non-trusted sources, or reconfigured to point to trusted sources.

b

The Tanium application must be configured in a High-Availability (HA) setup to ensure minimal loss of data and minimal disruption to mission processes in the event of a system failure.

SC-24 - Medium - CCI-001665 - V-234120 - SV-234120r612749_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001665

Version

TANS-SV-000054

Vuln IDs

V-234120
V-92211

Rule IDs

SV-234120r612749_rule
SV-102313

Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes.

Checks: C-37305r610860_chk

If the system is not considered mission critical, this is Not Applicable. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Packages". Browse to the package called "Distribute Tanium Standard Utilities". Select it. Press "Status". Observe the text underneath a package file indicating the file cache status. If the cache status represents only one Tanium Server, this is a finding.

Fix: F-37270r610861_fix

If the system is not considered mission critical, this is Not Applicable. Work with the Tanium System Administrator to configure Tanium in a HA Active-Active setup based on the process outlined in the Tanium documentation found at: https://docs.tanium.com/platform_install/platform_install/installing_an_ha_active_active_cluster.html.

b

The bandwidth consumption for the Tanium Application server must be limited.

SC-5 - Medium - CCI-001095 - V-234121 - SV-234121r612749_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

TANS-SV-000055

Vuln IDs

V-234121
V-92213

Rule IDs

SV-234121r612749_rule
SV-102315

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. The methods employed to meet this requirement will vary depending upon the technology the application utilizes. However, a variety of technologies exist to limit or, in some cases, eliminate the effects of application related DoS attacks. Employing increased capacity and bandwidth combined with specialized application layer protection devices and service redundancy may reduce the susceptibility to some DoS attacks.

Checks: C-37306r610863_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a DWORD "DownloadBytesPerSecondLimit". If the DWORD "DownloadBytesPerSecondLimit" does not exist with a value equal to the value recorded in the system documentation, this is a finding. Consult with your TAM for an appropriate value and record this in the system documentation. If this setting is not documented, this is a finding.

Fix: F-37271r610864_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the DWORD "DownloadBytesPerSecondLimit" to have a value that matches the value recorded in the system documentation.

b

The Tanium SQL Server RDBMS must be configured with sufficient free space to ensure audit logging is not impacted.

AU-4 - Medium - CCI-001849 - V-234122 - SV-234122r612749_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

TANS-SV-000056

Vuln IDs

V-234122
V-92215

Rule IDs

SV-234122r612749_rule
SV-102317

In order to ensure Tanium has sufficient storage capacity in which to write the audit logs, the SQL Server RDMBS must be configured with sufficient free space. Consult the server sizing documents located at https://docs.tanium.com/platform_install/platform_install/reference_host_system_sizing_guidelines.html to determine how much free space should be allocated.

Checks: C-37307r610866_chk

Access the Tanium SQL Server interactively. Log on to their server with an account that has administrative privileges. Consult server sizing documentation at https://docs.tanium.com/platform_install/platform_install/reference_host_system_sizing_guidelines.html and the Tanium system administrator to determine the recommended disk space sizing for the size of the Tanium deployment. Launch File Explorer. Check the total disk space allocated to the hard drive allocated for the Tanium SQL databases. Compare the allocated size against the recommended disk space sizing for the size of the Tanium deployment. If the allocated size is less than the recommended disk space, this is a finding.

Fix: F-37272r610867_fix

Work with the Tanium System Administrator and/or database administrator to allocate additional disk space for the volume hosting the Tanium SQL databases.

b

The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a Denial of Service (DoS) condition at the server.

SC-5 - Medium - CCI-002385 - V-234123 - SV-234123r612749_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

TANS-SV-000062

Vuln IDs

V-234123
V-92217

Rule IDs

SV-234123r612749_rule
SV-102319

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of applications to mitigate the impact of DoS attacks that have occurred or are ongoing on application availability. For each application, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

Checks: C-37308r610869_chk

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a DWORD "DownloadBytesPerSecondLimit" with a value matching what is in the system documentation. If the DWORD "DownloadBytesPerSecondLimit" does not exist with the correct value, this is a finding.

Fix: F-37273r610870_fix

Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the DWORD "DownloadBytesPerSecondLimit" to have a value consistent with the value found in the system documentation.

b

The Tanium Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

SI-2 - Medium - CCI-002605 - V-234124 - SV-234124r612749_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

TANS-SV-000064

Vuln IDs

V-234124
V-92219

Rule IDs

SV-234124r612749_rule
SV-102321

Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

Checks: C-37309r610872_chk

Consult with the Tanium System Administrator to review the documented time window designated for updates. If a window of time is not defined, or does not specify a reoccurring frequency, this is a finding. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Tanium Solutions". If any module has the text "Upgrade to" a newer (greater) version number compared to the Installed version number in the Tanium Modules section of the page, this is a finding. If the Tanium install is an air gap install, work with the Tanium Technical Account Manager (TAM) to determine if the modules are up to date.

Fix: F-37274r610873_fix

Work with the Tanium System Administrator to define the reoccurring time window designated for updates. Update the system documentation to reflect this window of time. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI. Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Tanium Solutions". Select any modules that indicate "Upgrade to" and proceed with importing the modules.

b

Tanium Server files must be excluded from host-based intrusion prevention intervention.

CM-6 - Medium - CCI-000366 - V-234125 - SV-234125r612749_rule

RMF Control

CM-6

Severity

M

CCI