Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Using a web browser on a system that has connectivity to Tanium, access the Tanium web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources under "Configured Sources and Destinations" section. If an "Audit Log" source does not exist, this is a finding.
Using a web browser on a system that has connectivity to Tanium, access the Tanium web UI. Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "Create Connection". In the "Source and Destination" section, select "Audit Log" as the source from the drop-down menu. In the "Destination" section, select the desired Destination and fill in the respective fields. In the "Format" section, select the desired file format type. In the "Schedule" section, select the desired schedule. Click "Create Connection".
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on the module "Integrity Monitor". Click on "Monitors" from the left menu. Ensure "Monitors" are deployed with applicable Watchlists and Endpoints. Record any that have a number greater than "0" otherwise, this is a finding. If using third party integrity monitoring tools, this is Not Applicable.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on the module "Integrity Monitor". Click "Watchlist" from the left menu. "Create a New Watchlist" in the upper right corner. Add Name and Description of the new Watchlist. Select "Path Style" that fits your enterprise needs. Select "Create". Click on the new Watchlist. Select "Add Paths". Add paths to be monitored (Work with your TAM to determine correct paths). Click "Monitor" from the left menu. "Create a New Monitor" in the upper right corner. Add "Name" Add "Description". Add computers for the new Monitor along with Watchlist. Click "Create". Select "Deploy Monitors".
Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on the navigation button (menu) on the top left of the console. Click on the "Protect Workbench". Select the arrow on the left-hand side to expand the menu. Click on "Policies". Click on the Policy with Policy Type named "AppLocker". If there is no policy type defined for "AppLocker", this is a finding. Ensure the computer group containing the Tanium server is showing as online and enforced. If the "AppLocker" policy enforcement does not contain the Tanium Server, then this is a finding. Under Policy Details ensure the Mode is set to "Blocking". If Mode is not set to "Blocking", this is a finding. Under "Policy Details" expand the arrow next to "Everyone". If all files are allowed, this is a finding. If additional paths are found, such as %PROGRAMFILES%\", "%WINDIR%" and "?:\Program Files\Tanium Server\", they must be documented. If additional file paths are found and have not been documented, this is a finding. If Tanium Protect is not available, this is not applicable.
Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on the navigation button (menu) on the top left of the console. Click on the "Protect Workbench". Select the arrow on the left-hand side to expand the menu. Click on "Policies". Click on "New Policy". Select "Create". Provide a name to the policy. Select "AppLocker" from the Policy Type menu. Within the policy, ensure the "Blocking" radio button is selected. In the "Allow" section, ensure the default rules for "All files located in the Program Files Folder" and "All Files located in the Windows folder" are present. If the Tanium Server is installed in a non-default location, then a rule needs to be created to allow that file path. All rules need Windows user set to "Everyone". Save the Policy. Click on "Add Enforcement". From the dropdown, select the computer group, which contains the Tanium Server. Select "enforce".
Consult with the Tanium System Administrator to review the documented list of Tanium users. If any users have access to Tanium Comply and are not on the list of documented users, this is a finding. If Tanium Comply is not installed, this check is Not Applicable.
Prepare and maintain documentation identifying the Tanium Comply users and their respective User Roles and AD security groups.
The Tanium endpoint makes a connection to the Tanium Server; the endpoint's copy of the Tanium Server's public key is used to verify the validity of the registration day coming from the Tanium Server. If any endpoint systems do not have the correct Tanium Server public key in its configuration, they will not perform any instructions from the Tanium Server and a record of those endpoints will be listed in the Tanium Server's System Status. To validate, Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "System Status" tab. Change "Show systems that have reported in the last:", enter "7" in the first field. Select "Days" from the drop down menu in the second field to determine if any endpoints connected with an invalid key. If any systems are listed with "No" in the "Valid Key" column, this is a finding.
For systems which do not have a valid key for the Tanium Server, redeploy the client software from Tanium using the Tanium Client Deployment Tool or work with the Tanium System Administrator to accomplish this.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Actions". Click on "Scheduled Actions". Look for a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory". If a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" does not exist, or there is a Scheduled Action contradicting the "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" scheduled action, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. On the Dashboard, select "Client Service Hardening". Select the "Set Client Directory Permissions". Tanium will parse the script and return a row for "Restricted" and a row for "Not Restricted", with their respective client counts. Click on the "Not Restricted" row. Select "Deploy Action". In the "Deploy Action" dialog box, the package "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" will be selected. The clients, which have their Tanium Client directory "Not Restricted" will be displayed in the bottom window. Choose a schedule to deploy the hardening. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. Click on "Deploy Action". Verify settings. Click on "Show Client Status Details".
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "AllQuestionsRequireSignatureFlag". Click "Enter". If no results are returned, this is a finding. If results are returned for "AllQuestionsRequireSignatureFlag" but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "AllQuestionsRequireSignatureFlag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Client" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save".
Note: This check is performed for the Tanium Endpoints and must be validated against the HBSS desktop firewall policy applied to the Endpoints. Consult with the HBSS administration for assistance. Validate a rule exists within the HBSS HIPS firewall policies for managed clients for the following: Port Needed: Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.
Configure host-based and network firewall rules as required.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service". If a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not restrict control of the Tanium Client service to Allow Only Local SYSTEM to Control Service, this is a finding. If the action is not configured to repeat at least once every 24 hours, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients matching the "Service Control is set to default permissions" query. Select the result line for "Service Control is set to default permissions". Choose "Deploy Action". Deployment Package drop-down select "Client Service Hardening - Allow Only Local SYSTEM to Control Service". Configure the schedule to repeat at least every 24 hours for the requested action. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. Click on "Show preview to continue". Non-compliant systems will be displayed at the bottom. Click on "Deploy Action". Verify settings. Click on "Show Client Status Details".
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs". If a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Hide From Add-Remove Programs". The results will show a "Count" of clients matching the "Tanium Client Visible in Add-Remove Programs" query. Select the result line. Choose "Deploy Action". The "Deploy Action" dialog box will display "Client Service Hardening - Hide Client from Add-Remove Programs" as the package. The computer names comprising the "Count" of non-compliant systems will be displayed in the bottom. Deployment Package drop-down select "Client Service Hardening - Hide Client from Add-Remove Programs". Configure the schedule to repeat at least every hour for the requested action. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. Click on "Show preview to continue". Non-compliant systems will be displayed in the bottom. Click on "Deploy Action". Verify settings. Click on "Show Client Status Details".
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory". If a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Set Client Directory Permissions". The results will show a "Count" of clients' compliant and non-compliant hardening for the "Tanium Client Directory Permissions". Non-compliant clients will have a count other than "0" for "Not Restricted" or "Error: No Permissions". Select each of the "Not Restricted" or "Error: No Permissions" statuses. Select "Deploy Action". In the "Deploy Action" dialog box, change the package to "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" as the package. Configure the schedule to repeat at least every hour for the requested action. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. Click on "Show preview to continue". Non-compliant systems will be displayed in the bottom. Click on "Deploy Action". Verify settings. Click on "Show Client Status Details".
Consult with the Tanium System Administrator to determine the antivirus used on the Tanium clients. Review the settings of the antivirus software. Validate exclusions exist which exclude the Tanium program files from being scanned by antivirus on-access scans. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software solution to exclude the on-access scanning of Tanium client program files.
Access the Tanium Module Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files(x86) >> Tanium >> Tanium Client Deployment Tool. If the file "psexec.exe" exists, this is a finding.
Access the Tanium Module Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files(x86) >> Tanium >> Tanium Client Deployment Tool. Remove the file "psexec.exe".
Consult with the Tanium System Administrator to determine the file-based encryption software used on the Tanium clients. Review the settings for the file-based encryption software. Validate exclusions exist which exclude the Tanium program files from being encrypted by the file-based encryption software. If exclusions do not exist, this is a finding.
Implement excluding policies within the file-based encryption software solution to exclude the file level encryption of the Tanium client program files.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "RandomSensorDelayInSeconds". Click "Enter". If no results are returned, this is a finding. If results are returned for "RandomSensorDelayInSeconds", but do not match the defined value in the system documentation, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "RandomSensorDelayInSeconds" for "Setting Name:". Consult with a Tanium TAM for an appropriate value for a given network. Enter the value for "Setting Value:". Select "Clients" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Document the value for later use.
Consult with the Tanium System Administrator to determine the HIPS software used on the Tanium Clients. Review the settings of the HIPS software. Validate exclusions exist which exclude the Tanium program files from being restricted by HIPS. If exclusions do not exist, this is a finding.
Implement exclusion policies within the HIPS software solution to exclude the Tanium client program files from HIPS intervention.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.* $Note: This regedit should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging in. It must use the syntax similar to LDAP://<AD instance FQDN> If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Reference: Smartcard authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM). Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console, then click on "Configuration". Click the down arrow to view Apps. Find "LDAP Sync". Verify a sync exists under "Enabled Servers". If no sync exists, this is a finding. If sync exists under "Disabled Servers", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console, then click on "Configuration". Click the down arrow to view Apps. Find "LDAP Sync". Click "Add Server". Complete the settings using guidance from https://docs.tanium.com/platform_user/platform_user/console_using_ldap.html. Click "Show Preview to Continue". Review the users and groups to be imported. Save the configuration.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Consult with the Tanium System Administrator to review the documented list of Tanium users. Compare the list of Tanium users versus the users found in the appropriate Active Directory security groups for the User Roles. If there are any console users who are listed in the Tanium console that are not found in a synced Active Directory security group, this is a finding. Alternatively, the ISSO can document the non-synced Active Directory security group users and accept the risk for the users. If this is the case, this would no longer be a finding.
Consult with the Tanium System Administrator to review the documented list of Tanium users. Compare the list of Tanium users versus the users found in the appropriate Active Directory security groups for the User Roles. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on "Administration". Select the "Users" tab. Any users populated manually, select the user's name, and then click on the ""trashcan"" icon at the top of the console to delete this user. Note: Consult with the Tanium System Administrator before deleting any user accounts to ensure any scheduled actions or other content is reassigned to another user. This will prevent any potential issues arising from the deletion of a user.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Computer Groups" tab. Under the "Name" column, verify specific groups exist other than the default "All Computers" and "No Computers". If site or organization specific computer groups do not exist, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Computer Groups" tab. Configure specific Computer Groups in order to facilitate the management of computers by authorized individuals for those computers. Note: Tanium offers two ways to define computer groups. Refer to documentation for explanation found here: https://docs.tanium.com/platform_user/platform_user/console_computer_groups.html#Computer_Group_types. Note: Active Directory Computer Groups may also be used to sync with Tanium Computer Groups as a means to satisfy this requirement.
Consult with the Tanium System Administrator to review the documented list of Tanium users. The users' functional roles, computer groups, and correlated Active Directory security groups must be documented. If the site does not have the Tanium users and their respective functional roles, computer groups, and correlated Active Directory security groups documented, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective User Roles and AD security groups.
Consult with the Tanium System Administrator to review the documented list of Tanium users. Analyze the users configured in the Tanium interface. Review the users' respective approved roles, as well as the correlated Active Directory Group for the Tanium functional roles. Validate Active Directory Groups/Tanium functional roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium functional roles assignment, this is a finding.
Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory Group in order to ensure the user is synced to the appropriate Tanium functional role. If appropriate Active Directory Groups are not already configured, create the Groups and add the appropriate users. Ensure LDAP sync repopulates the Tanium Users' associated functional roles accordingly.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Verify each user against the Tanium-approved users list. Review the assigned roles for each user against the "User Functional Role" column. If any user exists in Tanium but is not on the Tanium-approved users list and/or if any user exists in Tanium at a more elevated User Functional Role than that documented on the list, this is a finding.
When using Active Directory synchronization, as is required by this STIG, User Roles assignments are assigned by LDAP sync. AD security groups correlate, one to one, to Tanium User Roles. To change a Tanium user's User Functional Role, their Active Directory account needs to be moved to the AD security group, which correlates with the applicable User Functional Role. Access the Active Directory server. Locate the account(s), which have been determined to have the incorrect User Functional Roles in Tanium. Review the Tanium-related AD Security Groups to which the user account(s) belong that directly correlate to the incorrect Tanium User Functional Roles. Remove the user account(s) from the incorrect Tanium User Roles, ensuring the user account(s) are still members of the Tanium-related AD Security Groups for which they have been documented to be authorized.
Consult with the Tanium System Administrator to review the documented list of Tanium users and their respective, approved Computer Group rights. If the documented list does not have the Tanium users and their respective, approved Computer Group rights documented, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective Computer Group rights.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Verify each user against the approved users list. Review the assigned Computer Groups for each user by selecting the user then clicking view user. View Computer Groups for the user. If any user exists in Tanium but is not on the Tanium-approved users list and/or if any user exists in Tanium with more Computer Groups than documented, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. For any user(s) in Tanium, which is not on the approved, documented Tanium user list, access Microsoft Windows Active Directory Management. Remove, the respective user(s) from the AD Security Group in which those user(s) are members. For any user in Tanium which has not been assigned one or more Computer Groups as has been documented in the Computer Groups list, access the Microsoft Windows Active Directory Management. Add the respective user(s) to the AD Security Groups applicable for the functional roles for which the user(s) have been documented to be authorized. Click "Save".
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.* $Note: This regedit should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging on. It must use the syntax similar to LDAP://<AD instance FQDN>. If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Reference: Smart card authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM). Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: From only designated Tanium console user clients to Tanium Server over TCP port 443. If a host-based firewall rule does not exist to allow only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic from only designated Tanium console user clients to Tanium Server over TCP ports 443. If a network firewall rule does not exist to allow traffic from only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding.
Configure host-based firewall rules on the Tanium Server to include the following required traffic: Allow TCP traffic on port 433 to the Tanium Server from designated Tanium console user clients. Configure the network firewall to allow the above traffic.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). If a DoD-approved use notification banner does not display prior to logon, this is a finding.
Create an .html file composed of the DoD-authorized warning banner verbiage. Name the file "warning_banner.html". Copy the .html file to the Tanium Server’s http folder. Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "console_PreLoginBannerHTML" for "Setting Name:". Enter "warning_banner.html" for "Setting Value:". Enter Server for "Affects:". Enter Text for "Value Type:". Click "Save".
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Sources. If no "Sources" exist to send audit logs from the Tanium SQL Server to a SIEM tool, this is a finding. Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected. If there is no alert configured, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure "Sources" to send audit logs from the Tanium SQL Server to a SIEM tool. Work with the SIEM administrator to configure an alert when no audit data is received from Tanium based on the defined schedule of connections.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action targeting all machines that is titled either "Patch - Distribute Scan Configuration" or "Patch Management - Run Patch Scan". If there is no Scheduled Action for patching or the Scheduled Action is less frequent than every "30" days, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Scheduled Actions" tab. Look for a scheduled action targeting all machines that is titled either "Patch - Distribute Scan Configuration" or "Patch Management - Run Patch Scan". Make sure the action is enabled, and configure it to reissue at a minimum, every "30" days.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from Tanium to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are created. If there is no alert configured, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are created.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are modified. If there is no alert configured, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure a source to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are modified.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when account-enabling actions are performed. If there is no alert configured, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when account-enabling actions are performed.
Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Sources. If none exist to send Disk Free Space of the Tanium SQL Server, this is a finding. Work with the SIEM administrator to determine if an alert is configured when Disk Free Space of the Tanium SQL Server reaches below 25%. If there is no alert configured, this is a finding.
Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Interact". Enter "Get Disk Free Space from all machines with Computer Name containing "[Your SQL Computer Name]. Press "Enter". Select "Save this question" located under the Question box. Enter a name (e.g., SQL Disk Free Space). Select "Create Saved Question". Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Select "Create Connection". In the Sources and Destination section, select "Saved Question" from the drop-down menu. Enter the "Saved Question Name" created above or select from the drop-down menu. Select the "Computer Group" name from the drop-down menu. Select the desired destination from the drop-down menu (must be a SIEM tool). In the General Information section, provide a name and description. Select "Create Connection" at bottom of the page. Work with the SIEM administrator to configure an alert when Disk Free Space of the Tanium SQL Server reaches below 25% of maximum.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. Select the "Audit Log" source. Select the audit connection found in the lower half of the screen. Verify the "Destination Type" is a SIEM tool. If the "Destination Type" is not a SIEM tool, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "Create Connection". In the Source and Destination Section, select "Audit Log" as the Event Source from the drop-down menu. In the "Destination" section, select "Socket Receiver" from the drop-down menu. Enter "Destination Name". Enter "Host". Enter "Network Protocol". Enter "Port". Consult documentation located at https://docs.tanium.com/connect/connect/index.html for reference on configuring other applicable SIEM connections. Work with the SIEM administrator to configure alerts based on audit failures.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name REG_SZ "ClientCertificateAuthRegex" For example-DoD: .*\:\s*([^@]+)@.* $Note: This regedit should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" Note: This registry value defines which certificate file to use for authentication. For example: C:\Program Files\Tanium\Tanium Server\dod.pem REG_SZ "cac_ldap_server_url" Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging on. It must use the syntax similar to LDAP://<AD instance FQDN>. If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Reference: Smart card authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM). Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are disabled. If there is no alert configured, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are disabled.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are deleted. If there is no alert configured, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or Email Destination. Work with Email administrator to configure Email destination. Work with the SIEM administrator to configure an alert when accounts are deleted.
Consult with the Tanium System Administrator to review the documented list of Tanium users. Review the users' respective approved roles, as well as the correlated Active Directory security group for the User Roles. Validate Active Directory security groups/Tanium roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the Active Directory Groups/Tanium Roles assignment, this is a finding.
Analyze the users configured in the Tanium interface. Determine least privileged access required for each user to perform their respective duties. Move users to the appropriate Active Directory security group in order to ensure the user is synced to the appropriate Tanium User Role. If the appropriate Active Directory security groups are not already configured, create the groups and add the appropriate users. Ensure LDAP sync repopulates the Tanium Users' associated Roles accordingly.
Consult with the Tanium System Administrator to review the documented list of Tanium functional roles. If the documentation does not define functional roles, this is a finding.
Consult with the Tanium System Administrator to review the documented list of Tanium functional roles. If the documentation does not define functional roles, this is a finding.
Consult with the Tanium System Administrator to determine the server to which the database has been installed and is configured. If the customer is using a Tanium Appliance, this is Not Applicable. If the database is installed on the same server as the Tanium Server or Tanium Module Server, this is a finding.
Move the Tanium database from the Tanium Server or Tanium Module Server to a separate server.
With the Tanium System Administrator's assistance, access the server on which the Tanium database(s) is installed. Review the Tanium database(s). If databases related to products other than Tanium exist in the Tanium database, this is a finding.
Move the Tanium database from the server hosting multiple databases for products other than Tanium or remove other product databases co-located with Tanium database(s).
Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to a Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, review the roles assigned to the user accounts. (Note: This does not apply to service accounts.) If any user account has an elevated privilege role other than the assigned database administrators, this is a finding.
Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to a Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, review the roles assigned to the user accounts. For any user accounts with elevated privileges, reduce the role assigned to a least privileged role.
Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, review the role assigned to the Tanium Server service user account. If the role assigned to the Tanium Server service account is not "db_owner", this is a finding. If using Postgres: Only owners of objects can change them. To view all functions, triggers, and trigger procedures, their ownership and source, as the database administrator (shown here as "postgres") run the following SQL: $ sudo su - postgres $ psql -x -c "\df+"
Access the Tanium SQL server interactively. Log on to the server with an account that has administrative privileges. Open SQL Server Management Studio. Connect to Tanium instance of SQL Server. In the left pane, click "Databases". Select the Tanium database. Click "Security". Click "Users". In the "Users" pane, right-click the Tanium Server service user account. On the shortcut menu, click "Properties". Under Database role membership, change role from "sysadmin" to "db_owner". Click "OK". If using Postgres: Configure PostgreSQL to enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). Use ALTER ROLE to remove accesses from roles: $ psql -c "ALTER ROLE <role_name> NOSUPERUSER"
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Remote SQL Server over TCP port 1433. If a host-based firewall rule does not exist to allow Tanium Server to Remote SQL Server over TCP port 1433, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow traffic from Tanium Server to Remote SQL Server over TCP port 1433. If a network firewall rule does not exist to allow traffic from Tanium Server to Remote SQL Server over TCP port 1433, this is a finding.
Configure host-based firewall rules on the Tanium Server to include the following required traffic: Allow TCP traffic on port 1433 from the Tanium Server to the Remote SQL Server. Configure the network firewall to allow the above traffic.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files >> Tanium >> Tanium Server. If any SQL stored queries (.sql files) or procedures are found, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files >> Tanium >> Tanium Server. Remove the SQL stored queries (.sql files) or procedures from the folder.
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "ReportingTLSMode". Enter. If no results are returned, this is a finding. In the "Show Settings Containing:" search box type "StateProtectedFlag". Enter. If no results are returned or "StateProtectedFlag = 0", this is a finding. If results are returned for "ReportingTLSMode" but the value is "0", this is a finding.
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog window to the right, enter "ReportingTLSMode" for "Setting Name:". Enter "2" for "Setting Value:". Select "Client" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Click on "New Setting". In "New System Setting" dialog window to the right, enter "StateProtectedFlag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Client" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save".
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. After logging in, in the top right corner of the UI select the drop down arrow and click on "Preferences". Verify the "Suspend console automatically if no activity detected for:" is configured to a value of "15" minutes or less. If the "Suspend console automatically if no activity detected for:" is not configured to a value of "15" minutes or less, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. After logging in, in the top right corner of the UI, select the drop down arrow and click on "Preferences". For "Suspend console automatically if no activity detected for:" select a value of "15" minutes or less. Click "Save".
Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Consult with the Tanium System Administrator to review the documented list of trusted content providers along with the Hash for their respective public keys. If the site does not have the Tanium trusted content providers documented along with the SHA-256 Hash for their respective public keys, this is a finding.
Prepare and maintain documentation identifying the Tanium trusted content providers along with the SHA-256 Hash from their respective public keys.
Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. If the Tanium default content-release.pub key is the only key in the folder, this is not a finding. If there are documented content provider keys in the content folder, this is not a finding. If non-documented content provider keys are found in the content folder, this is a finding.
Obtain the public key from the content providers and validate the keys are present in the Tanium folders. If the public keys are found for non-trusted content providers, remove the associated signing key and remove any content imported by that provider. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. Copy any Trusted Source's .pub key into the folder and document them. Remove any non-Trusted Source's .pub keys from the folder.
Note: If only using Tanium provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an "Explorer" window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. Ensure the public keys listed in the content folder are documented. If a public key, other than the default Tanium public key, resides in the content folder and is not documented, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an "Explorer" window. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. If a public key, other than the default Tanium public key, resides in the content folder, use a hashing utility (e.g., TaniumFileInfo.exe) to determine the hash of the public key. Document the owner, the name of the key, and the associated hash of the public key.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console then click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "require_action_approval". Click “Enter”. If no results are returned, this is a finding. If results are returned for "require_action_approval", but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console then click on "Administration". Select the "Global Settings" tab. If "require_action_approval" does not exist: click on "New Setting". In "New System Setting" dialog box, enter "require_action_approval" for "Setting Name:". Enter "1" for "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save".
Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used, if not this is Not Applicable. Review the documented list of IOC trusted stream sources. If the site does use an external source for IOCs and the IOC trusted stream source is not documented, this is a finding.
Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used, if not this is Not Applicable. Prepare and maintain documentation identifying the Tanium Detect IOC trusted stream sources.
Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used, if not this is Not Applicable. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Detect". Expand the left menu. Click the "Management" tab. Select "Sources". Verify all configured Detect Streams are configured to a documented trusted source. If any configured Detect Stream is configured to a stream that has not been documented as trusted, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Detect". Expand the left menu. Click the "Management" tab. Select "Sources". Click "New Source". Select the specified Source from the list. Fill out the specified information. Select "Create".
Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used. If it is not, this is Not Applicable. Using a web browser on a system that has connectivity to Tanium, access the Tanium web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "Events" under "Sources". Verify the "Tanium IOC Detect" event is being sent to an identified destination. If there is no "Tanium IOC Detect" event source, this is a finding.
Consult with the Tanium System Administrator to determine if the "Tanium Detect" module is being used. If not this is Not Applicable. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "New Connection". Click "Create" or if importing "Import". Give the "Connection" a name and description. Select "Events" as the source. "Event Group" should be "Tanium Detect". Select the appropriate events to send. Consult with the Tanium System Administrator for the Destination. Click "Create Connection".
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "sign_all_questions_flag". Click "Enter". If no results are returned, this is a finding. If results are returned for "sign_all_questions_flag" but the value is not "1", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "sign_all_questions_flag" for "Setting Name:". Enter "1" for "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save".
Note: This requirement only applies to Tanium implementations in production. If implementation being evaluated is in development, this requirement is Not Applicable. Access the Tanium Server through interactive logon. Drill to Program Files >> Tanium >> Tanium Server. Open the "tanium.license" in Notepad and search for "allow_unsigned_import". If "allow unsigned_import" is followed by ":true", this is a finding.
Contact Tanium for a corrected license file.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Validate the "DownloadPath REG_SZ" value does not point to a location within the Tanium Server directory. If the "DownloadPath REG_SZ" value points to a location within the Tanium Server directory, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Configure a directory elsewhere on the server to relocate the installation package files. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Change the "DownloadPath REG_SZ" value to point to the location of the relocated installation package files. Move the files from the original directory to the location created for the installation package files.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate rules exist, as required, to include: Between Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.
Configure host-based and network firewall rules as required, to include Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.
Note: If a Zone Server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. Access the host-based firewall configuration on the Tanium Zone Server. Validate a rule exists for the following: Port Needed: Tanium Clients to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Clients to the Tanium Zone Server, this is a finding.
Configure host-based firewall rules as required, to include Tanium Clients to Zone Server over TCP port 17472.
Review the PPSM CAL to ensure Tanium has been registered with all of the TCP ports required for functionality to include (but not limited to) TCP 17472, 17477, 17440, 17441, 443, and 1433. If any TCP ports are being used on the Tanium Server that have been deemed as restricted by the PPSM CAL, this is a finding.
Submit a formal request to have the Tanium communication ports evaluated and added to the PPSM CAL.
Access the Tanium Application server interactively. Log on to the server with an account that has administrative privileges. Navigate to Program Files >> Tanium >> Tanium Server. Locate the "SOAPServer.crt" file. Double-click on the file to open the certificate. Select the "Details" tab. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.
Request or regenerate the certificate being used to include both the "Server Authentication" and "Client Authentication" objects.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to >> Program Files >> Tanium >> Tanium Server. Right-click on the "Certs" folder. Choose "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read Only" permissions. Validate the [Tanium service account] has "Read Only" permissions. Validate [Tanium Admins group] has Full permissions. If the owner of the directory is not the [Tanium service account] and/or System and the [Tanium service account] has more privileges than "Read Only" and/or the [Tanium Admins group] has less than Full permissions, this is a finding. Navigate to Program Files >> Tanium >> Tanium Server >> Certs. Right-click on each of the following files: Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Installedcacert.crt Installed-server.crt Installed-server.key SOAPServer.crt SOAPServer.key Validate System and the [Tanium service account] have "Read-Only" permissions to each of the individual files, and the [Tanium Admin group] has Full permissions to each of the individual files. If System and the [Tanium service account] have more than "Read-Only" permissions to any of the individual files and/or the [Tanium Admin group] has less than Full permissions to any of the individual files, this is a finding. Navigate to Program Files >> Tanium >> Tanium Server >> content_public_keys. Right-click on each of the following files: Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate System has "Read-Only" permissions and is applied to child objects. Validate [Tanium service account] has "Read-Only" permissions and is applied to child objects. Validate [Tanium Admin Group] has Full permissions and is applied to child objects. If the [Tanium service account] and system permissions to the \content_public_keys folder is greater than "Read-Only" and/or the "Read-Only" permissions have not been applied to child objects and/or the [Tanium Admin Group] has less than Full permissions, this is a finding.
Access the Tanium Server interactively. Log on with an account with administrative privileges to the server. Open an Explorer window. Navigate to >> Program Files >> Tanium >> Tanium Server. Right-click on "Certs" folder. Choose "Properties". Select the "Security" tab. Click on the "Advanced" button. Change the owner of the directory to the [Tanium service account]. Reduce System and the [Tanium service account] to "Read-Only" permissions. Provide the [Tanium Admin group] with Full permissions. Navigate to >> Program Files >> Tanium >> Tanium Server >> Certs. Right-click on each of the following files: Select "Properties". Select the "Security" tab. Click on the "Advanced" button. For the following files, reduce System and the [Tanium service account] to "Read-Only": Installedcacert.crt Installed-server.crt Installed-server.key SOAPServer.crt SOAPServer.key Ensure the [Tanium Admin group] has Full permissions for those same files. Navigate to >> Program Files >> Tanium >> Tanium Server >> content_public_keys. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Reduce System to "Read-Only" permissions. – apply to child objects. Reduce [Tanium service account] to "Read-Only" permissions. – apply to child objects. Provide [Tanium Admin group] with Full permissions - apply to child objects.
Note: If the server being validated is the Module server, this check is Not Applicable. Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Click "Start". Access the Server Manager. Select Local Server. In upper right corner, click "Tools". Select "Services". If the Tanium Module Server service is "Running", this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Click "Start". Access the Server Manager. Select "Local Server". In the upper right corner, click "Tools". Select "Services". Disable the Tanium Module Server service.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium. Right-click on the "Tanium Server" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate the owner of the "Tanium Server" folder is the service account [Tanium service account]. Validate the [Tanium service account] has full permissions to the "Tanium Server" folder. Validate the [Tanium Admins] group has full permissions to the "Tanium Server" folder. Validate Users have no permissions to the "Tanium Server" folder. If any accounts other than the [Tanium service account] and the [Tanium Admins] group have any permission to the "Tanium Server" folder, this is a finding. If the [Tanium service account] is not the owner of the "Tanium Server" folder, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium. Right-click on the "Tanium Server" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Disable folder inheritance. Change the owner of the directory to the service account [Tanium service account]. Remove User permissions. Give [Tanium service account] full permissions. Give [Tanium Admins] group full permissions.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Tanium Server\http" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium Admins] group has full permissions. Validate System has Read-Only permissions. Right-click on the "Tanium Server\http\libraries" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has Read-Only permissions. Validate the [Tanium service account] has Read-Only permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\taniumjs" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium service account] has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium service account] has "Read Only" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux-console" folder. Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium service account] has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Logs" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium Service Account] has only "Modify" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\TDL_Logs" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium Service Account] has only "Modify" permissions. Validate the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Certs" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. Navigate to Tanium Server >> Certs. For the following files verify System and [Tanium Service Account] have "Read-Only" permissions: installedcacert.crt installed-server.crt installed-server.key SOAPServer.crt SOAPServer.key Right-click on the "Tanium Server\content_public_keys" folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Validate Folder Inheritance is disabled. Validate the owner of the directory is the [Tanium service account]. Validate System has "Read-Only" permissions. Validate the [Tanium Service Account] has "Read-Only" permissions. Validate the [Tanium Admins] group has full permissions. If any of the above permissions are not configured correctly, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Tanium Server\http folder. Select "Properties". Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Change/verify the [Tanium Admins] group has full permissions. Reduce System to "Read-Only" permissions. Right-click on the "Tanium Server\http\libraries" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\taniumjs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\tux-console" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Reduce [Tanium service account] to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Logs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] to "Modify" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\http\TDL_Logs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] to "Modify" permissions. Change/verify the [Tanium Admins] group has full permissions. Right-click on the "Tanium Server\Certs" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions. Change/verify the [Tanium Admins] group has full permissions. Navigate to Tanium Server >> Certs. For the following files verify/reduce System and [Tanium Service Account] to "Read-Only" permissions: installedcacert.crt installed-server.crt installed-server.key SOAPServer.crt SOAPServer.key Right-click on the "Tanium Server\content_public_keys" folder. Select the "Security" tab. Click on the "Advanced" button. Verify/Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce System to "Read-Only" permissions - apply to child objects. Reduce [Tanium service account] to "Read-Only" permissions - apply to child objects. Change/verify the [Tanium Admins] group has full permissions.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Right-click on "Tanium Server". Select "Permissions". Click on the "Security" tab. Click on the "Advanced" button. Validate the [Tanium service account] has full permissions. Validate the [Tanium Admins] group has full permissions. Validate the SYSTEM account has full permissions. Validate the User accounts do not have any permissions. If any other account has full permissions and/or the User account has any permissions, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Run regedit as Administrator. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Right-click on "Tanium Server". Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Provide the [Tanium service account] with full permissions. Provide the [Tanium Admins] group with full permissions. Reduce permissions for any other accounts with full permissions. Remove permissions for User accounts.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium service account] privileges is only account with modify permissions on the directory. Validate the [Tanium Administrators] group has full permissions on the directory. Right-click on the "TDL_Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Validate the owner of the directory is the [Tanium service account]. Validate the [Tanium service account] privileges is the only account with modify permissions on the directory. Validate the [Tanium Administrators] group has full permissions on the directory. If any of the specified permissions are not set as required, this is a finding.
Access the Tanium Server interactively. Log on to their server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Server. Right-click on the "Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] privileges to modify permissions on the directory. Ensure [Tanium Admins] group has full permissions on the directory. Right-click on the "TDL_Logs" folder. Select "Properties". Click on the "Security" tab. Click on the "Advanced" button. Disable folder inheritance. Change/verify the owner of the directory to the [Tanium service account]. Reduce [Tanium service account] privileges to modify permissions on the directory. Ensure [Tanium Admins] group has full permissions on the directory.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Users" tab. Review each of the users listed and determine their Active Directory synced account. Access one of the domain's Active Directory Domain Controller servers with a Domain Administrator account. Review each of the Users for which a synced account is in the Tanium console as a user. Validate whether any of the users are considered to be non-privileged in Active Directory, yet have privileged capabilities in Tanium. If any of the non-privileged Active Directory accounts have elevated privileges and are synced as a Tanium privileged account, this is a finding.
Access Active Directory with appropriate credentials. For each User, where a synced account is in the Tanium console as a privileged user, adjust the user to an appropriate security group in Active Directory. Verify, after syncing with Tanium, the non-privileged user account is no longer in a privileged role within Tanium.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. Select the "Audit Log" source. Select the audit connection found in the lower half of the screen. Verify the "Destination Type" is a SIEM tool. If the "Destination Type" is not a SIEM tool, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Click "Create Connection". In the Source and Destination Section, select "Audit Log" as the Event Source from the drop-down menu. In the "Destination" section, select "Socket Receiver" from the drop-down menu. Enter "Destination Name". Enter "Host". Enter "Network Protocol". Enter "Port". Consult documentation located at https://docs.tanium.com/connect/connect/index.html for reference on configuring other applicable SIEM connections.
If the site is using Tanium Integrity Monitor, Tanium Integrity Monitor should be used to monitor the file integrity of Tanium critical files. If Tanium Integrity Monitor is not installed, a third-party file integrity-monitoring tool must be used to monitor Tanium critical executables, defined files within the Tanium Server directory path. If the file integrity of Tanium critical executables is not monitored, this is a finding.
Implement a file integrity monitoring system to monitor the Tanium critical executable files.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Module Server. Access the host-based firewall configuration on the Tanium Module Server. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.
Configure host-based firewall rules on the Tanium Module Server to include the following required traffic: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. Configure the network firewall to allow the above traffic.
Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.
Configure host-based firewall rules on the Tanium Server to allow the following required traffic: Allow TCP traffic on port 17477 to the Tanium Module Server from the Tanium Server. Configure the network firewall to allow the above traffic.
Note: If a Zone Server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. Access the host-based firewall configuration on the Tanium Server. Validate a rule exists for the following: Port Needed: Tanium Server to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Server to the Tanium Zone Server, this is a finding.
Configure host-based firewall rules on the Tanium Zone server to include the following required traffic: Allow Tanium Server to Zone Server over TCP port 17472. Configure the network firewall to allow the above traffic.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a DWORD "SSLHonorCipherOrder" with a value of "0x00000001" (hex). If the DWORD "SSLHonorCipherOrder" does not exist with a value of "0x00000001" (hex), this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the DWORD "SSLHonorCipherOrder" to have a value of 0x00000001 (hex).
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. When connected, review the Certificate for the Tanium Server: In Internet Explorer, right-click on the page. Select "Properties". Click on the "Certificates" tab. On the "General" tab, validate the Certificate shows as issued by a DOD Root CA. On Certification "Path" tab, validate the path top-level is a DoD Root CA. If the certificate authority is not DoD Root CA, this is a finding.
Request or regenerate the certificate from a DoD Root Certificate Authority.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Destinations listed. If an "Email" Destination does not exist, this is not a finding. Select "Email" destination. Select each Connection found in the lower half of the screen. Verify "Enable TLS" is "true". If "Enable TLS" is "false", this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Connect". Review the configured Destinations listed. Select "Email" destination. Select the Connection found in the lower half of the screen. Click "Edit" on the top right of the summary page. Under the "Source and Destination" section, select the "Enable TLS" checkbox under the "Mail Configuration". Confirm the rest of the data is correct. Click "Save" at the bottom of the page. Do this for all Connections configured with an "Email" destination.
Consult with the Tanium System Administrator to determine the antivirus software used on the Tanium Server. Review the settings of the antivirus software. Validate exclusions exist which exclude the Tanium program files from being scanned by antivirus on-access scans. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software solution to prevent on-access scanning of Tanium Server program files.
Consult with the Tanium System Administrator to determine the file-level encryption software used on the Tanium Server. Review the settings for the file-level encryption software. Validate exclusions exist which exclude the Tanium program files from being encrypted by the file-level encryption software. If exclusions do not exist, this is a finding.
Implement excluding policies within the file-level encryption software solution to exclude encryption of the Tanium Server program files.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Click "Enter". Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a String "SSLCipherSuite" with a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK If the String "SSLCipherSuite" does not exist with the appropriate list values, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the String "SSLCipherSuite" to have a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "max_soap_sessions_total". Click "Enter". If no results are returned, this is a finding. If results are returned for "max_soap_sessions_total", but the value is not the value defined in the system documentation, this is a finding.
Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box enter "max_soap_sessions_total" for "Setting Name:". Work with a Tanium Technical Account Manager (TAM) for a proper value and enter this for the "Setting Value:". Select "Server" from "Affects drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Add this setting to the system documentation for validation.
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "max_soap_sessions_per_user". Click "Enter". If no results are returned, this is a finding. If results are returned for "max_soap_sessions_per_user", but the value is not the value defined in the system documentation, this is a finding.
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box enter "max_soap_sessions_per_user" for "Setting Name:". Work with a Tanium Technical Account Manager (TAM) for a proper value, and enter this for the "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Add this setting to the system documentation for validation.
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box type "soap_max_keep_alive". Click "Enter". If no results are returned, this is a finding. If results are returned for "soap_max_keep_alive ", but the value is not the value defined in the system documentation, this is a finding.
Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box enter "soap_max_keep_alive" for "Setting Name:". Work with a Tanium Technical Account Manager (TAM) for a proper value, and enter this for the "Setting Value:". Select "Server" from "Affects" drop-down list. Select "Numeric" from "Value Type" drop-down list. Click "Save". Add this setting to the system documentation for validation.
Consult with the Tanium System Administrator to review the documented list of folder maintainers for Detect Local Directory Source. If the site does not leverage Local Directory Source to import IOCs, this finding is Not Applicable. If the site does use Local Directory Source to import IOCs and the folder maintainers are not documented, this is a finding.
Prepare and maintain documentation identifying the Tanium IOC Local Directory Source maintainers.
Consult with the Tanium System Administrator to determine if the Tanium Detect module is being used, if not then this finding is Not Applicable. If being used then determine where they get their IOC Stream. Access the Tanium Module Server interactively. Log on to the server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Module Server >> services >> detect3-files Right-click on the folder and choose "Properties". Select the "Security" tab. Click on the "Advanced" button. If the accounts listed in the "Security" tab do not match the list of accounts found in the Tanium documentation, this is a finding.
Consult with the Tanium System Administrator to determine if the "Detect" module is being used, if not then this is Not Applicable. Access the Tanium Module Server interactively. Log on to their server with an account that has administrative privileges. Open an Explorer window. Navigate to Program Files >> Tanium >> Tanium Module Server >> services >> detect3-files Right-click on the folder and choose "Properties". Select the "Security" tab. Click on the "Advanced" button. If the accounts listed in the "Security" tab do not match the list of accounts, with the exception of SYSTEM, remove the additionally listed accounts. If the accounts listed in the "Security" tab are missing accounts from the documentation, with the exception of SYSTEM, add the additionally listed accounts with a minimum of READ permissions.
Consult with the Tanium System Administrator to review the documented list of trusted SCAP sources. If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for compliance validation, this finding is Not Applicable. If the site does use "Tanium Comply" and the source for SCAP content is not documented, this is a finding.
If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for compliance validation, this finding is Not Applicable. Prepare and maintain documentation identifying the source of SCAP sources that will be used by "Tanium Comply" module.
Consult with the Tanium System Administrator to review the documented list of trusted OVAL feeds. If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for passive vulnerability scanning, this finding is Not Applicable. Otherwise, if the site does use "Tanium Comply" and the source for OVAL content is not documented, this is a finding.
If the site does not have "Tanium Comply" module, or does not use "Tanium Comply" for passive vulnerability scanning, this finding is Not Applicable. Prepare and maintain documentation identifying the source of OVAL feeds that will be used by "Tanium Comply" module.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Configuration Compliance". Verify all imported compliance benchmarks are from a documented trusted source. If any compliance benchmark is found that does not come from a documented trusted source, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Configuration Compliance". Delete any compliance benchmarks that come from non-trusted sources.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Vulnerability". Verify all imported vulnerability sources are from a documented trusted source. If any vulnerability sources found do not match a documented trusted source, this is a finding.
Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks". Select "Vulnerability". Delete any vulnerability sources, which are configured to non-trusted sources, or reconfigured to point to trusted sources.
If the system is not considered mission critical, this is Not Applicable. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Packages". Browse to the package called "Distribute Tanium Standard Utilities". Select it. Press "Status". Observe the text underneath a package file indicating the file cache status. If the cache status represents only one Tanium Server, this is a finding.
If the system is not considered mission critical, this is Not Applicable. Work with the Tanium System Administrator to configure Tanium in a HA Active-Active setup based on the process outlined in the Tanium documentation found at: https://docs.tanium.com/platform_install/platform_install/installing_an_ha_active_active_cluster.html.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a DWORD "DownloadBytesPerSecondLimit". If the DWORD "DownloadBytesPerSecondLimit" does not exist with a value equal to the value recorded in the system documentation, this is a finding. Consult with your TAM for an appropriate value and record this in the system documentation. If this setting is not documented, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the DWORD "DownloadBytesPerSecondLimit" to have a value that matches the value recorded in the system documentation.
Access the Tanium SQL Server interactively. Log on to their server with an account that has administrative privileges. Consult server sizing documentation at https://docs.tanium.com/platform_install/platform_install/reference_host_system_sizing_guidelines.html and the Tanium system administrator to determine the recommended disk space sizing for the size of the Tanium deployment. Launch File Explorer. Check the total disk space allocated to the hard drive allocated for the Tanium SQL databases. Compare the allocated size against the recommended disk space sizing for the size of the Tanium deployment. If the allocated size is less than the recommended disk space, this is a finding.
Work with the Tanium System Administrator and/or database administrator to allocate additional disk space for the volume hosting the Tanium SQL databases.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Verify the existence of a DWORD "DownloadBytesPerSecondLimit" with a value matching what is in the system documentation. If the DWORD "DownloadBytesPerSecondLimit" does not exist with the correct value, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: regedit <enter>. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Add or modify the DWORD "DownloadBytesPerSecondLimit" to have a value consistent with the value found in the system documentation.
Consult with the Tanium System Administrator to review the documented time window designated for updates. If a window of time is not defined, or does not specify a reoccurring frequency, this is a finding. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI). Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Tanium Solutions". If any module has the text "Upgrade to" a newer (greater) version number compared to the Installed version number in the Tanium Modules section of the page, this is a finding. If the Tanium install is an air gap install, work with the Tanium Technical Account Manager (TAM) to determine if the modules are up to date.
Work with the Tanium System Administrator to define the reoccurring time window designated for updates. Update the system documentation to reflect this window of time. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI. Log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Tanium Solutions". Select any modules that indicate "Upgrade to" and proceed with importing the modules.
Consult with the Tanium System Administrator to determine the HIPS software used on the Tanium Server. Review the settings of the HIPS software. Validate exclusions exist which exclude the Tanium program files from being restricted by HIPS. If exclusions do not exist, this is a finding.
Implement exclusion policies within the HIPS software solution to exclude the Tanium Server program files from HIPS intervention.
Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box, type "session_expiration_seconds". Click "Enter". If no results are returned, this is a finding. If results are returned for "session_expiration_seconds", but the value is not "900" or less, this is a finding.
Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In the "New System Setting" dialog box, enter "session_expiration_seconds" for "Setting Name:". Enter "900" or less for "Setting Value:". Select "Server" from the "Affects" drop-down list. Select "Numeric" from the "Value Type" drop-down list. Click "Save". If "session_expiration_seconds" exists but is not "900" or less, select the box beside the value and click on "Edit". Enter "900" or less for "Setting Value:". Click "Save".
Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. In the "Show Settings Containing:" search box, type "max_console_idle_seconds". Click "Enter". If no results are returned, this is a finding. If results are returned for "max_console_idle_seconds", but the value is not "900" or less, this is a finding.
Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Administration". Select the "Global Settings" tab. Click on "New Setting". In "New System Setting" dialog box, enter "max_console_idle_seconds" for "Setting Name:". Enter "900" for "Setting Value:". Select "Server" from the "Affects" drop-down list. Select "Numeric" from the "Value Type" drop-down list. Click "Save". If "max_console_idle_seconds" exists but is not "900" or less, select the box beside the value and click "Edit". Enter "900" or less for "Setting Value:". Click "Save".
Verify that to prevent a non-privileged user from affecting the Tanium Server's ability to operate, the control of the service is restricted to the Local Administrators. Log on interactively to the Tanium Server. Open the CMD prompt as admin. Run "sc sdshow "Tanium Server"". If the string does not match "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)", this is a finding. Run the above on all other Tanium Servers, to include Tanium Servers in an Active-Active pair.
Log on interactively to the Tanium Server. Open the CMD prompt as admin. Run "sc sdset "Tanium Server" D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)". Run the above on all other Tanium Servers, to include Tanium Servers in an Active-Active pair.
As part of any Tanium install, Tanium has a tuning process that takes into account customer-provided inputs on the size of the deployment as well as characteristics of the network. Obtain from Tanium the document that states the tuning settings for the particular installation. If the organization cannot provide a server-tuning document from the vendor, this is a finding.
Obtain the vendor tuning documentation for the deployment. Include it in the system's documentation as proof of tuning.
Access the Tanium Servers (Application, SQL and Module) interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Press "Enter". Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Client for Module server. Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Server for Application server and SQL server. Name: DisabledByDefault Type: REG_DWORD Data: 0x0000001 (hex) If the value for "DisabledByDefault" is not set to "1" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. Name: Enabled Type: REG_DWORD Data: 0x00000000 (hex) If the value for "Enabled" is not set to "0" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Press "Enter". Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Client. Right-click in the right window pane. Select: New >> DWORD (32-bit) Value. In the "Name" field, enter "DisabledByDefault". Press "Enter". Right-click on the newly created "Name". Select "Modify...". Enter "1" in "Value data:" and ensure that under "Base" the "Hexadecimal" radio button is selected. Click "OK". Right-click in the right window pane. Select: New >> DWORD (32-bit) Value. In the "Name" field, enter "Enabled". Press "Enter". Right-click on the newly created "Name". Select "Modify...". Leave default value of "0" in "Value data:". Ensure that under "Base" the "Hexadecimal" radio button is selected. Click "OK".
Access the Tanium Server, Tanium Module Server and Tanium SQL Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Press "Enter". Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Microsoft >> .NETFramework >> v4.0.xxxxx (the sub-version number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Application Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the sub-version number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium SQL Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the sub-version number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Module Server. Name: SchUseStrongCrypto Type: REG_DWORD Data: 0x0000001 (hex) If the value for "SchUseStrongCrypto" is not set to "0x00000001" (hex) and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding.
Access the Tanium Server, Tanium SQL Server, and Tanium Module Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Press "Enter". Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Microsoft >> .NETFramework >> v4.0.xxxxx (the sub-version number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Application Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the sub-version number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium SQL Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the sub-version number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Module Server. Right-click in the right window pane. Select: New >> DWORD (32-bit) Value. In the "Name" field, enter "SchUseStrongCrypto". Press "Enter". Right-click on the newly created "Name". Select "Modify...". Enter "1" in "Value data:". Ensure that under "Base" the "Hexadecimal" radio button is selected. Click "OK".
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Press "Enter". Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Name: SSLCipherSuite Type: String Value:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSAAES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK If the String "SSLCipherSuite" does not exist with the appropriate list values, this is a finding.
Access the Tanium Server interactively. Log on to the server with an account that has administrative privileges. Access the server's registry by typing: "regedit". Press "Enter". Navigate to: HKEY_LOCAL_MACHINE >> Software >> Wow6432Node >> Tanium >> Tanium Server. Right-click in the right window pane. Select: New >> String Value. In the "Name" field, enter "SSLCipherSuite". Press "Enter". Right-click on the newly created "Name". Select "Modify...". Add the following: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSAAES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK Click "OK".