Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured Connections under the "Connections" section. If no Connection exists to send the "Tanium Audit Source" to a SIEM tool, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection". 5. In the "Configuration" section under "Source", select "Tanium Audit Source" as the source from the drop-down menu. 6. In the "Configuration" section under "Destination", select the desired Destination and fill in the respective fields. 7. In the "Configure Output" section under "Format", select the desired file format type. 8. In the "Schedule" section, select the desired schedule. 9. Click "Create Connection".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Review the "Connections" sections for Source "Tanium Audit Source". If necessary, filter the connections by filtering by "Source" and the term "Audit". 5. Verify the "State" is "Enabled". If no results are returned, this is a finding. If results are returned but the state is not "Enabled", this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Click "Create Connection". 5. Enter "Name". 6. Enter "Description". 7. In the "Configuration" section, select Source: "Tanium Audit Source" and under "Basic" options, select appropriate audits. 8. In the "Destination" section, select a source from the drop-down menu. 9. Enter "Destination Name". 10. Enter "Host". 11. Select "Network Protocol": "TCP" or "UDP". 12. Enter "Port". 13. Select "Save".
Review the settings of the antivirus software. Verify exclusions exist that exclude the Tanium Client process interactions from On-Access scans and are treated as Low-Risk. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software to exclude the On-Access scanning of Tanium Client process interactions. These processes should be treated as Low-Risk and not scanned during read or write events.
Consult with the Tanium system administrator to review the documented list of Tanium users. The users' User Groups, Roles, Computer Groups, and correlated LDAP security groups must be documented. If the documentation does not exist or is missing any Tanium users and their respective User Groups, Roles, Computer Groups, and correlated LDAP security groups, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions", select "Users". 4. Prepare and maintain documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions", select "Users". 4. Compare users listed to the prepared documentation. If documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups does not exist, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups.
Consult with the Tanium system administrator to review the documented list of Tanium users. The users' User Groups, Roles, Computer Groups, and correlated LDAP security groups or Local Users must be documented. Local users can be identified by the following: 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions", select "Users". 4. Compare users that do not have a Domain listed to the prepared documentation. If documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups does not exist, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups.
For Tanium Server: 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Logging". 4. Select "Log Level". If the value for the current level for "Tanium Server" and "Tanium Module Server" is not set to "1" or higher, this is a finding. For Tanium Client: 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI. Log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In the "Explore Data" box, type the following question: Get Tanium Client Explicit Setting[LogVerbosityLevel] < 1 and Is Windows from all machines with Tanium Client Explicit Setting[LogVerbosityLevel] < 1 If any answers are returned that are "0", this is a finding.
For Tanium Server: 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Logging". 4. In "Log Verbosity Level for Troubleshooting", set "Tanium Server" and "Tanium Module Server" to "1". For Tanium Client: 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In the "Explore Data" box, type the following question: Get Tanium Client Explicit Setting[LogVerbosityLevel] < 1 and Is Windows from all machines with Tanium Client Explicit Setting[LogVerbosityLevel] < 1 5. Select the row with "Is windows" set to "True" and deploy the following action and settings: a) Deployment Package: Modify Tanium Client Setting b) RegType: REG_DWORD c) ValueName: LogVerbosityLevel d) ValueData: 1 or higher Schedule Deployment a) Distribute over: 1 hour 6. Click "Show Preview to continue". 7. Click "Deploy Action". 8. Select the row with "Is windows" set to "False" and deploy the following action and settings: a) Deployment Package: Modify Tanium Client Setting [Non-Windows] b) RegType: NUMERIC c) ValueName: LogVerbosityLevel d) ValueData: 1 or higher Schedule Deployment a) Distribute over: 1 hour 9. Click "Show Preview to continue". 10. Click "Deploy Action".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter items" search box, type "require_action_approval". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "require_action_approval", but the value is not "1", this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. Click "Create Setting". 5. Select "Server" box for "Setting Type". 6. In "Create Platform Setting" dialog box, enter "require_action_approval" does not exist: Flag for "Name". 7. Select "Numeric" radio button for "Value Type". 8. Enter "1" for "Value". 9. Click "Save".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Bandwidth Throttles". 4. Work with the Tanium administrator to confirm settings. For more information, refer to https://docs.tanium.com/platform_user/platform_user/console_bandwidth_throttling.html. If the Bandwidth Throttles configuration is not accordance with organization's needs, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Bandwidth Throttles". 4. Click "Add" on the line for "Global Throttle for All Data". 5. Work with the Tanium administrator to configure the required bandwidth throttles. 6. Click "Save". 7. Work with the Tanium administrator to confirm or set the remaining options: - Global Throttle for Package Files. - Global Throttle for Sensors. - Site Throttles.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open a File Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Logs" folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium service account] is the only account with modify permissions on the directory. - Validate the [Tanium Administrators] group has full permissions on the directory. 9. Right-click the "TDL_Logs" folder. 10. Select "Properties". 11. Select the "Security" tab. 12. Click the "Advanced" button. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium service account] is the only account with modify permissions on the directory. - Validate the [Tanium Administrators] group has full permissions on the directory. If any of the specified permissions are not set as required, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open a File Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Logs" folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. 9. Disable folder inheritance. 10. Change/verify the owner of the directory to the [Tanium service account]. 11. Reduce [Tanium service account] privileges to modify permissions on the directory. 12. Ensure [Tanium Admins] group has full permissions on the directory. 13. Right-click the "TDL_Logs" folder. 14. Select "Properties". 15. Select the "Security" tab. 16. Click the "Advanced" button. 17. Disable folder inheritance. 18. Change/verify the owner of the directory to the [Tanium service account]. 19. Reduce [Tanium service account] privileges to modify permissions on the directory. 20. Ensure [Tanium Admins] group has full permissions on the directory.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open a File Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Logs" folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium service account] is the only account with modify permissions on the directory. - Validate the [Tanium Administrators] group has full permissions on the directory. 9. Right-click the "TDL_Logs" folder. 10. Select "Properties". 11. Select the "Security" tab. 12. Click the "Advanced" button. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium service account] privileges is the only account with modify permissions on the directory. - Validate the [Tanium Administrators] group has full permissions on the directory. If any of the specified permissions are not set as required, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open a File Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Logs" folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. 9. Disable folder inheritance. 10. Change/verify the owner of the directory to the [Tanium service account]. 11. Reduce [Tanium service account] privileges to modify permissions on the directory. 12. Ensure [Tanium Admins] group has full permissions on the directory. 13. Right-click the "TDL_Logs" folder. 14. Select "Properties". 15. Select the "Security" tab. 16. Click the "Advanced" button. 17. Disable folder inheritance. 18. Change/verify the owner of the directory to the [Tanium service account]. 19. Reduce [Tanium service account] privileges to modify permissions on the directory. 20. Ensure [Tanium Admins] group has full permissions on the directory.
Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Review the configured Sources. If none exist to send Disk Free Space of the Tanium SQL Server, this is a finding. Work with the security information and event management (SIEM) administrator to determine if an alert is configured when Disk Free Space of the Tanium SQL Server reaches below 25%. If no alert is configured, this is a finding.
Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" in the top navigation banner. 3. Select "Interact". 4. Enter "Get Disk Free Space from all machines with Computer Name containing" [Your SQL Computer Name]. 5. Press "Enter". 6. Select "Save this question" located under the Question box. 7. Enter a name (e.g., SQL Disk Free Space). 8. Select "Create Saved Question". 9. Click "Modules" in the top navigation banner. 10. Select "Connect". 11. Select "Create Connection". 12. In the "Configuration" section, select "Saved Question" from the Source drop-down menu. 13. Enter the "Saved Question Name" created above or select from the drop-down menu. 14. Select the "Computer Group" name from the drop-down menu. 15. Select the desired destination from the drop-down menu (must be a SIEM tool). 16. In the "General Information" section, provide a name and description. 17. Click "Save". Work with the SIEM administrator to configure an alert when Disk Free Space of the Tanium SQL Server reaches below 25% of maximum. Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application UI and log on with multifactor authentication. 2. Click "Modules" in the top navigation banner. 3. Select "Interact". 4. Enter "Get Disk Free Space from all machines with Computer Name containing" [Your SQL Computer Name]. 5. Press "Enter". 6. Select "Save this question" located under the Question box. 7. Enter a name (e.g., SQL Disk Free Space). 8. Select "Create Saved Question". 9. Click "Modules" in the top navigation banner. 10. Select "Connect". 11. Select "Create Connection". 12. In the "Configuration" section, select "Saved Question" from the Source drop-down menu. 13. Enter the "Saved Question Name" created above or select from the drop-down menu. 14. Select the "Computer Group" name from the drop-down menu. 15. Select the desired destination from the drop-down menu (must be a SIEM tool). 16. In the "General Information" section, provide a name and description. 17. Click "Save".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log in using multifactor authentication. 2. Click "Modules" on the top of the banner of the console. 3. Click "Connect". 4. Review the configured Connections under "Connections" section. If no Connections exist to send the "Tanium Audit Source" to a security information and event management (SIEM) tool, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log in using multifactor authentication. 2. Click "Modules" on the top of the console. 3. Click "Connect". 4. Click "Create Connection". 5. In the "Configuration" section under "Source", select "Tanium Audit Source" as the source from the drop-down menu. 6. In the "Configuration" section under "Destination", select the desired Destination and fill in the respective fields. 7. In the "Configure Output" section under "Format", select the desired file format type. 8. In the "Schedule" section, select the desired schedule. 9. Click "Save".
Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Review the configured Connections under "Connections" section. If none exist to send Disk Free Space of the Tanium SQL Server, this is a finding. Work with the SIEM administrator to determine if an alert is configured when Disk Free Space of the Tanium SQL Server reaches below 25%. If no alert is configured, this is a finding.
Consult with the Tanium system administrator or database administrator to determine the volume on which the Tanium SQL databases are installed. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Interact". 4. Enter "Get Disk Free Space from all machines with Computer Name containing" [Your SQL Computer Name]. 5. Click "Enter". 6. Confirm question. 7. Select "Save" to the right of the Question Results. 8. Enter a name (e.g., SQL Disk Free Space). 9. Click "Save". 10. Click "Modules" on the top navigation banner. 11. Select "Connect". 12. Select "Create Connection". 13. In the Configuration section, select "Saved Question" from the Source drop-down menu. 14. Enter the "Saved Question Name" created above or select from the drop-down menu. 15. Select the "Computer Group" name from the drop-down menu. 16. Select the desired destination from the drop-down menu (must be a SIEM tool). 17. In the "General Information" section, provide a name and description. 18. Click "Save". Work with the SIEM administrator to configure an alert when Disk Free Space of the Tanium SQL Server reaches below 25% of maximum.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. 5. Select the "Audit Log" source. 6. Select the audit connection found in the lower half of the screen. 7. Verify the "Destination Type" is a security information and event management (SIEM) tool. If the "Destination Type" is not a SIEM tool, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection". 5. In the Configuration section, select "Tanium Audit Source" as the "Event Source" from the "Source" drop-down menu. 6. In the "Destination" section, select "Socket Receiver" from the drop-down menu. 7. Enter "Destination Name". 8. Enter "Host". 9. Enter "Network Protocol". 10. Enter "Port". 11. Click "Save". Consult documentation at https://docs.tanium.com/connect/connect/siem.html#siem for reference on configuring other applicable SIEM connections. Work with the SIEM administrator to configure alerts based on audit failures.
Consult with the Tanium system administrator to review the documented list of Tanium users. 1. Review the users' respective approved roles, as well as the correlated LDAP security group for the User Roles. 2. Validate LDAP security groups/Tanium roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least-privileged-access approach to the LDAP Groups/Tanium Roles assignment, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Permissions, select "Users". 4. Analyze the users configured in the Tanium interface. 5. Determine least privileged access required for each user to perform their respective duties. 6. Move users to the appropriate LDAP security group to ensure the user is synced to the appropriate Tanium User Role. 7. If the appropriate LDAP security groups are not already configured, create the groups and add the appropriate users. 8. Ensure LDAP sync repopulates the Tanium users' associated roles accordingly.
Consult with the Tanium system administrator to review the documented list of Tanium administrators. Review the administrators' respective approved roles as the correlated LDAP security group for the User Roles. If the documentation does not reflect a granular, least-privileged-access approach to the LDAP Groups/Tanium Roles assignment, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Permissions, select "Users". 4. Analyze the users configured in the Tanium interface. 5. Determine least privileged access required for each user to perform their respective duties. 6. Move users to the appropriate LDAP security group to ensure the user is synced to the appropriate Tanium User Role. 7. If the appropriate LDAP security groups are not already configured, create the groups and add the appropriate users. 8. Ensure LDAP sync repopulates the Tanium users' associated Roles accordingly.
If Enforce is not used to manage allowlisting, this check is not applicable. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select the "Enforce" module. 4. Click the three dots next to the "Enforce" header. 5. Click "Enforcements". 6. Verify an enforcement exists for allowlisting by looking for "AppLocker" in the "Policy" column. 7. Click each enforcement for allowlisting Policy type and verify the enforcement is applied to all applicable machines. If an AppLocker Policy is not applied to all applicable machines, this is a finding.
If Enforce is not used to manage allowlisting, no fix is needed. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Enforce". 4. Expand the left menu. 5. From the Enforce menu, go to Policy Configurations. 6. Click "Action" and then "Create". 7. In the "General Information" section: - Enter a Name and Description for the policy. - Select AppLocker from the Policy Type options. Policy types can be filtered by operating system (All, Windows, Mac, Linux). 8. (Optional) If there is already a policy of this type, that policy can serve as the starting point for a new policy. Select the policy in the "Starting Point" pull-down menu. If requirements for this policy are missing, that information is displayed in the "Configuration Status" section. Refer to Configure Endpoint Encryption settings for BitLocker requirements. 9. In the "Settings" section: - Enter Support URL (optional). - Import Rules from XML (optional). - Select Rule Type (at least 1). 10. For each Rule Type: - Choose: Blocking. - Click "Create" under "Block" section. 11. Click "Create".
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Configure the following keys: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary and should be valid for any Subject Alternative Name entry. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Configure the following keys: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Smart card authentication" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/smart_card_authentication.html?Highlight=cac 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Configure the following keys: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem
Verify all components of the Tanium application have been updated within 60 days of vulnerability being announced by Tanium. Critical Vulnerabilities must be updated within 30 days. Consult with the Tanium system administrator to review the documented time window designated for updates. If a window of time is not defined or does not specify a reoccurring frequency, this is a finding. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Solutions". If any module has the text "Update to" a newer (greater) version number compared to the installed version number in the Tanium Modules section of the page, this is a finding. If the Tanium application is an "airgap" installation, work with the Tanium technical system administrator to determine if the modules are up to date.
Consult with the Tanium system administrator to review the documented time window designated for updates. If a window of time is not defined or does not specify a reoccurring frequency, work with the Tanium administrator to document this. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Solutions". If any module has the text "Update to" a newer (greater) version number compared to the installed version number in the Tanium Modules section of the page, work with the Tanium administrator to update those modules or content. If the Tanium application is an "airgap" installation, work with the Tanium technical system administrator to determine if the modules are up to date.
Note: If THR is not licensed or used for detection, this is not applicable. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". If any alerts are unresolved, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". 7. Resolve any open IOC-based alerts and change status to applicable status.
Review the settings of the antivirus software. Validate exclusions exist that exclude the Tanium Server process interactions from On-Access scans and are treated as Low-Risk. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software solution to exclude the On-Access scanning of Tanium Server process interactions. These processes should be treated as Low-Risk and not scanned during read or write events.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter items" search box, type "TLSMode" and "ReportingTLSMode". 5. Click "Enter". If results are returned and "TLSMode" = 0 and "ReportingTLSMode" = 0, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter items" search box, type "TLSMode" and "ReportingTLSMode". 5. Click "Enter". 6. Change the value for both "TLSMode" and "ReportingTLSMode" to "1".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Client Status". 4. Change "Show systems that have reported in the last:"; enter "7" in the first field. 5. Select "Days" from the drop-down menu in the second field to determine if any endpoints connected with an invalid key. If any systems are listed with "No" in the "Valid Key" column, this is a finding.
For systems that do not have a valid key for the Tanium Server, redeploy the client software from Tanium using Tanium Client Management or work with the Tanium system administrator to accomplish this. 1. Configure a deployment. 2. Deploy the package or installer. 3. Target appropriate systems.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Actions", select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory". If a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" does not exist, or there is a Scheduled Action contradicting the "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" scheduled action, this is a finding. If the scheduled action exists, select it. If it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. Within "Interact", under "Explore Data", ask the question "Get Tanium Client Directory Permissions from all machines". Tanium will parse the script and return a row for "Restricted" and a row for "Not Restricted", with their respective client counts. 5. Click the "Not Restricted" row. 6. Select "Deploy Action". - In the "Deploy Action" dialog box, the package "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" will be selected. - The clients, which have their Tanium Client directory "Not Restricted", will be displayed in the bottom window. 7. Choose a schedule to deploy the hardening. 8. Under "Targeting Criteria", in the "Action Group", select "All Computers" from the drop-down menu. 9. Click "Deploy Action". 10. Verify settings. 11. Click "Show Client Status Details".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter Items" search box, type "AllQuestionsRequireSignatureFlag". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "AllQuestionsRequireSignatureFlag" but the value is not "1", this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. Click "Create Setting". 5. Select "Client" box for "Setting Type". 6. In "Create Platform Setting" dialog box, enter "AllQuestionsRequireSignatureFlag" for " Name". 7. Select "Numeric" radio button for "Value Type". 8. Enter "1" for "Value". 9. Click "Save".
Note: This check is performed for the Tanium endpoints and must be validated against the enterprise firewall solution (e.g., Endpoint Security Solution Firewall, Microsoft Windows Defender Firewall setting, Microsoft Advance Threat Protection Firewall, etc.) policies applied to the endpoints. 1. Consult with the personnel who maintain the Enterprise Security Suite configuration for assistance. 2. Validate a rule exists within the firewall policies for managed clients for the following: Port Needed: Tanium Clients or Zone Clients over TCP port 17472, bidirectionally. If a host-based firewall rule does not exist to allow TCP port 17472, bidirectionally, this is a finding. 3. Consult with the boundary network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.
1. Consult with the personnel who maintain the Enterprise Security Suite to configure host-based and network firewall rules to allow the following: Tanium Clients or Zone Clients over TCP port 17472, bidirectionally. 2. Consult with the boundary network firewall administrator to create a rule to allow the following: TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Actions", select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service". If a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service" does not exist, this is a finding. 5. If the scheduled action exists, select it. If it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not restrict control of the Tanium Client service to Allow Only Local SYSTEM to Control Service, this is a finding. If the action is not configured to repeat at least every 12 hours, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In "Categories" section, select box for "Client Service Hardening". 5. In "Dashboards" section, select "Control Service State Permissions". 6. The results will show a "Count" of clients matching the "Service Control is set to default permissions" query. 7. Select the result line for "Service Control is set to default permissions". 8. Choose "Deploy Action". 9. In the Deployment Package drop-down, select "Client Service Hardening - Allow Only Local SYSTEM to Control Service". 10. Configure the schedule to repeat at least every 12 hours for the requested action. 11. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down menu. 12. Click "Show preview to continue". 13. Noncompliant systems will be displayed at the bottom. 14. Click "Deploy Action". 15. Verify settings. 16. Click "Show Client Status Details".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Actions", select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs". 5. If a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs" does not exist, this is a finding. If the scheduled action exists, select it. If it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every 12 hours, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In "Categories" section, select box for "Client Service Hardening". 5. In "Dashboard" section, select "Hide From Add-Remove Program". 6. The results will show a "Count" of clients matching the "Tanium Client Visible in Add-Remove Programs" query. 7. Select the result line. 8. Choose "Deploy Action". 9. The "Deploy Action" dialog box will display "Client Service Hardening - Hide Client from Add-Remove Programs" as the package. The computer names comprising the "Count" of noncompliant systems will be displayed in the bottom. 10. From the Deployment Package drop-down, select "Client Service Hardening - Hide Client from Add-Remove Programs". 11. Configure the schedule to repeat at least every 12 hours for the requested action. 12. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down menu. 13. Click "Show preview to continue". Noncompliant systems will be displayed in the bottom. 14. Click "Deploy Action". 15. Verify settings. 16. Click "Show Client Status Details".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Actions", select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory". If a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" does not exist, this is a finding. If the scheduled action exists, select it. If it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every 12 hours, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In "Categories" section, select box for "Client Service Hardening". 5. In "Dashboard" section, select "Set Client Directory Permissions". - The results will show a "Count" of clients' compliant and noncompliant hardening for the "Tanium Client Directory Permissions". - Noncompliant clients will have a count other than "0" for "Not Restricted" or "Error: No Permissions". 6. Select each of the "Not Restricted" or "Error: No Permissions" statuses. 7. Select "Deploy Action". 8. In the "Deploy Action" dialog box, change the package to "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" as the package. 9. Configure the schedule to repeat at least every 12 hours for the requested action. 10. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down menu. 11. Click "Show preview to continue". Noncompliant systems will be displayed in the bottom. 12. Click "Deploy Action". 13. Verify settings. 14. Click "Show Client Status Details".
Review the settings of the antivirus software. Validate exclusions exist that exclude the Tanium Client directory and subsequent file interactions from On-Access scans. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software solution to exclude the On-Access scanning of Tanium Client directory and subsequent file interactions.
Consult with the Tanium system administrator to determine the HIPS software used on the Tanium Clients. Review the settings of the HIPS software. Validate exclusions exist that exclude the Tanium program files from being restricted by HIPS. If exclusions do not exist, this is a finding.
Implement exclusion policies within the HIPS software solution to exclude the Tanium client program files from HIPS intervention.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Smart card authentication" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/smart_card_authentication.html?Highlight=cac. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 7. Configure the following keys: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\dod.pem
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "LDAP/AD Sync Configurations". 4. Verify a sync exists under "Enabled Servers". If no sync exists, this is a finding. If sync exists under "Disabled Servers" and there are no Enabled Servers, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "LDAP/AD Sync Configurations". 4. Click "Add Server". 5. Complete the settings using guidance from https://docs.tanium.com/platform_user/platform_user/console_using_ldap.html. 6. Click "Show Preview to Continue". 7. Review the users and groups to be imported. 8. Click "Save".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "LDAP/AD Sync Configurations". 4. Ensure LDAP sync is enabled. If LDAP is not enabled, this is a finding.
Vendor documentation can be downloaded from https://docs.tanium.com/platform_user/platform_user/console_using_ldap.html?Highlight=LDAP. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "LDAP/AD Sync Configurations". 4. Follow the vendor documentation titled "Integrating with LDAP Servers" to implement correct configuration settings for this requirement.
1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Select the "Computer Groups" tab. 4. Under the "Name" column, verify organization-specific computer groups match organization-defined list in the system security plan (SSP). If site- or organization-specific computer groups do not match or exist, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Select the "Computer Groups" tab. 4. Configure specific Computer Groups to facilitate the management of computers by authorized individuals for those computers. Note: Tanium offers two ways to define computer groups. Refer to the following documentation for explanation: https://docs.tanium.com/platform_user/platform_user/console_computer_groups.html#Computer_Group_types
Consult with the Tanium system administrator to review the documented list of Tanium users. The users' User Groups, Roles, Computer Groups, and correlated LDAP security groups must be documented. If the documentation does not exist or is missing any Tanium users and their respective User Groups, Roles, Computer Groups, and correlated LDAP security groups, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups.
1. Consult with the Tanium system administrator to review the documented list of Tanium User Groups. 2. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 3. Click "Administration" on the top navigation banner. 4. Under "Permissions", select "User Groups". 5. Click each User Group and compare both the User Group name and the assigned Role(s) to the system documentation. If any users have access to Tanium and their User Group is not on the list of documented User Groups with the appropriate Role(s), this is a finding.
Consult the documentation identifying the Tanium User Groups and their respective Role(s). 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions", select "User Groups". 4. Click each User Group and add any missing Role(s). 5. For any missing User Groups, make the appropriate adjustments in LDAP.
Consult with the Tanium system administrator to review the documented list of Tanium users and their respective, approved Computer Group rights. If the documented list does not have the Tanium users and their respective, approved Computer Group rights documented, this is a finding.
Prepare and maintain documentation identifying the Tanium console users and their respective Computer Group rights.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 7. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\cac.pem REG_SZ "TrustedHostList" For example: 127.0.0.1 (for IPv4) and [::1] (for IPv6) If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.
Use the vendor documentation titled "Smartcard authentication" to implement correct configuration settings for this requirement. The documentation is at https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/smart_card_authentication.html?Highlight=cac. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 7. Configure the following keys: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: C:\Program Files\Tanium\Tanium Server\cac.pem REG_SZ "TrustedHostList" For example: Append 127.0.0.1 (for IPv4) and [::1] (for IPv6)
Consult with the Tanium system administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: Port Needed: From only designated Tanium console user clients to Tanium Server over TCP port 443. If a host-based firewall rule does not exist to allow only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic from only designated Tanium console user clients to Tanium Server over TCP ports 443. If a network firewall rule does not exist to allow traffic from only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding.
1. Configure host-based firewall rules on the Tanium Server to include the following required traffic: Allow TCP traffic on port 433 to the Tanium Server from designated Tanium console user clients. Configure the network firewall to allow the above traffic.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Verify the DoD use notification displays prior to login: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If a DoD-approved use notification banner does not display prior to logon or cannot be acknowledged before granting access, this is a finding.
1. Create a .html file composed of the DoD-authorized warning banner verbiage: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 2. Name the file "warning_banner.html". 3. Copy the .html file to the Tanium Server's http folder "<drive>:\Program Files\Tanium\Tanium Server\http\". 4. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 5. Click "Administration" on the top navigation banner. 6. Under "Configuration", select "Platform Settings". 7. Click "Create Setting". 8. Select "Server" box from "Setting Type". 9. In "Create Platform Setting" dialog box, enter "console_PreLoginBannerHTML" for "Name". 10. Select "Text" radio button from "Value Type". 11. Enter "warning_banner.html" for "Value:". 12. Click "Save".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured Connections under "Connections" section. Work with the security information and event management (SIEM) administrator to determine if an alert is configured when audit data is no longer received as expected. If no alert is configured, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Expand the left menu. 5. Click "Connections". 6. Configure a Connection for the "Tanium Audit Source" source from the Tanium Application to a SIEM tool. Work with the SIEM administrator to configure an alert when no audit data is received from Tanium based on the defined schedule of connections.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from Tanium to a security information and event management (SIEM) tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are created. If no alert is configured, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection" in the "Connections" section. 5. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 6. Work with the email administrator to configure an email destination. 7. Work with the SIEM administrator to configure an alert when accounts are created.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from the Tanium Database to a security information and event management (SIEM) tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are modified. If no alert is configured, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection" in the "Connections" section. 5. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 6. Work with the email administrator to configure an email destination. 7. Work with the SIEM administrator to configure an alert when accounts are modified.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured sources. If no sources exists to send audit logs from the Tanium SQL Server to a security information and event management (SIEM) tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when account-enabling actions are performed. If no alert is configured, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 5. Work with the email administrator to configure an email destination. 6. Work with the SIEM administrator to configure an alert when account-enabling actions are performed.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 5. Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 7. Validate the following keys exist and are configured: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: E:\Program Files\Tanium\Tanium Server\cac.pem REG_SZ "TrustedHostList" For example: 127.0.0.1 (for IPv4) and [::1] (for IPv6) If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining required registry values are not configured, this is a finding.
Use the vendor documentation titled "Smart card authentication" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/smart_card_authentication.html?Highlight=cac. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 5. Configure the value for REG_DWORD "ForceSOAPSSLClientCert" to "1". 6. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 7. Configure the following keys: REG_SZ "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name REG_SZ "ClientCertificateAuthRegex" For example-DoD: .+?Name:\s*?(\S+@[._a-zA-Z0-9]+).* Note: This regex may vary. REG_SZ "ClientCertificateAuth" For example: E:\Program Files\Tanium\Tanium Server\cac.pem REG_SZ "TrustedHostList" For example: Append 127.0.0.1 (for IPv4) and [::1] (for IPv6)
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from the Tanium SQL Server to a security information and event management (SIEM) tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are disabled. If no alert is configured, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection" in the "Connections" section. 5. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 6. Work with the email administrator to configure an email destination. 7. Work with the SIEM administrator to configure an alert when accounts are modified.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from the Tanium SQL Server to a security information and event management (SIEM) tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are deleted. If no alert is configured, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 5. Work with the email administrator to configure an email destination. 6. Work with the SIEM administrator to configure an alert when accounts are deleted.
1. Consult with the Tanium system administrator to review the documented list of Tanium users. 2. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 3. Click "Administration" on the top navigation banner. 4. Under "Permissions", select "Users". 5. Review the users' respective approved roles, as well as the correlated LDAP security group for the User Roles. 6. Validate LDAP security groups/Tanium roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the LDAP Groups/Tanium Roles assignment, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions", select "Users". 4. Analyze the users configured in the Tanium interface. 5. Determine least privileged access required for each user to perform their respective duties. 6. Move users to the appropriate LDAP security group to ensure the user is synced to the appropriate Tanium User Role. 7. If the appropriate LDAP security groups are not already configured, create the groups and add the appropriate users. 8. Ensure LDAP sync repopulates the Tanium Users' associated Roles accordingly.
Note: If the customer is using a Tanium Appliance, this is not applicable. Consult with the Tanium system administrator to determine the server to which the database has been installed and is configured. 1. Access the Tanium Server. 2. Log on to each Tanium Application Server with an account that has administrative privileges. 3. Verify Tanium Module Service is not running on both servers. 4. Verify SQL Server Services are not running on both servers. If the Tanium Module Service is running on either server, this is a finding. If SQL Server Services are running on either server, this is a finding. If the database is installed on the same server as the Tanium Server or Tanium Module Server, this is a finding.
Move the Tanium database from the Tanium Server or Tanium Module Server to a separate server. Steps to move the Tanium database can be found at https://docs.tanium.com/platform_install/platform_install/installing_tanium_server.html#set_up_DB_server.
With the Tanium system administrator's assistance, access the server on which the Tanium database(s) is installed. 1. Access the Tanium Server. 2. Log on to each Tanium Application Server with an account that has administrative privileges. 3. Verify SQL Server Services are not running on both servers. If SQL Server Services are running on either server, this is a finding. Review the Tanium database(s). If databases related to products other than Tanium exist in the Tanium database, this is a finding.
Move the Tanium database from the server hosting multiple databases for products other than Tanium or remove other product databases co-located with Tanium database(s).
1. Access the Tanium SQL server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open SQL Server Management Studio. 4. Connect to a Tanium instance of SQL Server. 5. In the left pane, click "Databases". 6. Select the Tanium database. 7. Click "Security". 8. Click "Users". 9. In the "Users" pane, review the roles assigned to the user accounts. (Note: This does not apply to service accounts.) 10. Select the Tanium_archive database. 11. Click "Security". 12. Click "Users". 13. In the "Users" pane, review the roles assigned to the user accounts. (Note: This does not apply to service accounts.) If any user account has an elevated privilege role other than the assigned database administrators, this is a finding.
1. Access the Tanium SQL server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open SQL Server Management Studio. 4. Connect to a Tanium instance of SQL Server. 5. In the left pane, click "Databases". 6. Select the Tanium database. 7. Click "Security". 8. Click "Users". 9. In the "Users" pane, review the roles assigned to the user accounts. (Note: This does not apply to service accounts.) 10. Select the Tanium_archive database. 11. Click "Security". 12. Click "Users". 13. Adjust user roles as necessary. (Note: This does not apply to service accounts.)
1. Access the Tanium SQL server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open SQL Server Management Studio. 4. Connect to Tanium instance of SQL Server. 5. In the left pane, click "Databases". 6. Select the Tanium database. 7. Click "Security". 8. Click "Users". 9. In the "Users" pane, review the role assigned to the Tanium Server service user account. 10. In the left pane, click "Databases". 11. Select the Tanium_archive database. 12. Click "Security". 13. Click "Users". 14. In the "Users" pane, review the role assigned to the Tanium Server service user account. 15. If the role assigned to the Tanium Server service account is not "db_owner", this is a finding. 16. If using Postgres: Only owners of objects can change them. To view all functions, triggers, and trigger procedures, and their ownership and source, as the database administrator (shown here as "postgres"), run the following SQL: $ sudo su - postgres $ psql -x -c "\df+"
1. Access the Tanium SQL server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open SQL Server Management Studio. 4. Connect to Tanium instance of SQL Server. 5. In the left pane, click "Databases". 6. Select the Tanium database. 7. Click "Security". 8. Click "Users". 9. In the "Users" pane, right-click the Tanium Server service user account. 10. On the shortcut menu, click "Properties". 11. Under Database role membership, change role from "sysadmin" to "db_owner". 12. Click "OK". 13. In the left pane, click "Databases". 14. Select the Tanium_archive database. 15. Click "Security". 16. Click "Users". 17. In the "Users" pane, right-click the Tanium Server service user account. 18. On the shortcut menu, click "Properties". 19. Under Database role membership, change role from "sysadmin" to "db_owner". 20. Click "OK" 21. If using Postgres: Configure PostgreSQL to enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). Use ALTER ROLE to remove accesses from roles: $ psql -c "ALTER ROLE <role_name> NOSUPERUSER"
Consult with the Tanium system administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: Port Needed: Tanium Server to Remote SQL Server over TCP port 1433. If a host-based firewall rule does not exist to allow Tanium Server to Remote SQL Server over TCP port 1433, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow traffic from Tanium Server to Remote SQL Server over TCP port 1433. If a network firewall rule does not exist to allow traffic from Tanium Server to Remote SQL Server over TCP port 1433, this is a finding.
1. Configure host-based firewall rules on the Tanium Server to include the following required traffic: Allow TCP traffic on port 1433 from the Tanium Server to the Remote SQL Server. 2. Configure the network firewall to allow the above traffic.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter items" search box, type "max_console_idle_seconds". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "max_console_idle_seconds", but the value is not between the range of "1 - 900", this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. Click "Create Setting". 5. Select "Server" box for "Setting Type". 6. In " Create Platform Setting" dialog box enter "max_console_idle_seconds" for "Name". 7. Select "Numeric" radio button from "Value Type". 8. Select "Value" and enter a value between the range of "1 - 900". 9. Click "Save". 10. Add this setting to the system documentation for validation.
Note: If only using Tanium-provided content and not accepting content from any other content providers, this is not applicable. Consult with the Tanium system administrator to review the documented list of trusted content providers along with the hash for their respective public keys. If the site does not have the Tanium trusted content providers documented along with the SHA-256 hash for their respective public keys, this is a finding.
Prepare and maintain documentation identifying the Tanium trusted content providers along with the SHA-256 hash from their respective public keys.
Note: If only using Tanium-provided content and not accepting content from any other content providers, this is not applicable. Obtain documentation that contains the public key validation data from the Tanium system administrator. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. If the Tanium default content-release.pub key is the only key in the folder, this is not a finding. If documented content provider keys are in the content folder, this is not a finding. If nondocumented content provider keys are in the content folder, this is a finding.
Obtain the public key from the content providers and validate the keys are present in the Tanium folders. If the public keys are found for nontrusted content providers, remove the associated signing key and remove any content imported by that provider. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. 5. Copy any trusted source's .pub keys into the folder and document them. 6. Remove any nontrusted source's .pub keys from the folder.
Note: If only using Tanium-provided content and not accepting content from any other content providers, this is not applicable. Obtain documentation from the Tanium system administrator that contains the public key validation data. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. 5. Verify the public keys listed in the content folder are documented. If a public key, other than the default Tanium public key, is in the content folder and is not documented, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to the following folder: Program Files >> Tanium >> Tanium Server >> content_public_keys >> content folder. 5. If a public key, other than the default Tanium public key, resides in the content folder, use a hashing utility (e.g., TaniumFileInfo.exe) to determine the hash of the public key. 6. Document the owner, the name of the key, and the associated hash of the public key.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter items" search box, type "require_action_approval". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "require_action_approval", but the value is not "1", this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. If "require_action_approval" does not exist: click "Create Setting". 5. Select "Server" box for "Setting Type". 6. In "Create Platform Setting" dialog box, enter "require_action_approval" for "Name". 7. Select "Numeric" radio button from "Value Type". 8. Select "Value" and enter "1". 9. Click "Save".
Consult with the Tanium system administrator to determine if the Threat Response module is being used. If it is not, this is not applicable. Review the documented list of IOC trusted stream sources. If the site uses an external source for IOCs and the IOC trusted stream source is not documented, this is a finding.
Prepare and maintain documentation identifying the Threat Response trusted stream sources.
Consult with the Tanium system administrator to determine if the Threat Response module is being used. If it is not, this is not applicable. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Intel". 6. Select "Sources". 7. Verify all configured Threat Response Streams are configured to a documented trusted source. If Threat Response is configured to a stream that has not been documented as trusted, this is a finding.
Consult the documentation on trusted intel subscription feeds. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Intel". 6. Select "Sources". 7. Click "New Source". 8. Select the specified Source from the list. 9. Fill out the specified information based on the documented trusted intel feeds. 10. Select "Create".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Connections" under "Connections" section. 5. Filter by source and review event-based sources. If any event=based sources have a failed run for more than 72 hours, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Expand the left menu. 5. Click "Connections". 6. Click "Create Connection" or if importing, click "Import". 7. Give the "Connection" a name and description. 8. In the "Configuration" section, select "Event" as the source. 9. Select appropriate source under "Event Group" - any source to generate interest-based events (Discover, Asset, IM, THR, etc). 10. Select the appropriate events to send. Note: Consult with the Tanium system administrator for the Destination. 11. Select "Listen for this Event". 12. Click "Save".
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter Items" search box, type "sign_all_questions_flag". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "sign_all_questions_flag" but the value is not "1", this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. Click "Create Setting". 5. Select "Server" box for "Setting Type." 6. In "Create Platform Setting" dialog box, enter "sign_all_questions_flag" for "Name". 7. Select "Numeric" radio button for "Value Type". 8. Enter "1" for "Value". 9. Click "Save".
Note: This requirement applies only to Tanium implementations in production. If implementation being evaluated is in development, this requirement is not applicable. 1. Access the Tanium Server through interactive logon. 2. Open Windows Explorer and browse to the installation drive of the Tanium Server (e.g., E:\Program Files\Tanium\Tanium Server). 3. Locate the "tanium.license" file and double-click it. 4. Select Notepad to open the "tanium.license" file. 5. Select "Edit" and then select "Find" from the menu in Notepad. 6. Type "allow_unsigned_import" in the search box and select "Find Next." If "allow unsigned_import" is followed by ":true", this is a finding. If "allow unsigned_import" is followed by ":false", this is not a finding.
Contact Tanium for a corrected license file. 1. Double-click the new "tanium.license" file and select Notepad to open the file. 2.. Select "Edit" and then select "Find" from the menu in Notepad. 3. Type "allow_unsigned_import" in the search box and select "Find Next". 4. Verify "allow unsigned_import" is followed by ":false". 5. Access the Tanium Server through interactive logon. 6. Open Windows Explorer and browse to the installation drive of the Tanium Server (e.g., E:\Program Files\Tanium\Tanium Server). 7. Locate the "tanium.license" file and copy it to a backup location. 8. Copy the new "tanium.license" file to the installation drive and directory of the Tanium Server (e.g., E:\Program Files\Tanium\Tanium Server).
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 5. Validate the value name "DownloadPath" with value type "REG_SZ" does not point to a location within the Tanium Server directory. If the value name "DownloadPath" with value type "REG_SZ" does not exist or points to a location within the Tanium Server directory, this is a finding. If the "DownloadPath REG_SZ" value points to a location within the Tanium Server directory, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Create a new folder outside of the Tanium Server directory (e.g., E:\Stage\Downloads). 4. Run regedit as Administrator. 5. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> WOW6432Node >> Tanium >> Tanium Server. 6. Add or change the value name "DownloadPath" with value type "REG_SZ" to point to the location of the relocated installation package files (e.g., E:\Stage\Downloads). 7. Move the files from the original directory (E:\Program Files\Tanium\Tanium Server\Downloads) to the location created for the installation package files. 8. Move the files from the original directory (E:\Program Files\Tanium\Tanium Server\Downloads) to the location created for the installation package files.
Note: This check is performed for the Tanium endpoints and must be validated against the enterprise firewall solution (e.g., Endpoint Security Solution Firewall, Microsoft Windows Defender Firewall setting, Microsoft Advance Threat Protection Firewall, etc.) policies applied to the endpoints. 1. Consult with the personnel who maintain the Enterprise Security Suite configuration for assistance. 2. Validate a rule exists within the firewall policies for managed clients for the following: Port Needed: Tanium Clients or Zone Clients over TCP port 17472, bidirectionally. If a host-based firewall rule does not exist to allow TCP port 17472, bidirectionally, this is a finding. 3. Consult with the boundary network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.
1. Consult with the personnel who maintain the Enterprise Security Suite to configure host-based and network firewall rules to allow the following: Tanium Clients or Zone Clients over TCP port 17472, bidirectionally. 2. Consult with the boundary network firewall administrator to create a rule to allow the following: TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.
Note: If a Zone Server is not being used, this is not applicable. 1. Consult with the Tanium system administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. 2. Access the host-based firewall configuration on the Tanium Zone Server. 3. Validate a rule exists for the following: Port Needed: Tanium Clients to Zone Server over TCP port 17472, bidirectionally. If a host-based firewall rule does not exist to allow TCP port 17472, bidirectionally, from Tanium Clients to the Tanium Zone Server, this is a finding.
Consult with the personnel who maintain the Enterprise Security Suite to configure host-based and network firewall rules to allow the following: Tanium Clients or Zone Clients over TCP port 17472, bidirectionally.
Review the PPSM CAL to verify Tanium has been registered with all of the TCP ports required for functionality to include (but not limited to) TCP 17472, 17477, 17440, 17441, 443, and 1433. If any TCP ports are being used on the Tanium Server that have been deemed as restricted by the PPSM CAL, this is a finding.
Submit a formal request to have the Tanium communication ports evaluated and added to the PPSM CAL.
1. Access the Tanium application server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Navigate to Program Files >> Tanium >> Tanium Server. 4. Locate the "SOAPServer.crt" file. 5. Double-click the file to open the certificate. 6. Select the "Details" tab. 7. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.
Request or regenerate the certificate being used to include both the "Server Authentication" and "Client Authentication" objects.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium. 5. Right-click the "Tanium Server" folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. - Validate the owner of the "Tanium Server" folder is the service account [Tanium service account]. - Validate the [Tanium service account] has full permissions to the "Tanium Server" folder. - Validate the [Tanium Admins] group has full permissions to the "Tanium Server" folder. - Validate Users have no permissions to the "Tanium Server" folder. If any accounts other than the [Tanium service account] and the [Tanium Admins] group have any permission to the "Tanium Server" folder, this is a finding. If the [Tanium service account] is not the owner of the "Tanium Server" folder, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium. 5. Right-click the "Tanium Server" folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. 9. Disable folder inheritance. 10. Change the owner of the directory to the service account [Tanium service account]. 11. Remove User permissions. 12. Give [Tanium service account] full permissions. 13. Give [Tanium Admins] group full permissions.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Tanium Server\http" folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium Admins] group has full permissions. - Validate System has Read-Only permissions. 9. Right-click the "Tanium Server\http\libraries" folder. 10. Select the "Security" tab. 11. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate System has Read-Only permissions. - Validate the [Tanium service account] has Read-Only permissions. - Validate the [Tanium Admins] group has full permissions. 12. Right-click the "Tanium Server\http\taniumjs" folder. 13. Select the "Security" tab. 14. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate System has "Read-Only" permissions. - Validate the [Tanium service account] has "Read-Only" permissions. - Validate the [Tanium Admins] group has full permissions. 15. Right-click the "Tanium Server\http\tux" folder. 16. Select the "Security" tab. 17. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate System has "Read-Only" permissions. - Validate the [Tanium service account] has "Read Only" permissions. - Validate the [Tanium Admins] group has full permissions. 18. Right-click the "Tanium Server\http\tux-console" folder. 19. Select the "Security" tab. 20. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate System has "Read-Only" permissions. - Validate the [Tanium service account] has "Read-Only" permissions. - Validate the [Tanium Admins] group has full permissions. 21. Right-click the "Tanium Server\Logs" folder. 22. Select "Properties". 23. Select the "Security" tab. 24. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium Service Account] has only "Modify" permissions. - Validate the [Tanium Admins] group has full permissions. 25. Right-click the "Tanium Server\TDL_Logs" folder. 26. Select "Properties". 27. Select the "Security" tab. 28. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium Service Account] has only "Modify" permissions. - Validate the [Tanium Admins] group has full permissions. 29. Right-click the "Tanium Server\Certs" folder. 30. Select "Properties". 31. Select the "Security" tab. 32. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate System has "Read-Only" permissions. - Validate the [Tanium Admins] group has full permissions. 33. Navigate to Tanium Server >> Certs. 34. For the following files, verify System and [Tanium Service Account] have "Read-Only" permissions: installedcacert.crt installed-server.crt installed-server.key SOAPServer.crt SOAPServer.key 35. Right-click the "Tanium Server\content_public_keys" folder. 36. Select "Properties". 37. Select the "Security" tab. 38. Click the "Advanced" button. - Validate Folder Inheritance is disabled. - Validate the owner of the directory is the [Tanium service account]. - Validate System has "Read-Only" permissions. - Validate the [Tanium Service Account] has "Read-Only" permissions. - Validate the [Tanium Admins] group has full permissions. If any of the above permissions are not configured correctly, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Tanium Server\http folder. 6. Select "Properties". 7. Select the "Security" tab. 8. Click the "Advanced" button. 9. Verify/Disable folder inheritance. 10. Change/verify the owner of the directory to the [Tanium service account]. 11. Change/verify the [Tanium Admins] group has full permissions. 12. Reduce System to "Read-Only" permissions. 13. Right-click the "Tanium Server\http\libraries" folder. 14. Select the "Security" tab. 15. Click the "Advanced" button. 16. Verify/disable folder inheritance. 17. Change/verify the owner of the directory to the [Tanium service account]. 18. Reduce System to "Read-Only" permissions. 19. Reduce [Tanium service account] to "Read-Only" permissions. 20. Change/verify the [Tanium Admins] group has full permissions. 21. Right-click the "Tanium Server\http\taniumjs" folder. 22. Select the "Security" tab. 23. Click the "Advanced" button. 24. Verify/disable folder inheritance. 25. Change/verify the owner of the directory to the [Tanium service account]. 26. Reduce System to "Read-Only" permissions. 27. Reduce [Tanium service account] to "Read-Only" permissions. 28. Change/verify the [Tanium Admins] group has full permissions. 29. Right-click the "Tanium Server\http\tux" folder. 30. Select the "Security" tab. 31. Click the "Advanced" button. 32. Verify/disable folder inheritance. 33. Change/verify the owner of the directory to the [Tanium service account]. 34. Reduce System to "Read-Only" permissions. 35. Reduce [Tanium service account] to "Read-Only" permissions. 36. Change/verify the [Tanium Admins] group has full permissions. 37. Right-click the "Tanium Server\http\tux-console" folder. 38. Select the "Security" tab. 39. Click the "Advanced" button. 40. Verify/disable folder inheritance. 41. Change/verify the owner of the directory to the [Tanium service account]. 42. Reduce System to "Read-Only" permissions. 43. Reduce [Tanium service account] to "Read-Only" permissions. 44. Change/verify the [Tanium Admins] group has full permissions. 45. Right-click the "Tanium Server\Logs" folder. 46. Select the "Security" tab. 47. Click the "Advanced" button. 48. Verify/disable folder inheritance. 49. Change/verify the owner of the directory to the [Tanium service account]. 50. Reduce [Tanium service account] to "Modify" permissions. 51. Change/verify the [Tanium Admins] group has full permissions. 52. Right-click the "Tanium Server\http\TDL_Logs" folder. 53. Select the "Security" tab. 54. Click the "Advanced" button. 55. Verify/disable folder inheritance. 56. Change/verify the owner of the directory to the [Tanium service account]. 57. Reduce [Tanium service account] to "Modify" permissions. 58. Change/verify the [Tanium Admins] group has full permissions. 59. Right-click the "Tanium Server\Certs" folder. 60. Select the "Security" tab. 61. Click the "Advanced" button. 62. Verify/disable folder inheritance. 63. Change/verify the owner of the directory to the [Tanium service account]. 64. Reduce System to "Read-Only" permissions. 65. Change/verify the [Tanium Admins] group has full permissions. 66. Navigate to Tanium Server >> Certs. 67. For the following files, verify/reduce System and [Tanium Service Account] to "Read-Only" permissions: installedcacert.crt installed-server.crt installed-server.key SOAPServer.crt SOAPServer.key 68. Right-click the "Tanium Server\content_public_keys" folder. 69. Select the "Security" tab. 70. Click the "Advanced" button. 71. Verify/disable folder inheritance. 72. Change/verify the owner of the directory to the [Tanium service account]. 73. Reduce System to "Read-Only" permissions - apply to child objects. 74. Reduce [Tanium service account] to "Read-Only" permissions - apply to child objects. 75. Change/verify the [Tanium Admins] group has full permissions.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Right-click "Tanium Server". 6. Select "Permissions". 7. Click the "Security" tab. 8. Click the "Advanced" button. - Validate the [Tanium service account] has full permissions. - Validate the [Tanium Admins] group has full permissions. - Validate the SYSTEM account has full permissions. - Validate the User accounts do not have any permissions. If any other account has full permissions and/or the User account has any permissions, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Right-click "Tanium Server". 6. Select "Properties". 7. Click the "Security" tab. 8. Click the "Advanced" button. 9. Provide the [Tanium service account] with full permissions. 10. Provide the [Tanium Admins] group with full permissions. 11. Reduce permissions for any other accounts with full permissions. 12. Remove permissions for User accounts.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Logs" folder. 6. Select "Properties". 7. Click the "Security" tab. 8. Click the "Advanced" button. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium service account] privileges is the only account with modify permissions on the directory. - Validate the [Tanium Administrators] group has full permissions on the directory. 9. Right-click the "TDL_Logs" folder. 10. Select "Properties". 11. Click the "Security" tab. 12. Click the "Advanced" button. - Validate the owner of the directory is the [Tanium service account]. - Validate the [Tanium service account] privileges is the only account with modify permissions on the directory. - Validate the [Tanium Administrators] group has full permissions on the directory. If any of the specified permissions are not set as required, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Server. 5. Right-click the "Logs" folder. 6. Select "Properties". 7. Click the "Security" tab. 8. Click the "Advanced" button. 9. Disable folder inheritance. 10. Change/verify the owner of the directory to the [Tanium service account]. 11. Reduce [Tanium service account] privileges to modify permissions on the directory. 12. Ensure [Tanium Admins] group has full permissions on the directory. 13. Right-click the "TDL_Logs" folder. 14. Select "Properties". 15. Click the "Security" tab. 16. Click the "Advanced" button. 17. Disable folder inheritance. 18. Change/verify the owner of the directory to the [Tanium service account]. 19. Reduce [Tanium service account] privileges to modify permissions on the directory. 20. Ensure [Tanium Admins] group has full permissions on the directory.
Consult with the Tanium system administrator to verify which firewall is being used as a host-based firewall on the Tanium Module Server. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Module Server. 4. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477 from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.
1. Configure host-based firewall rules on the Tanium Module Server to include the following required traffic: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. 2. Configure the network firewall to allow the above traffic.
Consult with the Tanium system administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477 from the Tanium Server to the Tanium Module Server, this is a finding. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.
1. Configure host-based firewall rules on the Tanium Server to allow the following required traffic: Allow TCP traffic on port 17477 to the Tanium Module Server from the Tanium Server. 2. Configure the network firewall to allow the above traffic.
Note: If a Zone Server is not being used, this is not applicable. Consult with the Tanium system administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: Port Needed: Tanium Server to Zone Server over TCP port 17472. Note: By default, the Zone Server uses 17472 for traffic from Zone Server Hubs and Tanium Clients. However, as a best practice to improve the security of the Zone Server, different ports can be configured for the hubs and clients. If a host-based firewall rule does not exist to allow TCP port 17472 or other defined port, bidirectionally, from the Tanium Server to the Tanium Zone Server, this is a finding.
1. Configure host-based firewall rules on the Tanium Zone server to include the following required traffic: Allow Tanium Server to Zone Server over TCP port 17472. 2. Configure the network firewall to allow the above traffic. Note: By default, the Zone Server uses 17472 for traffic from Zone Server Hubs and Tanium Clients. However, as a best practice to improve the security of the Zone Server, different ports can be configured for the hubs and clients.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the server's registry by typing: regedit <enter>. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Verify the existence of a DWORD "SSLHonorCipherOrder" with a value of "0x00000001" (hex). If the DWORD "SSLHonorCipherOrder" does not exist with a value of "0x00000001" (hex), this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the server's registry by typing: regedit <enter>. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Add or modify the DWORD "SSLHonorCipherOrder" to have a value of 0x00000001 (hex).
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. When connected, review the certificate for the Tanium Server as noted below. 3. In the web browser, view the certificate and verify it was issued by a DoD root CA. Also verify the certification path's top level is a DoD root CA. If the certificate authority is not DoD Root CA, this is a finding.
Request or regenerate the certificate from a DoD root CA.
Review the settings of the antivirus software. Validate exclusions exist that exclude the Tanium Server directory and subsequent file interactions from On-Access scans. If exclusions do not exist, this is a finding.
Implement exclusion policies within the antivirus software solution to exclude the On-Access scanning of Tanium Server directory and subsequent file interactions.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the server's registry by typing: "regedit". 4. Click "Enter". 5. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 6. Verify the existence of the string "SSLCipherSuite" with a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK If the string "SSLCipherSuite" does not exist with the appropriate list values, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the server's registry by typing: regedit <enter>. 4. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. 5. Add a new string (REG_SZ) or modify the string "SSLCipherSuite" to have a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter items" search box, type "max_soap_sessions_total". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "max_soap_sessions_total" but the value does not follow {(Number of Users) * 1024} formula, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. Click "Create Setting". 5. Select "Server" box for "Setting Type". 6. In "Create Platform Setting" dialog box, enter "max_soap_sessions_total" for "Name". 7. Select "Numeric" radio button from "Value Type". 8. Use this formula for determining "Setting Value": {(Number of Users) * 1024 = max_soap_sessions_total} 9. Click "Save". 10. Add this setting to the system documentation for validation.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter items" search box, type "max_soap_sessions_per_user". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "max_soap_sessions_per_user" but the value is not 1024, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. Click "Create Setting". 5. Select "Server" box for "Setting Type". 6. In "Create Platform Setting" dialog box, enter "max_soap_sessions_per_user" for "Name". 7. Select "Numeric" radio button from "Value Type". 8. Enter "1024" for the "Value:". 9. Click "Save". 10. Add this setting to the system documentation for validation.
Consult with the Tanium system administrator to review the documented list of folder maintainers for Threat Response Local Directory Source. If the site does not leverage Local Directory Source to import IOCs, this finding is not applicable. If the site does use Local Directory Source to import IOCs and the folder maintainers are not documented, this is a finding.
Prepare and maintain documentation identifying the Tanium Threat Response Local Directory Source maintainers.
Consult with the Tanium system administrator to determine if the Tanium Threat Response module is being used. If it is not, his finding is not applicable. If the Local Directory Source type is being used, determine where they get their IOC stream. 1. Access the Tanium Module Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Module Server >> services >> threat-response-files. 5. Right-click the folder and choose "Properties". 6. Select the "Security" tab. 7. Click the "Advanced" button. If the accounts listed in the "Security" tab do not match the list of accounts in the Tanium documentation, this is a finding.
1. Access the Tanium Module Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Module Server >> services >> threat-response-files. 5. Right-click the folder and choose "Properties". 6. Select the "Security" tab. 7. Click the "Advanced" button. If the accounts listed in the "Security" tab do not match the list of accounts, with the exception of SYSTEM, remove the additionally listed accounts. If the accounts listed in the "Security" tab are missing accounts from the documentation, with the exception of SYSTEM, add the additionally listed accounts with a minimum of READ permission.
Consult with the Tanium system administrator to review the documented list of trusted SCAP sources. If the site does not have the "Tanium Comply" module or does not use "Tanium Comply" for compliance validation, this finding is not applicable. If the site does use Tanium Comply and the source for SCAP content is not documented, this is a finding.
If the site does not have the "Tanium Comply" module or does not use "Tanium Comply" for compliance validation, this finding is not applicable. Prepare and maintain documentation identifying the source of SCAP sources that will be used by the "Tanium Comply" module.
Consult with the Tanium system administrator to review the documented list of trusted OVAL feeds. If the site does not have the "Tanium Comply" module or does not use "Tanium Comply" for passive vulnerability scanning, this finding is not applicable. If the site does use "Tanium Comply" and the source for OVAL content is not documented, this is a finding.
If the site does not have the "Tanium Comply" module or does not use "Tanium Comply" for passive vulnerability scanning, this finding is not applicable. Prepare and maintain documentation identifying the source of OVAL feeds that will be used by the "Tanium Comply" module.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top banner of the console. 3. Click "Comply". 4. Click the menu on the left side of the interface. Under "Standards", click "Compliance". Verify all imported compliance benchmarks are from a documented trusted source. If any compliance benchmark is found that does not come from a documented trusted source, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top banner of the console. 3. Click "Comply". 4. Click the menu on the left side of the interface. Under "Standards", click "Compliance". 5. Delete any compliance benchmarks that come from nontrusted sources.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Comply". 4. Expand the left menu. 5. Under "Standards", click "Vulnerability". 6. Verify all imported vulnerability sources are from a documented trusted source. If any vulnerability sources are found that do not come from a documented trusted source, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Comply". 4. Expand the left menu. 5. Under "Standards", click "Vulnerability". 6. Delete any vulnerability sources configured to nontrusted sources or reconfigure them to point to trusted sources.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Bandwidth Throttles". 4. Work with the Tanium administrator to confirm settings. If settings are not based on organization needs, this is a finding. For more information, refer to https://docs.tanium.com/platform_user/platform_user/console_bandwidth_throttling.html.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Bandwidth Throttles". 4. Click "Add" on the line for "Global Throttle for All Data". 5. Work with the Tanium administrator to configure the required bandwidth throttles. 6. Click "Save". 7. Work with the Tanium administrator to confirm or set settings for the remaining options: - Global Throttle for Package Files. - Global Throttle for Sensors. - Site Throttles.
Consult with the Tanium system administrator to determine the HIPS software used on the Tanium Server. Review the settings of the HIPS software. Validate exclusions exist that exclude the Tanium program files from being restricted by HIPS. If exclusions do not exist, this is a finding.
Implement exclusion policies within the HIPS software solution to exclude the Tanium Server program files from HIPS intervention.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" at top center of the screen. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter Items" box, enter "max_console_idle_seconds". If no results are returned, this is a finding. If results are returned for "max_console_idle_seconds" but the value is not "900" or less, this is a finding.
If the "max_console_idle_seconds" setting exists but is not "900" or less: 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. In the "Filter Items" box, enter "max_console_idle_seconds". 5. Select the "max_console_idle_seconds" setting. 6. For "Value", enter "900" or less. 7. Click the "Save" button. If the "max_console_idle_seconds" setting does not exist: 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Platform Settings". 4. Click the "Create Setting" button at the top right. 5. Select "Server" box for "Setting Type". 6. In "Create Platform Setting" dialog box, enter "max_console_idle_seconds" for "Name". 7. Select "Numeric" for the "Value Type". 8. For the "Value", enter "900" or less. 9. Click "Save".
Verify that to prevent a nonprivileged user from affecting the Tanium Server's ability to operate, the control of the service is restricted to the local administrators. 1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open the CMD prompt as admin. 4. Run "sc sdshow "Tanium Server". If the string does not match "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)", this is a finding. Note: Run the above on all other Tanium Servers, including Tanium Servers in an Active-Active pair.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Open the CMD prompt as admin. 4. Run "sc sdset "Tanium Server" D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)". 5. Run the above on all other Tanium Servers, including Tanium Servers in an Active-Active pair.
1. Access the Tanium Servers (Application, SQL and Module) interactively. 2. Log on to the server with an account that has administrative privileges. 3. Access the server's registry by typing "regedit". 4. Press "Enter". 5. Confirm the following settings are in place: a) Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Client. Name: DisabledByDefault Type: REG_DWORD Data: 0x0000001 (hex) If the value for "DisabledByDefault" is not set to "1" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. Name: Enabled Type: REG_DWORD Data: 0x00000000 (hex) If the value for "Enabled" is not set to "0" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. b) Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Server. Name: DisabledByDefault Type: REG_DWORD Data: 0x0000001 (hex) If the value for "DisabledByDefault" is not set to "1" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. Name: Enabled Type: REG_DWORD Data: 0x00000000 (hex) If the value for "Enabled" is not set to "0" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. c) Repeat the steps above for SSL 3.0, TLS 1.0, and TLS 1.1. d) Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> TLS 1.2 >> Client. Name: DisabledByDefault Type: REG_DWORD Data: 0x0000000 (hex) If the value for "DisabledByDefault" is not set to "0" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. Name: Enabled Type: REG_DWORD Data: 0x00000001 (hex) If the value for "Enabled" is not set to "1" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. e) Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Server. Name: DisabledByDefault Type: REG_DWORD Data: 0x0000000 (hex) If the value for "DisabledByDefault" is not set to "0" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding. Name: Enabled Type: REG_DWORD Data: 0x00000001 (hex) If the value for "Enabled" is not set to "1" and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Access the server's registry by typing "regedit". 4. Press "Enter". 5. Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Client. 6. Right-click in the right window pane. 7. Select: New >> DWORD (32-bit) Value. 8. In the "Name" field, enter "DisabledByDefault". 9. Press "Enter". 10. Right-click the newly created "Name". 11. Select "Modify...". 12. Enter "1" in "Value data:" and ensure that under "Base", the "Hexadecimal" radio button is selected. 13. Click "OK". 14. Right-click in the right window pane. 15. Select: New >> DWORD (32-bit) Value. 16. In the "Name" field, enter "Enabled". 17. Press "Enter". 18. Right-click the newly created "Name". 19. Select "Modify...". 20. Leave default value of "0" in "Value data:". 21. Ensure that under "Base", the "Hexadecimal" radio button is selected. 22. Click "OK". 23. Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> SSL 2.0 >> Server. 24. Right-click in the right window pane. 25. Select: New >> DWORD (32-bit) Value. 26. In the "Name" field, enter "DisabledByDefault". 27. Press "Enter". 28. Right-click the newly created "Name". 29. Select "Modify...". 30. Enter "1" in "Value data:" and ensure that under "Base", the "Hexadecimal" radio button is selected. 31. Click "OK". 32. Right-click in the right window pane. 33. Select: New >> DWORD (32-bit) Value. 34. In the "Name" field, enter "Enabled". 35. Press "Enter". 36. Right-click the newly created "Name". 37. Select "Modify...". 38. Leave default value of "0" in "Value data:". 39. Ensure that under "Base", the "Hexadecimal" radio button is selected. 40. Click "OK". 41. Repeat the above steps for SSL 3.0, TLS 1.0, and TLS 1.1. 42. Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> TLS 1.2 >> Client. 43. Right-click in the right window pane. 44. Select: New >> DWORD (32-bit) Value. 45. In the "Name" field, enter "DisabledByDefault". 46. Press "Enter". 47. Right-click the newly created "Name". 48. Select "Modify...". 49. Enter "0" in "Value data:" and ensure that under "Base", the "Hexadecimal" radio button is selected. 50. Click "OK". 51. Right-click in the right window pane. 52. Select: New >> DWORD (32-bit) Value. 53. In the "Name" field, enter "Enabled". 54. Press "Enter". 55. Right-click the newly created "Name". 56. Select "Modify...". 57. Leave default value of "1" in "Value data:". 58. Ensure that under "Base", the "Hexadecimal" radio button is selected. 59. Click "OK". 60. Navigate to: HKEY_LOCAL_MACHINE >> SYSTEM >> CurrentControlSet >> Control >> SecurityProviders >> SCHANNEL >> Protocols >> TLS 1.2 >> Server. 61. Right-click in the right window pane. 62. Select: New >> DWORD (32-bit) Value. 63. In the "Name" field, enter "DisabledByDefault". 64. Press "Enter". 65. Right-click the newly created "Name". 66. Select "Modify...". 67. Enter "0" in "Value data:" and ensure that under "Base", the "Hexadecimal" radio button is selected. 68. Click "OK". 69. Right-click in the right window pane. 70. Select: New >> DWORD (32-bit) Value. 71. In the "Name" field, enter "Enabled". 72. Press "Enter". 73. Right-click the newly created "Name". 74. Select "Modify...". 75. Leave default value of "1" in "Value data:". 76. Ensure that under "Base", the "Hexadecimal" radio button is selected. 77. Click "OK".
1. Access the Tanium Server, Tanium Module Server, and Tanium SQL Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to the following and confirm the setting "SchUseStrongCrypto" is present and configured as follows: Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Microsoft >> .NETFramework >> v4.0.xxxxx (the subversion number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Application Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the subversion number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium SQL Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the subversion number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Module Server. Name: SchUseStrongCrypto Type: REG_DWORD Data: 0x0000001 (hex) If the value for "SchUseStrongCrypto " is not set to "0x00000001" (hex) and "Type" is not configured to "REG_DWORD" or does not exist, this is a finding.
1. Access the Tanium Server, Tanium Module Server, and Tanium SQL Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Use the following locations for steps 5-13. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Microsoft >> .NETFramework >> v4.0.xxxxx (the subversion number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Application Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the subversion number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium SQL Server. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> .NETFramework >> v4.0.xxxxx (the subversion number may vary, but it is a 4.0 version; example: 4.0.30319) for Tanium Module Server. 5. Right-click in the right window pane. 6. Select: New >> DWORD (32-bit) Value. 7. In the "Name" field, enter "SchUseStrongCrypto". 8. Press "Enter". 9. Right-click the newly created "Name". 10. Select "Modify...". 11. Enter "1" in "Value data:". 12. Ensure that under "Base", the "Hexadecimal" radio button is selected. 13. Click "OK".
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to: HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server. Name: SSLCipherSuite Type: String Value:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSAAES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK If the String "SSLCipherSuite" does not exist with the appropriate list values, this is a finding.
1. Access the Tanium Server. 2. Log on to the server with an account that has administrative privileges. 3. Run regedit as Administrator. 4. Navigate to: HKEY_LOCAL_MACHINE >> Software >> Wow6432Node >> Tanium >> Tanium Server. 5. Right-click in the right window pane. 6. Select: New >> String Value. 7. In the "Name" field, enter "SSLCipherSuite". 8. Press "Enter". 9. Right-click the newly created "Name". 10. Select "Modify". 11. Add the following: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSAAES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK 12. Click "OK".