Tanium 7.x Application on TanOS Security Technical Implementation Guide

Version

TANS-AP-000040

Vuln IDs

V-254877

Rule IDs

SV-254877r960762_rule

Without cryptographic integrity protections in the Tanium Client, information could be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of Tanium communications information include signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

Checks: C-58490r867529_chk

1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Client Status". 4. Change "Show systems that have reported in the last:"; enter "7" in the first field. 5. Select "Days" from the drop-down menu in the second field to determine if any endpoints connected with an invalid key. If any systems are listed with "No" in the "Valid Key" column, this is a finding.

Fix: F-58434r867530_fix

For systems that do not have a valid key for the Tanium Server, redeploy the client software from Tanium using Tanium Client Management or work with the Tanium system administrator to accomplish this. 1. Configure a deployment. 2. Deploy the package or installer. 3. Target appropriate systems.

b

Tanium Trusted Content providers must be documented.

AC-17 - Medium - CCI-001453 - V-254878 - SV-254878r960762_rule

RMF Control

AC-17

Severity

M

CCI

Version

TANS-AP-000045

Vuln IDs

V-254878

Rule IDs

SV-254878r960762_rule

A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed computers. Sensors gather specific information from the local device and then write the results to the computer's standard output channel. The Tanium Client captures that output and forwards the results through the platform's unique "ring" architecture for display in the Tanium Console. The language used for Sensor development is based on the scripting engine available on the largest number of devices under management as well as the scripting experience and background of the people who will be responsible for creating new Sensors. VBScript and PowerShell are examples of common scripting languages used for developing sensors. Because errors in scripting can and will provide errant feedback at best and will impact functionality of the endpoint to which the content is directed, it is imperative to ensure content is only accepted from trusted sources.

Checks: C-58491r867532_chk

Note: If only using Tanium-provided content and not accepting content from any other content providers, this is Not Applicable. Consult with the Tanium System Administrator to review the documented list of trusted content providers along with the Hash for their respective public keys. If the site does not have the Tanium trusted content providers documented along with the SHA-256 Hash for their respective public keys, this is a finding.

Fix: F-58435r867533_fix

Prepare and maintain documentation identifying the Tanium trusted content providers along with the SHA-256 Hash from their respective public keys.

b

Content providers must provide their public key to the Tanium administrator to import for validating signed content.

AC-17 - Medium - CCI-001453 - V-254879 - SV-254879r960762_rule

RMF Control

AC-17

Severity

M

CCI

Version

TANS-AP-000050

Vuln IDs

V-254879

Rule IDs

SV-254879r960762_rule

A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed computers. Sensors gather specific information from the local device and then write the results to the computer's standard output channel. The Tanium Client captures that output and forwards the results through the platform's unique "ring" architecture for display in the Tanium Console. The language used for Sensor development is based on the scripting engine available on the largest number of devices under management as well as the scripting experience and background of the people who will be responsible for creating new Sensors. VBScript and PowerShell are examples of common scripting languages used for developing sensors. Because errors in scripting can and will provide errant feedback at best and will impact functionality of the endpoint to which the content is directed, it is imperative to ensure content is only accepted from trusted sources.

Checks: C-58492r867535_chk

Note: If only using Tanium-provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "2" for "Tanium Operations Menu," and then press "Enter". 4. Press "5" for "Manage Custom Signing Keys," and then press "Enter". 5. Press "L" for "List Content Signing Keys," and then press "Enter". If signing keys not listed in the provided documentation are present, this is a finding.

Fix: F-58436r867536_fix

Note: If only using Tanium-provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "2" for "Tanium Operations Menu," and then press "Enter". 4. Press "5" for "Manage Custom Signing Keys," and then press "Enter". 5. Press "A" for "List Content Signing Keys," and then press "Enter". 6. Check the provided documentation and either update the document with the name and SHA-256 hash of the key or remove the key.

b

Tanium public keys of content providers must be validated against documented trusted content providers.

AC-17 - Medium - CCI-001453 - V-254880 - SV-254880r960762_rule

RMF Control

AC-17

Severity

M

CCI

Version

TANS-AP-000055

Vuln IDs

V-254880

Rule IDs

SV-254880r960762_rule

A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed computers. Sensors gather specific information from the local device and then write the results to the computer's standard output channel. The Tanium Client captures that output and forwards the results through the platform's unique "ring" architecture for display in the Tanium Console. The language used for Sensor development is based on the scripting engine available on the largest number of devices under management as well as the scripting experience and background of the people who will be responsible for creating new Sensors. VBScript and PowerShell are examples of common scripting languages used for developing sensors. Because errors in scripting can and will provide errant feedback at best and will impact functionality of the endpoint to which the content is directed, it is imperative to ensure content is only accepted from trusted sources.

Checks: C-58493r867538_chk

Note: If only using Tanium-provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "2" for "Tanium Operations Menu," and then press "Enter". 4. Press "5" for "Manage Custom Signing Keys," and then press "Enter". 5. Press "L" for "List Content Signing Keys," and then press "Enter". If signing keys not listed in the provided documentation are present, this is a finding.

Fix: F-58437r867539_fix

Note: If only using Tanium-provided content and not accepting content from any other content providers, this is Not Applicable. Obtain documentation from the Tanium System Administrator that contains the public key validation data. 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "2" for "Tanium Operations Menu," and then press "Enter". 4. Press "5" for "Manage Custom Signing Keys," and then press "Enter". 5. Press "A" for "List Content Signing Keys," and then press "Enter". 6. Check the provided documentation and either update the document with the name and SHA-256 hash of the key or remove the key.

b

The Tanium Application Server must be configured to only use LDAP for account management functions.

AC-2 - Medium - CCI-000015 - V-254881 - SV-254881r960768_rule

RMF Control

AC-2

Severity

M

CCI

Version

TANS-AP-000065

Vuln IDs

V-254881

Rule IDs

SV-254881r960768_rule

Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. To reduce risk, the Tanium Application Server must be configured to allow for LDAP to provide account management functions that immediately enforce the organization's current account policy.

Checks: C-58494r867541_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "LDAP/AD Sync Configurations". 4. Ensure LDAP sync is enabled. If LDAP is not enabled, this is a finding.

Fix: F-58438r867542_fix

Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_user/platform_user/console_using_ldap.html?Highlight=LDAP 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "LDAP/AD Sync Configurations". 4. Follow the vendor documentation titled "Integrating with LDAP Servers" to implement correct configuration settings for this requirement.

b

Tanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.

AC-3 - Medium - CCI-000213 - V-254882 - SV-254882r960792_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-AP-000100

Vuln IDs

V-254882

Rule IDs

SV-254882r960792_rule

Computer Groups allow a site running Tanium to assign responsibility of specific Computer Groups to specific Tanium console users. By doing so, a desktop administrator, for example, will not have the ability to enforce an action against a high visibility server. For large sites, it is crucial to have the Computer Groups. While a smaller site might not seem to require Computer Groups, creating them provides for a cleaner implementation. All sites will be required to have some kind of Computer Groups configured other than the default "All Computers".

Checks: C-58495r867544_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Select the "Computer Groups" tab. 4. Under the "Name" column, verify organization-specific computer groups match the organization-defined list in the system security plan (SSP). If site- or organization-specific computer groups do not match or exist, this is a finding.

Fix: F-58439r867545_fix

1. Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Select the "Computer Groups" tab. 4. Configure specific Computer Groups to facilitate the management of computers by authorized individuals for those computers. Note: Tanium offers two ways to define computer groups. Refer to documentation for explanation found here: https://docs.tanium.com/platform_user/platform_user/console_computer_groups.html#Computer_Group_types.

b

Documentation identifying Tanium console users, their respective User Groups, Computer Groups, and Roles must be maintained.

AC-3 - Medium - CCI-000213 - V-254883 - SV-254883r960792_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-AP-000105

Vuln IDs

V-254883

Rule IDs

SV-254883r960792_rule

System access must be reviewed periodically to verify all Tanium users are assigned the appropriate functional role, with the least privileged access possible to perform assigned tasks being the recommended best practice to avoid unauthorized access.

Checks: C-58496r867547_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users. User Groups, Roles, Computer Groups, and correlated LDAP security groups must be documented for users. If the documentation does not exist, or is missing any Tanium users and their respective User Groups, Roles, Computer Groups, and correlated LDAP security groups documentation, this is a finding.

Fix: F-58440r867548_fix

Prepare and maintain documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups.

b

The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined within the environment's system documentation.

AC-3 - Medium - CCI-000213 - V-254884 - SV-254884r960792_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-AP-000110

Vuln IDs

V-254884

Rule IDs

SV-254884r960792_rule

It is important for information system owners to document authorized user groups for the Tanium application to avoid unauthorized access to systems. Misaligned implementation of user groups grants excessive access and results in potential compromise of "need-to-know" when it comes to information access.

Checks: C-58497r867550_chk

Consult with the Tanium System Administrator to review the documented list of Tanium User Groups. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Permissions, select "User Groups". 4. Click each User Group and compare both the User Group name and the assigned Role(s) to the system documentation. If any users have access to Tanium and their User Group is not on the list of documented User Groups with the appropriate Role(s), this is a finding.

Fix: F-58441r867551_fix

Consult the documentation identifying the Tanium User Groups and their respective Role(s). 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Permissions, select "User Groups". 4. Click each User Group and add any missing Role(s). 5. For any missing User Groups, make the appropriate adjustments in LDAP.

b

Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.

AC-3 - Medium - CCI-000213 - V-254885 - SV-254885r960792_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-AP-000115

Vuln IDs

V-254885

Rule IDs

SV-254885r960792_rule

System access must be reviewed periodically to verify all Tanium users are assigned the appropriate computer groups, with the least privileged access possible to perform assigned tasks. Users who have been removed from the documentation should no longer be configured as a Tanium Console User.

Checks: C-58498r867553_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users and their respective, approved Computer Group rights. If the documented list does not have the Tanium users and their respective approved Computer Group rights documented, this is a finding.

Fix: F-58442r867554_fix

Prepare and maintain documentation identifying the Tanium console users and their respective Computer Group rights.

b

The Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.

AC-3 - Medium - CCI-000213 - V-254886 - SV-254886r960792_rule

RMF Control

AC-3

Severity

M

CCI

Version

TANS-AP-000120

Vuln IDs

V-254886

Rule IDs

SV-254886r960792_rule

The Tanium Action Approval feature provides a two-person integrity control mechanism designed to achieve a high-level of security and reduce the possibility of error for critical operations. When this feature is enabled, an action configured by one Tanium console user will require a second Tanium console user with a role of Action Approver (or higher) to approve the action before it is deployed to targeted computers. While this system slows workflow, the reliability of actions deployed will be greater on the Packaging and Targeting. Satisfies: SRG-APP-000033, SRG-APP-000488

Checks: C-58499r867556_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. In the "Filter items" search box type "require_action_approval". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "require_action_approval", but the value is not "1", this is a finding.

Fix: F-58443r867557_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. If "require_action_approval" does not exist, click "Create Setting". 5. Select "Server" for "Setting Type". 6. In the "Create Platform Setting" dialog box, enter "require_action_approval" for "Name". 7. Select "Numeric" radio button from "Value Type". 8. Select "Value" and enter "1". 9. Click "Save".

b

The Tanium documentation identifying recognized and trusted IOC streams must be maintained.

AC-4 - Medium - CCI-001414 - V-254887 - SV-254887r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000130

Vuln IDs

V-254887

Rule IDs

SV-254887r960804_rule

Using trusted and recognized IOC sources may detect and prevent systems from becoming compromised. An IOC stream is a series or stream of IOCs that are imported from a vendor based on a subscription service. An IOC stream can be downloaded manually or on a scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-58500r867559_chk

Consult with the Tanium System Administrator to determine if the Threat Response module is being used. If not, this is Not Applicable. Review the documented list of IOC trusted stream sources. If the site does use an external source for IOCs and the IOC trusted stream source is not documented, this is a finding.

Fix: F-58444r867560_fix

Prepare and maintain documentation identifying the Threat Response trusted stream sources.

b

Tanium Threat Response must be configured to receive IOC streams only from trusted sources.

AC-4 - Medium - CCI-001414 - V-254888 - SV-254888r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000135

Vuln IDs

V-254888

Rule IDs

SV-254888r960804_rule

Using trusted and recognized IOC sources may detect and prevent systems from becoming compromised. An IOC stream is a series or stream of intel that is imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Threat Response can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-58501r867562_chk

Consult with the Tanium System Administrator to determine if the Threat Response module is being used, if not this is Not Applicable. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Intel". 6. Select "Sources". 7. Verify all configured Threat Response Streams are configured to a documented trusted source. If Threat Response is configured to a stream that has not been documented as trusted, this is a finding.

Fix: F-58445r867563_fix

Consult the documentation on trusted intel subscription feeds. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Intel". 6. Select "Sources". 7. Click "New Source". 8. Select the specified Source from the list. 9. Fill out the specified information based on the documented trusted intel feeds. 10. Select "Create".

b

The Tanium documentation identifying recognized and trusted folders for Threat Response Local Directory Source must be maintained.

AC-4 - Medium - CCI-001414 - V-254889 - SV-254889r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000140

Vuln IDs

V-254889

Rule IDs

SV-254889r960804_rule

Using trusted and recognized IOC sources may detect and prevent systems from becoming compromised. An IOC stream is a series or stream of IOCs that are imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Threat Response can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-58502r867565_chk

Consult with the Tanium System Administrator to review the documented list of folder maintainers for Threat Response Local Directory Source. If the site does not leverage Local Directory Source to import IOCs, this finding is Not Applicable. If the site does use Local Directory Source to import IOCs and the folder maintainers are not documented, this is a finding.

Fix: F-58446r867566_fix

Prepare and maintain documentation identifying the Tanium Threat Response Local Directory Source maintainers.

b

The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of Threat Intel.

AC-4 - Medium - CCI-001414 - V-254890 - SV-254890r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000145

Vuln IDs

V-254890

Rule IDs

SV-254890r960804_rule

Using trusted and recognized IOC sources may detect and prevent systems from becoming compromised. An IOC stream is a series or stream of intel imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Threat Response can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.

Checks: C-58503r867568_chk

Consult with the Tanium System Administrator to determine if the Tanium Threat Response module is being used. If not, this finding is Not Applicable. If the Local Directory Source type is being used, then determine where they get their IOC Stream. 1. Access the Tanium Module Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Module Server >> Services >> Threat-Response-Files. 5. Right-click on the folder and choose "Properties". 6. Select the "Security" tab. 7. Click "Advanced". If the accounts listed in the Security tab do not match the list of accounts found in the Tanium documentation, this is a finding.

Fix: F-58447r867569_fix

1. Access the Tanium Module Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Open an Explorer window. 4. Navigate to Program Files >> Tanium >> Tanium Module Server >> Services >> Threat-Response-Files. 5. Right-click on the folder and choose "Properties". 6. Select the "Security" tab. 7. Click "Advanced". If the accounts listed in the Security tab do not match the list of accounts, with the exception of SYSTEM, remove the additionally listed accounts. If the accounts listed in the "Security" tab are missing accounts from the documentation, with the exception of SYSTEM, add the additionally listed accounts with a minimum of READ permissions.

b

The Tanium documentation identifying recognized and trusted SCAP sources must be maintained.

AC-4 - Medium - CCI-001414 - V-254891 - SV-254891r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000150

Vuln IDs

V-254891

Rule IDs

SV-254891r960804_rule

NIST validated SCAP XML documents are provided from several possible sources such as DISA, NIST, and the other nongovernment entities. These documents are used as the basis of compliance definitions leveraged to automate compliance auditing of systems. These documents are updated on different frequencies and must be manually downloaded on regular intervals and imported to be current. Nonapproved SCAP definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-58504r867571_chk

Consult with the Tanium System Administrator to review the documented list of trusted SCAP sources. If the site does not have the "Tanium Comply" module, or does not use Tanium Comply for compliance validation, this finding is Not Applicable. If the site does use Tanium Comply and the source for SCAP content is not documented, this is a finding.

Fix: F-58448r867572_fix

If the site does not have the Tanium Comply module, or does not use Tanium Comply for compliance validation, this finding is Not Applicable. Prepare and maintain documentation identifying the source of SCAP sources that will be used by the Tanium Comply module.

b

The Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.

AC-4 - Medium - CCI-001414 - V-254892 - SV-254892r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000155

Vuln IDs

V-254892

Rule IDs

SV-254892r960804_rule

OVAL XML documents are provided from several possible sources such as the CIS open source repository, or any number of vendor/third-party paid repositories. These documents are used to automate the passive validation of vulnerabilities on systems and therefore require a reasonable level of confidence in their origin. Nonapproved OVAL definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-58505r867574_chk

Consult with the Tanium System Administrator to review the documented list of trusted OVAL feeds. If the site does not have Tanium Comply module, or does not use Tanium Comply for passive vulnerability scanning, this finding is Not Applicable. Otherwise, if the site does use Tanium Comply and the source for OVAL content is not documented, this is a finding.

Fix: F-58449r867575_fix

If the site does not have Tanium Comply module, or does not use Tanium Comply for passive vulnerability scanning, this finding is Not Applicable. Prepare and maintain documentation identifying the source of OVAL feeds that will be used by Tanium Comply module.

b

Tanium Comply must be configured to receive SCAP content only from trusted sources.

AC-4 - Medium - CCI-001414 - V-254893 - SV-254893r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000160

Vuln IDs

V-254893

Rule IDs

SV-254893r960804_rule

NIST-validated SCAP XML documents are provided from several possible sources such as DISA, NIST, and the other nongovernment entities. These documents are used as the basis of compliance definitions leveraged to automate compliance auditing of systems. These documents are updated on different frequencies and must be manually downloaded on regular intervals and imported to be current. Nonapproved SCAP definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-58506r867577_chk

1. Using a web browser on a system, that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top banner of the console. 3. Click "Comply". 4. Click the menu on the left side of the interface and then click "Compliance" under "Standards". Verify all imported compliance benchmarks are from a documented trusted source. If any compliance benchmark is found that does not come from a documented trusted source, this is a finding.

Fix: F-58450r867578_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top banner of the console. 3. Click "Comply". 4. Click the menu on the left side of the interface and then click "Compliance" under "Standards". 5. Delete any compliance benchmarks that come from nontrusted sources.

b

Tanium Comply must be configured to receive OVAL feeds only from trusted sources.

AC-4 - Medium - CCI-001414 - V-254894 - SV-254894r960804_rule

RMF Control

AC-4

Severity

M

CCI

Version

TANS-AP-000165

Vuln IDs

V-254894

Rule IDs

SV-254894r960804_rule

OVAL XML documents are provided from several possible sources such as the CIS open source repository, or any number of vendor/third party paid repositories. These documents are used to automate the passive validation of vulnerabilities on systems and therefore require a reasonable level of confidence in their origin. Nonapproved OVAL definitions lead to a false sense of security when evaluating an enterprise environment.

Checks: C-58507r867580_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Comply". 4. Expand the left menu. 5. Under "Standards," click "Vulnerability". 6. Verify all imported vulnerability sources are from a documented trusted source. If any vulnerability sources are found that do not come from a documented trusted source, this is a finding.

Fix: F-58451r867581_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Comply". 4. Expand the left menu. 5. Under "Standards," click "Vulnerability". 6. Delete any vulnerability sources configured to nontrusted sources, or reconfigure to point to trusted sources.

b

The publicly accessible Tanium application must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application.

AC-8 - Medium - CCI-000048 - V-254895 - SV-254895r960843_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

TANS-AP-000175

Vuln IDs

V-254895

Rule IDs

SV-254895r960843_rule

Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for desktops, laptops, and other devices accommodating banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Satisfies: SRG-APP-000068, SRG-APP-000070

Checks: C-58508r867583_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Verify DOD use notification displayed prior to login. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If a DOD-approved use notification banner does not display prior to logon, this is a finding.

Fix: F-58452r867584_fix

1. Create an .html file composed of the DOD-authorized warning banner verbiage. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 2. Name the file "warning_banner.html". 3. Use SFTP to upload the HTML banner file to the /incoming folder. 4. Access the Tanium Server interactively. 5. Log on to the TanOS server with the tanadmin user role. 6. Enter 2: Tanium Operations >> X: Advanced Operations >> 4: Manage HTML Banner and follow the prompts to copy the HTML banner file to the appropriate location. 7. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 8. Click "Administration" on the top navigation banner. 9. Under Configuration, select "Platform Settings. 10. Click "Create Setting". 11. Select "Server" box from "Setting Type". 12. In " Create Platform Setting" dialog box, enter "console_PreLoginBannerHTML" for "Name". 13. Select "Text" radio button from "Value Type". 14. Enter "warning_banner.html" for "Value:". 15. Click "Save".

b

The publicly accessible Tanium application must retain the Standard Mandatory DOD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

AC-8 - Medium - CCI-000050 - V-254896 - SV-254896r960846_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000050

Version

TANS-AP-000180

Vuln IDs

V-254896

Rule IDs

SV-254896r960846_rule

Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for desktops, laptops, and other devices accommodating banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Checks: C-58509r867586_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Verify DOD use notification displayed prior to login. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. If a DOD-approved use notification banner does not display prior to logon, this is a finding.

Fix: F-58453r867587_fix

1. Create an .html file composed of the DOD-authorized warning banner verbiage. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 2. Name the file "warning_banner.html". 3. Use SFTP to upload the HTML banner file to the /incoming folder. 4. Access the Tanium Server interactively. 5. Log on to the TanOS server with the tanadmin user role. 6. Enter 2: Tanium Operations >> X: Advanced Operations >> 4: Manage HTML Banner and follow the prompts to copy the HTML banner file to the appropriate location. 7. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 8. Click "Administration" on the top navigation banner. 9. Under Configuration, select "Platform Settings. 10. Click "Create Setting". 11. Select "Server" from "Setting Type". 12. In " Create Platform Setting" dialog box, enter "console_PreLoginBannerHTML" for "Name". 13. Select "Text" radio button from "Value Type". 14. Enter "warning_banner.html" for "Value:". 15. Click "Save".

b

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

AC-11 - Medium - CCI-000056 - V-254897 - SV-254897r986516_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000056

Version

TANS-AP-000195

Vuln IDs

V-254897

Rule IDs

SV-254897r986516_rule

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: SRG-APP-000080, SRG-APP-000148, SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000156, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000005, SRG-APP-000004, SRG-APP-000002

Checks: C-58510r986514_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS console with the "tanadmin" user role. 3. Enter "2" to access the "Tanium Operations" menu. 4. Enter "2" to access the "Tanium Configuration" Settings menu. 5. Enter "1" to access the "Edit Tanium Server Settings" menu. 6. Validate the value for "ForceSOAPSSLClientCert" is set to "1". 7. Validate the following keys exist and are configured: 7A. "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. 7B. "ClientCertificateAuthRegex" For example: .*:\s(\d+)@.* Note: This regex may vary. 7C. "ClientCertificateAuth" For example: /opt/Tanium/TaniumServer/cac.pem 7D. "TrustedHostList" For example: Append 127.0.0.1 (for IPv4) and [::1] (for IPv6) If the value for "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.

Fix: F-58454r986515_fix

Use the vendor documentation titled "Multi-Factor Authentication" to implement correct configuration settings for this requirement. Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/smart_card_authentication.html#cac_Tanium_Appliance 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin user role. 3. Enter "2" to access the "Tanium Operations" menu. 4. Enter "2" to access the "Tanium Configuration" Settings menu. 5. Enter "1" to access the "Edit Tanium Server Settings" menu. 6. Validate the value for "ForceSOAPSSLClientCert" is set to "1". 7. Validate the following keys exist and are configured: 7A. "ClientCertificateAuthField" For example: X509v3 Subject Alternative Name. 7B. "ClientCertificateAuthRegex" For example: .*:\s(\d+)@.* Note: This regex may vary. 7C. "ClientCertificateAuth" For example: /opt/Tanium/TaniumServer/cac.pem Note: The path name is case sensitive. 7D. "TrustedHostList" For example: Append 127.0.0.1 (for IPv4) and [::1] (for IPv6).

b

The Tanium application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

AU-5 - Medium - CCI-000139 - V-254898 - SV-254898r960912_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

TANS-AP-000260

Vuln IDs

V-254898

Rule IDs

SV-254898r960912_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Checks: C-58511r867592_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured Connections under "Connections" section. Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected. If there is no alert configured, this is a finding.

Fix: F-58455r867593_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Expand the left menu. 5. Click "Connections". 6. Configure a Connection for the "Tanium Audit Source" source from the Tanium Application to a SIEM tool. Work with the SIEM administrator to configure an alert when no audit data is received from Tanium based on the defined schedule of connections.

b

The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis of audit records.

AU-6 - Medium - CCI-000154 - V-254899 - SV-254899r960918_rule

RMF Control

AU-6

Severity

M

CCI

CCI-000154

Version

TANS-AP-000270

Vuln IDs

V-254899

Rule IDs

SV-254899r960918_rule

Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems. Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products.

Checks: C-58512r870360_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured Connections under the "Connections" section. If no Connection exists to send the "Tanium Audit Source" to a SIEM tool, this is a finding.

Fix: F-58456r867596_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection". 5. In the "Configuration" section under "Source," select "Tanium Audit Source" as the source from the drop-down menu. 6. In the "Configuration" section under "Destination," select the desired Destination and fill in the respective fields. 7. In the "Configure Output" section under "Format," select the desired file format type. 8. In the "Schedule" section, select the desired schedule. 9. Click "Create Connection".

b

The Tanium applications must provide the capability to filter audit records for events of interest based upon organization-defined criteria.

AU-7 - Medium - CCI-000158 - V-254900 - SV-254900r960924_rule

RMF Control

AU-7

Severity

M

CCI

CCI-000158

Version

TANS-AP-000280

Vuln IDs

V-254900

Rule IDs

SV-254900r960924_rule

The ability to specify the event criteria of interest provides the persons reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. This requires applications to provide the capability to customize audit record reports based on organization-defined criteria.

Checks: C-58513r867598_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Expand the left menu. 5. Click "Connections". 5. Review the configured Connections. If there are no configured connections, this is a finding.

Fix: F-58457r867599_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Expand the left menu. 5. Click "Connections". 6. Click "Create Connection" or if importing, click "Import". 7. Give the "Connection" a name and description. 8. In the "Configuration" section, select "Event" as the source. 9. Select appropriate source under "Event Group". Any source to generate interest-based events (Discover, Asset, IM, THR, etc.). 10. Select the appropriate events to send. Note: Consult with the Tanium System Administrator for the Destination. 11. Select "Listen for this Event". 12. Click "Save".

b

Access to Tanium logs on each endpoint must be restricted by permissions.

AU-9 - Medium - CCI-000163 - V-254901 - SV-254901r960933_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

TANS-AP-000295

Vuln IDs

V-254901

Rule IDs

SV-254901r960933_rule

For the Tanium Client software to run without impact from external negligent or malicious changes, the permissions on the Tanium log files and their directory must be restricted. Tanium is deployed with a Client Hardening Solution. This solution, when applied, will ensure directory permissions are in place.

Checks: C-58514r870361_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Actions, select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory". If a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" does not exist, or there is a Scheduled Action contradicting the "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" scheduled action, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding.

Fix: F-58458r867602_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Ask the question "Get Tanium Client Directory Permissions from all machines". Tanium will parse the script and return a row for "Restricted" and a row for "Not Restricted", with their respective client counts. 3. Click the "Not Restricted" row. 4. Select "Deploy Action". In the "Deploy Action" dialog box, the package "Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory" will be selected. The clients, which have their Tanium Client directory "Not Restricted" will be displayed in the bottom window. 5. Choose a schedule to deploy the hardening. 6. Under "Targeting Criteria," in the Action Group, select "All Computers" from the drop-down. 7. Click "Deploy Action". 8. Verify settings. 9. Click "Show Client Status Details".

b

The Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status.

AU-9 - Medium - CCI-001493 - V-254902 - SV-254902r960939_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

TANS-AP-000305

Vuln IDs

V-254902

Rule IDs

SV-254902r960939_rule

Allowing regular users to install, modify, or delete software, without explicit privileges, creates the risk that the application performs in an inconsistent manner from its design. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. Satisfies: SRG-APP-000121, SRG-APP-000122, SRG-APP-000123

Checks: C-58515r867604_chk

1. Consult with the Tanium System Administrator to review the documented list of Tanium users. 2. Review the users' respective approved roles, as well as the correlated LDAP security group for the User Roles. 3. Validate LDAP security groups/Tanium roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the LDAP Groups/Tanium Roles assignment, this is a finding.

Fix: F-58459r867605_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Permissions, select "Users". 4. Analyze the users configured in the Tanium interface. 5. Determine least privileged access required for each user to perform their respective duties. 6. Move users to the appropriate LDAP security group to ensure the user is synced to the appropriate Tanium User Role. 7. If the appropriate LDAP security groups are not already configured, create the groups and add the appropriate users. 8. Ensure LDAP sync repopulates the Tanium Users' associated Roles accordingly.

b

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.

SC-23 - Medium - CCI-001184 - V-254903 - SV-254903r986519_rule

RMF Control

SC-23

Severity

M

CCI

CCI-001184

Version

TANS-AP-000330

Vuln IDs

V-254903

Rule IDs

SV-254903r986519_rule

All of Tanium's signing capabilities should be enabled upon install. Tanium supports the cryptographic signing and verification before execution of all Sensors, Questions, Actions, Sensor Libraries, File Shards, etc. Enabling signing does away with the ability of an attacker to conduct Man in the Middle (MitM) attacks for the purposes of remote code execution and precludes the modification of the aforementioned data elements in transit. Additionally, Tanium supports object level signing for content ingested into the Tanium platform. This allows for the detection and rejection of changes to objects (sensors, actions, etc.) by even a privileged user within Tanium. Tanium has built-in signing capabilities enabled by default when installed. Cryptographic signing and verification of all Sensors, Questions, Actions, Sensor Libraries, File Shards, etc. before execution will be enforced by Tanium. Signing will prevent MitM remote code execution attacks and will protect data element in transit. Tanium also supports object level signing for content within the Tanium platform. Satisfies: SRG-APP-000131, SRG-APP-000219

Checks: C-58516r986517_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. In the "Filter Items" search box type "AllQuestionsRequireSignatureFlag". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "AllQuestionsRequireSignatureFlag" but the value is not "1", this is a finding.

Fix: F-58460r986518_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. Click "Create Setting". 5. Select "Client" box for "Setting Type." 6. In "Create Platform Setting" dialog box, enter "AllQuestionsRequireSignatureFlag" for "Name". 7. Select "Numeric" radio button for "Value Type". 8. Enter "1" for "Value". 9. Click "Save".

b

The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.

SC-3 - Medium - CCI-001084 - V-254904 - SV-254904r997043_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

TANS-AP-000335

Vuln IDs

V-254904

Rule IDs

SV-254904r997043_rule

All of Tanium's signing capabilities must be enabled upon install. Tanium supports the cryptographic signing and verification before execution of all Sensors, Questions, Actions, Sensor Libraries, File Shards, etc. Enabling signing does away with the ability of an attacker to conduct man-in-the-middle (MITM) attacks for the purposes of remote code execution and precludes the modification of the aforementioned data elements in transit. Additionally, Tanium supports object-level signing for content ingested into the Tanium platform. This allows for the detection and rejection of changes to objects (sensors, actions, etc.) by even a privileged user within Tanium. Tanium has built-in signing capabilities enabled by default when installed. Cryptographic signing and verification of all Sensors, Questions, Actions, Sensor Libraries, File Shards, etc., before execution will be enforced by Tanium. Signing will prevent MITM remote code execution attacks and will protect data element in transit. Tanium also supports object-level signing for content within the Tanium platform. Satisfies: SRG-APP-000131, SRG-APP-000233, SRG-APP-000317

Checks: C-58517r986520_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. In the "Filter Items" search box, enter "sign_all_questions_flag". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "sign_all_questions_flag" but the value is not "1", this is a finding.

Fix: F-58461r986521_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface UI and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. Click "Create Setting". 5. Select "Server" for "Setting Type." 6. In "Create Platform Setting" dialog box, enter "sign_all_questions_flag" for "Name". 7. Select "Numeric" radio button for "Value Type". 8. Enter "1" for "Value". 9. Click "Save".

b

Firewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.

CM-7 - Medium - CCI-000382 - V-254905 - SV-254905r960966_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000355

Vuln IDs

V-254905

Rule IDs

SV-254905r960966_rule

In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed computers over port 17472. Without proper firewall configurations, proper TCP communications may not take place as necessary for application functionality. The Tanium environment can perform hundreds or thousands of times faster than other security or systems management tools because the Tanium Clients communicate in secure, linearly-controlled peer-to-peer rings. Because clients dynamically communicate with other nearby agents based on proximity and latency, rings tend to form automatically to match a customer’s topology—endpoints in California will form one ring while endpoints in Germany will form a separate ring.

Checks: C-58518r867613_chk

Note: This check is performed for the Tanium Endpoints and must be validated against the enterprise firewall solution (e.g., Endpoint Security Solution Firewall, Microsoft Windows Defender Firewall setting, Microsoft Advance Threat Protection Firewall, etc.) policies applied to the Endpoints. 1. Consult with the personnel who maintain the Enterprise Security Suite configuration for assistance. 2. Validate a rule exists within the firewall policies for managed clients for the following: 2A. Port Needed: Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. 3. Consult with the boundary network firewall administrator and validate rules exist for the following: 3A. Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.

Fix: F-58462r867614_fix

1. Consult with the personnel who maintain the Enterprise Security Suite to configure host-based and network firewall rules to allow the following: 1A. Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. 2. Consult with the boundary network firewall administrator to create a rule to allow the following: 2A. TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.

b

Firewall rules must be configured on the Tanium Server for Client-to-Server communications.

CM-7 - Medium - CCI-000382 - V-254906 - SV-254906r960966_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000360

Vuln IDs

V-254906

Rule IDs

SV-254906r960966_rule

In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed computers over port 17472. Without proper firewall configurations, proper TCP communications may not take place as necessary for application functionality. The Tanium environment can perform hundreds or thousands of times faster than other security or systems management tools because the Tanium Clients communicate in secure, linearly-controlled peer-to-peer rings. Because clients dynamically communicate with other nearby agents based on proximity and latency, rings tend to form automatically to match a customer's topology—endpoints in California will form one ring while endpoints in Germany will form a separate ring. https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/network_ports.html

Checks: C-58519r867616_chk

Note: This check is performed for the Tanium Endpoints and must be validated against the enterprise firewall solution (e.g., Endpoint Security Solution Firewall, Microsoft Windows Defender Firewall setting, Microsoft Advance Threat Protection Firewall, etc.) policies applied to the Endpoints. 1. Consult with the personnel who maintain the Enterprise Security Suite configuration for assistance. 2. Validate a rule exists within the firewall policies for managed clients for the following: 2A. Port Needed: Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding. 3. Consult with the boundary network firewall administrator and validate rules exist for the following: 3A. Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network. If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.

Fix: F-58463r867617_fix

1. Consult with the personnel who maintain the Enterprise Security Suite to configure host-based and network firewall rules to allow the following: 1A. Tanium Clients or Zone Clients over TCP port 17472, bi-directionally. 2. Consult with the boundary network firewall administrator to create a rule to allow the following: 2A. TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.

b

Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.

CM-7 - Medium - CCI-000382 - V-254907 - SV-254907r960966_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000365

Vuln IDs

V-254907

Rule IDs

SV-254907r960966_rule

In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Server-to-Client requirements. Without proper firewall configurations, proper TCP communications may not take place as necessary for application functionality. Additionally, without proper configuration, organizations may lose complete visibility into endpoints that cannot connect directly to the Tanium Server. https://docs.tanium.com/platform_deployment_reference/platform_deployment_reference/network_ports.html

Checks: C-58520r867619_chk

Note: If a Zone Server is not being used, this is Not Applicable. 1. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. 2. Access the host-based firewall configuration on the Tanium Zone Server. 3. Validate a rule exists for the following: 3A. Port Needed: Tanium Clients to Zone Server over TCP port 17472, bi-directionally. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Clients to the Tanium Zone Server, this is a finding.

Fix: F-58464r867620_fix

1. Consult with the personnel who maintain the Enterprise Security Suite to configure host-based and network firewall rules to allow the following: 1A. Tanium Clients or Zone Clients over TCP port 17472, bi-directionally.

b

The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

CM-7 - Medium - CCI-000382 - V-254908 - SV-254908r960966_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000370

Vuln IDs

V-254908

Rule IDs

SV-254908r960966_rule

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Checks: C-58521r867622_chk

Review the PPSM CAL to ensure Tanium has been registered with all of the TCP ports required for functionality to include (but not limited to) TCP 17472, 17477, 17440, 17441, 443, and 1433. If any TCP ports are being used on the Tanium Server that have been deemed as restricted by the PPSM CAL, this is a finding.

Fix: F-58465r867623_fix

Submit a formal request to have the Tanium communication ports evaluated and added to the PPSM CAL.

b

The Tanium endpoint must have the Tanium Servers public key in its installation.

IA-3 - Medium - CCI-000778 - V-254909 - SV-254909r960999_rule

RMF Control

IA-3

Severity

M

CCI

CCI-000778

Version

TANS-AP-000415

Vuln IDs

V-254909

Rule IDs

SV-254909r960999_rule

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

Checks: C-58522r867625_chk

The Tanium endpoint makes a connection to the Tanium Server; the endpoint's copy of the Tanium Server's public key is used to verify the validity of the registration day coming from the Tanium Server. If any endpoint systems do not have the correct Tanium Server public key in its configuration, they will not perform any instructions from the Tanium Server and a record of those endpoints will be listed in the Tanium Server's System Status. To validate: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3 . Select the "Client Status" tab. 4. Click "Administration". 5. Change "Show systems that have reported in the last:", enter "7" in the first field. 6. Select "Days" from the drop-down menu in the second field to determine if any endpoints connected with an invalid key. If any systems are listed with "No" in the "Valid Key" column, this is a finding.

Fix: F-58466r867626_fix

For systems which do not have a valid key for the Tanium Server, redeploy the client software using the Tanium Client Management (TCM) or work with the Tanium System Administrator to accomplish this. Documentation on TCM: https://docs.tanium.com/client/client/index.html.

b

The Tanium application must enforce a minimum 15-character password length.

Medium - CCI-004066 - V-254910 - SV-254910r986523_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TANS-AP-000425

Vuln IDs

V-254910

Rule IDs

SV-254910r986523_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-58523r867628_chk

Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization, as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press "L" for "Local Tanium User Management," and then press "Enter". 5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter". If the value of "Password Minimum Length:" is less than "15", this is a finding.

Fix: F-58467r867629_fix

Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization, as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press "L" for "Local Tanium User Management," and then press "Enter". 5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter". 6. Type "yes," and then press "Enter". 7. Input the following settings, pressing "Enter" after every value: a) Minimum Password Lifetime - 1 b) Maximum Password Lifetime - 60 c) Minimum Password Length - 15 d) Minimum Password History - 5 e) Password Lockout - TRUE f) Maximum Password Attempts - 3 8. Type "yes" to accept the new password policy.

b

Tanium must enforce 24 hours/one day as the minimum password lifetime.

Medium - CCI-004066 - V-254912 - SV-254912r986524_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TANS-AP-000470

Vuln IDs

V-254912

Rule IDs

SV-254912r986524_rule

Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.

Checks: C-58525r867634_chk

Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press "L" for " Local Tanium User Management," and then press "Enter". 5. Press "B" for " Security Policy Local Authentication Service," and then press "Enter". If the value of "Password Minimum Age (days):" is greater than "1", this is a finding.

Fix: F-58469r867635_fix

Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press "L" for "Local Tanium User Management," and then press "Enter". 5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter". 6. Type "yes" and press "Enter". 7. Input the following settings, pressing "Enter" after every value: a) Minimum Password Lifetime - 1 b) Maximum Password Lifetime - 60 c) Minimum Password Length - 15 d) Minimum Password History - 5 e) Password Lockout - TRUE f) Maximum Password Attempts - 3 8. Type "yes" to accept the new password policy.

b

The Tanium application must enforce a 60-day maximum password lifetime restriction.

Medium - CCI-004066 - V-254913 - SV-254913r986525_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TANS-AP-000475

Vuln IDs

V-254913

Rule IDs

SV-254913r986525_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.

Checks: C-58526r867637_chk

Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Enter "C" for "User Administration Menu," and then press "Enter". 4. Enter "L" for " Local Tanium User Management," and then press "Enter". 5. Enter "B" for " Security Policy Local Authentication Service," and then press "Enter". If the value of "Password Maximum Age (days):" is greater than "60", this is a finding.

Fix: F-58470r867638_fix

Console Users: Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level. Local TanOS account: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Enter "" for "User Administration Menu," and then press "Enter". 4. Enter "L" for "Local Tanium User Management," and then press "Enter". 5. Enter "B" for "Security Policy Local Authentication Service," and then press "Enter". 6. Type "yes," and then press "Enter". 7. Input the following settings, pressing "Enter" after every value: a) Minimum Password Lifetime - 1 b) Maximum Password Lifetime - 60 c) Minimum Password Length - 15 d) Minimum Password History - 5 e) Password Lockout - TRUE f) Maximum Password Attempts - 3 8. Type "yes" to accept the new password policy.

b

The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.

IA-5 - Medium - CCI-000185 - V-254914 - SV-254914r961038_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

TANS-AP-000480

Vuln IDs

V-254914

Rule IDs

SV-254914r961038_rule

Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-58527r867640_chk

From Browser: 1. Navigate to the Tanium Console URI and log in using multi-factor authentication. 2. Click the lock to the left of the URI in the address bar. 3. Select the lock on the left of the URI in the address bar: a) Chrome: Select "Certificate". b) Edge: Select "Connection is Secure," and then select the certificate icon on the right. 4. Select the "Details" tab. 5. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding. From Server: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "2" for "Tanium Operations Menu," and then press "Enter". 4. Press "7" for "Download SOAP Certificate," and then press "Enter". 5. In a browser with access to the Tanium Server Console, navigate to https://<tanium server>/pub/SOAPServer.crt. 6. Download the SOAPServer.crt file when prompted. 7. Double-click on the file to open the certificate. 8. Select the "Details" tab. 9. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.

Fix: F-58471r867641_fix

Request or regenerate the certificate being used to include both the "Server Authentication" and "Client Authentication" objects.

b

The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication.

IA-5 - Medium - CCI-000187 - V-254915 - SV-254915r961044_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000187

Version

TANS-AP-000490

Vuln IDs

V-254915

Rule IDs

SV-254915r961044_rule

Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.

Checks: C-58528r867643_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "LDAP/AD Sync Configurations". 4. Verify a sync exists under "Enabled Servers". If no sync exists, this is a finding. If sync exists under "Disabled Servers" and there are no Enabled Servers, this is a finding."

Fix: F-58472r867644_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "LDAP/AD Sync Configurations". 4. Verify a sync exists under "Enabled Servers". 5. If no sync exists, click "Add Server". 6. Fill in the correct information for connecting to the organizations LDAP server. Work with a systems administrator to get this information if necessary. 7. Click "Save". 8. If a sync exists and it is disabled, click the edit icon. 9. Change the status to "enabled". 10. Click "Save".

b

The Tanium application must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).

IA-8 - Medium - CCI-000804 - V-254916 - SV-254916r961053_rule

RMF Control

IA-8

Severity

M

CCI

CCI-000804

Version

TANS-AP-000505

Vuln IDs

V-254916

Rule IDs

SV-254916r961053_rule

Lack of authentication and identification enables nonorganizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Nonorganizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors and guest researchers). Nonorganizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.

Checks: C-58529r867646_chk

Local users can be identified by the following: 1. Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions," select "Users". 4. Compare users listed to the prepared documentation. If documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups does not exist this is a finding.

Fix: F-58473r867647_fix

Prepare and maintain documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups.

b

The Tanium application must separate user functionality (including user interface services) from information system management functionality.

SC-2 - Medium - CCI-001082 - V-254917 - SV-254917r961095_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

TANS-AP-000555

Vuln IDs

V-254917

Rule IDs

SV-254917r961095_rule

Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access application management functionality capabilities increases the risk that nonprivileged users may obtain elevated privileges. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate. An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different security domain and with additional access controls.

Checks: C-58530r867649_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users. The users' User Groups, Roles, Computer Groups, and correlated LDAP security groups or Local Users must be documented. Local users can be identified by the following: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions," select "Users". 4. Compare users that do not have a Domain listed to the prepared documentation. If documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups does not exist this is a finding.

Fix: F-58474r867650_fix

Prepare and maintain documentation identifying the Tanium console users and their respective User Groups, Roles, Computer Groups, and associated LDAP security groups.

b

The Tanium Server and Client applications must have logging enabled.

SC-24 - Medium - CCI-001665 - V-254918 - SV-254918r961125_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001665

Version

TANS-AP-000600

Vuln IDs

V-254918

Rule IDs

SV-254918r961125_rule

Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes.

Checks: C-58531r867652_chk

Tanium Server: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Common". 4. Select "Log Level". 5. In "Log Verbosity Level for Troubleshooting," verify current level for "Tanium Server" is set. If the value for current level for "Tanium Server" is not set to "1" or higher this is a finding. Tanium Client: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In the "Explore Data" box, type the following question: 4A. Get Tanium Client Explicit Setting[LogVerbosityLevel] < 1 and Is Windows from all machines with Tanium Client Explicit Setting[LogVerbosityLevel] < 1 Note: For VDI systems, follow vendor guidance: https://docs.tanium.com/client/client/os_imaging.html#VDI If there are any answers returned that are "0" this is a finding.

Fix: F-58475r867653_fix

Tanium Server: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Common". 4. Select "Log Level". 5. In "Log Verbosity Level for Troubleshooting," verify current level for "Tanium Server" is set. Tanium Client: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In the "Explore Data" box, type the following question: 4A. Get Tanium Client Explicit Setting[LogVerbosityLevel] < 1 and Is Windows from all machines with Tanium Client Explicit Setting[LogVerbosityLevel] < 1 5. Select the row with "Is windows" set to "True" and deploy the following action and settings: a) Deployment Package: Modify Tanium Client Setting b) RegType: REG_DWORD c) ValueName: LogVerbosityLevel d) ValueData: 1 or higher Schedule Deployment a) Distribute over: 1 hour 6. Click "Show Preview to continue". 7. Click "Deploy Action". 8. Select the row with "Is windows" set to "False" and deploy the following action and settings: a) Deployment Package: Modify Tanium Client Setting [Non-Windows] b) RegType: NUMERIC c) ValueName: LogVerbosityLevel d) ValueData: 1 or higher Schedule Deployment a) Distribute over: 1 hour 9. Click "Show Preview to continue". 10. Click "Deploy Action".

b

The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems.

SC-5 - Medium - CCI-001094 - V-254919 - SV-254919r961152_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001094

Version

TANS-AP-000630

Vuln IDs

V-254919

Rule IDs

SV-254919r961152_rule

The Tanium Action Approval feature provides a two-person integrity control mechanism designed to achieve a high-level of security and reduce the possibility of error for critical operations and DoS conditions. When this feature is enabled, an action configured by one Tanium console user will require a second Tanium console user with a role of Action Approver (or higher) to approve the action before it is deployed to targeted computers.

Checks: C-58532r867655_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. In the "Filter items" search box, type "require_action_approval". 5. Click "Enter". If no results are returned, this is a finding. If results are returned for "require_action_approval", but the value is not "1", this is a finding.

Fix: F-58476r867656_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. Click "Create Setting". 5. Select "Server" for "Setting Type". 5. In "Create Platform Setting" dialog box, enter "require_action_approval" does not exist: Flag" for " Name". 6. Select the "Numeric" radio button for "Value Type". 7. Enter "1" for "Value". 8. Click "Save".

b

The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of Denial of Service (DoS) attacks.

SC-5 - Medium - CCI-001095 - V-254920 - SV-254920r961155_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

TANS-AP-000635

Vuln IDs

V-254920

Rule IDs

SV-254920r961155_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. The methods employed to meet this requirement will vary depending upon the technology the application utilizes. However, a variety of technologies exist to limit or, in some cases, eliminate the effects of application related DoS attacks. Employing increased capacity and bandwidth combined with specialized application layer protection devices and service redundancy may reduce the susceptibility to some DoS attacks.

Checks: C-58533r867658_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Bandwidth Throttles". 4. Work with the Tanium Administrator to confirm settings. 5. If bandwidth throttles are not configured, this is a finding. For more information, see the following: https://docs.tanium.com/platform_user/platform_user/console_bandwidth_throttling.html.

Fix: F-58477r867659_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Bandwidth Throttles". 4. Click "Add" on the line for "Global Throttle for All Data". 5. Work with Tanium Administrator to configure the required bandwidth throttles. 6. Click "Save". 7. Work with the Tanium Administrator to confirm or set settings for the remaining options: 7A. Global Throttle for Package Files. 7B. Global Throttle for Sensors. 7C. Site Throttles.

b

The Tanium application must reveal error messages only to the ISSO, ISSM, and SA.

SI-11 - Medium - CCI-001314 - V-254921 - SV-254921r961170_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001314

Version

TANS-AP-000655

Vuln IDs

V-254921

Rule IDs

SV-254921r961170_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-58534r867661_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Enter "C" for "User Administration Menu," and then press "Enter". 4. Enter "U" for "TanOS User Management," and then press "Enter". If there are any users other than the documented approved TanOS users this is a finding.

Fix: F-58478r867662_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role, or any additional user with administrative privileges. 3. Enter "C" for "User Administration Menu," and then press "Enter". 4. Enter "U" for "TanOS User Management," and then press "Enter". 5. Work with Tanium System Administrator to either document approved accounts or remove nonapproved accounts.

b

Tanium must notify system administrator (SA) and the information system security officer (ISSO) when accounts are created.

AC-2 - Medium - CCI-000015 - V-254923 - SV-254923r986528_rule

RMF Control

AC-2

Severity

M

CCI

Version

TANS-AP-000700

Vuln IDs

V-254923

Rule IDs

SV-254923r986528_rule

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of application user accounts and notifies administrators and ISSO exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.

Checks: C-58536r986526_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from Tanium to a SIEM tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are created. If there is no alert configured, this is a finding.

Fix: F-58480r986527_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection" in the "Connections" section. 5. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 6. Work with email administrator to configure email destination. 7. Work with the SIEM administrator to configure an alert when accounts are created.

b

Tanium must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.

AC-2 - Medium - CCI-000015 - V-254924 - SV-254924r986531_rule

RMF Control

AC-2

Severity

M

CCI

Version

TANS-AP-000705

Vuln IDs

V-254924

Rule IDs

SV-254924r986531_rule

When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-58537r986529_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from the Tanium Database to a SIEM tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are modified. If there is no alert configured, this is a finding.

Fix: F-58481r986530_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection" in the "Connections" section. 5. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 6. Work with email administrator to configure email destination. 7. Work with the SIEM administrator to configure an alert when accounts are modified.

b

Tanium must notify system administrators (SAs) and the information system security officer (ISSO) for account disabling actions.

AC-2 - Medium - CCI-000015 - V-254925 - SV-254925r986534_rule

RMF Control

AC-2

Severity

M

CCI

Version

TANS-AP-000710

Vuln IDs

V-254925

Rule IDs

SV-254925r986534_rule

When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-58538r986532_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from the Tanium SQL Server to a SIEM tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are disabled. If there is no alert configured, this is a finding.

Fix: F-58482r986533_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection" in the "Connections" section. 5. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 6. Work with email administrator to configure email destination. 7. Work with the SIEM administrator to configure an alert when accounts are modified.

b

Tanium must notify system administrators (SAs) and the information system security officer (ISSO) for account removal actions.

AC-2 - Medium - CCI-000015 - V-254926 - SV-254926r986537_rule

RMF Control

AC-2

Severity

M

CCI

Version

TANS-AP-000715

Vuln IDs

V-254926

Rule IDs

SV-254926r986537_rule

When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-58539r986535_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured connections. If no sources exist to send audit logs from the Tanium SQL Server to a SIEM tool or email destination, this is a finding. Work with the SIEM administrator to determine if an alert is configured when accounts are deleted. If there is no alert configured, this is a finding.

Fix: F-58483r986536_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 5. Work with email administrator to configure email destination. 6. Work with the SIEM administrator to configure an alert when accounts are deleted.

b

The Tanium application must set an inactive timeout for sessions.

AC-12 - Medium - CCI-002361 - V-254927 - SV-254927r961221_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

TANS-AP-000720

Vuln IDs

V-254927

Rule IDs

SV-254927r961221_rule

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that sessions not closed through the user logging out of an application are eventually closed. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

Checks: C-58540r867679_chk

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI). 1. Log on with multi-factor authentication. 2. Click "Administration" at top center of the screen. 3. Select the "Global Settings" under "Management". 4. In "Filter Items" box, enter "max_console_idle_seconds". If no results are returned, this is a finding. If results are returned for "max_console_idle_seconds", but the value is not "900" or less, this is a finding.

Fix: F-58484r867680_fix

In the event the "max_console_idle_seconds" setting exists, but is not "900" or less: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. In the "Filter Items" box, enter "max_console_idle_seconds". 5. Select the "max_console_idle_seconds" setting. 6. Enter "900" or less for "Value". 7. Click "Save". In the event the "max_console_idle_seconds" setting does not exist: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Platform Settings". 4. Click "Create Setting" in the top right. 5. Select "Server" for "Setting Type". 6. In "Create Platform Setting" dialog box, enter "max_console_idle_seconds" for "Name". 7. Select "Numeric" for the "Value Type". 8. Enter "900" or less for the "Value". 9. Click "Save".

b

The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.

SC-3 - Medium - CCI-001084 - V-254928 - SV-254928r986540_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

TANS-AP-000765

Vuln IDs

V-254928

Rule IDs

SV-254928r986540_rule

By restricting access to the Tanium Server to only Microsoft Active Directory, user accounts and related permissions can be strictly monitored. Account management will be under the operational responsibility of the System Administrator for the Windows Operation System Active Directory. Satisfies: SRG-APP-000233, SRG-APP-000317, SRG-APP-000233

Checks: C-58541r986538_chk

Console Users: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "LDAP/AD Sync Configurations". 4. Verify a sync exists under "Enabled Servers". If no sync exists, this is a finding. If sync exists under "Disabled Servers" and there are no Enabled Servers, this is a finding. Local TanOS Accounts: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role, or any additional user with administrative privileges. 3. Enter "C" for "User Administration Menu," and then press "Enter". 4. Enter "L" for "Local Tanium User Management," and then press "Enter". 5. Press "2" for "Manage Local User(s)," and then press "Enter". If there are any users other than the documented approved local users this is a finding.

Fix: F-58485r986539_fix

Console Users: 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web UI and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "LDAP/AD Sync Configurations". 4. Click "Add Server". 5. Complete the settings using guidance from https://docs.tanium.com/platform_user/platform_user/console_using_ldap.html. 6. Click "Show Preview to Continue". 7. Review the users and groups to be imported. 8. Click "Save". Local TanOS Accounts: 1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role, or any additional user with administrative privileges. 3. Enter "C" for "User Administration Menu," and then press "Enter". 4. Enter "L" for "Local Tanium User Management," and then press "Enter". 5. Press "2" for "Manage Local User(s)," and then press "Enter". 6. Work with Tanium System Administrator to either document approved accounts or remove nonapproved accounts.

b

Tanium must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions.

AC-2 - Medium - CCI-000015 - V-254929 - SV-254929r986543_rule

RMF Control

AC-2

Severity

M

CCI

Version

TANS-AP-000780

Vuln IDs

V-254929

Rule IDs

SV-254929r986543_rule

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals so they can investigate the event. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.

Checks: C-58542r986541_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured sources. If no sources exist to send audit logs from the Tanium SQL Server to a SIEM tool or email destination, this is a finding. 1. Work with the SIEM administrator to determine if an alert is configured when account-enabling actions are performed. If there is no alert configured, this is a finding.

Fix: F-58486r986542_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Configure sources to send audit logs from the Tanium SQL Server to a SIEM tool or email destination. 5. Work with email administrator to configure email destination. 6. Work with the SIEM administrator to configure an alert when account-enabling actions are performed.

b

Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.

AC-3 - Medium - CCI-002165 - V-254930 - SV-254930r961317_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002165

Version

TANS-AP-000800

Vuln IDs

V-254930

Rule IDs

SV-254930r961317_rule

The reliability of the Tanium client's ability to operate depends upon controlling access to the Tanium client service. By restricting access to SYSTEM access only, the non-Tanium system administrator will not have the ability to impact operability of the service.

Checks: C-58543r867688_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Actions, select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service". If a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service" does not exist, this is a finding. 5. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not restrict control of the Tanium Client service to "Allow Only Local SYSTEM to Control Service," this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Fix: F-58487r867689_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In "Categories" section, select "Client Service Hardening". 5. In "Dashboards" section, select "Control Service State Permissions". 6. The results will show a "Count" of clients matching the "Service Control is set to default permissions" query. 7. Select the result line for "Service Control is set to default permissions". 8. Choose "Deploy Action". 9. Deployment Package drop-down select "Client Service Hardening - Allow Only Local SYSTEM to Control Service". 10. Configure the schedule to repeat at least every hour for the requested action. 11. Under "Targeting Criteria" in the Action Group, select "All Computers" from the drop-down. 12. Click "Show preview to continue". 13. Noncompliant systems will be displayed at the bottom. 14. Click "Deploy Action". 15. Verify settings. 16. Click "Show Client Status Details".

b

The ability to uninstall the Tanium Client service must be disabled on all managed clients.

AC-3 - Medium - CCI-002165 - V-254931 - SV-254931r961317_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002165

Version

TANS-AP-000805

Vuln IDs

V-254931

Rule IDs

SV-254931r961317_rule

By default, end users have the ability to uninstall software on their clients. In the event the Tanium Client software is uninstalled, the Tanium Server is unable to manage the client and must redeploy to the client. Preventing the software from being displayed in the client's Add/Remove Programs will lessen the risk of the software being uninstalled by non-Tanium System Administrators.

Checks: C-58544r867691_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Actions, select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs". 5. If a scheduled action titled "Client Service Hardening - Hide Client from Add-Remove Programs" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Fix: F-58488r867692_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In the "Categories" section, select "Client Service Hardening". 5. In "Dashboard" section, select "Hide From Add-Remove Program". 6. The results will show a "Count" of clients matching the "Tanium Client Visible in Add-Remove Programs" query. 7. Select the result line. 8. Choose "Deploy Action". 9. The "Deploy Action" dialog box will display "Client Service Hardening - Hide Client from Add-Remove Programs" as the package. The computer names comprising the "count" of noncompliant systems will be displayed in the bottom. 10. Deployment Package drop-down select "Client Service Hardening - Hide Client from Add-Remove Programs". 11. Configure the schedule to repeat at least every hour for the requested action. 12. Under "Targeting Criteria", in the "Action Group," select "All Computers" from the drop-down. 13. Click "Show preview to continue". Noncompliant systems will be displayed in the bottom. 14. Click "Deploy Action". 15. Verify settings. 16. Click "Show Client Status Details".

b

The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.

AC-3 - Medium - CCI-002165 - V-254932 - SV-254932r961317_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002165

Version

TANS-AP-000810

Vuln IDs

V-254932

Rule IDs

SV-254932r961317_rule

By restricting access to the Tanium Client directory on managed clients, the Tanium client's ability to operate and function as designed will be protected from malicious attack and unintentional modifications by end users.

Checks: C-58545r867694_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Actions, select "Scheduled Actions". 4. Look for a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory". If a scheduled action titled "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" does not exist, this is a finding. If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding. If the scheduled action exists and has been approved but does not disable the visibility of the client in Add-Remove Programs, this is a finding. If the action is not configured to repeat at least every hour, this is a finding. If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Fix: F-58489r867695_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Interact". 4. In the "Categories" section, select "Client Service Hardening". 5. In the "Dashboard" section, select "Set Client Directory Permissions". The results will show a "Count" of clients' compliant and noncompliant hardening for the "Tanium Client Directory Permissions". Noncompliant clients will have a count other than "0" for "Not Restricted" or "Error: No Permissions". 6. Select each of the "Not Restricted" or "Error: No Permissions." Statuses. 7. Select "Deploy Action". 8. In the "Deploy Action" dialog box, change the package to "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" as the package. 9. Configure the schedule to repeat at least every hour for the requested action. 10. Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down. 11. Click "Show preview to continue". Noncompliant systems will be displayed in the bottom. 12. Click "Deploy Action". 13. Verify settings. 14. Click "Show Client Status Details".

b

The Tanium application must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

AU-4 - Medium - CCI-001849 - V-254933 - SV-254933r961392_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

TANS-AP-000860

Vuln IDs

V-254933

Rule IDs

SV-254933r961392_rule

In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of the application and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both.

Checks: C-58546r867697_chk

Consult with the Tanium system administrator or database administrator to determine the memory plan needed for the database. 1. Access the Tanium Server interactively. 2. Log on to the TanOS console as the user "tanadmin". 3. Enter "3" to access the "Tanium Support" menu. 4. Enter "3" to access the "Tanium Database Operations" menu. 5. Enter "D" to view "Memory Data Plan". Work with the SIEM administrator to determine if an alert is configured when Disk Free Space of the Tanium SQL Server reaches below 25 percent. If there is no alert configured, this is a finding.

Fix: F-58490r867698_fix

Consult with the Tanium system administrator or database administrator to determine the memory plan needed for the database. 1. Access the Tanium Server interactively. 2. Log on to the TanOS SSH console as the user with tanadmin rights. 3. Enter "3" to access the "Tanium Support" menu. 4. Enter "3" to access the "Tanium Database Operations" menu. 5. Enter "D" to access "Database Memory Plan" menu. 6. Enter "S" to "Select DB Memory Plan". 7. Enter "T","D","S","M","L", or "X" to confirm memory plan size, and then press "Enter" to continue. 8. Enter "A" to save and apply the DB memory plan. Work with the SIEM administrator to determine if an alert is configured when Disk Free Space of the Tanium SQL Server reaches below 25 percent. If there is no alert configured, this is a finding.

b

The Tanium application must offload audit records onto a different system or media than the system being audited.

AU-4 - Medium - CCI-001851 - V-254934 - SV-254934r961395_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

TANS-AP-000865

Vuln IDs

V-254934

Rule IDs

SV-254934r961395_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

Checks: C-58547r867700_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on using multi-factor authentication. 2. Click "Modules" on the top of the banner of the console. 3. Click "Connect". 4. Review the configured connections under "Connections" section. If no connection exists to send the "Tanium Audit Source" to a SIEM tool, this is a finding.

Fix: F-58491r867701_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on using multi-factor authentication. 2. Click "Modules" on the top of the console. 3. Click "Connect". 4. Click "Create Connection". 5. In the "Configuration" section under "Source", select "Tanium Audit Source" as the source from the drop-down menu. 6. In the "Configuration" section under "Destination", select the desired destination and fill in the respective fields. 7. In the "Configure Output" section under "Format", select the desired file format type. 8. In the "Schedule" section, select the desired schedule. 9. Click "Save".

b

The Tanium application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

AU-5 - Medium - CCI-001855 - V-254935 - SV-254935r961398_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

TANS-AP-000870

Vuln IDs

V-254935

Rule IDs

SV-254935r961398_rule

If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion.

Checks: C-58548r867703_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS console as the user "tanadmin". 3. Enter "3" to access the "Tanium Support" menu. 4. Enter "6" to display last scheduled health check results. If none exists, then this is a finding.

Fix: F-58492r867704_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS console as the user "tanadmin". 3. Enter "3" to access the "Tanium Support" menu. 4. Enter "5" to Run a Health Check.

b

The Tanium application must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

AU-5 - Medium - CCI-001858 - V-254936 - SV-254936r961401_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

TANS-AP-000875

Vuln IDs

V-254936

Rule IDs

SV-254936r961401_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks: C-58549r867706_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. 5. Select the "Audit Log" source. 6. Select the audit connection found in the lower half of the screen. 7. Verify the "Destination Type" is a SIEM tool. If the "Destination Type" is not a SIEM tool, this is a finding.

Fix: F-58493r870363_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection". 5. In the Configuration section, select "Tanium Audit Source" as the Event Source from the "Source" drop-down menu. 6. In the "Destination" section, select "Socket Receiver" from the drop-down menu. 7. Enter "Destination Name". 8. Enter "Host". 9. Enter "Network Protocol". 10. Enter "Port". 11. Click "Save". Consult documentation located at https://docs.tanium.com/connect/connect/siem.html#siem for reference on configuring other applicable SIEM connections. Work with the SIEM administrator to configure alerts based on audit failures.

b

The Tanium application must prohibit user installation of software without explicit privileged status.

Medium - CCI-003980 - V-254938 - SV-254938r986545_rule

RMF Control

Severity

M

CCI

CCI-003980

Version

TANS-AP-000940

Vuln IDs

V-254938

Rule IDs

SV-254938r986545_rule

Allowing regular users to install software without explicit privileges creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. This requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications.

Checks: C-58551r867712_chk

Consult with the Tanium System Administrator to review the documented list of Tanium users. 1. Review the users' respective approved roles, as well as the correlated LDAP security group for the User Roles. 2. Validate LDAP security groups/Tanium roles are documented to assign least privileged access to the functions of the Tanium Server through the Tanium interface. If the documentation does not reflect a granular, least privileged access approach to the LDAP Groups/Tanium Roles assignment, this is a finding.

Fix: F-58495r986544_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Permissions, select "Users". 4. Analyze the users configured in the Tanium interface. 5. Determine least privileged access required for each user to perform their respective duties. 6. Move users to the appropriate LDAP security group to ensure the user is synced to the appropriate Tanium User Role. 7. If the appropriate LDAP security groups are not already configured, create the groups and add the appropriate users. 8. Ensure LDAP sync repopulates the Tanium users' associated roles accordingly.

b

The application must enforce access restrictions associated with changes to application configuration.

CM-5 - Medium - CCI-001813 - V-254939 - SV-254939r961461_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

TANS-AP-000950

Vuln IDs

V-254939

Rule IDs

SV-254939r961461_rule

Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Checks: C-58552r867715_chk

Consult with the Tanium System Administrator to review the documented list of Tanium Administrators. 1. Review the administrators' respective approved roles, as the correlated LDAP security group for the User Roles. If the documentation does not reflect a granular, least privileged access approach to the LDAP Groups/Tanium Roles assignment, this is a finding.

Fix: F-58496r867716_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Permissions", select "Users". 4. Analyze the users configured in the Tanium interface. 5. Determine least privileged access required for each user to perform their respective duties. 6. Move users to the appropriate LDAP security group to ensure the user is synced to the appropriate Tanium User Role. 7. If the appropriate LDAP security groups are not already configured, create the groups and add the appropriate users. 8. Ensure LDAP sync repopulates the Tanium Users' associated Roles accordingly.

b

Firewall rules must be configured on the Tanium Server for Console-to-Server communications.

CM-7 - Medium - CCI-001762 - V-254940 - SV-254940r961470_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000965

Vuln IDs

V-254940

Rule IDs

SV-254940r961470_rule

An HTML5 based application, the Tanium Console runs from any device with a browser that supports HTML5. For security, the HTTP and SOAP communication to the Tanium Server is SSL encrypted, so the Tanium Server installer configures the server to listen for HTTP and SOAP requests on port 443. Without a proper connection to the Tanium Server, access to the system capabilities could be denied. Port Needed: To Tanium Server over TCP port 443. Network firewall rules: Allow HTTP traffic on TCP port 443 from any computer on the internal network to the Tanium Server device. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-58553r867718_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: 4A. Port Needed: From only designated Tanium console user clients to Tanium Server over TCP port 443. If a host-based firewall rule does not exist to allow only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding. 4B. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic from only designated Tanium console user clients to Tanium Server over TCP ports 443. If a network firewall rule does not exist to allow traffic from only designated Tanium console user clients to Tanium Server over TCP port 443, this is a finding.

Fix: F-58497r867719_fix

1. Configure host-based firewall rules on the Tanium Server to include the following required traffic: 1A. Allow TCP traffic on port 433 to the Tanium Server from designated Tanium console user clients. 1B. Configure the network firewall to allow the above traffic.

b

Firewall rules must be configured on the Tanium Server for Server-to-Database communications.

CM-7 - Medium - CCI-001762 - V-254941 - SV-254941r961470_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000970

Vuln IDs

V-254941

Rule IDs

SV-254941r961470_rule

The Tanium Server can use either a SQL Server RDBMS installed locally to the same device as the Tanium Server application or a remote dedicated or shared SQL Server instance. Using a local SQL Server database typically requires no changes to network firewall rules since all communication remains on the Tanium application server device. To access database resources installed to a remote device, however, the Tanium Server service communicates over the port reserved for SQL, by default port 1433, to the database. Port Needed: Tanium Server to Remote SQL Server over TCP port 1433. Network firewall rules: Allow TCP traffic on port 1433 from the Tanium Server device to the remote device hosting the SQL Server RDBMS. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-58554r867721_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: 4A. Port Needed: Tanium Server to Remote SQL Server over TCP port 1433. If a host-based firewall rule does not exist to allow Tanium Server to Remote SQL Server over TCP port 1433, this is a finding. 4B. Consult with the network firewall administrator and validate rules exist for the following: Allow traffic from Tanium Server to Remote SQL Server over TCP port 1433. If a network firewall rule does not exist to allow traffic from Tanium Server to Remote SQL Server over TCP port 1433, this is a finding.

Fix: F-58498r867722_fix

1. Configure host-based firewall rules on the Tanium Server to include the following required traffic: 1A. Allow TCP traffic on port 1433 from the Tanium Server to the Remote SQL Server. 2. Configure the network firewall to allow the above traffic.

b

Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.

CM-7 - Medium - CCI-001762 - V-254942 - SV-254942r961470_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000975

Vuln IDs

V-254942

Rule IDs

SV-254942r961470_rule

The Tanium Module Server is used to extend the functionality of Tanium through the use of various workbenches. The Tanium Module Server requires communication with the Tanium Server on port 17477. Without a proper connection from the Tanium Server to the Tanium Module Server, access to the system capabilities could be denied. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-58555r867724_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Module Server. 1. Access the Tanium Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Module Server. 4. Validate a rule exists for the following: 4A. Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. 4B. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.

Fix: F-58499r867725_fix

1. Configure host-based firewall rules on the Tanium Module Server to include the following required traffic: 1A. Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. 2. Configure the network firewall to allow the above traffic.

b

Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications.

CM-7 - Medium - CCI-001762 - V-254943 - SV-254943r961470_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000980

Vuln IDs

V-254943

Rule IDs

SV-254943r961470_rule

The Tanium Module Server is used to extend the functionality of Tanium through the use of various workbenches. The Tanium Module Server requires communication with the Tanium Server on port 17477. Without a proper connection from the Tanium Server to the Tanium Module Server, access to the system capabilities could be denied. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-58556r867727_chk

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: 4A. Port Needed: Tanium Server to Tanium Module Server over TCP port 17477. If a host-based firewall rule does not exist to allow TCP port 17477, from the Tanium Server to the Tanium Module Server, this is a finding. 4B. Consult with the network firewall administrator and validate rules exist for the following: Allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server. If a network firewall rule does not exist to allow TCP traffic on port 17477 from the Tanium Server to the Tanium Module Server, this is a finding.

Fix: F-58500r867728_fix

1. Configure host-based firewall rules on the Tanium Server to allow the following required traffic: 1A. Allow TCP traffic on port 17477 to the Tanium Module Server from the Tanium Server. 2. Configure the network firewall to allow the above traffic.

b

Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.

CM-7 - Medium - CCI-001762 - V-254944 - SV-254944r961470_rule

RMF Control

CM-7

Severity

M

CCI

Version

TANS-AP-000985

Vuln IDs

V-254944

Rule IDs

SV-254944r961470_rule

If using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device must be able to connect to the Zone Server(s) in the DMZ. This is the only configuration that requires outbound traffic to be allowed on port 17472 from the Tanium Server device. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers. See the Zone Server Configuration page for more details. Port Needed: Tanium Server to Zone Server over TCP port 17472. Network firewall rules: Allow TCP traffic on port 17472 from the Zone Server Hub, usually the Tanium Server device, to the destination DMZ devices(s) hosting the Zone Server(s). Endpoint firewall rules—for additional security, configure the following endpoint firewall rules: Allow TCP traffic outbound on port 17472 from only the Zone Server Hub process running on the Tanium Server device. Allow TCP traffic inbound on port 17472 to only the Zone Server process running on the designated Zone Server device(s). https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Checks: C-58557r867730_chk

Note: If a Zone Server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server. 1. Access the Tanium Server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Access the host-based firewall configuration on the Tanium Server. 4. Validate a rule exists for the following: 4A. Port Needed: Tanium Server to Zone Server over TCP port 17472. Note: By default, the Zone Server uses 17472 for traffic from Zone Server Hubs and Tanium Clients. However, as a best practice to improve the security of the Zone Server, different ports can be configured for the hubs and clients. If a host-based firewall rule does not exist to allow TCP port 17472 or other defined port, bidirectionally, from Tanium Server to the Tanium Zone Server, this is a finding.

Fix: F-58501r867731_fix

1. Configure host-based firewall rules on the Tanium Zone server to include the following required traffic: 1A. Allow Tanium Server to Zone Server over TCP port 17472. 2. Configure the network firewall to allow the above traffic. Note: By default, the Zone Server uses 17472 for traffic from Zone Server Hubs and Tanium Clients. However, as a best practice to improve the security of the Zone Server, different ports can be configured for the hubs and clients.

b

The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.

SC-13 - Medium - CCI-002450 - V-254945 - SV-254945r962034_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

TANS-AP-001090

Vuln IDs

V-254945

Rule IDs

SV-254945r962034_rule

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Checks: C-58558r867733_chk

1. Access the Tanium Server interactively. 2. Log on to the server with the tanadmin role. 3. Enter 2: Tanium Operations >> 2: Tanium Configuration Settings >> 1: Edit Tanium Server Settings. 4. Verify the existence of a "SSLHonorCipherOrder" key with a value of "1". If the "SSLHonorCipherOrder" key does not exist with a value of "1", this is a finding.

Fix: F-58502r870382_fix

1. Access the Tanium Server interactively. 2. Log on to the server with the tanadmin role. 3. Enter 2: Tanium Operations >> 2: Tanium Configuration Settings >> 1: Edit Tanium Server Settings. 4. Enter number associated with key "SSLHonorCipherOrder" to edit its value. 5. Add or modify the "SSLHonorCipherOrder" key to have a value of "1".

b

The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.

SC-13 - Medium - CCI-002450 - V-254946 - SV-254946r962034_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

TANS-AP-001095

Vuln IDs

V-254946

Rule IDs

SV-254946r962034_rule

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Checks: C-58559r867736_chk

1. Access the Tanium Server interactively. 2. Log on to the server with the tanadmin role. 3. Enter 2: Tanium Operations >> 2: Tanium Configuration Settings >> 1: Edit Tanium Server Settings. 4. Verify the existence of a "SSLCipherSuite" key with a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK If the String "SSLCipherSuite" does not exist with the appropriate list values, this is a finding.

Fix: F-58503r870383_fix

1. Access the Tanium Server interactively. 2. Log on to the server with the tanadmin role. 3. Enter 2: Tanium Operations >> 2: Tanium Configuration Settings >> 1: Edit Tanium Server Settings. 4. Enter the number associated with key "SSLCipherSuite" to edit its value. 5. Add or modify the "SSLCipherSuite" key to have a value of: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

b

The Tanium Server certificate must be signed by a DOD Certificate Authority.

SC-23 - Medium - CCI-002470 - V-254947 - SV-254947r961596_rule

RMF Control

SC-23

Severity

M

CCI

CCI-002470

Version

TANS-AP-001130

Vuln IDs

V-254947

Rule IDs

SV-254947r961596_rule

The Tanium Server has the option to use a "self-signed" certificate or a Trusted Certificate Authority signed certificate for SSL connections. During evaluations of Tanium in Lab settings, customers often conclude that a "self-signed" certificate is an acceptable risk. However, in production environments it is critical that a SSL certificate signed by a Trusted Certificate Authority be used on the Tanium Server in lieu of an untrusted and insecure "self-signed" certificate.

Checks: C-58560r867739_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. When connected, review the Certificate for the Tanium Server. 3. In the web browser, view the presented Certificate and verify that the Certificate shows as issued by a DOD Root CA. Also verify that the Certification path's top-level is a DOD Root CA. 4. If the certificate authority is not DOD Root CA, this is a finding.

Fix: F-58504r867740_fix

Request or regenerate the certificate from a DOD Root Certificate Authority.

b

The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial of service (DoS) condition at the server.

SC-5 - Medium - CCI-002385 - V-254948 - SV-254948r961620_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

TANS-AP-001150

Vuln IDs

V-254948

Rule IDs

SV-254948r961620_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of applications to mitigate the impact of DoS attacks that have occurred or are ongoing on application availability. For each application, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

Checks: C-58561r867742_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Bandwidth Throttles". 4. Work with the Tanium Administrator to confirm settings. If bandwidth throttles are not configured, this is a finding. For more information, see the following: https://docs.tanium.com/platform_user/platform_user/console_bandwidth_throttling.html.

Fix: F-58505r867743_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Configuration, select "Bandwidth Throttles". 4. Click "Add" on the line for "Global Throttle for All Data". 5. Work with Tanium Administrator to configure the required bandwidth throttles. 6. Click "Save". 7. Work with the Tanium Administrator to confirm or set settings for the remaining options: a) Global Throttle for Package Files b) Global Throttle for Sensors c) Site Throttles

b

The Tanium application must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

SI-2 - Medium - CCI-002605 - V-254949 - SV-254949r961683_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

TANS-AP-001215

Vuln IDs

V-254949

Rule IDs

SV-254949r961683_rule

Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Checks: C-58562r867745_chk

Ensure all components of the Tanium application have been updated within 60 days of the vulnerability being announced by Tanium. Critical Vulnerabilities must be updated within 30 days. --- Consult with the Tanium System Administrator to review the documented time window designated for updates. If a window of time is not defined, or does not specify a reoccurring frequency, this is a finding. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration," select "Solutions". If any module has the text, "Update to" a newer (greater) version number compared to the Installed version number in the Tanium Modules section of the page, this is a finding. If the Tanium application is an "airgap" installation, work with the Tanium Technical System Administrator to determine if the modules are up to date.

Fix: F-58506r867746_fix

Consult with the Tanium System Administrator to review the documented time window designated for updates. If a window of time is not defined, or does not specify a reoccurring frequency, work with the Tanium Administrator to document. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Administration" on the top navigation banner. 3. Under Configuration, select "Solutions". If any module has the text, "Update to" a newer (greater) version number compared to the Installed version number in the Tanium Modules section of the page, work with the Tanium Administrator to update those modules or content. If the Tanium application is an "airgap" installation, work with the Tanium Technical System Administrator to determine if the modules are up to date.

b

Tanium must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.

SI-4 - Medium - CCI-002664 - V-254950 - SV-254950r961728_rule

RMF Control

SI-4

Severity

M

CCI

CCI-002664

Version

TANS-AP-001250

Vuln IDs

V-254950

Rule IDs

SV-254950r961728_rule

When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including, audit records or inputs from malicious code protection mechanisms, intrusion detection, or prevention mechanisms. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Individuals designated by the local organization to receive alerts may include, for example, system administrators, mission/business owners, or system owners. IOCs are forensic artifacts from intrusions identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise. This requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including, but not limited to, host-based intrusion detection, antivirus, and malware applications.

Checks: C-58563r867748_chk

Note: If THR is not licensed or used for detection then this is not applicable. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". If any alerts are unresolved, this is a finding.

Fix: F-58507r867749_fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". 7. Resolve any open IOC-based alerts and change status to applicable status.

b

The application must, at a minimum, offload interconnected systems in real time and offload standalone systems weekly.

AU-4 - Medium - CCI-001851 - V-254951 - SV-254951r961860_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

TANS-AP-001405

Vuln IDs

V-254951

Rule IDs

SV-254951r961860_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

Checks: C-58564r867751_chk

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Review the "Connections" sections for source "Tanium Audit Source". If necessary, filter the connections by filtering by "Source" and the term "Audit". 5. Select "Audit" from list. 6. In the Summary section, verify the "State" is "Enabled" and the "Next Run" value is less than "7" days. If no results are returned, this is a finding. If results are returned but the state is not "Enabled", this is a finding. If the schedule duration is more than one week, this is a finding. If a schedule is not set, this is a finding.

Fix: F-58508r870364_fix

1.Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Click "Create Connection". 5. Enter "Name". 6. Enter "Description". 7. In the "Configuration" section, select "Source: Tanium Audit Source" and then under "Basic" options select appropriate audits. 8. In the Destination section, select a source from the drop-down menu. 9. Enter "Destination Name". 10. Enter "Host". 11. Select "Network Protocol", then "TCP" or "UDP". 12. Enter "Port". 13. In the Schedule section, select "Enable Schedule". 14. Select "Basic". 15. Select the drop-down under "Frequency" and choose, "One run per day, on selected days of the week". 16. Select a day. 17. Select a time. 18. Select "Save".

b

Tanium Client processes must be excluded from on-access scan.

CM-6 - Medium - CCI-000366 - V-254952 - SV-254952r961863_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-AP-001410

Vuln IDs

V-254952

Rule IDs

SV-254952r961863_rule

Similar to any other host-based applications, the Tanium Client is subject to the restrictions other system-level software may place on an operating environment. That is to say that Antivirus, IPS, Encryption, or other security and management stack software may disallow the Client from working as expected. https://docs.tanium.com/client/client/requirements.html#Host_system_security_exceptions

Checks: C-58565r867754_chk

Review the settings of the antivirus software. Validate exclusions exist that exclude the Tanium Client process interactions from on-access scans and are treated as low-risk. If exclusions do not exist, this is a finding.

Fix: F-58509r867755_fix

Implement exclusion policies within the antivirus software solution to exclude the on-access scanning of Tanium Client process interactions. These processes should be treated as low-risk and not scanned during read or write events.

b

Tanium Client directory and subsequent files must be excluded from on-access scan.

CM-6 - Medium - CCI-000366 - V-254953 - SV-254953r961863_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-AP-001415

Vuln IDs

V-254953

Rule IDs

SV-254953r961863_rule

Similar to any other host-based applications, the Tanium Client is subject to the restrictions other system-level software may place on an operating environment. That is to say that Antivirus, IPS, Encryption, or other security and management stack software may disallow the Client from working as expected. https://docs.tanium.com/client/client/requirements.html#Host_system_security_exceptions

Checks: C-58566r867757_chk

Review the settings of the antivirus software. Validate exclusions exist that exclude the Tanium Client directory and subsequent files interactions from on-access scans. If exclusions do not exist, this is a finding.

Fix: F-58510r867758_fix

Implement exclusion policies within the antivirus software solution to exclude the on-access scanning of Tanium Client directory and subsequent files interactions.

b

Tanium endpoint files must be excluded from host-based intrusion prevention intervention.

CM-6 - Medium - CCI-000366 - V-254954 - SV-254954r961863_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-AP-001420

Vuln IDs

V-254954

Rule IDs

SV-254954r961863_rule

Similar to any other host-based applications, the Tanium Client is subject to the restrictions other system-level software may place on an operating environment. Antivirus, IPS, Encryption, or other security and management stack software may disallow the Tanium Server from working as expected. https://docs.tanium.com/client/client/requirements.html#Host_system_security_exceptions

Checks: C-58567r867760_chk

Consult with the Tanium System Administrator to determine the HIPS software used on the Tanium Clients. Review the settings of the HIPS software. Validate exclusions exist which exclude the Tanium program files from being restricted by HIPS. If exclusions do not exist, this is a finding.

Fix: F-58511r867761_fix

In the host-based intrusion prevention system, ensure the following folders are excluded: Windows (64-bit OS versions) - \Program Files (x86)\Tanium\Tanium Client Windows (32-bit OS versions) - \Program Files\Tanium\Tanium Client macOS - /Library/Tanium/TaniumClient Linux, Solaris, AIX - /opt/Tanium/TaniumClient In the host-based intrusion prevention system, ensure the following processes are excluded: Windows, macOS, Linux - <Tanium Client>/Tools/StdUtils directory or all the files that it contains, including: Windows, macOS, Linux - 7za.exe (Windows) or 7za (macOS, Linux) Windows, macOS, Linux - runasuser.exe (Windows only) Windows, macOS, Linux - runasuser64.exe (Windows only) Windows, macOS, Linux - TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux) Windows, macOS, Linux - TaniumFileInfo.exe (Windows only) Windows, macOS, Linux - TPowerShell.exe (Windows only) macOS, Linux, Solaris, AIX - <Tanium Client>/TaniumClient macOS, Linux, Solaris, AIX - <Tanium Client>/taniumclient macOS, Linux - <Tanium Client>/distribute-tools.sh macOS, Linux - <Tanium Client>/TaniumCX Windows - <Tanium Client>\TaniumClient.exe Windows - <Tanium Client>\TaniumCX.exe

b

Tanium Server directory and subsequent files must be excluded from on-access scan.

CM-6 - Medium - CCI-000366 - V-254955 - SV-254955r961863_rule

RMF Control

CM-6

Severity

M

CCI

Version

TANS-AP-001425

Vuln IDs

V-254955

Rule IDs

SV-254955r961863_rule

Similar to any other host-based applications, the Tanium Server is subject to the restrictions other system-level software may place on an operating environment. Antivirus, IPS, Encryption, or other security and management stack software may disallow the Tanium Server from working as expected. https://docs.tanium.com/client/client/requirements.html#Host_system_security_exceptions

Checks: C-58568r867763_chk

Review the settings of the antivirus software. Validate exclusions exist that exclude the Tanium Server directory and subsequent files interactions from on-access scans. If exclusions do not exist, this is a finding.

Fix: F-58512r867764_fix

Implement exclusion policies within the antivirus software solution to exclude the on-access scanning of Tanium Server directory and subsequent files interactions.

b

Tanium Server processes must be excluded from on-access scan.

CM-6 - Medium - CCI-000366 - V-254956 - SV-254956r961863_rule

RMF Control

CM-6

Severity

M

CCI