Tanium 7.x Operating System on TanOS V2R1

b

The Tanium Operating System (TanOS) must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.

AC-7 - Medium - CCI-000044 - V-254839 - SV-254839r958388_rule

RMF Control

AC-7

Severity

M

CCI

CCI-000044

Version

TANS-OS-000070

Vuln IDs

V-254839

Rule IDs

SV-254839r958388_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Checks: C-58452r866056_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press L for "Local Tanium User Management," and then press "Enter". 5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter". If the value of "Maximum Password Attempts:" is greater than "3", this is a finding.

Fix: F-58396r866057_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu," and then press "Enter". 4. Press "L" for "Local Tanium User Management," and then press "Enter". 5. Press B for "Security Policy Local Authentication Service," and then press "Enter". 6. Type "yes," and then press "Enter". 7. Input the following settings pressing "Enter" after every value: a) Minimum Password Lifetime: Configure an appropriate value b) Maximum Password Lifetime: Configure an appropriate value c) Minimum Password Length: Configure an appropriate value d) Minimum Password History: Configure an appropriate value e) Password Lockout: Configure an appropriate value f) Maximum Password Attempts: 3 8. Type "yes" to accept the new password policy.

b

The Tanium Operating System (TanOS) must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.

AC-8 - Medium - CCI-000048 - V-254840 - SV-254840r958390_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

TANS-OS-000075

Vuln IDs

V-254840

Rule IDs

SV-254840r958390_rule

Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for operating system that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

Checks: C-58453r870365_chk

1. Access the Tanium Server interactively. 2. Verify DOD use notification displayed prior to login. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If a DOD-approved use notification banner does not display prior to logon, this is a finding.

Fix: F-58397r870366_fix

1. Create a .txt file composed of the DOD-authorized warning banner verbiage. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 2. Name the file "banner_ssh.txt". 3. Use SFTP to upload the HTML banner file to the /incoming folder. 4. Access the Tanium Server interactively. 5. Log on to the TanOS server with the tanadmin role, or any additional user with administrative privileges. 6. Enter A: Appliance Configuration Menu >> A: Security >> 3: Configure SSH Banner and follow the prompts. 7. Log off and back on to the Tanium Server to confirm application.

b

The Tanium Operating System (TanOS) must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

AC-10 - Medium - CCI-000054 - V-254841 - SV-254841r958398_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

TANS-OS-000095

Vuln IDs

V-254841

Rule IDs

SV-254841r958398_rule

Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

Checks: C-58454r866062_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "P" for "Security Policy," and then press "Enter". 6. Press "M" for "Maximum Concurrent Logins," and then press "Enter". 7. Work with the Tanium Administrator to confirm the number of maximum concurrent users. If the value of "Maximum Concurrent Logins:" is greater than the approved value, this is a finding.

Fix: F-58398r866063_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press P for "Security Policy," and then press "Enter". 6. Press "M" for "Maximum Concurrent Logins," and then press "Enter". 7. Work with the Tanium Administrator to set the number of maximum concurrent users.

b

The Tanium operating system (TanOS) must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

AU-5 - Medium - CCI-000139 - V-254842 - SV-254842r958424_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

TANS-OS-000165

Vuln IDs

V-254842

Rule IDs

SV-254842r958424_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Checks: C-58455r870377_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press 4 for "Syslog Configuration," and then press "Enter". 4. Press "1" for "Check current status," and then press Enter. If the syslog status page states, "No existing TanOS syslog forwarding configuration found", this is a finding. If the syslog status page states, "Syslog forwarding configuration" and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for audit processing failure events, this is not a finding.

Fix: F-58399r866066_fix

1. Access the TanOS interactively. 2. Press A for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press 5 for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number and press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and then press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and then press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for audit processing failure events.

b

The Tanium Operating System (TanOS) must enforce 24 hours/one day as the maximum password lifetime.

Medium - CCI-004066 - V-254843 - SV-254843r986548_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TANS-OS-000270

Vuln IDs

V-254843

Rule IDs

SV-254843r986548_rule

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-58456r866068_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu". 4. Press "L" for "Local Tanium User Management". 5. Press "B" for "Security Policy Local Authentication Service". If the "Password Minimum Age (days)" is not set to "1", this is a finding.

Fix: F-58400r866069_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu". 4. Press "L" for "Local Tanium User Management". 5. Press "B" for "Security Policy Local Authentication Service". 6. Type "Yes". 7. Set the value for "Define the minimum password in days [0 - 20]" to "1". 8. Press "Enter" to accept the current values for the rest of the options. 9. Type "Yes" to apply the new security policy.

b

The Tanium Operating System (TanOS) must enforce a 60-day maximum password lifetime restriction.

Medium - CCI-004066 - V-254844 - SV-254844r986549_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TANS-OS-000275

Vuln IDs

V-254844

Rule IDs

SV-254844r986549_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Checks: C-58457r866071_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu". 4. Press "L" for "Local Tanium User Management". 5. Press "B" for "Security Policy Local Authentication Service". If the "Password Maximum Age (days)" is not set to "60", this is a finding.

Fix: F-58401r866072_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu". 4. Press "L" for "Local Tanium User Management". 5. Press "B" for "Security Policy Local Authentication Service". 6. Type "Yes". 7. Press "Enter" to accept the current value for "Define the minimum password in days [0 - 20]". 8. Set the value of "Define the maximum password lifetime in days [0-300]" to "60". 9. Press "Enter" to accept the current values for the rest of the options. 10. Type "Yes" to apply the new security policy.

b

The Tanium Operating System (TanOS) must enforce a minimum 15-character password length.

Medium - CCI-004066 - V-254846 - SV-254846r986550_rule

RMF Control

Severity

M

CCI

CCI-004066

Version

TANS-OS-000285

Vuln IDs

V-254846

Rule IDs

SV-254846r986550_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-58459r866077_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu". 4. Press "L" for "Local Tanium User Management". 5. Press "B" for "Security Policy Local Authentication Service". If "Password Minimum Length" is not set to 15, this is a finding.

Fix: F-58403r866078_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "C" for "User Administration Menu". 4. Press "L" for "Local Tanium User Management". 5. Press "B" for "Security Policy Local Authentication Service". 6. Type "Yes". 7. Press "Enter" to accept the current value for "Define the minimum password in days [0 - 20]". 8. Press "Enter" to accept the current value for "Define the maximum password lifetime in days [0-300]". 9. Set the value for "Define the maximum password length (characters) [0-30]" to "15". 11. Press "Enter" to accept the current values for the rest of the options. 12. Type "Yes" to apply the new security policy.

c

The Tanium Operating System (TanOS) must use multifactor authentication for network access to privileged accounts.

IA-2 - High - CCI-000765 - V-254847 - SV-254847r986546_rule

RMF Control

IA-2

Severity

H

CCI

CCI-000765

Version

TANS-OS-000325

Vuln IDs

V-254847

Rule IDs

SV-254847r986546_rule

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). The DOD CAC with DOD-approved PKI is an example of multifactor authentication.

Checks: C-58460r866080_chk

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "C" to go to the "User Administration" menu. 3. Enter "M" to go to the "Multi-Factor Global Settings" menu. 4. If the status shows "Multi-Factor: Optional", this is a finding.

Fix: F-58404r866081_fix

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "C" to go to the "User Administration" menu. 3. Enter "M" to go to the "Multi-Factor Global Settings" menu. 4. Enter "M" to "Require Multi-Factor Authentication". 5. Enter "E" to "Enable Require Multi-factor Authentication".

b

The Tanium Operating System (TanOS) must use multifactor authentication for network access to nonprivileged accounts.

IA-2 - Medium - CCI-000766 - V-254848 - SV-254848r986547_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000766

Version

TANS-OS-000330

Vuln IDs

V-254848

Rule IDs

SV-254848r986547_rule

To assure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include:(i) Something you know (e.g., password/PIN); (ii) Something you have (e.g., cryptographic identification device, token); or (iii) Something you are (e.g., biometric). A nonprivileged account is any information system account with authorizations of a nonprivileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. The DOD CAC with DOD-approved PKI is an example of multifactor authentication.

Checks: C-58461r866083_chk

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "C" to go to the "User Administration" menu. 3. Enter "M" to go to the "Multi-Factor Global Settings" menu. 4. If the status shows "Multi-Factor: Optional", this is a finding.

Fix: F-58405r866084_fix

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "C" to go to the "User Administration" menu. 3. Enter "M" to go to the "Multi-Factor Global Settings" menu. 4. Enter "M" to "Require Multi-Factor Authentication". 5. Enter "E" to "Enable Require Multi-factor Authentication".

b

The Tanium Operating System (TanOS) must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.

IA-7 - Medium - CCI-000803 - V-254849 - SV-254849r971535_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

TANS-OS-000385

Vuln IDs

V-254849

Rule IDs

SV-254849r971535_rule

To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. This requirement also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and use for compute a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DOD. Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement.

Checks: C-58462r866086_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". If the FIPS 140-2 setting is currently disabled or persistently disabled, this is a finding.

Fix: F-58406r866087_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". 6. Press "1" for "FIPS 140-2 mode (disabled/enabled)". 7. Type "yes" to confirm enabling FIPS 140-2 Mode and then press "Enter". 8. Press "Enter" at the confirmation prompt that instructs the user to reboot the appliance. 9. Type "RR" and press "Enter" to return to the root menu. 10. Press "B" for "Appliance Maintenance," and then press "Enter". 11. Press "B" for "Reboot/Shutdown," and then press "Enter". 12. Press "1" for "Reboot the appliance," and then press "Enter". 13. Type "Yes", and then press "Enter" to reboot the appliance and complete the configuration.

b

The Tanium Operating System (TanOS) must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

SC-5 - Medium - CCI-001095 - V-254851 - SV-254851r958528_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

TANS-OS-000455

Vuln IDs

V-254851

Rule IDs

SV-254851r958528_rule

DoS is a condition that occurs when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Checks: C-58464r866092_chk

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "A" to go to the "Appliance Configuration" menu. 3. Enter "A" to go to the "Security" menu. 4. Enter "X" to go to the "Advanced Security" menu. 5. If you see "DOS protection: disabled" in the middle of the screen, this is a finding.

Fix: F-58408r866093_fix

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "A" to go to the "Appliance Configuration" menu. 3. Enter "A" to go to the "Security" menu. 4. Enter " to go to the "Advanced Security" menu. 5. Enter "6" to enable DoS protection. The screen updates with an enabled status.

b

Tanium Operating System (TanOS) must terminate all network connections associated with a communications session at the end of the session, or as follows: For in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; for user sessions (nonprivileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.

SC-10 - Medium - CCI-001133 - V-254852 - SV-254852r970703_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

TANS-OS-000465

Vuln IDs

V-254852

Rule IDs

SV-254852r970703_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-58465r866095_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". If the "Menu Timeout" setting is "-" for "Current" or "Persistent", this is a finding. If the "Menu Timeout" is greater than "600" (seconds) for either "Current" or "Persistent", this is a finding.

Fix: F-58409r866096_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". 6. Press "5" for "Set Menu Timeout," and then press "Enter". 7. Enter a timeout value no greater than "600" seconds, and then press "Enter". The timeout is not applied until a new login session is started. 8. Type "RR" and press "Enter" to return to the root menu. 9. Press "Z" for "Log out," and then press Enter. The session will disconnect and the menu timeout will be active at next sign in.

b

The Tanium Operating System (TanOS) must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of operating system configuration and user-generated data stored on the host.

SC-28 - Medium - CCI-001199 - V-254853 - SV-254853r958552_rule

RMF Control

SC-28

Severity

M

CCI

CCI-001199

Version

TANS-OS-000515

Vuln IDs

V-254853

Rule IDs

SV-254853r958552_rule

Confidentiality and integrity protections are intended to address the confidentiality and integrity of system information at rest when it is located on a storage device within the network device or as a component of the network device. This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device. This requirement addresses the protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.

Checks: C-58466r866098_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". If the FIPS 140-2 setting is currently disabled or persistently disabled, this is a finding.

Fix: F-58410r866099_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". 6. Press "1" for "FIPS 140-2 mode (disabled/enabled). 7. Type "yes" to confirm enabling FIPS 140-2 Mode, and then press "Enter". 8. Press "Enter" at the confirmation prompt that instructs the user to reboot the appliance. 9. Type "RR" and press "Enter" to return to the root menu. 10. Press "B" for "Appliance Maintenance," and then press "Enter". 11. Press "B" for "Reboot/Shutdown," and then press "Enter". 12. Press "1" for "Reboot the appliance," and then press "Enter". 13. Type "Yes" and press "Enter" to reboot the appliance and complete the configuration.

b

The Tanium Operating System (TanOS) must notify the ISSO and ISSM of failed security verification tests.

SI-6 - Medium - CCI-001294 - V-254854 - SV-254854r958558_rule

RMF Control

SI-6

Severity

M

CCI

CCI-001294

Version

TANS-OS-000535

Vuln IDs

V-254854

Rule IDs

SV-254854r958558_rule

If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include electronic alerts, messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.

Checks: C-58467r870378_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and press then "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states, "No existing TanOS syslog forwarding configuration found", this is a finding. If the syslog status page states, "Syslog forwarding configuration" and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for failed security verification tests, this is not a finding.

Fix: F-58411r866102_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and press "Enter". 6. Enter the destination port number, and then press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and then press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and then press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for failure events.

b

The publicly accessible Tanium Operating System (TanOS) must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.

AC-8 - Medium - CCI-001384 - V-254855 - SV-254855r958586_rule

RMF Control

AC-8

Severity

M

CCI

CCI-001384

Version

TANS-OS-000605

Vuln IDs

V-254855

Rule IDs

SV-254855r958586_rule

Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for operating system that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't".

Checks: C-58468r870370_chk

1. Access the TanOS interactively. If the Standard Mandatory DOD Notice and Consent Banner is not displayed at logon, this is a finding.

Fix: F-58412r870371_fix

1. Use SFTP to copy a file named "banner_ssh.txt" containing the Standard Mandatory DOD Notice and Consent Banner to the /incoming folder. 2. Access the TanOS interactively. 3. Enter "A" to go to the "Appliance Configuration" menu. 4. Enter "A" to go to the "Security" menu. 5. Enter "3" to add the banner file.

b

The Tanium Operating System (TanOS) must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.

AC-2 - Medium - CCI-000015 - V-254856 - SV-254856r986552_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000015

Version

TANS-OS-000710

Vuln IDs

V-254856

Rule IDs

SV-254856r986552_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of operating system user accounts and notifies administrators and ISSOs that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-58469r986551_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and press then "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states, "No existing TanOS syslog forwarding configuration found", this is a finding. If the syslog status page states, "Syslog forwarding configuration" and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for account creation events, this is not a finding.

Fix: F-58413r866108_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number, and then press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and then press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for account creation events.

b

The Tanium Operating System (TanOS) must audit and notify system administrators (SAs) and information system security officers (ISSOs) when accounts are modified.

AC-2 - Medium - CCI-000015 - V-254857 - SV-254857r986554_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000015

Version

TANS-OS-000715

Vuln IDs

V-254857

Rule IDs

SV-254857r986554_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the modification of operating system user accounts and notifies the SA and ISSO of changes. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-58470r986553_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states, "No existing TanOS syslog forwarding configuration found", this is a finding. If the syslog status page states, "Syslog forwarding configuration", and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for account modification events, this is not a finding.

Fix: F-58414r866111_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number, and then press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and then press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and then press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for account modification events.

b

The Tanium Operating System (TanOS) must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are removed.

AC-2 - Medium - CCI-000015 - V-254858 - SV-254858r986555_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000015

Version

TANS-OS-000725

Vuln IDs

V-254858

Rule IDs

SV-254858r986555_rule

When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account removal events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-58471r866113_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states "No existing TanOS syslog forwarding configuration found" this is a finding. If the syslog status page states "Syslog forwarding configuration" and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for account removal events, this is not a finding.

Fix: F-58415r866114_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and press then "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number and press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and then press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for account removal/deletion events.

b

Tanium Operating System (TanOS) must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

AC-12 - Medium - CCI-002361 - V-254859 - SV-254859r958636_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

TANS-OS-000735

Vuln IDs

V-254859

Rule IDs

SV-254859r958636_rule

Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.

Checks: C-58472r866116_chk

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "A" to go to the "Appliance Configuration" menu. 3. Enter "A" to go to the "Security" menu. 4. Enter "X" to go to the "Advanced Security" menu. 5. Enter "5" to go to "Set Menu Timeout". 6. See the current setting for timeout, if this does not match the organizationally defined standard, this is a finding.

Fix: F-58416r866117_fix

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "A" to go to the "Appliance Configuration" menu. 3. Enter "A" to go to the "" menu. 4. Enter "X" to go to the "Advanced Security" menu. 5. Enter "5" to go to "Set Menu Timeout". 6. Enter the correct Timeout in seconds, and then press "Enter" to set the setting.

b

Tanium must audit and notify system administrators (SAs) and information system security officers (ISSOs) when accounts are enabled.

AC-2 - Medium - CCI-000015 - V-254860 - SV-254860r986557_rule

RMF Control

AC-2

Severity

M

CCI

CCI-000015

Version

TANS-OS-000860

Vuln IDs

V-254860

Rule IDs

SV-254860r986557_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To detect and respond to events that affect user accessibility and application processing, operating systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-58473r986556_chk

1. Access the Tanium Operating System (TanOS) interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states, "No existing TanOS syslog forwarding configuration found", this is a finding. If the syslog status page states, "Syslog forwarding configuration" and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for account enable events, this is not a finding.

Fix: F-58417r866120_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number and then press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and then press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and then press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for account removal/deletion events.

b

Tanium must automatically lock accounts and require them be unlocked by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

AC-7 - Medium - CCI-002238 - V-254861 - SV-254861r958736_rule

RMF Control

AC-7

Severity

M

CCI

CCI-002238

Version

TANS-OS-000985

Vuln IDs

V-254861

Rule IDs

SV-254861r958736_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Checks: C-58474r866122_chk

1. Log in to Tanium interactively as a TanAdmin user. 2. Type "A" for "Appliance Configuration Menu". 3. Type "A" for Security. 4. Type "P" for Security Policy. 5. The section for "Account lockout:" should read "0 seconds after 3 failures". If the section reads anything else, this is a finding.

Fix: F-58418r866123_fix

1. Log in to Tanium interactively as a TanAdmin user. 2. Type "A" for "Appliance Configuration Menu". 3. Type "A" for "Security". 4. Type "P" for "Security Policy". 5. Type "Account Lockout Time". 6. Set the account lockout time to "0". Note: The time range for the three failures to occur is 15 minutes by default and cannot be configured otherwise.

b

The Tanium operating system (TanOS) must offload audit records onto a different system or media than the system being audited.

AU-12 - Medium - CCI-000169 - V-254862 - SV-254862r958754_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000169

Version

TANS-OS-001030

Vuln IDs

V-254862

Rule IDs

SV-254862r958754_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342, SRG-OS-000479, SRG-OS-000215, SRG-OS-000062

Checks: C-58475r866125_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states "No existing TanOS syslog forwarding configuration found" this is a finding. If the syslog status page states "Syslog forwarding configuration" and the SIEM administrator verifies that the destination SIEM is receiving the events correctly, this is not a finding.

Fix: F-58419r866126_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number and press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and then press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and then press "Enter". 9. Work with the SIEM administrator to validate events are being received.

b

The Tanium operating system (TanOS) must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

AU-5 - Medium - CCI-001855 - V-254863 - SV-254863r971542_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

TANS-OS-001035

Vuln IDs

V-254863

Rule IDs

SV-254863r971542_rule

If security personnel are not notified immediately when storage volume reaches 75 percent, they are unable to plan for audit record storage capacity expansion.

Checks: C-58476r866128_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "5" for "SNMP Configuration," and then press "Enter". If the State is "Disabled" this is a finding. If the state is "Enabled", work with the SNMP monitoring system administrator to ensure warnings are sent when TanOS storage reaches 75 percent of capacity. If they are not being sent, and this is a finding.

Fix: F-58420r866129_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "5" for "SNMP Configuration," and then press "Enter". 4. Press "S" for "Set Password and Start the SNMP Service," and then press "Enter". 5. Enter the desired SNMP password and press "Enter". 6. Press "Enter" to continue and return to the SNMP configuration menu and verify the state is now "Enabled". Work with the SNMP monitoring system administrator to enable warning alerts for low free space.

b

The Tanium operating system (TanOS) must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

AU-5 - Medium - CCI-001858 - V-254864 - SV-254864r958758_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

TANS-OS-001040

Vuln IDs

V-254864

Rule IDs

SV-254864r958758_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks: C-58477r866131_chk

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states "No existing TanOS syslog forwarding configuration found" this is a finding. If the syslog status page states "Syslog forwarding configuration" and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for audit failure events, this is not a finding.

Fix: F-58421r866132_fix

1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number and press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for audit failure events.

b

The Tanium operating system (TanOS) must, for networked systems, compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

Medium - CCI-004923 - V-254865 - SV-254865r986559_rule

RMF Control

Severity

M

CCI

CCI-004923

Version

TANS-OS-001095

Vuln IDs

V-254865

Rule IDs

SV-254865r986559_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Checks: C-58478r866134_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "3" for "NTP Configuration," and then press "Enter". If there is no address listed for "Currently configured ntp servers:", this is a finding. If the "Current NTP Status" does not list a status of "Synchronized to NTP Server (<address>) at stratum #" and "Time correct to within # ms", this is a finding.

Fix: F-58422r986558_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "3" for "NTP Configuration," and then press "Enter". 5. Type "Yes" to "Remove the current NTP servers and enter new information?" and then press "Enter". 6. Type the first NTP server address, and then press "Enter". 7. Type "Yes" to provide a second NTP Server, and then press "Enter". 8. Type the second NTP server address and then press "Enter". 9. Press "Enter" to return to the "Appliance Configuration" menu.

b

The Tanium Operating System (TanOS) must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

Medium - CCI-004926 - V-254866 - SV-254866r986560_rule

RMF Control

Severity

M

CCI

CCI-004926

Version

TANS-OS-001100

Vuln IDs

V-254866

Rule IDs

SV-254866r986560_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference.

Checks: C-58479r866137_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "3" for "NTP Configuration," and then press "Enter". If there is no address listed for "Currently configured ntp servers:", this is a finding. If the "Current NTP Status" does not list a status of "Synchronized to NTP Server (<address>) at stratum #" and "Time correct to within # ms", this is a finding.

Fix: F-58423r866138_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "3" for "NTP Configuration," and then press "Enter". 5. Type "Yes" to "Remove the current NTP servers and enter new information?" and then press "Enter". 6. Type the first NTP server address and then press "Enter". 7. Type "Yes" to provide a second NTP Server, and then press "Enter". 8. Type the second NTP server address and then press "Enter". 8. Press "Enter" to return to the "Appliance Configuration" menu.

b

The Tanium Operating System (TanOS) must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.

Medium - CCI-004928 - V-254867 - SV-254867r987876_rule

RMF Control

Severity

M

CCI

CCI-004928

Version

TANS-OS-001105

Vuln IDs

V-254867

Rule IDs

SV-254867r987876_rule

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes it's time to a more accurate source. The system must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: A time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Checks: C-58480r866140_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "3" for "NTP Configuration," and then press "Enter". If there is no address or only a single address listed for "Currently configured ntp servers:", this is a finding. If the "Currently configured ntp servers:" list is not the organizationally mandated list of geographically distributed time servers, this is a finding.

Fix: F-58424r986561_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "3" for "NTP Configuration," and then press "Enter". 5. Type "Yes" to "Remove the current NTP servers and enter new information?" and press "Enter". 6. Type the first NTP server address and press "Enter". 7. Type "Yes" to provide a second NTP Server, and then press "Enter". 8. Type the second NTP server address, and then press "Enter". 9. Press "Enter" to return to the "Appliance Configuration" menu.

b

The Tanium operating system (TanOS) must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-21 - Medium - CCI-002467 - V-254868 - SV-254868r958864_rule

RMF Control

SC-21

Severity

M

CCI

CCI-002467

Version

TANS-OS-001325

Vuln IDs

V-254868

Rule IDs

SV-254868r958864_rule

If data origin authentication and data integrity verification is not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed, which would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching Domain Name System (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. This applies to operating systems that have integrated DNS clients.

Checks: C-58481r866143_chk

1. Work with a systems administrator to determine a designated Name Server that performs data integrity checks. 2. Sign in to the TanOS console as a user with the tanadmin role. 3. Enter "A" to go to the "Appliance Configuration" menu. 4. Enter "1" to go to the "Hostname/DNS Configuration" menu. 5. Enter "2", if the ip address shown is not the designated Name Server determined in step 1. This is a finding.

Fix: F-58425r866144_fix

1. Work with a systems administrator to determine a designated Name Server that performs data integrity checks. 2. Sign in to the TanOS console as a user with the tanadmin role. 3. Enter "A" to go to the "Appliance Configuration" menu. 4. Enter "1" to go to the "Hostname/DNS Configuration" menu. 5. Enter "2" and follow the prompts to modify the DNS server configuration.

b

The Tanium operating system (TanOS) must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.

SC-21 - Medium - CCI-002468 - V-254869 - SV-254869r958866_rule

RMF Control

SC-21

Severity

M

CCI

CCI-002468

Version

TANS-OS-001330

Vuln IDs

V-254869

Rule IDs

SV-254869r958866_rule

If data origin authentication and data integrity verification is not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed, which would result in query failure or denial of service. Data origin authentication verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching Domain Name System (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. This applies to operating systems that have integrated DNS clients.

Checks: C-58482r866146_chk

1. Work with a systems administrator to determine a designated Name Server that performs data origin authentic ion checks. 2. Sign in to the TanOS console as a user with the tanadmin role. 3. Enter "A" to go to the "Appliance Configuration" menu. 4. Enter "1" to go to the "Hostname/DNS Configuration" menu. 5. Enter "2", if the ip address shown is not the designated Name Server determined in step 1. This is a finding.

Fix: F-58426r866147_fix

1. Work with a systems administrator to determine a designated Name Server that performs data origin authentic ion checks. 2. Sign in to the TanOS console as a user with the tanadmin role. 3. Enter "A" to go to the "Appliance Configuration" menu. 4. Enter "1" to go to the "Hostname/DNS Configuration" menu. 5. Enter "2" and follow the prompts to modify the DNS server configuration.

b

The Tanium Operating System (TanOS) must protect against or limit the effects of denial of service (DoS) attacks by employing organization-defined security safeguards.

SC-5 - Medium - CCI-002385 - V-254870 - SV-254870r958902_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

TANS-OS-001420

Vuln IDs

V-254870

Rule IDs

SV-254870r958902_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

Checks: C-58483r866149_chk

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "A" to go to the "Appliance Configuration" menu. 3. Enter "A" to go to the "Security" menu. 4. Enter "X" to go to the "Advanced Security" menu. 5. If you see "DOS protection: disabled" in the middle of the screen, this is a finding.

Fix: F-58427r866150_fix

1. Sign in to the TanOS console as a user with the tanadmin role. 2. Enter "A" to go to the "Appliance Configuration" menu. 3. Enter "A" to go to the "Security" menu. 4. Enter "X" to go to the "Advanced Security" menu. 5. Enter "6" to enable DoS protection. The screen updates with an enabled status.

b

The Tanium operating system (TanOS) must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

SI-2 - Medium - CCI-002605 - V-254871 - SV-254871r958940_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

TANS-OS-001515

Vuln IDs

V-254871

Rule IDs

SV-254871r958940_rule

Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

Checks: C-58484r866152_chk

1. Access the Tanium Server interactively. 2. Check the version number of the installed TanOS release displayed at the bottom of the main menu. 3. Compare to the latest available release on https://kb.tanium.com/Category:TanOS. 4. If the installed release is not the current release, review the release notes for the current release and any other releases newer than the current version to check for security-relevant updates and when they were released. If there are security-relevant updates that have not been installed within the directed time period, this is a finding.

Fix: F-58428r866153_fix

1. Download the target TanOS upgrade file from Tanium. 2. Transfer the upgrade to the SFTP incoming folder on the TanOS appliance. 3. Access the Tanium Server interactively. 4. Press "B" for "Appliance Maintenance Menu," and then press "Enter". 5. Press "3" for "Upgrade TanOS," and then press "Enter". 5b. If this TanOS server is part of an appliance array, type "yes" and then press "Enter" to choose to upgrade all appliances in the array. 6. Press "1" (or the appropriate number if there are multiple upgrade files to select from) to choose the upgrade file to install. 7. Review the upgrade version confirmation and type "Yes" and then press "Enter" to begin the upgrade.

b

The Tanium operating system (TanOS) must install security-relevant firmware updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

SI-2 - Medium - CCI-002607 - V-254872 - SV-254872r958942_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002607

Version

TANS-OS-001520

Vuln IDs

V-254872

Rule IDs

SV-254872r958942_rule

Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant firmware updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant firmware updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

Checks: C-58485r866155_chk

1. Access the Tanium Server interactively. 2. Check the version number of the installed TanOS release displayed at the bottom of the main menu. 3. Compare to the latest available release on https://kb.tanium.com/Category:TanOS. 4. If the installed release is not the current release, review the release notes for the current release and any other releases newer than the current version to check for security-relevant updates and when they were released. If there are security-relevant updates that have not been installed within the directed time period, this is a finding.

Fix: F-58429r866156_fix

1. Download the target TanOS upgrade file from Tanium. 2. Transfer the upgrade to the SFTP incoming folder on the TanOS appliance. 3. Access the Tanium Server interactively. 4. Press "B" for "Appliance Maintenance Menu," and then press "Enter". 5. Press "3" for "Upgrade TanOS," and then press "Enter". 5b. If this TanOS server is part of an appliance array, type "yes" and then press "Enter" to choose to upgrade all appliances in the array. 6. Press "1" (or the appropriate number if there are multiple upgrade files to select from) to choose the upgrade file to install. 7. Review the upgrade version confirmation and type "Yes" and then press "Enter" to begin the upgrade.

c

The Tanium Operating System (TanOS) must use a FIPS-validated cryptographic module to provision digital signatures.

IA-5 - High - CCI-000185 - V-254873 - SV-254873r959036_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000185

Version

TANS-OS-001760

Vuln IDs

V-254873

Rule IDs

SV-254873r959036_rule

FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within federal systems. Un-validated cryptography is viewed by NIST as providing no protection to the information or data - in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. The cryptographic module used must have at least one validated digital signature function. This validated hash algorithm must be used to generate digital signatures for all cryptographic security function within the product being evaluated. Satisfies: SRG-OS-000550, SRG-OS-000530

Checks: C-58486r866158_chk

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". If the FIPS 140-2 setting is currently disabled or persistently disabled, this is a finding.

Fix: F-58430r866159_fix

1. Access the Tanium Server interactively. 2. Log on to the TanOS server with the tanadmin role. 3. Press "A" for "Appliance Configuration Menu," and then press "Enter". 4. Press "A" for "Security," and then press "Enter". 5. Press "X" for "Advanced Security," and then press "Enter". 6. Press "1" for "FIPS 140-2 mode (disabled/enabled)". 7. Type "yes" to confirm enabling FIPS 140-2 Mode, and then press "Enter". 8. Press "Enter" at the confirmation prompt that instructs the user to reboot the appliance. 9. Type "RR" and press "Enter" to return to the root menu. 10. Press "B" for "Appliance Maintenance," and then press "Enter". 11. Press "B" for "Reboot/Shutdown," and then press "Enter". 12. Press "1" for "Reboot the appliance," and then press "Enter". 13. Type "Yes" and then press "Enter" to reboot the appliance and complete the configuration.

Removed rules 2

Content changes 4

Checks: C-58452r866056_chk

Fix: F-58396r866057_fix

Generate Mitigation Statement:

Checks: C-58453r870365_chk

Fix: F-58397r870366_fix

Generate Mitigation Statement:

Checks: C-58454r866062_chk

Fix: F-58398r866063_fix

Generate Mitigation Statement:

Checks: C-58455r870377_chk

Fix: F-58399r866066_fix

Generate Mitigation Statement:

Checks: C-58456r866068_chk

Fix: F-58400r866069_fix

Generate Mitigation Statement:

Checks: C-58457r866071_chk

Fix: F-58401r866072_fix

Generate Mitigation Statement:

Checks: C-58459r866077_chk

Fix: F-58403r866078_fix

Generate Mitigation Statement:

Checks: C-58460r866080_chk

Fix: F-58404r866081_fix

Generate Mitigation Statement:

Checks: C-58461r866083_chk

Fix: F-58405r866084_fix

Generate Mitigation Statement:

Checks: C-58462r866086_chk

Fix: F-58406r866087_fix

Generate Mitigation Statement:

Checks: C-58464r866092_chk

Fix: F-58408r866093_fix

Generate Mitigation Statement:

Checks: C-58465r866095_chk

Fix: F-58409r866096_fix

Generate Mitigation Statement:

Checks: C-58466r866098_chk

Fix: F-58410r866099_fix

Generate Mitigation Statement:

Checks: C-58467r870378_chk

Fix: F-58411r866102_fix

Generate Mitigation Statement:

Checks: C-58468r870370_chk

Fix: F-58412r870371_fix

Generate Mitigation Statement:

Checks: C-58469r986551_chk

Fix: F-58413r866108_fix

Generate Mitigation Statement:

Checks: C-58470r986553_chk

Fix: F-58414r866111_fix

Generate Mitigation Statement:

Checks: C-58471r866113_chk

Fix: F-58415r866114_fix

Generate Mitigation Statement:

Checks: C-58472r866116_chk

Fix: F-58416r866117_fix

Generate Mitigation Statement:

Checks: C-58473r986556_chk

Fix: F-58417r866120_fix

Generate Mitigation Statement:

Checks: C-58474r866122_chk

Fix: F-58418r866123_fix

Generate Mitigation Statement:

Checks: C-58475r866125_chk

Fix: F-58419r866126_fix

Generate Mitigation Statement:

Checks: C-58476r866128_chk

Fix: F-58420r866129_fix

Generate Mitigation Statement:

Checks: C-58477r866131_chk

Fix: F-58421r866132_fix

Generate Mitigation Statement:

Checks: C-58478r866134_chk

Fix: F-58422r986558_fix

Generate Mitigation Statement:

Checks: C-58479r866137_chk

Fix: F-58423r866138_fix

Generate Mitigation Statement: