Tanium 7.0 Security Technical Implementation Guide

Access to Tanium logs on each endpoint must be restricted by permissions.

SRG-APP-000131

SRG-APP-000015

The Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.

SRG-APP-000119

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.

SRG-APP-000142

Firewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.

SRG-APP-000328

Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.

SRG-APP-000328

The ability to uninstall the Tanium Client service must be disabled on all managed clients.

SRG-APP-000328

The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.

SRG-APP-000516

Tanium endpoint files must be excluded from on-access antivirus actions.

SRG-APP-000516

The Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.

SRG-APP-000516

Tanium endpoint files must be protected from file encryption actions.

SRG-APP-000246

Tanium must restrict the ability of individuals to place too much impact upon the network, which might result in a denial-of-service (DoS) event on the network by using RandomSensorDelayInSeconds.

SRG-APP-000516

Tanium endpoint files must be excluded from host-based intrusion prevention intervention.

SRG-APP-000023

The Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.

SRG-APP-000023

The Tanium Server must be configured to only use Microsoft Active Directory for account management functions.

SRG-APP-000033

Tanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.

SRG-APP-000033

Documentation identifying Tanium console users and their respective User Roles must be maintained.

SRG-APP-000033

Role-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.

SRG-APP-000033

Tanium console users User Roles must be validated against the documentation for User Roles.

SRG-APP-000033

Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.

SRG-APP-000033

Tanium console users Computer Group rights must be validated against the documentation for Computer Group rights.

SRG-APP-000149

Common Access Card (CAC)-based authentication must be enforced and enabled on the Tanium Server for network and local access with privileged and non-privileged accounts.

SRG-APP-000383

Firewall rules must be configured on the Tanium Server for Console-to-Server communications.

SRG-APP-000070

The publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.

SRG-APP-000108

Tanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

SRG-APP-000270

Flaw remediation Tanium applications must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).