Skip to content
Log In

Tanium 7.x Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.

    Typically, the Tanium Server stores the Package Source Files that it downloads from the internet and server shares or files uploaded through the Tanium Console in a subdirectory of the server's ins...
    Rule Medium Severity
    Show

  • SRG-APP-000142

    Group
    Show

  • SRG-APP-000142

    Group
    Show

  • Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.

    In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are i...
    Rule Medium Severity
    Show

  • SRG-APP-000142

    Group
    Show

  • SRG-APP-000175

    Group
    Show

  • The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.

    Restricting this setting limits the user's ability to change their password. Passwords must be changed at specific policy-based intervals; however, if the application allows the user to immediately...
    Rule Medium Severity
    Show

  • SRG-APP-000328

    Group
    Show

  • Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.

    If using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, the Tanium Zone Server Hub, typically insta...
    Rule Medium Severity
    Show

  • SRG-APP-000328

    Group
    Show

  • The Tanium Server http directory and subdirectories must be restricted with appropriate permissions.

    Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which...
    Rule Medium Severity
    Show

  • SRG-APP-000328

    Group
    Show

  • The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.

    Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which...
    Rule Medium Severity
    Show

  • SRG-APP-000328

    Group
    Show

  • The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.

    Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which...
    Rule Medium Severity
    Show

  • SRG-APP-000383

    Group
    Show

  • Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.

    The Tanium Module Server is used to extend the functionality of Tanium through the use of various workbenches. The Tanium Module Server requires communication with the Tanium Server on port 17477. ...
    Rule Medium Severity
    Show

  • SRG-APP-000383

    Group
    Show

  • SRG-APP-000427

    Group
    Show

  • SRG-APP-000516

    Group
    Show

  • Tanium Server directory and subsequent files must be excluded from On-Access scan.

    Similar to any other host-based applications, the Tanium Server is subject to the restrictions other system-level software may place on an operating environment. Antivirus, intrusion prevention sys...
    Rule Medium Severity
    Show

  • SRG-APP-000416

    Group
    Show

  • SRG-APP-000001

    Group
    Show

  • The Tanium "max_soap_sessions_total" setting must be explicitly enabled to limit the number of simultaneous sessions.

    Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in li...
    Rule Medium Severity
    Show

  • SRG-APP-000001

    Group
    Show

  • SRG-APP-000039

    Group
    Show

  • The Tanium documentation identifying recognized and trusted folders for Threat Response Local Directory Source must be maintained.

    Using trusted and recognized indicator of compromise (IOC) sources may detect and prevent systems from becoming compromised. An IOC stream is a series or stream of IOCs that are imported from a ven...
    Rule Medium Severity
    Show

  • SRG-APP-000039

    Group
    Show

  • SRG-APP-000039

    Group
    Show

  • The Tanium documentation identifying recognized and trusted Security Content Automation Protocol (SCAP) sources must be maintained.

    SCAP XML documents validated by the National Institute of Standards and Technology (NIST) are provided from several possible sources such as DISA, NIST, and nongovernment entities. These documents ...
    Rule Medium Severity
    Show

  • SRG-APP-000039

    Group
    Show

  • The Tanium documentation identifying recognized and trusted Open Vulnerability and Assessment Language (OVAL) feeds must be maintained.

    OVAL XML documents are provided from several possible sources such as the Community Intercomparison Suite (CIS) open-source repository and vendor/third-party paid repositories. These documents are ...
    Rule Medium Severity
    Show

  • SRG-APP-000039

    Group
    Show

  • SRG-APP-000039

    Group
    Show

  • Tanium Comply must be configured to receive Open Vulnerability and Assessment Language (OVAL) feeds only from trusted sources.

    OVAL XML documents are provided from several possible sources such as the Community Intercomparison Suite (CIS) open-source repository and vendor/third-party paid repositories. These documents are ...
    Rule Medium Severity
    Show

  • SRG-APP-000435

    Group
    Show

  • SRG-APP-000516

    Group
    Show

  • Tanium Server files must be excluded from host-based intrusion prevention intervention.

    Similar to any other host-based applications, the Tanium Server is subject to the restrictions other system-level software may place on an operating environment. Antivirus, intrusion prevention sys...
    Rule Medium Severity
    Show

  • SRG-APP-000295

    Group
    Show

  • The Tanium application must set an inactive timeout for sessions.

    Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By cl...
    Rule Medium Severity
    Show

  • SRG-APP-000435

    Group
    Show

  • SRG-APP-000439

    Group
    Show

  • The Tanium Application, SQL, and Module servers must all be configured to communicate using TLS 1.2 Strict Only.

    Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information that would otherwise be unavailable.
    Rule High Severity
    Show

  • SRG-APP-000439

    Group
    Show

  • SRG-APP-000439

    Group
    Show

  • The SSLCipherSuite registry value must be set.

    Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement...
    Rule High Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules