Tanium 7.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis.
Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner....Rule Medium Severity -
The Tanium application must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).
Lack of authentication and identification enables nonorganizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compro...Rule Medium Severity -
The Tanium application must separate user functionality (including user interface services) from information system management functionality.
Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access application management functionality...Rule Medium Severity -
The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of denial-of-service (DoS) attacks.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. In the case...Rule Medium Severity -
The Tanium application must provide an immediate real-time alert to the system administrator and information system security officer, at a minimum, of all audit failure events requiring real-time alerts.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
The Tanium application must prohibit user installation of software without explicit privileged status.
Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escal...Rule Medium Severity -
The Tanium application must electronically verify Personal Identity Verification (PIV) credentials.
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication f...Rule Medium Severity -
The Tanium application must accept Personal Identity Verification (PIV) credentials from other federal agencies.
Access may be denied to authorized users if federal agency PIV credentials are not accepted. PIV credentials are issued by federal agencies and conform to FIPS Publication 201 and supporting guid...Rule Medium Severity -
The Tanium application must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...Rule Medium Severity -
The Tanium endpoint must have the Tanium Server's pki.db in its installation.
Without cryptographic integrity protections in the Tanium Client, information could be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity o...Rule Medium Severity -
The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.
All of Tanium's signing capabilities should be enabled upon install. Tanium supports the cryptographic signing and verification before execution of all Sensors, Questions, Actions, Sensor Libraries...Rule Medium Severity -
The ability to uninstall the Tanium Client service must be disabled on all managed clients.
By default, end users have the ability to uninstall software on their clients. In the event the Tanium Client software is uninstalled, the Tanium Server is unable to manage the client and must rede...Rule Medium Severity -
The Tanium Application Server must be configured to only use LDAP for account management functions.
Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. To r...Rule Medium Severity -
Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers.
Computer Groups allow a site running Tanium to assign responsibility of specific Computer Groups to specific Tanium console users. By doing so, a desktop administrator, for example, will not have t...Rule Medium Severity -
Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.
The Tanium application must be configured to use multifactor authentication. Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multif...Rule High Severity -
Firewall rules must be configured on the Tanium Server for Console-to-Server communications.
An HTML5-based application, the Tanium Console runs from any device with a browser that supports HTML5. For security, the HTTP and SOAP communication to the Tanium Server is SSL encrypted, so the T...Rule Medium Severity -
The publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with appl...Rule Medium Severity -
Tanium must notify system administrators and the information system security officer (ISSO) when accounts are modified.
When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes. Sending notification of ...Rule Medium Severity -
Tanium must notify the system administrator and information system security officer (ISSO) of account enabling actions.
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a...Rule Medium Severity -
Tanium must notify system administrators and the information system security officer (ISSO) for account removal actions.
When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes. Sending notification of account remo...Rule Medium Severity -
The Tanium Server installer's account database permissions must be reduced to an appropriate level.
Creating the "tanium" and "tanium_archive" databases through the Tanium Server installer program or using the database to create SQL scripts requires Sysadmin-level permissions. Once the databases ...Rule Medium Severity -
Firewall rules must be configured on the Tanium Server for server-to-database communications.
The Tanium Server can use either a SQL Server relational database management system (RDBMS) installed locally to the same device as the Tanium Server application or a remote dedicated or shared SQL...Rule Medium Severity -
Content providers must provide their public key to the Tanium administrator to import for validating signed content.
A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed computers. Sensors gather specific information ...Rule Medium Severity -
The Tanium applications must be configured to filter audit records for events of interest based on organization-defined criteria.
The ability to specify the event criteria that are of interest enables those reviewing the logs to quickly isolate and identify these events without having to review entries that are of little or n...Rule Medium Severity -
The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
All of Tanium's signing capabilities should be enabled upon install. Tanium supports the cryptographic signing and verification before execution of all Sensors, Questions, Actions, Sensor Libraries...Rule Medium Severity -
Firewall rules must be configured on the Tanium Server for client-to-server communications.
In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed computers over port 17472. Without proper firewall co...Rule Medium Severity -
The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM Category Assurance List (CAL) and vulnerability assessments.
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restr...Rule Medium Severity -
The Tanium Server directory must be restricted with appropriate permissions.
Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which...Rule Medium Severity -
The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards appr...Rule Medium Severity -
The Tanium Server certificate must be signed by a DoD certificate authority (CA).
The Tanium Server has the option to use a "self-signed" certificate or a trusted CA signed certificate for SSL connections. During evaluations of Tanium in lab settings, customers often conclude th...Rule Medium Severity -
The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards appr...Rule Medium Severity -
The Tanium "max_soap_sessions_per_user" setting must be explicitly enabled to limit the number of simultaneous sessions.
Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in li...Rule Medium Severity -
The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of threat intel.
Using trusted and recognized indicator of compromise (IOC) sources may detect and prevent systems from becoming compromised. An IOC stream is a series or stream of intel that is imported from a ven...Rule Medium Severity -
Tanium Comply must be configured to receive Security Content Automation Protocol (SCAP) content only from trusted sources.
SCAP XML documents validated by the National Institute of Standards and Technology (NIST) are provided from several possible sources such as DISA, NIST, and other nongovernment entities. These docu...Rule Medium Severity -
The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This require...Rule Medium Severity -
The Tanium application service must be protected from being stopped by a nonprivileged user.
Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded cap...Rule Medium Severity -
The SchUseStrongCrypto registry value must be set.
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement...Rule High Severity -
SRG-APP-000416
Group -
SRG-APP-000359
Group -
SRG-APP-000111
Group -
SRG-APP-000515
Group -
The application must, at a minimum, offload interconnected systems in real time and offload standalone systems weekly.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.Rule Medium Severity -
SRG-APP-000516
Group -
Tanium Client processes must be excluded from On-Access scan.
Similar to any other host-based applications, the Tanium Client is subject to the restrictions other system-level software may place on an operating environment. Antivirus, intrusion prevention sys...Rule Medium Severity -
SRG-APP-000177
Group -
The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication.
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.Rule Medium Severity -
SRG-APP-000180
Group -
The Tanium application must provide an immediate warning to the system administrator and information system security officer (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion.Rule Medium Severity -
SRG-APP-000360
Group -
SRG-APP-000211
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.