Tanium must enforce 24 hours/one day as the minimum password lifetime.

An XCCDF Rule

Description

<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254912r1015865_rule
Severity: Medium
References: CCI-000198 CCI-004066
Updated: 17 days ago

Console Users:

Per guidance, Enterprise Console users are inherited via LDAP synchronization as such passwords are not managed or enforced at the Tanium application level. 

Local TanOS account: 
1. Access the Tanium Server interactively.

2. Log on to the TanOS server with the tanadmin role.

3. Press "C" for "User Administration Menu," and then press "Enter".

4. Press "L" for "Local Tanium User Management," and then press "Enter".

5. Press "B" for "Security Policy Local Authentication Service," and then press "Enter".

6. Type "yes" and press "Enter".

7. Input the following settings, pressing "Enter" after every value:
    a) Minimum Password Lifetime - 1
    b) Maximum Password Lifetime - 60
    c) Minimum Password Length - 15
    d) Minimum Password History - 5
    e) Password Lockout - TRUE
    f) Maximum Password Attempts - 3

8. Type "yes" to accept the new password policy.

Tanium must enforce 24 hours/one day as the minimum password lifetime.

Description

Remediation - Manual Procedure