The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.

An XCCDF Rule

Description

By restricting access to the Tanium Client directory on managed clients, the Tanium client's ability to operate and function as designed will be protected from malicious attack and unintentional modifications by end users.

ID: SV-234041r612749_rule
Version: TANS-CL-000007
Severity: Medium
References: CCI-002165
Updated: 6 days ago

Remediation Templates

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI).

Log on with CAC.

From the Dashboard, under "Client Service Hardening", click on "Set Client Directory Permissions".
The results will show a "Count" of clients' compliant and non-compliant hardening for the "Tanium Client Directory Permissions".

Non-compliant clients will have a count other than "0" for "Not Restricted" or "Error: No Permissions".

Select each of the "Not Restricted" or "Error: No Permissions" statuses.

Select "Deploy Action".

In the "Deploy Action" dialog box, change the package to "Client Service Hardening - Set SYSTEM only permissions on the Tanium Client directory" as the package.

Configure the schedule to repeat at least every hour for the requested action.

Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down.

Click on "Show preview to continue". Non-compliant systems will be displayed in the bottom.

Click on "Deploy Action".

Verify settings.

Click on "Show Client Status Details".

The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.

Description

Remediation Templates

A Manual Procedure