Tanium console users User Roles must be validated against the documentation for User Roles.
An XCCDF Rule
Description
<VulnDiscussion>System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate role, with the least privileged access possible to perform assigned tasks being the recommended best practice. Users who have been removed from the documentation should no longer be configured as a Tanium Console User. Consider removing users that have not logged onto the system within a predetermined time frame. When using Active Directory synchronization, as is required by this STIG, User Roles assignments are via the LDAP Sync, AD security groups correlate, one to one, to Tanium User Roles. To change a Tanium user's User Role, their Active Directory account needs to be moved to the AD security group, which correlates with the applicable User Role.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-234053r612749_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
When using Active Directory synchronization, as is required by this STIG, User Roles assignments are assigned by LDAP sync. AD security groups correlate, one to one, to Tanium User Roles.
To change a Tanium user's User Functional Role, their Active Directory account needs to be moved to the AD security group, which correlates with the applicable User Functional Role.
Access the Active Directory server.