STIGQter STIGQter: STIG Summary: Tanium 7.3 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Feb 2019: Tanium must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.

DISA Rule

SV-102139r1_rule

Vulnerability Number

V-92037

Group Title

SRG-APP-000386

Rule Version

TANS-00-000670

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.

Click on the navigation button (menu) on the top left of the console.

Click on the "Protect Workbench".

Select the arrow on the left-hand side to expand the menu.

Click on "Policies".

Click on "New Policy".

Select "Create".

Provide a name to the policy.

Select "AppLocker" from the Policy Type menu.

Within the policy, ensure the "Blocking" radio button is selected.

In the "Allow" section, ensure the default rules for "All files located in the Program Files Folder" and "All Files located in the Windows folder" are present.

If the Tanium Server is installed in a non-default location, then a rule needs to be created to allow that file path.

All rules need Windows user set to "Everyone".

Save the Policy.

Click on "Add Enforcement".

From the dropdown, select the computer group, which contains the Tanium Server.

Select "enforce".

Check Contents

Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.

Click on the navigation button (menu) on the top left of the console.

Click on the "Protect Workbench".

Select the arrow on the left-hand side to expand the menu.

Click on "Policies".

Click on the Policy with Policy Type named "AppLocker".

If there is no policy type defined for "AppLocker", this is a finding.

Ensure the computer group containing the Tanium server is showing as online and enforced.

If the "AppLocker" policy enforcement does not contain the Tanium Server, then this is a finding.

Under Policy Details ensure the Mode is set to "Blocking".

If Mode is not set to "Blocking", this is a finding.

Under "Policy Details" expand the arrow next to "Everyone".

If all files are allowed, this is a finding.

If additional paths are found, such as %PROGRAMFILES%\", "%WINDIR%" and "?:\Program Files\Tanium Server\", they must be documented.

If additional file paths are found and have not been documented, this is a finding.

If Tanium Protect is not available, this is not applicable.

Vulnerability Number

V-92037

Documentable

False

Rule Version

TANS-00-000670

Severity Override Guidance

Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.

Click on the navigation button (menu) on the top left of the console.

Click on the "Protect Workbench".

Select the arrow on the left-hand side to expand the menu.

Click on "Policies".

Click on the Policy with Policy Type named "AppLocker".

If there is no policy type defined for "AppLocker", this is a finding.

Ensure the computer group containing the Tanium server is showing as online and enforced.

If the "AppLocker" policy enforcement does not contain the Tanium Server, then this is a finding.

Under Policy Details ensure the Mode is set to "Blocking".

If Mode is not set to "Blocking", this is a finding.

Under "Policy Details" expand the arrow next to "Everyone".

If all files are allowed, this is a finding.

If additional paths are found, such as %PROGRAMFILES%\", "%WINDIR%" and "?:\Program Files\Tanium Server\", they must be documented.

If additional file paths are found and have not been documented, this is a finding.

If Tanium Protect is not available, this is not applicable.

Check Content Reference

M

Target Key

3505

Comments