STIGQter: STIG Summary: Tanium 7.3 Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures.

DISA Rule

SV-234047r612749_rule

Vulnerability Number

V-234047

Group Title

SRG-APP-000002

Rule Version

TANS-CN-000001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use the vendor documentation titled "Reference: Smartcard authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM).

Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.

Check Contents

Access the Tanium Server interactively.

Log on to the server with an account that has administrative privileges.

Run regedit as Administrator.

Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server.

Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1".

Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server.

Validate the following keys exist and are configured:
REG_SZ "ClientCertificateAuthField"

For example:
X509v3 Subject Alternative Name.

REG_SZ "ClientCertificateAuthRegex"

For example (DoD):
.*\:\s*([^@]+)@.*
Note: This regex should be valid for any Subject Alternative Name entry; its single capture group yields the user name portion before the "@".

REG_SZ "ClientCertificateAuth"
Note: This registry value defines which certificate file to use for authentication.

For example:
C:\Program Files\Tanium\Tanium Server\dod.pem

REG_SZ "cac_ldap_server_url"

Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt against Active Directory to determine the state of the account that is logging in. It must use the syntax LDAP://<AD instance FQDN>.

If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1", or any of the remaining registry values are missing or not configured, this is a finding.
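One way to script this check, as an added example that is not Tanium's or DISA's own code: an audit run from an elevated PowerShell session on the Tanium Server that reads the registry location named above and reports each condition that would be a finding. It assumes only the key path and value names from the check text. The SAN line used to self-test the regex is constructed, and the certificate-file-exists and LDAP-URL-shape checks are sanity checks beyond the literal STIG wording.

```powershell
# Added example: audit script for TANS-CN-000001 (not Tanium or DISA code).
# Run as Administrator from 64-bit PowerShell so the Wow6432Node path resolves
# as written. Exit code 0 = not a finding, 1 = finding, 2 = key not present.

$TaniumKey = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
$findings  = [System.Collections.Generic.List[string]]::new()

if (-not (Test-Path -LiteralPath $TaniumKey)) {
    Write-Error "Registry key not found: $TaniumKey"
    exit 2
}
$item       = Get-Item -LiteralPath $TaniumKey
$valueNames = $item.GetValueNames()

# 1. ForceSOAPSSLClientCert must exist as REG_DWORD and be 1.
if ($valueNames -notcontains 'ForceSOAPSSLClientCert') {
    $findings.Add('ForceSOAPSSLClientCert is missing')
} elseif ($item.GetValueKind('ForceSOAPSSLClientCert') -ne 'DWord' -or
          $item.GetValue('ForceSOAPSSLClientCert') -ne 1) {
    $findings.Add("ForceSOAPSSLClientCert is '$($item.GetValue('ForceSOAPSSLClientCert'))', expected REG_DWORD 1")
}

# 2. Each REG_SZ value named in the check must exist, be a string, and be non-empty.
$required = 'ClientCertificateAuthField', 'ClientCertificateAuthRegex',
            'ClientCertificateAuth', 'cac_ldap_server_url'
foreach ($name in $required) {
    if ($valueNames -notcontains $name) {
        $findings.Add("$name is missing")
        continue
    }
    if ($item.GetValueKind($name) -ne 'String') {
        $findings.Add("$name is not REG_SZ")
    }
    if ([string]::IsNullOrWhiteSpace([string]$item.GetValue($name))) {
        $findings.Add("$name is empty")
    }
}

# 3. Content sanity checks on whatever was present.
# 3a. The regex must compile and extract one user-name group from a SAN line.
$regex = [string]$item.GetValue('ClientCertificateAuthRegex')
if ($regex) {
    # Constructed SAN line in the text form the DoD example regex expects (not a real certificate).
    $sampleSan = 'X509v3 Subject Alternative Name: othername:<unsupported>, email:1234567890@mil'
    try {
        $m = [regex]::Match($sampleSan, $regex)
        if (-not $m.Success -or $m.Groups.Count -lt 2 -or -not $m.Groups[1].Value) {
            $findings.Add('ClientCertificateAuthRegex did not extract a user name from the sample SAN line')
        } else {
            Write-Output "Regex self-test extracted user name '$($m.Groups[1].Value)' from the sample SAN line"
        }
    } catch {
        $findings.Add("ClientCertificateAuthRegex does not compile: $($_.Exception.Message)")
    }
}

# 3b. The certificate file referenced by ClientCertificateAuth must exist on disk.
$certPath = [string]$item.GetValue('ClientCertificateAuth')
if ($certPath -and -not (Test-Path -LiteralPath $certPath -PathType Leaf)) {
    $findings.Add("ClientCertificateAuth file not found: $certPath")
}

# 3c. The AD URL must follow the LDAP://<AD instance FQDN> form given in the check.
$ldapUrl = [string]$item.GetValue('cac_ldap_server_url')
if ($ldapUrl -and $ldapUrl -notmatch '^LDAP://[A-Za-z0-9.-]+(:\d+)?/?$') {
    $findings.Add("cac_ldap_server_url '$ldapUrl' is not of the form LDAP://<AD instance FQDN>")
}

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'TANS-CN-000001: Not a finding'
    exit 0
}
Write-Output 'TANS-CN-000001: FINDING'
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Any single failed condition is reported, matching the rule that every listed value must be present and configured; the regex self-test only proves the stored pattern captures a user name from a SAN entry of the expected shape, not that it matches the certificates actually issued in a given environment, so confirm it against a real CAC/PIV SAN before relying on it.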

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5259

Comments