STIGQter: STIG Summary: Tanium 6.5 Security Technical Implementation Guide

Version: 1

Release: 2

Benchmark Date: 28 Oct 2016

| Name | Title |
|---|---|
| SV-81461r1_rule | The Tanium endpoint must have the Tanium Servers public key in its installation. |
| SV-81463r1_rule | Access to Tanium logs on each endpoint must be restricted by permissions. |
| SV-81465r2_rule | The Tanium cryptographic signing capabilities must be enabled on the Tanium Server. |
| SV-81467r1_rule | Firewall rules must be configured on the Tanium Endpoints for Client-to-Server communications. |
| SV-81469r1_rule | Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients. |
| SV-81471r1_rule | The ability to uninstall the Tanium Client service must be disabled on all managed clients. |
| SV-81473r2_rule | The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients. |
| SV-81475r1_rule | Tanium endpoint files must be protected from antivirus actions. |
| SV-81477r1_rule | The Tanium Client - Set Action Lock must be set to OFF during maintenance window timeframes only. |
| SV-81479r1_rule | The Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment. |
| SV-81481r1_rule | The Tanium Client must ensure the authenticity of communications sessions when answering requests from the Tanium Server. |
| SV-81483r1_rule | Tanium endpoint files must be protected from file encryption actions. |
| SV-81485r1_rule | The Tanium Console_ProhibitSavedLogin option must be explicitly enabled to prevent console browsers from saving non-CAC logon information. |
| SV-81487r1_rule | The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions. |
| SV-81489r1_rule | The Tanium Application Server must be configured to only use Microsoft Active Directory for account management functions. |
| SV-81491r1_rule | Computer Groups must be used to restrict console users from affecting changes to unauthorized computers. |
| SV-81493r1_rule | Documentation identifying Tanium console users and their respective User Roles must be maintained. |
| SV-81495r1_rule | Role-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface. |
| SV-81497r1_rule | Tanium console users User Roles must be validated against the documentation for User Roles. |
| SV-81499r1_rule | Documentation identifying Tanium console users and their respective Computer Groups rights must be maintained. |
| SV-81501r1_rule | Tanium console users Computer Group rights must be validated against the documentation for Computer Group rights. |
| SV-81503r2_rule | Common Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with privileged accounts. |
| SV-81505r2_rule | Common Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with non-privileged accounts. |
| SV-81507r2_rule | Common Access Card (CAC)-based authentication must be enforced on the Tanium Server for authentication for local access with privileged accounts. |
| SV-81509r1_rule | Common Access Card (CAC)-based authentication must be enforced on the Tanium Server for authentication for local access with non-privileged accounts. |
| SV-81511r1_rule | Firewall rules must be configured on the Tanium Server for Console-to-Server communications. |
| SV-81513r1_rule | The Tanium SQL database must be installed on a separate system. |
| SV-81515r1_rule | The Tanium SQL server must be dedicated to the Tanium application database. |
| SV-81517r1_rule | The access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database. |
| SV-81519r1_rule | The Tanium Server installers account SQL database permissions must be reduced from sysadmin to db_owner. |
| SV-81521r1_rule | Firewall rules must be configured on the Tanium Server for Server-to-Database communications. |
| SV-81523r1_rule | SQL stored queries or procedures installed during Tanium installation must be removed from the Tanium Server. |
| SV-81525r1_rule | The Tanium Application Server must protect the confidentiality and integrity of transmitted information. |
| SV-81527r1_rule | The Tanium Application Server console must be configured to initiate a session lock after a 15-minute period of inactivity. |
| SV-81529r1_rule | Trusted Content providers must be documented. |
| SV-81531r1_rule | Content providers must provide their public key to the Tanium administrator to import for validating signed content. |
| SV-81533r1_rule | Public keys of content providers must be validated against documented trusted content providers. |
| SV-81535r1_rule | The Tanium Action Approval feature must be enabled for two person integrity when deploying actions to endpoints. |
| SV-81537r1_rule | The Tanium documentation identifying recognized and trusted IOC Detect streams must be maintained. |
| SV-81539r1_rule | The Tanium IOC Detect must be configured to receive IOC streams only from trusted sources. |
| SV-81541r2_rule | The LogFileSize on Tanium Servers must be enabled with a value of 104857600 (100MB) or more. |
| SV-81543r1_rule | The Tanium IOC Detect module must be configured to forward events. |
| SV-81545r1_rule | Tanium Server files must be protected from antivirus actions. |
| SV-81547r1_rule | The Tanium Application Server console must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to The Tanium Application Server. |
| SV-81549r1_rule | The Tanium Application Server console must be configured to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
| SV-81551r1_rule | Tanium Server files must be protected from file encryption actions. |
| SV-81553r2_rule | The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server. |
| SV-81555r1_rule | The Tanium Application Server must protect audit tools from unauthorized access. |
| SV-81557r1_rule | The Tanium Application Server must protect audit tools from unauthorized modification. |
| SV-81559r1_rule | The Tanium Application Server must protect audit tools from unauthorized deletion. |
| SV-81561r1_rule | The Tanium cryptographic signing capabilities must be enabled on the Tanium Server. |
| SV-81563r2_rule | The Tanium Server must be configured to only allow signed content to be imported. |
| SV-81565r1_rule | All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory. |
| SV-81567r1_rule | Firewall rules must be configured on the Tanium Server for Client-to-Server communications. |
| SV-81569r1_rule | Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications. |
| SV-81571r1_rule | The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
| SV-81573r1_rule | The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication. |
| SV-81575r1_rule | The Tanium Server certificate and private/public keys directory must be protected with appropriate permissions. |
| SV-81577r1_rule | Flash must not be installed on the Tanium Server. |
| SV-81579r1_rule | The Tanium Module server must be installed on a separate system. |
| SV-81581r1_rule | The permissions on the Tanium Server directory must be restricted to only the Tanium service account. |
| SV-81583r1_rule | The Tanium Server http directory and sub-directories must be restricted with appropriate permissions. |
| SV-81585r1_rule | The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account. |
| SV-81587r1_rule | The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions. |
| SV-81589r1_rule | All Active Directory accounts synchronized with Tanium must be non-privileged domain accounts. |
| SV-81591r1_rule | A connector must be configured to send log data to offline log collection. |
| SV-81593r1_rule | Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server. |
| SV-81595r1_rule | Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications. |
| SV-81597r1_rule | Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications. |
| SV-81599r1_rule | The Tanium application must authenticate all endpoint devices before allowing a network connection using bidirectional authentication that is cryptographically based. |
| SV-81601r2_rule | The SSLHonorCipherOrder DWORD must be configured to disable weak encryption algorithms on the Tanium Server. |
| SV-81603r1_rule | The Tanium Server certificate must be signed by a DoD Certificate Authority. |
| SV-81605r1_rule | Any configured EMAIL RESULTS connectors must be configured to enable TLS/SSL to encrypt communications. |
| SV-81607r1_rule | The Tanium Server must ensure the authenticity of communications sessions when making requests from Tanium Clients. |
| SV-81609r1_rule | File integrity monitoring of critical executables that Tanium uses must be configured. |