STIGQter STIGQter: STIG Summary: Tanium 7.0 Security Technical Implementation Guide

Version: 1

Release: 2 Benchmark Date: 27 July 2018

CheckedNameTitle
SV-93283r1_ruleThe Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.
SV-93285r1_ruleAccess to Tanium logs on each endpoint must be restricted by permissions.
SV-93287r1_ruleThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.
SV-93289r1_ruleFirewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.
SV-93291r1_ruleControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.
SV-93293r1_ruleThe ability to uninstall the Tanium Client service must be disabled on all managed clients.
SV-93295r1_ruleThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.
SV-93297r1_ruleTanium endpoint files must be excluded from on-access antivirus actions.
SV-93299r1_ruleThe Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.
SV-93301r1_ruleTanium endpoint files must be protected from file encryption actions.
SV-93303r1_ruleTanium must restrict the ability of individuals to place too much impact upon the network, which might result in a denial-of-service (DoS) event on the network by using RandomSensorDelayInSeconds.
SV-93305r1_ruleTanium endpoint files must be excluded from host-based intrusion prevention intervention.
SV-93307r1_ruleThe Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.
SV-93309r1_ruleThe Tanium Server must be configured to only use Microsoft Active Directory for account management functions.
SV-93311r1_ruleTanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.
SV-93313r1_ruleDocumentation identifying Tanium console users and their respective User Roles must be maintained.
SV-93315r1_ruleRole-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.
SV-93317r1_ruleTanium console users User Roles must be validated against the documentation for User Roles.
SV-93319r1_ruleDocumentation identifying Tanium console users and their respective Computer Group rights must be maintained.
SV-93321r1_ruleTanium console users Computer Group rights must be validated against the documentation for Computer Group rights.
SV-93323r1_ruleCommon Access Card (CAC)-based authentication must be enforced and enabled on the Tanium Server for network and local access with privileged and non-privileged accounts.
SV-93325r1_ruleFirewall rules must be configured on the Tanium Server for Console-to-Server communications.
SV-93327r1_ruleThe publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
SV-93329r1_ruleTanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-93331r1_ruleFlaw remediation Tanium applications must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SV-93333r1_ruleTanium must notify system administrators and ISSO when accounts are created.
SV-93335r1_ruleTanium must notify system administrators and ISSO when accounts are modified.
SV-93337r1_ruleTanium must notify the SA and ISSO of account enabling actions.
SV-93339r1_ruleTanium must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
SV-93341r1_ruleCommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
SV-93343r1_ruleTanium must notify System Administrators and Information System Security Officers for account disabling actions.
SV-93345r1_ruleTanium must notify System Administrators and Information System Security Officers for account removal actions.
SV-93347r1_ruleTanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration.
SV-93349r1_ruleTanium must provide the capability to centrally review and analyze audit records from multiple components within the system.
SV-93351r1_ruleThe Tanium SQL database must be installed on a separate system.
SV-93353r1_ruleThe Tanium SQL server must be dedicated to the Tanium database.
SV-93355r1_ruleThe access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.
SV-93357r1_ruleThe Tanium Server installers account SQL database permissions must be reduced from sysadmin to db_owner.
SV-93359r1_ruleFirewall rules must be configured on the Tanium Server for Server-to-Database communications.
SV-93361r1_ruleSQL stored queries or procedures installed during Tanium installation must be removed from the Tanium Server.
SV-93363r1_ruleThe Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.
SV-93365r1_ruleThe Tanium Server console must be configured to initiate a session lock after a 15-minute period of inactivity.
SV-93367r1_ruleTanium Trusted Content providers must be documented.
SV-93369r1_ruleContent providers must provide their public key to the Tanium administrator to import for validating signed content.
SV-93371r1_ruleTanium public keys of content providers must be validated against documented trusted content providers.
SV-93373r1_ruleThe Tanium Action Approval feature must be enabled for two person integrity when deploying actions to endpoints.
SV-93375r1_ruleThe Tanium documentation identifying recognized and trusted IOC Detect streams must be maintained.
SV-93377r1_ruleThe Tanium IOC Detect must be configured to receive IOC streams only from trusted sources.
SV-93379r1_ruleThe Tanium Connect module must be configured to forward Tanium IOC Detect events to identified destinations.
SV-93381r1_ruleThe Tanium Server must protect audit tools from unauthorized access, modification, or deletion.
SV-93383r1_ruleThe Tanium Server must be configured to only allow signed content to be imported.
SV-93385r2_ruleAll installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.
SV-93387r1_ruleFirewall rules must be configured on the Tanium Server for Client-to-Server communications.
SV-93389r1_ruleFirewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.
SV-93391r1_ruleThe Tanium Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-93393r1_ruleThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
SV-93395r1_ruleThe Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.
SV-93397r1_ruleThe Tanium Module server must be installed on a separate system.
SV-93399r1_ruleThe Tanium Server directory must be restricted with appropriate permissions.
SV-93401r1_ruleThe Tanium Server http directory and sub-directories must be restricted with appropriate permissions.
SV-93403r1_ruleThe permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.
SV-93405r1_ruleThe Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.
SV-93407r1_ruleAll Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.
SV-93409r1_ruleA Tanium connector must be configured to send log data to an external audit log reduction-capable system and provide alerts.
SV-93411r1_ruleFile integrity monitoring of critical executables that Tanium uses must be configured.
SV-93413r1_ruleFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.
SV-93415r1_ruleFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.
SV-93417r1_ruleFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.
SV-93419r1_ruleThe SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.
SV-93421r1_ruleThe Tanium Server certificate must be signed by a DoD Certificate Authority.
SV-93423r1_ruleAny Tanium configured EMAIL RESULTS connectors must be configured to enable TLS/SSL to encrypt communications.
SV-93425r1_ruleTanium Server files must be excluded from on-access antivirus actions.
SV-93427r1_ruleThe Tanium Server console must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to The Tanium Server.
SV-93429r1_ruleThe Tanium Server console must be configured to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
SV-93431r1_ruleTanium Server files must be protected from file encryption actions.
SV-93433r1_ruleThe Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.
SV-93435r1_ruleThe Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.
SV-93437r1_ruleThe Tanium documentation identifying recognized and trusted folders for IOC Detect Folder streams must be maintained.
SV-93439r1_ruleThe Tanium IOC Detect Folder streams must be configured to restrict access to only authorized maintainers of IOCs.
SV-93441r1_ruleThe Tanium documentation identifying recognized and trusted SCAP feeds must be maintained.
SV-93443r1_ruleThe Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.
SV-93445r1_ruleTanium Comply must be configured to receive SCAP feeds only from trusted sources.
SV-93447r1_ruleTanium Comply must be configured to receive OVAL feeds only from trusted sources.
SV-93449r1_ruleTanium must be configured in a High-Availability (HA) setup to ensure minimal loss of data and minimal disruption to mission processes in the event of a system failure.
SV-93451r1_ruleThe bandwidth consumption for the Tanium Server must be limited.
SV-93453r1_ruleThe Tanium SQL Server RDBMS must be configured with sufficient free space to ensure audit logging is not impacted.
SV-93455r1_ruleTanium must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
SV-93457r1_ruleTanium Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
SV-93459r1_ruleTanium Server files must be excluded from host-based intrusion prevention intervention.
SV-93461r1_ruleTanium must set an absolute timeout for sessions.
SV-93463r1_ruleTanium must set an inactive timeout for sessions.
SV-93465r1_ruleTanium service must be protected from being stopped by a non-privileged user.
SV-93467r1_ruleThe Tanium web server must be tuned to handle the operational requirements of the hosted application.
SV-93469r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93471r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93473r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93475r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93477r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93479r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93481r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93483r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93485r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93487r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93489r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93491r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93493r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93495r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93497r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93499r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93501r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93503r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93505r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93507r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93509r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93511r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93513r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93515r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93517r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93519r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93521r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93523r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93525r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93527r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93529r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93531r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93533r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93535r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93537r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93539r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93541r1_ruleTanium must be configured to communicate using TLS 1.2 Strict Only.
SV-93543r1_ruleThe Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.
SV-93545r1_ruleThe SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.