STIGQter STIGQter: STIG Summary: Tanium 7.3 Security Technical Implementation Guide

Version: 1

Release: 1 Benchmark Date: 20 Feb 2019

CheckedNameTitle
SV-102135r1_ruleTanium must centrally review and analyze audit records from multiple components within the system.
SV-102137r1_ruleTanium must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
SV-102139r1_ruleTanium must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.
SV-102141r1_ruleThe vulnerability scanning application must implement privileged access authorization to all Tanium information systems and infrastructure components for selected organization-defined vulnerability scanning activities.
SV-102143r1_ruleThe Tanium endpoint must have the Tanium Servers public key in its installation.
SV-102145r1_ruleAccess to Tanium logs on each endpoint must be restricted by permissions.
SV-102147r1_ruleThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.
SV-102149r1_ruleFirewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.
SV-102151r1_ruleControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.
SV-102153r1_ruleThe ability to uninstall the Tanium Client service must be disabled on all managed clients.
SV-102155r1_ruleThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.
SV-102157r1_ruleTanium endpoint files must be excluded from on-access antivirus actions.
SV-102159r1_ruleThe Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.
SV-102161r1_ruleTanium endpoint files must be protected from file encryption actions.
SV-102163r1_ruleThe Tanium application must restrict the ability of individuals to place too much impact upon the network, which might result in a Denial of Service (DoS) event on the network by using RandomSensorDelayInSeconds.
SV-102165r1_ruleTanium endpoint files must be excluded from host-based intrusion prevention intervention.
SV-102167r1_ruleThe Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures.
SV-102169r1_ruleThe Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.
SV-102171r1_ruleThe Tanium Application Server must be configured to only use Microsoft Active Directory for account management functions.
SV-102173r1_ruleTanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.
SV-102175r1_ruleDocumentation identifying Tanium console users, their respective functional roles, and computer groups must be maintained.
SV-102177r1_ruleRole-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.
SV-102179r1_ruleTanium console users User Roles must be validated against the documentation for User Roles.
SV-102181r1_ruleDocumentation identifying Tanium console users and their respective Computer Group rights must be maintained.
SV-102183r1_ruleTanium console users Computer Group rights must be validated against the documentation for Computer Group rights.
SV-102185r1_ruleCommon Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with privileged accounts.
SV-102187r1_ruleFirewall rules must be configured on the Tanium Server for Console-to-Server communications.
SV-102189r1_ruleThe publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
SV-102191r1_ruleTanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-102193r1_ruleFlaw remediation Tanium applications must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SV-102195r1_ruleTanium must notify SA and ISSO when accounts are created.
SV-102197r1_ruleTanium must notify SA and ISSO when accounts are modified.
SV-102199r1_ruleThe Tanium application must notify SA and ISSO of account enabling actions.
SV-102201r1_ruleThe Tanium application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
SV-102203r1_ruleThe Tanium enterprise audit log reduction option must be configured to provide alerts based off Tanium audit data.
SV-102205r1_ruleCommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
SV-102207r1_ruleTanium must notify SA and ISSO for account disabling actions.
SV-102209r1_ruleTanium must notify SA and ISSO for account removal actions.
SV-102211r1_ruleThe Tanium application must prohibit user installation of software without explicit privileged status.
SV-102213r1_ruleDocumentation defining Tanium functional roles must be maintained.
SV-102215r1_ruleThe Tanium database(s) must be installed on a separate system.
SV-102217r1_ruleThe Tanium application database must be dedicated to only the Tanium application.
SV-102219r1_ruleThe access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.
SV-102221r1_ruleThe Tanium Server installers account database permissions must be reduced to an appropriate level.
SV-102223r1_ruleFirewall rules must be configured on the Tanium Server for Server-to-Database communications.
SV-102225r1_ruleSQL stored queries or procedures installed during Tanium installation must be removed from the Tanium Server.
SV-102227r1_ruleThe Tanium Server must protect the confidentiality and integrity of transmitted information, in preparation to be transmitted and data at rest, with cryptographic signing capabilities enabled to protect the authenticity of communications sessions when making requests from Tanium Clients.
SV-102229r1_ruleThe Tanium Application Server console must be configured to initiate a session lock after a 15-minute period of inactivity.
SV-102231r1_ruleTanium Trusted Content providers must be documented.
SV-102233r1_ruleContent providers must provide their public key to the Tanium administrator to import for validating signed content.
SV-102235r1_ruleTanium public keys of content providers must be validated against documented trusted content providers.
SV-102237r1_ruleThe Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.
SV-102239r1_ruleThe Tanium documentation identifying recognized and trusted Intel streams must be maintained.
SV-102241r1_ruleThe Tanium Detect must be configured to receive IOC streams only from trusted sources.
SV-102243r1_ruleThe Tanium Connect module must be configured to forward Tanium Detect events to identified destinations.
SV-102245r1_ruleThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
SV-102247r1_ruleThe Tanium Server must be configured to only allow signed content to be imported.
SV-102249r1_ruleAll installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.
SV-102251r1_ruleFirewall rules must be configured on the Tanium Server for Client-to-Server communications.
SV-102253r1_ruleFirewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.
SV-102255r1_ruleThe Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-102257r1_ruleThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
SV-102259r1_ruleThe Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.
SV-102261r1_ruleThe Tanium Module server must be installed on a separate system.
SV-102263r1_ruleThe Tanium Server directory must be restricted with appropriate permissions.
SV-102265r1_ruleThe Tanium Server http directory and sub-directories must be restricted with appropriate permissions.
SV-102267r1_ruleThe permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.
SV-102269r1_ruleThe Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.
SV-102271r1_ruleAll Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.
SV-102273r1_ruleA Tanium connector must be configured to send log data to an external audit log reduction capable system.
SV-102275r1_ruleFile integrity monitoring of critical executables that Tanium uses must be configured.
SV-102277r1_ruleFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.
SV-102279r1_ruleFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.
SV-102281r1_ruleFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.
SV-102283r1_ruleThe SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.
SV-102285r1_ruleThe Tanium Server certificate must be signed by a DoD Certificate Authority.
SV-102287r1_ruleAny Tanium configured EMAIL RESULTS connectors must be configured to enable TLS/SSL to encrypt communications.
SV-102289r1_ruleTanium Server files must be excluded from on-access antivirus actions.
SV-102291r1_ruleTanium Server files must be protected from file encryption actions.
SV-102293r1_ruleThe SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.
SV-102295r1_ruleThe Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.
SV-102297r1_ruleThe Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.
SV-102299r1_ruleThe Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.
SV-102301r1_ruleThe Tanium documentation identifying recognized and trusted folders for Detect Local Directory Source must be maintained.
SV-102303r1_ruleThe Tanium Detect Local Directory Source must be configured to restrict access to only authorized maintainers of Intel.
SV-102305r1_ruleThe Tanium documentation identifying recognized and trusted SCAP sources must be maintained.
SV-102307r1_ruleThe Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.
SV-102309r1_ruleTanium Comply must be configured to receive SCAP content only from trusted sources.
SV-102311r1_ruleTanium Comply must be configured to receive OVAL feeds only from trusted sources.
SV-102313r1_ruleThe Tanium application must be configured in a High-Availability (HA) setup to ensure minimal loss of data and minimal disruption to mission processes in the event of a system failure.
SV-102315r1_ruleThe bandwidth consumption for the Tanium Application server must be limited.
SV-102317r1_ruleThe Tanium SQL Server RDBMS must be configured with sufficient free space to ensure audit logging is not impacted.
SV-102319r1_ruleThe Tanium application must limit the bandwidth used in communicating with endpoints to prevent a Denial of Service (DoS) condition at the server.
SV-102321r1_ruleThe Tanium Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
SV-102323r1_ruleTanium Server files must be excluded from host-based intrusion prevention intervention.
SV-102325r1_ruleThe Tanium application must set an absolute timeout for sessions.
SV-102327r1_ruleThe Tanium application must set an inactive timeout for sessions.
SV-102329r1_ruleThe Tanium application service must be protected from being stopped by a non-privileged user.
SV-102331r1_ruleThe Tanium web server must be tuned to handle the operational requirements of the hosted application.
SV-102333r1_ruleThe Tanium application, SQL and Module servers must all be configured to communicate using TLS 1.2 Strict Only.
SV-102335r1_ruleThe Tanium application must be configured to communicate using TLS 1.2 Strict Only.
SV-102337r1_ruleThe Tanium application must be configured to communicate using TLS 1.2 Strict Only.