| V-253779 | | The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis. | Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond... |
| V-253780 | | The application must, at a minimum, offload interconnected systems in real time and offload standalone systems weekly. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sy... |
| V-253781 | | Tanium Client processes must be excluded from On-Access scan. | Similar to any other host-based applications, the Tanium Client is subject to the restrictions other system-level software may place on an operating e... |
| V-253782 | | The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-253783 | | The Tanium application must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users). | Lack of authentication and identification enables nonorganizational users to gain access to the application or possibly other information systems and ... |
| V-253784 | | The Tanium application must separate user functionality (including user interface services) from information system management functionality. | Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users... |
| V-253785 | | The Tanium Server and Client applications must have logging enabled. | Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure s... |
| V-253786 | | The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined denial-of-service (DoS) attacks against other information systems. | The Tanium Action Approval feature provides a two-person integrity control mechanism designed to achieve a high level of security and reduce the possi... |
| V-253787 | | The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-253788 | | The Tanium application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure... |
| V-253789 | | The Tanium application must reveal error messages only to the information system security officer (ISSO), information system security manager (ISSM), and system administrator (SA). | Only authorized personnel must be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational stat... |
| V-253791 | | The Tanium application must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | To ensure applications have a sufficient storage capacity in which to write the audit logs, applications must be able to allocate audit record storage... |
| V-253792 | | The Tanium application must offload audit records onto a different system or media than the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sy... |
| V-253793 | | The Tanium application must provide an immediate warning to the system administrator and information system security officer (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansio... |
| V-253794 | | The Tanium application must provide an immediate real-time alert to the system administrator and information system security officer, at a minimum, of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-253795 | | The Tanium application must prohibit user installation of software without explicit privileged status. | Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be inst... |
| V-253796 | | The application must enforce access restrictions associated with changes to application configuration. | Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall securi... |
| V-253797 | | The application must employ a deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software programs. | Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software d... |
| V-253798 | | The Tanium application must accept Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support id... |
| V-253799 | | The Tanium application must electronically verify Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support id... |
| V-253800 | | The Tanium application must accept Personal Identity Verification (PIV) credentials from other federal agencies. | Access may be denied to authorized users if federal agency PIV credentials are not accepted. PIV credentials are issued by federal agencies and conf... |
| V-253801 | | The Tanium application must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere... |
| V-253802 | | Tanium must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B. | When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respon... |
| V-253803 | | Tanium Server processes must be excluded from On-Access scan. | Similar to any other host-based applications, the Tanium Server is subject to the restrictions other system-level software may place on an operating e... |
| V-253804 | | The Tanium application must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-253805 | | The Tanium endpoint must have the Tanium Server's pki.db in its installation. | Without cryptographic integrity protections in the Tanium Client, information could be altered by unauthorized users without detection. Cryptographic... |
| V-253806 | | Access to Tanium logs on each endpoint must be restricted by permissions. | For the Tanium Client software to run without impact from external negligent or malicious changes, the permissions on the Tanium log files and their d... |
| V-253807 | | The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server. | All of Tanium's signing capabilities must be enabled upon install. Tanium supports the cryptographic signing and verification before execution of all ... |
| V-253808 | | Firewall rules must be configured on the Tanium endpoints for client-to-server communications. | In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed comput... |
| V-253809 | | Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients. | The reliability of the Tanium client's ability to operate depends on controlling access to the Tanium client service. By restricting access to SYSTEM ... |
| V-253810 | | The ability to uninstall the Tanium Client service must be disabled on all managed clients. | By default, end users have the ability to uninstall software on their clients. In the event the Tanium Client software is uninstalled, the Tanium Serv... |
| V-253811 | | The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients. | By restricting access to the Tanium Client directory on managed clients, the Tanium client's ability to operate and function as designed will be prote... |
| V-253812 | | Tanium Client directory and subsequent files must be excluded from On-Access scan. | Similar to any other host-based applications, the Tanium Client is subject to the restrictions other system-level software may place on an operating e... |
| V-253813 | | Tanium endpoint files must be excluded from host-based intrusion prevention system (HIPS) intervention. | Similar to any other host-based applications, the Tanium Client is subject to the restrictions other system-level software may place on an operating e... |
| V-253814 | | The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures. | Unattended systems are susceptible to unauthorized use and should be locked when unattended. This protects critical and sensitive data from exposure t... |
| V-253815 | | The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions. | By restricting access to the Tanium Server to only Microsoft Active Directory, user accounts and related permissions can be strictly monitored. Accoun... |
| V-253816 | | The Tanium Application Server must be configured to only use LDAP for account management functions. | Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk o... |
| V-253817 | | Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers. | Computer Groups allow a site running Tanium to assign responsibility of specific Computer Groups to specific Tanium console users. By doing so, a desk... |
| V-253818 | | Documentation identifying Tanium console users, their respective User Groups, Computer Groups, and Roles must be maintained. | System access should be reviewed periodically to verify that all Tanium users are assigned the appropriate functional role, with the least privileged ... |
| V-253819 | | The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined in the environment's system documentation. | It is important for information system owners to document authorized User Groups for the Tanium application to avoid unauthorized access to systems. M... |
| V-253820 | | Documentation identifying Tanium console users and their respective Computer Group rights must be maintained. | System access should be reviewed periodically to verify all Tanium users are assigned the appropriate computer groups, with the least privileged acces... |
| V-253822 | | Firewall rules must be configured on the Tanium Server for Console-to-Server communications. | An HTML5-based application, the Tanium Console runs from any device with a browser that supports HTML5. For security, the HTTP and SOAP communication ... |
| V-253823 | | The publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. | Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security not... |
| V-253824 | | The Tanium application must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-253825 | | Tanium must notify system administrator and information system security officer (ISSO) when accounts are created. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way t... |
| V-253826 | | Tanium must notify system administrators and the information system security officer (ISSO) when accounts are modified. | When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the ... |
| V-253827 | | Tanium must notify the system administrator and information system security officer (ISSO) of account enabling actions. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to ... |
| V-253828 | | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-253829 | | Tanium must notify system administrators and the information system security officer (ISSO) for account disabling actions. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the ... |
| V-253830 | | Tanium must notify system administrators and the information system security officer (ISSO) for account removal actions. | When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application ... |
| V-253831 | | The Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status. | Allowing regular users to install, modify, or delete software, without explicit privileges, creates the risk that the application performs in a manner... |
| V-253832 | | The Tanium database(s) must be installed on a separate system. | Failure to protect organizational information from data mining may result in a compromise of information. Data storage objects include, for example, ... |
| V-253833 | | The Tanium application database must be dedicated to only the Tanium application. | Failure to protect organizational information from data mining may result in a compromise of information. Data storage objects include, for example, ... |
| V-253834 | | The access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database. | After the Tanium Server has been installed and the Tanium databases created, only the Tanium Server needs to access the SQL Server database.... |
| V-253835 | | The Tanium Server installer's account database permissions must be reduced to an appropriate level. | Creating the "tanium" and "tanium_archive" databases through the Tanium Server installer program or using the database to create SQL scripts requires ... |
| V-253836 | | Firewall rules must be configured on the Tanium Server for server-to-database communications. | The Tanium Server can use either a SQL Server relational database management system (RDBMS) installed locally to the same device as the Tanium Server ... |
| V-253837 | | The Tanium Application Server console must be configured to initiate a session lock after a 15-minute period of inactivity. | When multifactor authentication is enabled, the Tanium Console will initiate a session lock based on the ActivClient or other smartcard software. By... |
| V-253838 | | Tanium Trusted Content providers must be documented. | A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed ... |
| V-253839 | | Content providers must provide their public key to the Tanium administrator to import for validating signed content. | A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed ... |
| V-253840 | | Tanium public keys of content providers must be validated against documented trusted content providers. | A Tanium Sensor, also called content, enables an organization to gather real-time inventory, configuration, and compliance data elements from managed ... |
| V-253841 | | The Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints. | The Tanium Action Approval feature provides a two-person integrity control mechanism designed to achieve a high level of security and reduce the possi... |
| V-253842 | | The Tanium documentation identifying recognized and trusted indicator of compromise (IOC) streams must be maintained. | Using trusted and recognized IOC sources may detect compromise and prevent systems from becoming compromised. An IOC stream is a series or stream of I... |
| V-253843 | | Tanium Threat Response must be configured to receive IOC streams only from trusted sources. | Using trusted and recognized IOC sources may detect compromise and prevent systems from becoming compromised. An IOC stream is a series or stream of i... |
| V-253844 | | The Tanium applications must be configured to filter audit records for events of interest based on organization-defined criteria. | The ability to specify the event criteria that are of interest enables those reviewing the logs to quickly isolate and identify these events without h... |
| V-253845 | | The Tanium cryptographic signing capabilities must be enabled on the Tanium Server. | All of Tanium's signing capabilities must be enabled upon install. Tanium supports the cryptographic signing and verification before execution of all ... |
| V-253846 | | The Tanium Server must be configured to allow only signed content to be imported. | Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been di... |
| V-253847 | | All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory. | Typically, the Tanium Server stores the Package Source Files that it downloads from the internet and server shares or files uploaded through the Taniu... |
| V-253848 | | Firewall rules must be configured on the Tanium Server for client-to-server communications. | In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed comput... |
| V-253849 | | Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications. | In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The com... |
| V-253850 | | The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM Category Assurance List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-253851 | | The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication. | Restricting this setting limits the user's ability to change their password. Passwords must be changed at specific policy-based intervals; however, if... |
| V-253852 | | The Tanium Server directory must be restricted with appropriate permissions. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-253853 | | The Tanium Server http directory and subdirectories must be restricted with appropriate permissions. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-253854 | | The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-253855 | | The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-253856 | | Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server. | The Tanium Module Server is used to extend the functionality of Tanium through the use of various workbenches. The Tanium Module Server requires commu... |
| V-253857 | | Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications. | The Tanium Module Server is used to extend the functionality of Tanium through the use of various workbenches. The Tanium Module Server requires commu... |
| V-253858 | | Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications. | If using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core netwo... |
| V-253859 | | The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographi... |
| V-253860 | | The Tanium Server certificate must be signed by a DoD certificate authority (CA). | The Tanium Server has the option to use a "self-signed" certificate or a trusted CA signed certificate for SSL connections. During evaluations of Tani... |
| V-253861 | | Tanium Server directory and subsequent files must be excluded from On-Access scan. | Similar to any other host-based applications, the Tanium Server is subject to the restrictions other system-level software may place on an operating e... |
| V-253862 | | The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographi... |
| V-253863 | | The Tanium "max_soap_sessions_total" setting must be explicitly enabled to limit the number of simultaneous sessions. | Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allow... |
| V-253864 | | The Tanium "max_soap_sessions_per_user" setting must be explicitly enabled to limit the number of simultaneous sessions. | Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allow... |
| V-253865 | | The Tanium documentation identifying recognized and trusted folders for Threat Response Local Directory Source must be maintained. | Using trusted and recognized indicator of compromise (IOC) sources may detect and prevent systems from becoming compromised. An IOC stream is a series... |
| V-253866 | | The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of threat intel. | Using trusted and recognized indicator of compromise (IOC) sources may detect and prevent systems from becoming compromised. An IOC stream is a series... |
| V-253867 | | The Tanium documentation identifying recognized and trusted Security Content Automation Protocol (SCAP) sources must be maintained. | SCAP XML documents validated by the National Institute of Standards and Technology (NIST) are provided from several possible sources such as DISA, NIS... |
| V-253868 | | The Tanium documentation identifying recognized and trusted Open Vulnerability and Assessment Language (OVAL) feeds must be maintained. | OVAL XML documents are provided from several possible sources such as the Community Intercomparison Suite (CIS) open-source repository and vendor/thir... |
| V-253869 | | Tanium Comply must be configured to receive Security Content Automation Protocol (SCAP) content only from trusted sources. | SCAP XML documents validated by the National Institute of Standards and Technology (NIST) are provided from several possible sources such as DISA, NIS... |
| V-253870 | | Tanium Comply must be configured to receive Open Vulnerability and Assessment Language (OVAL) feeds only from trusted sources. | OVAL XML documents are provided from several possible sources such as the Community Intercomparison Suite (CIS) open-source repository and vendor/thir... |
| V-253871 | | The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-253872 | | Tanium Server files must be excluded from host-based intrusion prevention intervention. | Similar to any other host-based applications, the Tanium Server is subject to the restrictions other system-level software may place on an operating e... |
| V-253873 | | The Tanium application must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-253874 | | The Tanium application service must be protected from being stopped by a nonprivileged user. | Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accompl... |
| V-253821 | | Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts. | The Tanium application must be configured to use multifactor authentication. Without the use of multifactor authentication, the ease of access to priv... |
| V-253875 | | The Tanium Application, SQL, and Module servers must all be configured to communicate using TLS 1.2 Strict Only. | Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information that would otherwi... |
| V-253876 | | The SchUseStrongCrypto registry value must be set. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |
| V-253877 | | The SSLCipherSuite registry value must be set. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |