STIGQter: STIG Summary: Tanium 7.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021: STIGQter: STIG Summary: Tanium 7.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:SV-234033r612749_rule
V-234033
SRG-APP-000386
TANS-00-000670
CAT II
10
Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.
Click on the navigation button (menu) on the top left of the console.
Click on the "Protect Workbench".
Select the arrow on the left-hand side to expand the menu.
Click on "Policies".
Click on "New Policy".
Select "Create".
Provide a name to the policy.
Select "AppLocker" from the Policy Type menu.
Within the policy, ensure the "Blocking" radio button is selected.
In the "Allow" section, ensure the default rules for "All files located in the Program Files Folder" and "All Files located in the Windows folder" are present.
If the Tanium Server is installed in a non-default location, then a rule needs to be created to allow that file path.
All rules need Windows user set to "Everyone".
Save the Policy.
Click on "Add Enforcement".
From the dropdown, select the computer group, which contains the Tanium Server.
Select "enforce".
Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.
Click on the navigation button (menu) on the top left of the console.
Click on the "Protect Workbench".
Select the arrow on the left-hand side to expand the menu.
Click on "Policies".
Click on the Policy with Policy Type named "AppLocker".
If there is no policy type defined for "AppLocker", this is a finding.
Ensure the computer group containing the Tanium server is showing as online and enforced.
If the "AppLocker" policy enforcement does not contain the Tanium Server, then this is a finding.
Under Policy Details ensure the Mode is set to "Blocking".
If Mode is not set to "Blocking", this is a finding.
Under "Policy Details" expand the arrow next to "Everyone".
If all files are allowed, this is a finding.
If additional paths are found, such as %PROGRAMFILES%\", "%WINDIR%" and "?:\Program Files\Tanium Server\", they must be documented.
If additional file paths are found and have not been documented, this is a finding.
If Tanium Protect is not available, this is not applicable.
V-234033
False
TANS-00-000670
Using a web browser on a system, which has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.
Click on the navigation button (menu) on the top left of the console.
Click on the "Protect Workbench".
Select the arrow on the left-hand side to expand the menu.
Click on "Policies".
Click on the Policy with Policy Type named "AppLocker".
If there is no policy type defined for "AppLocker", this is a finding.
Ensure the computer group containing the Tanium server is showing as online and enforced.
If the "AppLocker" policy enforcement does not contain the Tanium Server, then this is a finding.
Under Policy Details ensure the Mode is set to "Blocking".
If Mode is not set to "Blocking", this is a finding.
Under "Policy Details" expand the arrow next to "Everyone".
If all files are allowed, this is a finding.
If additional paths are found, such as %PROGRAMFILES%\", "%WINDIR%" and "?:\Program Files\Tanium Server\", they must be documented.
If additional file paths are found and have not been documented, this is a finding.
If Tanium Protect is not available, this is not applicable.
M
5259