STIGQter STIGQter: STIG Summary: Tanium 7.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.

DISA Rule

SV-234039r612749_rule

Vulnerability Number

V-234039

Group Title

SRG-APP-000328

Rule Version

TANS-CL-000005

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI).

Log on with CAC.

From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions".

The results will show a "Count" of clients matching the "Service Control is set to default permissions" query.

Select the result line for "Service Control is set to default permissions".

Choose "Deploy Action".

Deployment Package drop-down select "Client Service Hardening - Allow Only Local SYSTEM to Control Service".

Configure the schedule to repeat at least every hour for the requested action.

Under "Targeting Criteria", in the Action Group, select "All Computers" from the drop-down.

Click on "Show preview to continue".

Non-compliant systems will be displayed at the bottom.

Click on "Deploy Action".

Verify settings.

Click on "Show Client Status Details".

Check Contents

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI).

Log on with CAC.

Click on the navigation button (hamburger menu) on the top left of the console.

Click on "Administration".

Select the "Scheduled Actions" tab.

Look for a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service".

If a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service" does not exist, this is a finding.

If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding.

If the scheduled action exists and has been approved but does not restrict control of the Tanium Client service to Allow Only Local SYSTEM to Control Service, this is a finding.

If the action is not configured to repeat at least every hour, this is a finding.

If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Vulnerability Number

V-234039

Documentable

False

Rule Version

TANS-CL-000005

Severity Override Guidance

Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI).

Log on with CAC.

Click on the navigation button (hamburger menu) on the top left of the console.

Click on "Administration".

Select the "Scheduled Actions" tab.

Look for a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service".

If a scheduled action titled "Client Service Hardening - Allow Only Local SYSTEM to Control Service" does not exist, this is a finding.

If the scheduled action exists, select it and if it is not approved (the "Approve" button at the top of the section will be displayed if not approved), this is a finding.

If the scheduled action exists and has been approved but does not restrict control of the Tanium Client service to Allow Only Local SYSTEM to Control Service, this is a finding.

If the action is not configured to repeat at least every hour, this is a finding.

If the scheduled action is not targeted at an "All Computers" Action Group, this is a finding.

Check Content Reference

M

Target Key

5259

Comments