STIGQter: STIG Summary: Tanium 7.0 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 27 July 2018:

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

DISA Rule

SV-93341r1_rule

Vulnerability Number

V-78635

Group Title

SRG-APP-000148

Rule Version

TANS-CN-000027

Severity

CAT II

CCI(s)

• CCI-000056 - The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
• CCI-000166 - The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
• CCI-000187 - The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
• CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
• CCI-000766 - The information system implements multifactor authentication for network access to non-privileged accounts.
• CCI-000768 - The information system implements multifactor authentication for local access to non-privileged accounts.
• CCI-000877 - The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
• CCI-000879 - The organization terminates sessions and network connections when nonlocal maintenance is completed.
• CCI-001133 - The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
• CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
• CCI-001953 - The information system accepts Personal Identity Verification (PIV) credentials.
• CCI-001954 - The information system electronically verifies Personal Identity Verification (PIV) credentials.
• CCI-002009 - The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.
• CCI-002010 - The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
• CCI-002314 - The information system controls remote access methods.
• CCI-002322 - The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.

Weight

10

Fix Recommendation

Use the vendor documentation titled "Reference: Smart card authentication" to implement correct configuration settings for this requirement. If assistance is required, contact the Tanium Technical Account Manager (TAM).

Vendor documentation can be downloaded from the following URL: https://docs.tanium.com/platform_install/platform_install/reference_smart_card_authentication.html.

Check Contents

Access the Tanium Server interactively.

Log on with an account with administrative privileges to the server.

Run regedit as Administrator.

Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server

Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1".

Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server

Validate the following keys exist and are configured:
REG_SZ "ClientCertificateAuthField"

For example:
X509v3 Subject Alternative Name.

REG_SZ "ClientCertificateAuthRegex"

For example-DoD:
.*\:\s*([^@]+)@.*$

Note: This regedit should be valid for any Subject Alternative Name entry.

REG_SZ "ClientCertificateAuth"
Note: This registry value defines which certificate file to use for authentication.

For example:
C:\Program Files\Tanium\Tanium Server\dod.pem

REG_SZ "cac_ldap_server_url"
Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging on. It must use the syntax similar to LDAP://<AD instance FQDN>

If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.

Vulnerability Number

V-78635

Documentable

False

Rule Version

TANS-CN-000027

Severity Override Guidance

Access the Tanium Server interactively.

Log on with an account with administrative privileges to the server.

Run regedit as Administrator.

Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server

Validate the value for REG_DWORD "ForceSOAPSSLClientCert" is set to "1".

Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Wow6432Node >> Tanium >> Tanium Server

Validate the following keys exist and are configured:
REG_SZ "ClientCertificateAuthField"

For example:
X509v3 Subject Alternative Name.

REG_SZ "ClientCertificateAuthRegex"

For example-DoD:
.*\:\s*([^@]+)@.*$

Note: This regedit should be valid for any Subject Alternative Name entry.

REG_SZ "ClientCertificateAuth"
Note: This registry value defines which certificate file to use for authentication.

For example:
C:\Program Files\Tanium\Tanium Server\dod.pem

REG_SZ "cac_ldap_server_url"
Note: This registry value requires that Tanium validate every CAC/PIV authentication attempt with AD to determine the state of the account that is logging on. It must use the syntax similar to LDAP://<AD instance FQDN>

If the value for REG_DWORD "ForceSOAPSSLClientCert" is not set to "1" and the remaining registry values are not configured, this is a finding.

Check Content Reference

M

Target Key

3215

Comments