STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 4 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Tanium 7.0 Security Technical Implementation Guide

Version

V1R3

Release Date

Feb 11, 2025

SCAP Benchmark ID

Tanium_7.0_STIG

Total Checks

132

Tags

other

CAT I: 4CAT II: 128CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (132)

V-240976MEDIUMThe Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.V-240977MEDIUMAccess to Tanium logs on each endpoint must be restricted by permissions.V-240978MEDIUMThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.V-240979MEDIUMFirewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.V-240980MEDIUMControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.V-240981MEDIUMThe ability to uninstall the Tanium Client service must be disabled on all managed clients.V-240982MEDIUMThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.V-240983MEDIUMTanium endpoint files must be excluded from on-access antivirus actions.V-240984MEDIUMThe Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.V-240985MEDIUMTanium endpoint files must be protected from file encryption actions.V-240986MEDIUMTanium must restrict the ability of individuals to place too much impact upon the network, which might result in a denial-of-service (DoS) event on the network by using RandomSensorDelayInSeconds.V-240987MEDIUMTanium endpoint files must be excluded from host-based intrusion prevention intervention.V-240988MEDIUMThe Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.V-240989MEDIUMThe Tanium Server must be configured to only use Microsoft Active Directory for account management functions.V-240990MEDIUMTanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.V-240991MEDIUMDocumentation identifying Tanium console users and their respective User Roles must be maintained.V-240992HIGHRole-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.V-240993MEDIUMTanium console users User Roles must be validated against the documentation for User Roles.V-240994MEDIUMDocumentation identifying Tanium console users and their respective Computer Group rights must be maintained.V-240995MEDIUMTanium console users Computer Group rights must be validated against the documentation for Computer Group rights.V-240996HIGHCommon Access Card (CAC)-based authentication must be enforced and enabled on the Tanium Server for network and local access with privileged and non-privileged accounts.V-240997MEDIUMFirewall rules must be configured on the Tanium Server for Console-to-Server communications.V-240998MEDIUMThe publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.V-240999MEDIUMTanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.V-241000MEDIUMFlaw remediation Tanium applications must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).V-241001MEDIUMTanium must notify system administrators and ISSO when accounts are created.V-241002MEDIUMTanium must notify system administrators and ISSO when accounts are modified.V-241003MEDIUMTanium must notify the SA and ISSO of account enabling actions.V-241004MEDIUMTanium must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.V-241005MEDIUMCommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.V-241006MEDIUMTanium must notify System Administrators and Information System Security Officers for account disabling actions.V-241007MEDIUMTanium must notify System Administrators and Information System Security Officers for account removal actions.V-241008MEDIUMTanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration.V-241009MEDIUMTanium must provide the capability to centrally review and analyze audit records from multiple components within the system.V-241010MEDIUMThe Tanium SQL database must be installed on a separate system.V-241011MEDIUMThe Tanium SQL server must be dedicated to the Tanium database.V-241012MEDIUMThe access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.V-241013MEDIUMThe Tanium Server installers account SQL database permissions must be reduced from sysadmin to db_owner.V-241014MEDIUMFirewall rules must be configured on the Tanium Server for Server-to-Database communications.V-241015MEDIUMSQL stored queries or procedures installed during Tanium installation must be removed from the Tanium Server.V-241016MEDIUMThe Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.V-241017MEDIUMThe Tanium Server console must be configured to initiate a session lock after a 15-minute period of inactivity.V-241018MEDIUMTanium Trusted Content providers must be documented.V-241019MEDIUMContent providers must provide their public key to the Tanium administrator to import for validating signed content.V-241020MEDIUMTanium public keys of content providers must be validated against documented trusted content providers.V-241021MEDIUMThe Tanium Action Approval feature must be enabled for two person integrity when deploying actions to endpoints.V-241022MEDIUMThe Tanium documentation identifying recognized and trusted IOC Detect streams must be maintained.V-241023MEDIUMThe Tanium IOC Detect must be configured to receive IOC streams only from trusted sources.V-241024MEDIUMThe Tanium Connect module must be configured to forward Tanium IOC Detect events to identified destinations.V-241025MEDIUMThe Tanium Server must protect audit tools from unauthorized access, modification, or deletion.V-241026MEDIUMThe Tanium Server must be configured to only allow signed content to be imported.V-241027MEDIUMAll installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.V-241028MEDIUMFirewall rules must be configured on the Tanium Server for Client-to-Server communications.V-241029MEDIUMFirewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.V-241030MEDIUMThe Tanium Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.V-241031MEDIUMThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.V-241032HIGHThe Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.V-241033MEDIUMThe Tanium Module server must be installed on a separate system.V-241034MEDIUMThe Tanium Server directory must be restricted with appropriate permissions.V-241035MEDIUMThe Tanium Server http directory and sub-directories must be restricted with appropriate permissions.V-241036MEDIUMThe permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.V-241037MEDIUMThe Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.V-241038MEDIUMAll Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.V-241039MEDIUMA Tanium connector must be configured to send log data to an external audit log reduction-capable system and provide alerts.V-241040MEDIUMFile integrity monitoring of critical executables that Tanium uses must be configured.V-241041MEDIUMFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.V-241042MEDIUMFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.V-241043MEDIUMFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.V-241044MEDIUMThe SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.V-241045MEDIUMThe Tanium Server certificate must be signed by a DoD Certificate Authority.V-241046MEDIUMAny Tanium configured EMAIL RESULTS connectors must be configured to enable TLS/SSL to encrypt communications.V-241047MEDIUMTanium Server files must be excluded from on-access antivirus actions.V-241048MEDIUMThe Tanium Server console must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to The Tanium Server.V-241049MEDIUMThe Tanium Server console must be configured to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.V-241050MEDIUMTanium Server files must be protected from file encryption actions.V-241051MEDIUMThe SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.V-241052MEDIUMThe Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.V-241053MEDIUMThe Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.V-241054MEDIUMThe Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.V-241055MEDIUMThe Tanium documentation identifying recognized and trusted folders for IOC Detect Folder streams must be maintained.V-241056MEDIUMThe Tanium IOC Detect Folder streams must be configured to restrict access to only authorized maintainers of IOCs.V-241057MEDIUMThe Tanium documentation identifying recognized and trusted SCAP feeds must be maintained.V-241058MEDIUMThe Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.V-241059MEDIUMTanium Comply must be configured to receive SCAP feeds only from trusted sources.V-241060MEDIUMTanium Comply must be configured to receive OVAL feeds only from trusted sources.V-241061MEDIUMTanium must be configured in a High-Availability (HA) setup to ensure minimal loss of data and minimal disruption to mission processes in the event of a system failure.V-241062MEDIUMThe bandwidth consumption for the Tanium Server must be limited.V-241063MEDIUMThe Tanium SQL Server RDBMS must be configured with sufficient free space to ensure audit logging is not impacted.V-241064MEDIUMTanium must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.V-241065HIGHTanium Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).V-241066MEDIUMTanium Server files must be excluded from host-based intrusion prevention intervention.V-241067MEDIUMTanium must set an absolute timeout for sessions.V-241068MEDIUMTanium must set an inactive timeout for sessions.V-241069MEDIUMTanium service must be protected from being stopped by a non-privileged user.V-241070MEDIUMThe Tanium web server must be tuned to handle the operational requirements of the hosted application.V-241071MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241072MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241073MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241074MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241075MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241076MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241077MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241078MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241079MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241080MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241081MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241082MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241083MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241084MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241085MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241086MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241087MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241088MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241089MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241090MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241091MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241092MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241093MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241094MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241095MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241096MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241097MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241098MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241099MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241100MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241101MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241102MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241103MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241104MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241105MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241106MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.V-241107MEDIUMTanium must be configured to communicate using TLS 1.2 Strict Only.