STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 4 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Tanium 7.3 Security Technical Implementation Guide

Version

V2R3

Release Date

Feb 11, 2025

SCAP Benchmark ID

Tanium_7.3_STIG

Total Checks

102

Tags

other

CAT I: 4CAT II: 98CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (102)

V-234031MEDIUMTanium must centrally review and analyze audit records from multiple components within the system.V-234032MEDIUMTanium must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.V-234033MEDIUMTanium must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.V-234034MEDIUMThe vulnerability scanning application must implement privileged access authorization to all Tanium information systems and infrastructure components for selected organization-defined vulnerability scanning activities.V-234035MEDIUMThe Tanium endpoint must have the Tanium Servers public key in its installation.V-234036MEDIUMAccess to Tanium logs on each endpoint must be restricted by permissions.V-234037MEDIUMThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.V-234038MEDIUMFirewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.V-234039MEDIUMControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.V-234040MEDIUMThe ability to uninstall the Tanium Client service must be disabled on all managed clients.V-234041MEDIUMThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.V-234042MEDIUMTanium endpoint files must be excluded from on-access antivirus actions.V-234043MEDIUMThe Tanium Client Deployment Tool (CDT) must not be configured to use the psexec method of deployment.V-234044MEDIUMTanium endpoint files must be protected from file encryption actions.V-234045MEDIUMThe Tanium application must restrict the ability of individuals to place too much impact upon the network, which might result in a Denial of Service (DoS) event on the network by using RandomSensorDelayInSeconds.V-234046MEDIUMTanium endpoint files must be excluded from host-based intrusion prevention intervention.V-234047MEDIUMThe Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures.V-234048MEDIUMThe Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.V-234049MEDIUMThe Tanium Application Server must be configured to only use Microsoft Active Directory for account management functions.V-234050MEDIUMTanium Computer Groups must be used to restrict console users from affecting changes to unauthorized computers.V-234051MEDIUMDocumentation identifying Tanium console users, their respective functional roles, and computer groups must be maintained.V-234052HIGHRole-based system access must be configured to least privileged access to Tanium Server functions through the Tanium interface.V-234053MEDIUMTanium console users User Roles must be validated against the documentation for User Roles.V-234054MEDIUMDocumentation identifying Tanium console users and their respective Computer Group rights must be maintained.V-234055MEDIUMTanium console users Computer Group rights must be validated against the documentation for Computer Group rights.V-234056HIGHCommon Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with privileged accounts.V-234057MEDIUMFirewall rules must be configured on the Tanium Server for Console-to-Server communications.V-234058MEDIUMThe publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.V-234059MEDIUMTanium must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.V-234060MEDIUMFlaw remediation Tanium applications must employ automated mechanisms to determine the state of information system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).V-234061MEDIUMTanium must notify SA and ISSO when accounts are created.V-234062MEDIUMTanium must notify SA and ISSO when accounts are modified.V-234063MEDIUMThe Tanium application must notify SA and ISSO of account enabling actions.V-234064MEDIUMThe Tanium application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.V-234065MEDIUMThe Tanium enterprise audit log reduction option must be configured to provide alerts based off Tanium audit data.V-234066MEDIUMCommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.V-234067MEDIUMTanium must notify SA and ISSO for account disabling actions.V-234068MEDIUMTanium must notify SA and ISSO for account removal actions.V-234069MEDIUMThe Tanium application must prohibit user installation of software without explicit privileged status.V-234070MEDIUMDocumentation defining Tanium functional roles must be maintained.V-234071MEDIUMThe Tanium database(s) must be installed on a separate system.V-234072MEDIUMThe Tanium application database must be dedicated to only the Tanium application.V-234073MEDIUMThe access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.V-234074MEDIUMThe Tanium Server installers account database permissions must be reduced to an appropriate level.V-234075MEDIUMFirewall rules must be configured on the Tanium Server for Server-to-Database communications.V-234076MEDIUMSQL stored queries or procedures installed during Tanium installation must be removed from the Tanium Server.V-234077MEDIUMThe Tanium Server must protect the confidentiality and integrity of transmitted information, in preparation to be transmitted and data at rest, with cryptographic signing capabilities enabled to protect the authenticity of communications sessions when making requests from Tanium Clients.V-234078MEDIUMThe Tanium Application Server console must be configured to initiate a session lock after a 15-minute period of inactivity.V-234079MEDIUMTanium Trusted Content providers must be documented.V-234080MEDIUMContent providers must provide their public key to the Tanium administrator to import for validating signed content.V-234081MEDIUMTanium public keys of content providers must be validated against documented trusted content providers.V-234082MEDIUMThe Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.V-234083MEDIUMThe Tanium documentation identifying recognized and trusted Intel streams must be maintained.V-234084MEDIUMThe Tanium Detect must be configured to receive IOC streams only from trusted sources.V-234085MEDIUMThe Tanium Connect module must be configured to forward Tanium Detect events to identified destinations.V-234086MEDIUMThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.V-234087MEDIUMThe Tanium Server must be configured to only allow signed content to be imported.V-234088MEDIUMAll installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.V-234089MEDIUMFirewall rules must be configured on the Tanium Server for Client-to-Server communications.V-234090MEDIUMFirewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.V-234091MEDIUMThe Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.V-234092MEDIUMThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.V-234093HIGHThe Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.V-234094MEDIUMThe Tanium Module server must be installed on a separate system.V-234095MEDIUMThe Tanium Server directory must be restricted with appropriate permissions.V-234096MEDIUMThe Tanium Server http directory and sub-directories must be restricted with appropriate permissions.V-234097MEDIUMThe permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.V-234098MEDIUMThe Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.V-234099MEDIUMAll Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.V-234100MEDIUMA Tanium connector must be configured to send log data to an external audit log reduction capable system.V-234101MEDIUMFile integrity monitoring of critical executables that Tanium uses must be configured.V-234102MEDIUMFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.V-234103MEDIUMFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.V-234104MEDIUMFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.V-234105MEDIUMThe SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.V-234106MEDIUMThe Tanium Server certificate must be signed by a DoD Certificate Authority.V-234107MEDIUMAny Tanium configured EMAIL RESULTS connectors must be configured to enable TLS/SSL to encrypt communications.V-234108MEDIUMTanium Server files must be excluded from on-access antivirus actions.V-234109MEDIUMTanium Server files must be protected from file encryption actions.V-234110MEDIUMThe SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.V-234111MEDIUMThe Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.V-234112MEDIUMThe Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.V-234113MEDIUMThe Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.V-234114MEDIUMThe Tanium documentation identifying recognized and trusted folders for Detect Local Directory Source must be maintained.V-234115MEDIUMThe Tanium Detect Local Directory Source must be configured to restrict access to only authorized maintainers of Intel.V-234116MEDIUMThe Tanium documentation identifying recognized and trusted SCAP sources must be maintained.V-234117MEDIUMThe Tanium documentation identifying recognized and trusted OVAL feeds must be maintained.V-234118MEDIUMTanium Comply must be configured to receive SCAP content only from trusted sources.V-234119MEDIUMTanium Comply must be configured to receive OVAL feeds only from trusted sources.V-234120MEDIUMThe Tanium application must be configured in a High-Availability (HA) setup to ensure minimal loss of data and minimal disruption to mission processes in the event of a system failure.V-234121MEDIUMThe bandwidth consumption for the Tanium Application server must be limited.V-234122MEDIUMThe Tanium SQL Server RDBMS must be configured with sufficient free space to ensure audit logging is not impacted.V-234123MEDIUMThe Tanium application must limit the bandwidth used in communicating with endpoints to prevent a Denial of Service (DoS) condition at the server.V-234124HIGHThe Tanium Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).V-234125MEDIUMTanium Server files must be excluded from host-based intrusion prevention intervention.V-234126MEDIUMThe Tanium application must set an absolute timeout for sessions.V-234127MEDIUMThe Tanium application must set an inactive timeout for sessions.V-234128MEDIUMThe Tanium application service must be protected from being stopped by a non-privileged user.V-234129MEDIUMThe Tanium web server must be tuned to handle the operational requirements of the hosted application.V-234130MEDIUMThe Tanium application, SQL and Module servers must all be configured to communicate using TLS 1.2 Strict Only.V-234131MEDIUMThe Tanium application must be configured to communicate using TLS 1.2 Strict Only.V-234132MEDIUMThe Tanium application must be configured to communicate using TLS 1.2 Strict Only.