STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Tanium 7.x Security Technical Implementation Guide

Version: V2R3

Release Date: May 14, 2025

SCAP Benchmark ID: Tanium_7-x_STIG

Total Checks: 98

Tags: other

Severity breakdown: CAT I: 4, CAT II: 94, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (98)

  • V-253779 (MEDIUM): The Tanium application must be configured to send audit records from multiple components within the system to a central location for review and analysis.
  • V-253780 (MEDIUM): The application must, at a minimum, offload interconnected systems in real time and offload standalone systems weekly.
  • V-253781 (MEDIUM): Tanium Client processes must be excluded from On-Access scan.
  • V-253782 (MEDIUM): The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication.
  • V-253783 (MEDIUM): The Tanium application must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).
  • V-253784 (MEDIUM): The Tanium application must separate user functionality (including user interface services) from information system management functionality.
  • V-253785 (MEDIUM): The Tanium Server and Client applications must have logging enabled.
  • V-253786 (MEDIUM): The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined denial-of-service (DoS) attacks against other information systems.
  • V-253787 (MEDIUM): The Tanium application must manage bandwidth throttles to limit the effects of information flooding types of denial-of-service (DoS) attacks.
  • V-253788 (MEDIUM): The Tanium application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-253789 (MEDIUM): The Tanium application must reveal error messages only to the information system security officer (ISSO), information system security manager (ISSM), and system administrator (SA).
  • V-253791 (MEDIUM): The Tanium application must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-253792 (MEDIUM): The Tanium application must offload audit records onto a different system or media than the system being audited.
  • V-253793 (MEDIUM): The Tanium application must provide an immediate warning to the system administrator and information system security officer (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
  • V-253794 (MEDIUM): The Tanium application must provide an immediate real-time alert to the system administrator and information system security officer, at a minimum, of all audit failure events requiring real-time alerts.
  • V-253795 (MEDIUM): The Tanium application must prohibit user installation of software without explicit privileged status.
  • V-253796 (MEDIUM): The application must enforce access restrictions associated with changes to application configuration.
  • V-253797 (MEDIUM): The application must employ a deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software programs.
  • V-253798 (MEDIUM): The Tanium application must accept Personal Identity Verification (PIV) credentials.
  • V-253799 (MEDIUM): The Tanium application must electronically verify Personal Identity Verification (PIV) credentials.
  • V-253800 (MEDIUM): The Tanium application must accept Personal Identity Verification (PIV) credentials from other federal agencies.
  • V-253801 (MEDIUM): The Tanium application must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
  • V-253802 (MEDIUM): Tanium must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.
  • V-253803 (MEDIUM): Tanium Server processes must be excluded from On-Access scan.
  • V-253804 (MEDIUM): The Tanium application must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
  • V-253805 (MEDIUM): The Tanium endpoint must have the Tanium Server's pki.db in its installation.
  • V-253806 (MEDIUM): Access to Tanium logs on each endpoint must be restricted by permissions.
  • V-253807 (MEDIUM): The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.
  • V-253808 (MEDIUM): Firewall rules must be configured on the Tanium endpoints for client-to-server communications.
  • V-253809 (MEDIUM): Control of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.
  • V-253810 (MEDIUM): The ability to uninstall the Tanium Client service must be disabled on all managed clients.
  • V-253811 (MEDIUM): The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.
  • V-253812 (MEDIUM): Tanium Client directory and subsequent files must be excluded from On-Access scan.
  • V-253813 (MEDIUM): Tanium endpoint files must be excluded from host-based intrusion prevention system (HIPS) intervention.
  • V-253814 (MEDIUM): The Tanium application must retain the session lock until the user reestablishes access using established identification and authentication procedures.
  • V-253815 (MEDIUM): The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.
  • V-253816 (MEDIUM): The Tanium Application Server must be configured to only use LDAP for account management functions.
  • V-253817 (MEDIUM): Tanium Computer Groups must be used to restrict console users from effecting changes to unauthorized computers.
  • V-253818 (MEDIUM): Documentation identifying Tanium console users, their respective User Groups, Computer Groups, and Roles must be maintained.
  • V-253819 (MEDIUM): The Tanium application must be configured to use Tanium User Groups in a manner consistent with the model outlined in the environment's system documentation.
  • V-253820 (MEDIUM): Documentation identifying Tanium console users and their respective Computer Group rights must be maintained.
  • V-253821 (HIGH): Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.
  • V-253822 (MEDIUM): Firewall rules must be configured on the Tanium Server for Console-to-Server communications.
  • V-253823 (MEDIUM): The publicly accessible Tanium application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
  • V-253824 (MEDIUM): The Tanium application must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure.
  • V-253825 (MEDIUM): Tanium must notify the system administrator and information system security officer (ISSO) when accounts are created.
  • V-253826 (MEDIUM): Tanium must notify system administrators and the information system security officer (ISSO) when accounts are modified.
  • V-253827 (MEDIUM): Tanium must notify the system administrator and information system security officer (ISSO) of account enabling actions.
  • V-253828 (MEDIUM): Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
  • V-253829 (MEDIUM): Tanium must notify system administrators and the information system security officer (ISSO) for account disabling actions.
  • V-253830 (MEDIUM): Tanium must notify system administrators and the information system security officer (ISSO) for account removal actions.
  • V-253831 (MEDIUM): The Tanium application must prohibit user installation, modification, or deletion of software without explicit privileged status.
  • V-253832 (MEDIUM): The Tanium database(s) must be installed on a separate system.
  • V-253833 (MEDIUM): The Tanium application database must be dedicated to only the Tanium application.
  • V-253834 (MEDIUM): The access to the Tanium SQL database must be restricted. Only the designated database administrator(s) can have elevated privileges to the Tanium SQL database.
  • V-253835 (MEDIUM): The Tanium Server installer's account database permissions must be reduced to an appropriate level.
  • V-253836 (MEDIUM): Firewall rules must be configured on the Tanium Server for server-to-database communications.
  • V-253837 (MEDIUM): The Tanium Application Server console must be configured to initiate a session lock after a 15-minute period of inactivity.
  • V-253838 (MEDIUM): Tanium Trusted Content providers must be documented.
  • V-253839 (MEDIUM): Content providers must provide their public key to the Tanium administrator to import for validating signed content.
  • V-253840 (MEDIUM): Tanium public keys of content providers must be validated against documented trusted content providers.
  • V-253841 (MEDIUM): The Tanium Action Approval feature must be enabled for two-person integrity when deploying actions to endpoints.
  • V-253842 (MEDIUM): The Tanium documentation identifying recognized and trusted indicator of compromise (IOC) streams must be maintained.
  • V-253843 (MEDIUM): Tanium Threat Response must be configured to receive IOC streams only from trusted sources.
  • V-253844 (MEDIUM): The Tanium applications must be configured to filter audit records for events of interest based on organization-defined criteria.
  • V-253845 (MEDIUM): The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
  • V-253846 (MEDIUM): The Tanium Server must be configured to allow only signed content to be imported.
  • V-253847 (MEDIUM): All installation files originally downloaded to the Tanium Server must be configured to download to a location other than the Tanium Server directory.
  • V-253848 (MEDIUM): Firewall rules must be configured on the Tanium Server for client-to-server communications.
  • V-253849 (MEDIUM): Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.
  • V-253850 (MEDIUM): The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM Category Assurance List (CAL) and vulnerability assessments.
  • V-253851 (MEDIUM): The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
  • V-253852 (MEDIUM): The Tanium Server directory must be restricted with appropriate permissions.
  • V-253853 (MEDIUM): The Tanium Server http directory and subdirectories must be restricted with appropriate permissions.
  • V-253854 (MEDIUM): The permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.
  • V-253855 (MEDIUM): The Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.
  • V-253856 (MEDIUM): Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.
  • V-253857 (MEDIUM): Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications.
  • V-253858 (MEDIUM): Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.
  • V-253859 (MEDIUM): The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.
  • V-253860 (MEDIUM): The Tanium Server certificate must be signed by a DoD certificate authority (CA).
  • V-253861 (MEDIUM): Tanium Server directory and subsequent files must be excluded from On-Access scan.
  • V-253862 (MEDIUM): The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.
  • V-253863 (MEDIUM): The Tanium "max_soap_sessions_total" setting must be explicitly enabled to limit the number of simultaneous sessions.
  • V-253864 (MEDIUM): The Tanium "max_soap_sessions_per_user" setting must be explicitly enabled to limit the number of simultaneous sessions.
  • V-253865 (MEDIUM): The Tanium documentation identifying recognized and trusted folders for Threat Response Local Directory Source must be maintained.
  • V-253866 (MEDIUM): The Tanium Threat Response Local Directory Source must be configured to restrict access to only authorized maintainers of threat intel.
  • V-253867 (MEDIUM): The Tanium documentation identifying recognized and trusted Security Content Automation Protocol (SCAP) sources must be maintained.
  • V-253868 (MEDIUM): The Tanium documentation identifying recognized and trusted Open Vulnerability and Assessment Language (OVAL) feeds must be maintained.
  • V-253869 (MEDIUM): Tanium Comply must be configured to receive Security Content Automation Protocol (SCAP) content only from trusted sources.
  • V-253870 (MEDIUM): Tanium Comply must be configured to receive Open Vulnerability and Assessment Language (OVAL) feeds only from trusted sources.
  • V-253871 (MEDIUM): The Tanium application must limit the bandwidth used in communicating with endpoints to prevent a denial-of-service (DoS) condition at the server.
  • V-253872 (MEDIUM): Tanium Server files must be excluded from host-based intrusion prevention intervention.
  • V-253873 (MEDIUM): The Tanium application must set an inactive timeout for sessions.
  • V-253874 (MEDIUM): The Tanium application service must be protected from being stopped by a nonprivileged user.
  • V-253875 (HIGH): The Tanium Application, SQL, and Module servers must all be configured to communicate using TLS 1.2 Strict Only.
  • V-253876 (HIGH): The SchUseStrongCrypto registry value must be set.
  • V-253877 (HIGH): The SSLCipherSuite registry value must be set.