The Tanium Server must be set to only allow connections from endpoints when TLS is used.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-254877	SRG-APP-000015	TANS-AP-000040	SV-254877r1067684_rule	2025-02-11	2

Description
Without cryptographic integrity protections in the Tanium Client, information could be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of Tanium communications information include signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

Description

Without cryptographic integrity protections in the Tanium Client, information could be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of Tanium communications information include signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

ℹ️ Check
1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Settings". 4. Click the "Advanced Settings" tab. 5. In the "Filter Items" search box type "require_client_tls_315_flag". 6. Click "Enter". If no results are returned, this is a finding. If results are returned for "require_client_tls_315_flag" but the value is not "1", this is a finding.

ℹ️ Check

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Settings". 4. Click the "Advanced Settings" tab. 5. In the "Filter Items" search box type "require_client_tls_315_flag". 6. Click "Enter". If no results are returned, this is a finding. If results are returned for "require_client_tls_315_flag" but the value is not "1", this is a finding.

✔️ Fix
1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Settings". 4. Click the "Advanced Settings" tab. 5. Click "Create Setting". 6. Select "Server" box for "Setting Type." 7. In "Create Platform Setting" dialog box, enter "require_client_tls_315_flag" for "Name". 8. Select "Numeric" radio button for "Value Type". 9. Enter "1" for "Value". 10. Click "Save".

✔️ Fix

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Administration" on the top navigation banner. 3. Under "Configuration", select "Settings". 4. Click the "Advanced Settings" tab. 5. Click "Create Setting". 6. Select "Server" box for "Setting Type." 7. In "Create Platform Setting" dialog box, enter "require_client_tls_315_flag" for "Name". 8. Select "Numeric" radio button for "Value Type". 9. Enter "1" for "Value". 10. Click "Save".