The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-253851 | SRG-APP-000175 | TANS-SV-000020 | SV-253851r997273_rule | 2025-02-26 | 2 |
| Description |
|---|
| Restricting this setting limits the user's ability to change their password. Passwords must be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually change their password, it could be changed repeatedly in a short period of time to defeat the organization's policy regarding password reuse. |
| ℹ️ Check |
|---|
| 1. Access the Tanium application server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Navigate to Program Files >> Tanium >> Tanium Server. 4. Locate the "SOAPServer.crt" file. 5. Double-click the file to open the certificate. 6. Select the "Details" tab. 7. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding. |
| ✔️ Fix |
|---|
| Request or regenerate the certificate being used to include both the "Server Authentication" and "Client Authentication" objects. |