Firewall rules must be configured on the Tanium Server for Client-to-Server communications.

From Tanium 7.0 Security Technical Implementation Guide

Part of SRG-APP-000142

Associated with: CCI-000382

SV-93387r1_rule Firewall rules must be configured on the Tanium Server for Client-to-Server communications.

Vulnerability discussion

In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate with other Tanium-managed computers over port 17472. The Tanium environment can perform hundreds or thousands of times faster than other security or systems management tools because the Tanium Clients communicate in secure, linearly-controlled peer-to-peer rings. Because clients dynamically communicate with other nearby agents based on proximity and latency, rings tend to form automatically to match a customer's topology: endpoints in California will form one ring while endpoints in Germany will form a separate ring.

Reference: https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html

Check content

Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Server.

Access the host-based firewall configuration on the Tanium Server. Validate rules exist, as required, to include:

- Between Tanium Clients or Zone Clients over TCP port 17472, bi-directionally.

If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, this is a finding.

Consult with the network firewall administrator and validate rules exist for the following:

- Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.

If a network firewall rule does not exist to allow TCP port 17472 from any managed computer to any other managed computer on the same local area network, this is a finding.
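The host-based part of this check can be scripted against the firewall's rule listing. The example below is added here and is not part of the STIG or of Tanium's documentation; it assumes a Linux Tanium Server whose host firewall is iptables, parses `iptables -S` style output, and reports a finding when TCP port 17472 is not accepted in both the INPUT and OUTPUT chains. The rule lines embedded in it are constructed, not captured from a real host.

```python
import re

TANIUM_PORT = 17472  # Tanium client/peer port named in the STIG text

# Constructed sample of `iptables -S` output (not captured from a real host):
# inbound 17472 is allowed, but OUTPUT only allows 443 and drops everything else.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 17472 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

RULE_RE = re.compile(r"^-A (?P<chain>INPUT|OUTPUT)(?P<body>.*) -j (?P<target>ACCEPT|DROP|REJECT)$")
POLICY_RE = re.compile(r"^-P (?P<chain>INPUT|OUTPUT) (?P<target>ACCEPT|DROP)$")


def chain_verdicts(rules_text, port=TANIUM_PORT):
    """Verdict per chain (INPUT/OUTPUT) for a NEW TCP connection on `port`.
    Mirrors iptables evaluation: the first rule that matches wins; if no rule
    matches, the chain's default policy (-P line) applies."""
    verdict, policy = {}, {}
    for line in rules_text.splitlines():
        line = line.strip()
        pol = POLICY_RE.match(line)
        if pol:
            policy[pol["chain"]] = pol["target"]
            continue
        m = RULE_RE.match(line)
        if not m or m["chain"] in verdict:
            continue  # not an INPUT/OUTPUT rule, or this chain is already decided
        body = m["body"]
        states = re.search(r"--ctstate (\S+)", body)
        if states and "NEW" not in states[1].split(","):
            continue  # RELATED,ESTABLISHED-only rule never matches a new connection
        proto = re.search(r"-p (\w+)", body)
        if proto and proto[1] != "tcp":
            continue  # rule for another protocol
        dport = re.search(r"--dport (\d+)", body)
        if dport and int(dport[1]) != port:
            continue  # rule for another port
        verdict[m["chain"]] = m["target"]
    for chain in ("INPUT", "OUTPUT"):
        verdict.setdefault(chain, policy.get(chain, "ACCEPT"))
    return verdict


def check_tanium_port(rules_text, port=TANIUM_PORT):
    """STIG check: TCP 17472 must be allowed bi-directionally on the host firewall.
    Returns (is_finding, chains_that_block)."""
    blocked = sorted(c for c, v in chain_verdicts(rules_text, port).items() if v != "ACCEPT")
    return bool(blocked), blocked


if __name__ == "__main__":
    finding, blocked = check_tanium_port(SAMPLE_RULES)
    print("FINDING" if finding else "compliant", blocked)
```

On a live host, feed the output of `iptables -S` to `check_tanium_port` instead of the sample; the first-match logic also catches a broad `-p tcp -j DROP` that shadows a later port-specific ACCEPT.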

Fix text

Configure host-based and network firewall rules as required, to include:

- Between Tanium Clients or Zone Clients over TCP port 17472, bi-directionally.
- Allow TCP traffic on port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.
