The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.

From Tanium 6.5 Security Technical Implementation Guide

Part of SRG-APP-000328

Associated with: CCI-002165

SV-81473r2_rule The permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.

Vulnerability discussion

By restricting access to the Tanium Client directory on managed clients, the Tanium client's ability to operate and function as designed will be protected from malicious attack and unintentional modifications by end users.

Check content

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients with restricted and non-restricted permissions for "Tanium Client Service". Non-compliant clients will have a count other than 0 for "Service Control is set to default permissions" or "Unknown Service Control Permissions. If there is a "Count" other than "0" for "Service Control is set to default permissions" or "Unknown Service Control Permissions", this is a finding.

Fix text

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. From the Dashboard, under "Client Service Hardening", click on "Control Service State Permissions". The results will show a "Count" of clients' compliant and non-compliant hardening for the "Tanium Client Service". Non-compliant clients will have a count other than 0 for "Service Control is set to default permissions" or "Unknown Service Control Permissions. Select each of the ""Service Control is set to default permissions" or "Unknown Service Control Permissions." statuses, right-click and select "Deploy Action...." The "Deploy Action" dialog box will display "Client Service Hardening - Control Service State Permissions" as the package. The computer names comprising the "Count" of non-compliant systems will be displayed in the bottom. Click on "Target & Schedule". Configure the schedule for the requested action depending upon internal organizational procedures and policies for maintenance. Click on "Finish". Verify settings are correct. Click on the "Confirm..." button at the bottom of the screen which will respond with a dialog box "Your action has been scheduled. It can be viewed on the actions tab."

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer