Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.

From Tanium 7.0 Security Technical Implementation Guide

Part of SRG-APP-000383

Associated with: CCI-001762

SV-93417r1_rule Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.

Vulnerability discussion

If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. This is the only configuration that requires you to allow outbound traffic on port 17472 from the Tanium Server device. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers. See the Zone Server Configuration page for more details.Port Needed: Tanium Server to Zone Server over TCP port 17472.Network firewall rules:Allow TCP traffic on port 17472 from the Zone Server Hub, usually the Tanium Server device, to the destination DMZ devices(s) hosting the Zone Server(s).Endpoint firewall rules - for additional security, configure the following endpoint firewall rules:Allow TCP traffic outbound on port 17472 from only the Zone Server Hub process running on the Tanium Server device.Allow TCP traffic inbound on port 17472 to only the Zone Server process running on the designated Zone Server device(s).https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Check content

Note: If a Zone Server is not being used, this is "Not Applicable". Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. Access the host-based firewall configuration on the Tanium Zone Server. Validate a rule exists for the following: Port Needed: Tanium Server to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Server to the Tanium Zone Server, this is a finding.

Fix text

Configure host-based firewall rules on the Tanium Zone server to include the following required traffic: Allow Tanium Server to Zone Server over TCP port 17472. Configure the network firewall to allow the above traffic.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer