Title

Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications. (Cat II impact)

Discussion

In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Server-to-Client requirements. https://kb.tanium.com/Port_Configuration_v6.5

Check Content

Note: If a zone server is not being used, this is Not Applicable. Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. Access the host-based firewall configuration on the Tanium Zone Server. Validate a rule exists for the following: Port Needed: Tanium Clients to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Clients to the Tanium Zone Server, this is a finding.

Fix Text

Configure host-based firewall rules as required, to include Tanium Clients to Zone Server over TCP port 17472.

Additional Identifiers

Rule ID: SV-81569r1_rule

Vulnerability ID: V-67079

Group Title: SRG-APP-000142

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.