Check: TANS-SV-000029
Tanium 6.5 STIG:
TANS-SV-000029
(in versions v1 r3 through v1 r2)
Title
A connector must be configured to send log data to offline log collection. (Cat II impact)
Discussion
While the Tanium Server records audit log entries to the Tanium SQL database, retrieving and aggregating log data through the Tanium console is not efficient. The Tanium Connect module provides ArcSight, McAfee SIEM, SIEM, Splunk SIEM, and LogRhythm connectors so that forensic data can be retrieved and aggregated efficiently from an external log collection system.
Check Content
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Connect" tab. Click on "Configured Connectors". Review for any configured "ArcSight", "McAfee SIEM", "SIEM", "Splunk" or "LogRhythm" connectors. If no SIEM connector is configured to send log data to offline log collection, this is a finding.
Fix Text
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "Administration". Select the "Connect" tab. Click on "Connector Templates". Choose and configure a template for a SIEM located at the site.
Additional Identifiers
Rule ID: SV-81591r1_rule
Vulnerability ID: V-67101
Group Title: SRG-APP-000358
CCIs
Number | Definition |
---|---|
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) | Transfer to Alternate Storage |