Title

The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication. (Cat II impact)

Discussion

Restricting this setting limits the user's ability to change their password. Passwords must be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually change their password, it could be changed repeatedly in a short period of time to defeat the organization's policy regarding password reuse.

Check Content

1. Access the Tanium application server interactively. 2. Log on to the server with an account that has administrative privileges. 3. Navigate to Program Files >> Tanium >> Tanium Server. 4. Locate the "SOAPServer.crt" file. 5. Double-click the file to open the certificate. 6. Select the "Details" tab. 7. Scroll down through the details to find and select the "Enhanced Key Usage" field. If there is no "Enhanced Key Usage" field, this is a finding. In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified. If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.

Fix Text

Request or regenerate the certificate being used to include both the "Server Authentication" and "Client Authentication" objects.

Additional Identifiers

Rule ID: SV-253851r997273_rule

Vulnerability ID: V-253851

Group Title: SRG-APP-000175

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.