Check: TANS-00-001310
Tanium 7.x STIG: TANS-00-001310 (in versions v2 r1 through v1 r1)
Title
The Tanium application must offload audit records onto a different system or media than the system being audited. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
Check Content
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log in using multifactor authentication.
2. Click "Modules" on the top of the banner of the console.
3. Click "Connect".
4. Review the configured Connections under "Connections" section.

If no Connections exist to send the "Tanium Audit Source" to a security information and event management (SIEM) tool, this is a finding.
Fix Text
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log in using multifactor authentication.
2. Click "Modules" on the top of the console.
3. Click "Connect".
4. Click "Create Connection".
5. In the "Configuration" section under "Source", select "Tanium Audit Source" as the source from the drop-down menu.
6. In the "Configuration" section under "Destination", select the desired Destination and fill in the respective fields.
7. In the "Configure Output" section under "Format", select the desired file format type.
8. In the "Schedule" section, select the desired schedule.
9. Click "Save".
Additional Identifiers
Rule ID: SV-253792r997232_rule
Vulnerability ID: V-253792
Group Title: SRG-APP-000358
CCIs
Number | Definition |
---|---|
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) | Transfer to Alternate Storage |