Title

Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications. (Cat II impact)

Discussion

In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Server-to-Client requirements. https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html

Check Content

Note: If a Zone Server is not being used, this is "Not Applicable". Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. Access the host-based firewall configuration on the Tanium Zone Server. Validate a rule exists for the following: Port Needed: Tanium Clients to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Clients to the Tanium Zone Server, this is a finding.

Fix Text

Configure host-based firewall rules as required, to include Tanium Clients to Zone Server over TCP port 17472.

Additional Identifiers

Rule ID: SV-93389r1_rule

Vulnerability ID: V-78683

Group Title: SRG-APP-000142

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.