Check: TANS-SV-000033
Tanium 7.0 STIG:
TANS-SV-000033
(in versions v1 r2 through v1 r1)
Title
Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications. (Cat II impact)
Discussion
If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. This is the only configuration that requires you to allow outbound traffic on port 17472 from the Tanium Server device. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers. See the Zone Server Configuration page for more details. Port Needed: Tanium Server to Zone Server over TCP port 17472. Network firewall rules: Allow TCP traffic on port 17472 from the Zone Server Hub, usually the Tanium Server device, to the destination DMZ devices(s) hosting the Zone Server(s). Endpoint firewall rules - for additional security, configure the following endpoint firewall rules: Allow TCP traffic outbound on port 17472 from only the Zone Server Hub process running on the Tanium Server device. Allow TCP traffic inbound on port 17472 to only the Zone Server process running on the designated Zone Server device(s). https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.
Check Content
Note: If a Zone Server is not being used, this is "Not Applicable". Consult with the Tanium System Administrator to verify which firewall is being used as a host-based firewall on the Tanium Zone Server. Access the host-based firewall configuration on the Tanium Zone Server. Validate a rule exists for the following: Port Needed: Tanium Server to Zone Server over TCP port 17472. If a host-based firewall rule does not exist to allow TCP port 17472, bi-directionally, from Tanium Server to the Tanium Zone Server, this is a finding.
Fix Text
Configure host-based firewall rules on the Tanium Zone server to include the following required traffic: Allow Tanium Server to Zone Server over TCP port 17472. Configure the network firewall to allow the above traffic.
Additional Identifiers
Rule ID: SV-93417r1_rule
Vulnerability ID: V-78711
Group Title: SRG-APP-000383
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001762 |
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
Controls
Number | Title |
---|---|
CM-7 (1) |
Periodic Review |