Title

Tanium Comply must be configured to receive OVAL feeds only from trusted sources. (Cat II impact)

Discussion

OVAL XML documents are provided from several possible sources such as the CIS open source repository, or any number of vendor/3rd party paid repositories. These documents are used to automate the passive validation of vulnerabilities on systems and therefore require a reasonable level of confidence in their origin. Non-approved OVAL definitions lead to a false sense of security when evaluating an enterprise environment.

Check Content

Using a web browser on a system that has connectivity to Tanium, access the Tanium web user interface (UI) and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks" then "Vulnerability". Verify all imported vulnerability sources are from a documented trusted source. If any vulnerability sources found do not match a documented trusted source, this is a finding.

Fix Text

Using a web browser on a system that has connectivity to Tanium, access the Tanium web UI and log on with CAC. Click on the navigation button (hamburger menu) on the top left of the console. Click on "Comply". Along the left side of the interface, click on "Benchmarks" then "Vulnerability". Delete any vulnerability sources that are configured to non-trusted sources, or reconfigured to point to a trusted sources.

Additional Identifiers

Rule ID: SV-93447r1_rule

Vulnerability ID: V-78741

Group Title: SRG-APP-000039

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.