The Tanium Server certificate must be signed by a DoD Certificate Authority.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-234106 | SRG-APP-000427 | TANS-SV-000036 | SV-234106r612749_rule | 2021-12-20 | 2 |
Description
The Tanium Server has the option to use a "self-signed" certificate or a Trusted Certificate Authority signed certificate for SSL connections. During evaluations of Tanium in Lab settings, customers often conclude that a "self-signed" certificate is an acceptable risk. However, in production environments it is critical that a SSL certificate signed by a Trusted Certificate Authority be used on the Tanium Server in lieu of an untrusted and insecure "self-signed" certificate.
ℹ️ Check
Using a web browser on a system, which has connectivity to the Tanium Application, access the Tanium Application web user interface (UI).
Log on with CAC.
When connected, review the Certificate for the Tanium Server:
In Internet Explorer, right-click on the page.
Select "Properties".
Click on the "Certificates" tab.
On the "General" tab, validate the Certificate shows as issued by a DOD Root CA.
On Certification "Path" tab, validate the path top-level is a DoD Root CA.
If the certificate authority is not DoD Root CA, this is a finding.
✔️ Fix
Request or regenerate the certificate from a DoD Root Certificate Authority.