Reference: Advanced Security Settings menu

The Advanced Security Settings menu includes options to enable or disable FIPS 140-2 mode, AIDE reporting, and SELinux, as well as an option for managing the SSH cipher list.

Enable FIPS 140-2 mode

Enabling FIPS mode causes the appliance to use a FIPS-validated cryptographic module for all cryptographic operations. It also ensures that services like SSH use only cryptographic algorithms that FIPS 140-2 allows.

Enable FIPS mode only if you are required to do so for your organization.

In Tanium Core Platform 7.4.5.1200 and later, enabling FIPS mode in TanOS also puts the Tanium Platform in FIPS mode.
  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 1 and follow the prompts to enable FIPS 140-2 mode.

    Note in the settings summary that FIPS 140-2 mode is disabled in the current state until you reboot the appliance.

  6. Go to Appliance Maintenance (B) > Reboot / Shutdown (B) and reboot the appliance.
  7. Return to the Advanced Security menu (A-A-X) and note that FIPS 140-2 is now enabled.

Enable AIDE reporting

Advanced Intrusion Detection Environment (AIDE) is a host-based intrusion detection system (HIDS) for checking the integrity of files. AIDE runs an initialization scan over a set of files and directories in the system and generates a reference snapshot of the environment state. Subsequent scans compare the current state against this reference, and any differences are reported for investigation.

The set of files and directories over which the scans are run can be customized in a configuration file. If needed, contact Tanium Support for assistance.

AIDE reports will be very noisy following TanOS upgrades, Tanium role installations, and Tanium solution module or content pack imports or reimports. To mitigate the noise and allow you to track real intrusions, the following workflow is recommended:
  1. Before you perform an upgrade or installation, run an AIDE check report.
  2. Then perform the upgrade or installation.
  3. After the upgrade or installation, run AIDE initialization to reset the AIDE reference. A fresh AIDE report is run automatically at the end of the initialization process.

Enable AIDE

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 2 to go to the AIDE menu.
  6. Enter 1 to initialize AIDE, enable a weekly check report, and run a test check report.

    Note that after initialization, the AIDE menu shows status, schedule, and recent report information.

Run an AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 2 to go to the AIDE menu.
  6. Enter 2 to run an AIDE check report.

    Note that after the report has been run, the report status is updated.

Disable the weekly AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 2 to go to the AIDE menu.
  6. Enter 3 to disable the weekly AIDE check report.

    Note that after the disable report operation has been run, the scheduled report status is updated.

Enable the weekly AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 2 to go to the AIDE menu.
  6. Enter 4 to enable the weekly AIDE check report.

    Note that after the enable report operation has been run, the scheduled report status is updated.

Export the weekly AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 2 to go to the AIDE menu.
  6. Enter 5 to export the weekly AIDE check report to the /outgoing directory.
  7. Use SFTP to copy the report from /outgoing to your management computer.

Manage the SSH cipher list

You can select the SSH ciphers included in the list presented to SSH clients.

Before you save changes to the SSH cipher list, make sure the SSH client you use to make SSH connections to TanOS supports at least one of the remaining ciphers.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 3 to go to the SSH Ciphers menu.
  6. Select numbered menu items to toggle whether the cipher is included or excluded from the cipher list.
  7. When you are done modifying the list, enter S to save it.

When FIPS 140-2 mode is enabled, only ciphers that are allowed by FIPS 140-2 appear in the SSH cipher list menu.
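
The client-compatibility check described above can be scripted on the management computer before you save the list. This is an added example, not part of the TanOS documentation; the function names and the sample cipher lists are constructed for illustration, and the ciphers you keep must be copied from the SSH Ciphers menu by hand.

```shell
#!/bin/sh
# Added example: check that an SSH client still shares a cipher with the
# list you plan to keep before you enter S to save it.

# common_ciphers KEEP CLIENT
#   KEEP   ciphers left enabled in the menu, comma- or space-separated
#   CLIENT ciphers the client supports, one per line (`ssh -Q cipher` format)
# Prints the ciphers found in both lists, one per line, in KEEP order.
common_ciphers() {
    keep=$1
    client=$2
    printf '%s\n' "$keep" | tr ', ' '\n\n' | while IFS= read -r c; do
        [ -n "$c" ] || continue
        # -x whole-line and -F fixed-string: no partial or regex matches
        if printf '%s\n' "$client" | grep -qxF -- "$c"; then
            printf '%s\n' "$c"
        fi
    done
}

# safe_to_save KEEP CLIENT: succeeds only if at least one cipher is shared.
safe_to_save() {
    [ -n "$(common_ciphers "$1" "$2")" ]
}

# report LABEL KEEP CLIENT: print a one-line verdict for a client.
report() {
    if safe_to_save "$2" "$3"; then
        echo "$1: OK, shared: $(common_ciphers "$2" "$3" | tr '\n' ' ')"
    else
        echo "$1: LOCKOUT RISK, no shared cipher; do not save this list"
    fi
}

# Constructed sample data (not taken from a TanOS menu or a real client).
KEEP_LIST='aes128-ctr, aes256-ctr, aes256-gcm@openssh.com'
LEGACY_CLIENT='3des-cbc
aes128-cbc
aes256-cbc'
MODERN_CLIENT='aes128-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

report "legacy client" "$KEEP_LIST" "$LEGACY_CLIENT"
report "modern client" "$KEEP_LIST" "$MODERN_CLIENT"

# Against the real OpenSSH client on your management computer:
#   report "this client" "$KEEP_LIST" "$(ssh -Q cipher)"
```

`ssh -Q cipher` reports what the OpenSSH client binary supports; if the client configuration restricts `Ciphers`, compare against the `ciphers` line printed by `ssh -G <host>` instead.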

Toggle SELinux mode

Security-Enhanced Linux (SELinux) is a set of kernel modifications and user-space tools that make a Linux-based OS more secure.

By default, the SELinux setting is set to enforcing.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 4 to toggle the SELinux setting—permissive or enforcing. A reboot is not required.

Set menu timeout

The menu timeout is the amount of time that the TanOS menu system waits for user input. Enable this feature to cancel user sessions after a period of inactivity. The timeout applies to SSH sessions, but not to Tanium Console sessions. This setting takes effect when a user signs in to the appliance. By default, menus do not time out.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 5 to set a menu timeout, in seconds. If you want to disable menu timeouts, set the value to 0.

Toggle Denial of Service protection

Use this setting to add extra protection against Denial of Service (DoS) attacks. By default, this setting is disabled.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter X to go to the Advanced Security menu.
  5. Enter 6 to enable DoS protection. The screen updates with an enabled status.