Reference: Advanced Security Settings menu
The Advanced Security Settings menu includes options to enable or disable FIPS 140-2 mode, AIDE reporting, and SELinux, as well as an option for managing the SSH cipher list.
Enable FIPS 140-2 mode
Enabling FIPS mode causes the appliance to use a FIPS-validated cryptographic module for all cryptographic operations. It also ensures that services like SSH use only cryptographic algorithms that FIPS 140-2 allows.
Enable FIPS mode only if you are required to do so for your organization.
In Tanium Core Platform 7.4.5.1200 and later, enabling FIPS mode in TanOS also puts the Tanium Platform in FIPS mode.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: enforcing enforcing
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 1 and follow the prompts to enable FIPS 140-2 mode.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: permissive permissive
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
TanOS Version: 1.7.4
TanOS_Shell Version: 1.7.4
Please select: 1
WARNING: Your current SSH Cipher list is
[email protected],aes256-ctr,[email protected]
Enabling FIPS mode changes the SSH Cipher list to:
aes128-ctr,aes192-ctr,aes256-ctr
, and disables Key Exchange algorithms:
[email protected] curve25519-sha256
FIPS mode has fewer available SSH Ciphers than normal mode; SSH does not
work correctly if it is configured to use ciphers which are unavailable.
Therefore when entering FIPS mode, the list of ciphers is changed to
predefined settings. Please keep this session open and log into SSH in
another session to confirm the new settings.
Are you sure you want to continue? [Yes|No]: yes
Generating grub configuration file ...
done
Next boot will run with "fips=1". For best results log in with SSH again
immediately, before closing this session or rebooting.
Press enter to continue
Note in the settings summary that FIPS 140-2 mode is disabled in the current state until you reboot the appliance.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled enabled
SELinux: permissive permissive
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Go to Appliance Maintenance (B) > Reboot / Shutdown (B) and reboot the appliance.
------------------------------------------------------
>>> Appliance Maintenance -> Reboot/Shutdown -> Reboot <<<
Rebooting this appliance
The reboot might take a while to finish!
Would you like to continue with the reboot? [Yes|No]:
- Return to the Advanced Security menu (A-A-X) and note that FIPS 140-2 is now enabled.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: enabled enabled
SELinux: permissive permissive
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enable AIDE reporting
Advanced Intrusion Detection Environment (AIDE) is a host-based intrusion detection system (HIDS) for checking the integrity of files. AIDE runs an initialization scan over a set of files and directories in the system and generates a reference snapshot of the environment state. Subsequent scans are compared against that snapshot, and any differences between the initial and current scans are reported for investigation.
The set of files and directories over which the scans are run can be customized in a configuration file. If needed, contact Tanium Support for assistance.
AIDE reports will be very noisy following TanOS upgrades, Tanium role installations, and Tanium solution module or content pack imports or reimports. To mitigate the noise and allow you to track real intrusions, the following workflow is recommended:
- Before you perform an upgrade or installation, run an AIDE check report.
- Then perform the upgrade or installation.
- After the upgrade or installation, run AIDE initialization to reset the AIDE reference. A fresh AIDE report is run automatically at the end of the initialization process.
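The check, upgrade, reinitialize order above can be seen in miniature with a SHA-256 baseline over a scratch directory. This is an added illustration, not AIDE itself and not Tanium code: `baseline_init`, `baseline_check`, the file names and their contents are all constructed.

```shell
#!/usr/bin/env bash
# Added illustration (not AIDE, not Tanium code): a reference snapshot,
# a check against it, and a reinitialization after a planned change.

# baseline_init DIR DB: write "sha256  ./path" for every file under DIR to DB.
baseline_init() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# baseline_check DIR DB: print "added|changed|removed PATH" lines, sorted.
# Returns 0 when DIR matches the snapshot and 1 when anything differs.
baseline_check() {
    local dir="$1" db="$2" now out
    now=$(mktemp)
    baseline_init "$dir" "$now"
    out=$(awk '
        # sha256sum prints 64 hex characters, two separator characters, the path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { ref[path] = hash; next }
        { seen[path] = 1
          if (!(path in ref))          print "added " path
          else if (ref[path] != hash)  print "changed " path }
        END { for (p in ref) if (!(p in seen)) print "removed " p }
    ' "$db" "$now" | sort)
    rm -f "$now"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
}

demo() {
    local root db
    root=$(mktemp -d)      # stands in for the monitored file set
    db=$(mktemp)           # snapshot kept outside the monitored tree
    mkdir -p "$root/etc" "$root/opt/app"
    echo 'PermitRootLogin no' > "$root/etc/sshd_config"
    echo 'build 1' > "$root/opt/app/server.bin"
    baseline_init "$root" "$db"

    echo '1. Check before the upgrade: an unplanned change stands out'
    echo 'PermitRootLogin yes' > "$root/etc/sshd_config"
    baseline_check "$root" "$db" || true
    echo 'PermitRootLogin no' > "$root/etc/sshd_config"   # investigated, reverted

    echo '2. Check after the upgrade: planned changes flood the report'
    echo 'build 2' > "$root/opt/app/server.bin"
    echo 'new module' > "$root/opt/app/module.so"
    baseline_check "$root" "$db" || true

    echo '3. Reinitialize, then check: the reference matches again'
    baseline_init "$root" "$db"
    baseline_check "$root" "$db" && echo 'no differences'
    rm -rf "$root" "$db"
}

demo
```

Skipping step 1 would bury the unplanned `sshd_config` change among the planned ones in step 2, and reinitializing in step 3 would then absorb it into the new reference.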
Enable AIDE
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: enforcing enforcing
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 2 to go to the AIDE menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: not initialized
Check Schedule: unscheduled
Recent Reports: none
1: Initialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 1 to initialize AIDE, enable a weekly check report, and run a test check report.
Note that after initialization, the AIDE menu shows status, schedule, and recent report information.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: enabled to run 02:10 each Sunday
Recent Reports: none
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
Run an AIDE check report
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: permissive permissive
AIDE: initialized Mon Apr 06, 2020 14:58:56 UTC
AIDE Check: enabled to run 02:10 each Sunday
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 2 to go to the AIDE menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: enabled to run 02:10 each Sunday
Recent Reports: none
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 2 to run an AIDE check report.
Note that after the report has been run, the report status is updated.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: enabled to run 02:10 each Sunday
Recent Reports: aide_check_20200406_1458_UTC.log
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
Disable the weekly AIDE check report
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: permissive permissive
AIDE: initialized Mon Apr 06, 2020 14:58:56 UTC
AIDE Check: enabled to run 02:10 each Sunday
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 2 to go to the AIDE menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: enabled to run 02:10 each Sunday
Recent Reports: aide_check_20200406_1458_UTC.log
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 3 to disable the weekly AIDE check report.
Note that after the disable report operation has been run, the scheduled report status is updated.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: unscheduled
Recent Reports: aide_check_20200406_1458_UTC.log
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enable the weekly AIDE check report
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: permissive permissive
AIDE: initialized Mon Apr 06, 2020 14:58:56 UTC
AIDE Check: enabled to run 02:10 each Sunday
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 2 to go to the AIDE menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: unscheduled
Recent Reports: aide_check_20200406_1458_UTC.log
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 4 to enable the weekly AIDE check report.
Note that after the enable report operation has been run, the scheduled report status is updated.
Export the weekly AIDE check report
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: permissive permissive
AIDE: initialized Mon Apr 06, 2020 14:58:56 UTC
AIDE Check: enabled to run 02:10 each Sunday
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 2 to go to the AIDE menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: enabled to run 02:10 each Sunday
Recent Reports: aide_check_20200406_1458_UTC.log
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 5 to export the weekly AIDE check report to the /outgoing directory.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced -> AIDE <<<
Advanced Intrusion Detection Environment
AIDE Status: initialized Mon Apr 06, 2020 14:58:56 UTC
Check Schedule: enabled to run 02:10 each Sunday
Recent Reports: aide_check_20200406_1458_UTC.log
1: Reinitialize AIDE, enable weekly check report, run a test check report
2: Run AIDE check report now
3: Disable weekly AIDE check
4: Enable weekly AIDE check report
5: Copy AIDE check reports to outgoing directory
R: Return to previous menu RR: Return to top
------------------------------------------------------
TanOS Version: 1.7.4
TanOS_Shell Version: 1.7.4
Please select: 5
3 reports copied to outgoing directory.
Press enter to continue
- Use SFTP to copy the report from /outgoing to your management computer.
Manage the SSH cipher list
You can select the SSH ciphers included in the list presented to SSH clients.
Before you save changes to the SSH cipher list, make sure the SSH client you use to make SSH connections to TanOS supports at least one of the remaining ciphers.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: enforcing enforcing
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 3 to go to the SSH Ciphers menu.
------------------------------------------------------
>>> Config -> Security -> Advanced -> SSH Ciphers <<<
Current: aes128-ctr,aes192-ctr,aes256-ctr
Pending: aes128-ctr,aes192-ctr,aes256-ctr
1: 3des-cbc : Disabled
2: blowfish-cbc : Disabled
3: cast128-cbc : Disabled
4: arcfour : Disabled
5: arcfour128 : Disabled
6: arcfour256 : Disabled
7: aes128-cbc : Disabled
8: aes192-cbc : Disabled
9: aes256-cbc : Disabled
10: [email protected] : Disabled
11: aes128-ctr (STIG) : Enabled
12: aes192-ctr (STIG) : Enabled
13: aes256-ctr (STIG) : Enabled
14: [email protected] : Disabled
15: [email protected] : Disabled
16: [email protected] : Disabled
S: Save Current Settings
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Select numbered menu items to toggle whether the cipher is included or excluded from the cipher list.
- When you are done modifying the list, enter S to save it.
When FIPS 140-2 mode is enabled, only ciphers that are allowed by FIPS 140-2 appear in the SSH cipher list menu.
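The pre-save check described in this section, and the cipher change shown in the FIPS 140-2 warning, can be verified on the management computer before either change is committed. The following is an added example, not part of the Tanium documentation: `common_ciphers`, `check_client` and the two client lists are constructed for illustration, and `FIPS_LIST` is the list that the FIPS warning on this page shows.

```shell
#!/usr/bin/env bash
# Added example: confirm an SSH client still shares a cipher with the
# appliance before saving a reduced cipher list or enabling FIPS mode.

# common_ciphers SERVER_LIST CLIENT_LIST
# Both arguments are comma-separated. Prints the ciphers present in both,
# one per line, in the server list's order. Returns 1 when nothing overlaps.
common_ciphers() {
    local server_list="$1" client_list="$2" cipher found=1
    local IFS=,
    for cipher in $server_list; do
        # Surrounding commas force whole-name matches only.
        case ",$client_list," in
            *",$cipher,"*) printf '%s\n' "$cipher"; found=0 ;;
        esac
    done
    return "$found"
}

# Ciphers the local OpenSSH client supports, as one comma-separated list.
client_ciphers() {
    ssh -Q cipher | paste -sd, -
}

# check_client SERVER_LIST CLIENT_LIST: report the outcome in words.
check_client() {
    local server_list="$1" client_list="$2" shared
    if shared=$(common_ciphers "$server_list" "$client_list"); then
        echo "OK: client can negotiate $(printf '%s\n' "$shared" | paste -sd, -)"
    else
        echo "LOCKOUT RISK: client shares no cipher with $server_list"
        return 1
    fi
}

# The cipher list that the FIPS warning on this page says TanOS switches to.
FIPS_LIST='aes128-ctr,aes192-ctr,aes256-ctr'

# Constructed client lists for the demonstration (not taken from the page).
MODERN_CLIENT='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
LEGACY_CLIENT='3des-cbc,aes128-cbc,aes256-cbc'

check_client "$FIPS_LIST" "$MODERN_CLIENT"
check_client "$FIPS_LIST" "$LEGACY_CLIENT" || true
```

On a real workstation, pass `"$(client_ciphers)"` as the second argument, then confirm from a second SSH session as the FIPS warning instructs.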
Toggle SELinux mode
Security-Enhanced Linux (SELinux) is a set of kernel modifications and user-space tools that make a Linux-based OS more secure.
By default, the SELinux setting is set to enforcing.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: enforcing enforcing
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 4 to toggle the SELinux setting between permissive and enforcing. A reboot is not required.
Set menu timeout
The menu timeout is the amount of time that the TanOS menu system waits for user input. Enable this feature to cancel user sessions after a period of inactivity. The timeout applies to SSH sessions, but not to Tanium Console sessions. This setting takes effect when a user signs in to the appliance. By default, menus do not time out.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: enforcing enforcing
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 5 to set a menu timeout, in seconds. If you want to disable menu timeouts, set the value to 0.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: permissive permissive
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
TanOS Version: 1.7.4
TanOS_Shell Version: 1.7.4
Please select: 5
The menu timeout is the amount of time in seconds the menu system will wait
for user input. Enabling this feature will result in user sessions being
cancelled after a period of inactivity. The timeout is applied to SSH
sessions, but not to console sessions. This setting takes effect on login.
The timeout is expressed in seconds, minimum 60. 0 disables the feature.
Enter the desired timeout: 0
Toggle Denial of Service protection
Use this setting to add extra protection against Denial of Service (DoS) attacks. By default, this setting is disabled.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: enforcing enforcing
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: disabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 6 to enable DoS protection. The screen updates with an enabled status.
------------------------------------------------------
>>> Appliance Configuration -> Security -> Advanced <<<
Setting Current Persistent
FIPS 140-2: disabled disabled
SELinux: permissive permissive
AIDE: not initialized
AIDE Check: unscheduled
SSH Ciphers: [email protected],aes256-ctr,[email protected]
DOS protection: enabled
1: FIPS 140-2 mode (disabled/enabled)
2: AIDE
3: SSH Ciphers
4: Toggle SELinux mode (permissive/enforcing)
5: Set Menu Timeout
6: Toggle Denial of Service protection
R: Return to previous menu RR: Return to top
------------------------------------------------------
TanOS Version: 1.7.4
TanOS_Shell Version: 1.7.4