Reference: Air gap support

Use the Airgap Operations menu to configure your Tanium™ deployment to access Tanium content in an air-gapped environment.

Overview

In an ordinary Tanium deployment, the Tanium Server connects to content.tanium.com to read a manifest file that enumerates the solutions that can be imported into the deployment. This is the listing you see when you navigate to the Solutions page in the Tanium Console (see Tanium Console User Guide: Managing Tanium solutions). When a user imports a solution, the solution is imported from the remote location. In addition, a Tanium package might reference external files that exist on public sites or a local server.

Figure 1: Importing solutions in an ordinary Tanium deployment

In an air-gapped environment, the Tanium Server does not have access to the Internet. Content that is ordinarily downloaded from content.tanium.com and other Internet locations must be imported and maintained from an authorized and accessible local server.

To support customer deployments in air-gapped environments, the Tanium content build system generates air-gapped support versions of all solution modules and content packs. The air-gapped versions replace references to content.tanium.com and other remote URLs with references to the local host.

In contrast to the ordinary deployment shown above, communication in an air-gapped environment is done on the Tanium Server host computer.

Figure 2: Importing solutions in an air-gapped Tanium deployment

Types of air gap updates

Full updates

Tanium Server releases occur a few times per year. For each Tanium Server release, Tanium publishes an ISO archive (Windows) or RPM package (TanOS) that includes the air-gapped version of all solution modules, production content packs, and lab content packs.

Individual updates

Tanium product releases occur weekly. Usually, a few solution modules or content packs are updated. If a solution module or content pack update is published, Tanium posts a ZIP file that contains the content XML and external files for the update.

Additional external files updates

These updates cover external files for Tanium Comply, Tanium Patch, and Tanium Threat Response. External files used in some module deployments might require updates more frequently than the full or individual update releases.

When to perform an update

Customer lab

Install updates at the direction of Tanium Support. Updates in the lab are done to prepare for a rollout to production. Typically:

  • Install full updates shortly after they are made available.
  • Install individual updates for the solution modules and content that you support shortly after they are made available.
  • Install additional external file updates regularly.

Make a habit of tracking weekly release announcements. Read the release notes to identify items included in the release that might improve the user experience and organizational objectives.

Customer production

Install updates only after you complete testing in the lab environment.

Install a full update

Before you begin

  • Read the release notes for the content packs and modules included in the air gap RPM file. Make sure that you understand the changes introduced in every release in the path from your current release to the target release.
  • Run a health check on each appliance in the environment to make sure each appliance is in a healthy state before you perform the update.

Download the RPM file

  1. From a computer with internet access, download the air gap RPM file.
  2. Copy the RPM file to a location that is available to the appliances.

Install the update

  1. Use SFTP to copy the air gap installer file to the /incoming directory on the Tanium Server appliance. The file name provided by Tanium must be preserved.
  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter C to go to the Manage Content menu.
  5. Enter 1 to go to the Airgap Installer menu.
  6. Enter the line number of the file that you want to install.
  7. Follow the prompts to install the air gap RPM file.
  8. Press Enter to return to the Manage Content menu.
  9. When you install the air gap RPM file, TanOS changes the manifest URL to the URL for the air gap server IP address. You must change the setting for the labs manifest.
    1. Enter B to go to the Manifest URL Change menu.
    2. Enter 4 and follow the prompts to change the labs manifest URL to the value that populates by default.

    For more information, see Change the air gap manifest URLs.

  10. If you have a secondary Tanium Server, repeat the preceding steps to set up that appliance.
  11. Import the content packs and modules.
    1. Sign into the Tanium Console on the primary Tanium Server. Go to Administration > Configuration > Solutions and import the content packs and modules.
    2. (Tanium Server 7.4.2 and earlier) If you have a secondary Tanium Server, sign into the Tanium Console on the secondary Tanium Server. Go to Administration > Configuration > Solutions and import the content packs and modules.

If you encounter errors importing content, check the trusted host list configuration on all Tanium Server and Tanium Module Server appliances to ensure the air gap server IP address is trusted. For more information, see Configure additional security.

Install an individual update

Before you begin

  • Read the release notes for the content pack or module included in the air gap installer file. Make sure that you understand the changes introduced in every release in the path from your current release to the target release.
  • Run a health check on each appliance in the environment to make sure each appliance is in a healthy state before you perform the update.

Download the update file

The installer supports both RPM and ZIP air gap files. The following instructions demonstrate an install with a ZIP file.

  1. From a computer with internet access, download the air gap ZIP file.
  2. Copy the file to a location that is available to the appliances.

Install the update

  1. Use SFTP to copy the air gap ZIP file to the /incoming directory on the Tanium Server appliance.
  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter C to go to the Manage Content menu.
  5. Enter 1 to go to the Airgap Installer menu.
  6. Enter the line number of the file that you want to install.
  7. Follow the prompts to install the air gap ZIP file, but do not press Enter after the install completes.
  8. Copy the URL that appears for the XML file.
  9. Press Enter to go to the Manage Content menu.
  10. Download the XML file to your local computer. For example, you can open the URL in a web browser and save the file to your computer. Depending on your configuration, you might need to change the FQDN of the server to the IP address.
  11. Use keyutility.exe to generate a cryptographic key pair and use it to sign the XML file. For more information, see Enable import of user-created content.
  12. Import the content into Tanium:
    1. Sign in to the Tanium Console on the primary Tanium Server.
    2. From the Main menu, go to the Administration > Content > Sensors page.
    3. In the upper right, click Import Content.
    4. Click Choose File, select the XML file, and click Open.
    5. Click Import.
    6. Review the content to import. In most cases, when you import Tanium-produced content, select the options to merge the categories configuration and to overwrite all of the other configurations, including the designated content set.
    7. Click Import. If prompted, enter your credentials and click OK.
    8. Review the messages to make sure the import completes successfully, and then click Close.
  13. (Tanium Server 7.4.2 and earlier) If you have a secondary Tanium Server, repeat the preceding steps to install the update to that appliance.

If you encounter errors importing content, check the trusted host list configuration on all Tanium Server and Tanium Module Server appliances to ensure the air gap server IP address is trusted. For more information, see Edit TDownloader settings.

Update the Tanium Comply engine packages

In an ordinary environment, Tanium Comply automatically connects to content.tanium.com to download updates for key components used in endpoint scans. In an air-gapped environment, you must update these components manually through the Tanium Console. For complete instructions, see Tanium Comply User Guide: Configure Comply for an air-gapped environment.

Update Tanium Patch files

When your Tanium Server is in an air-gapped environment, the server cannot download patches from the internet. You must configure Patch to install patches from an alternate file location in the Patch settings for Windows endpoints.

To update Tanium Patch files, follow the steps in Tanium Patch User Guide: Downloading patches in an air-gapped environment, but perform the following steps after you download the remote package files:

  1. Rename the ZIP file to content-results.zip and copy it to a location that is available to the Tanium Server appliance.
  2. Use SFTP to copy the ZIP file to the /incoming directory on the Tanium Server appliance.
  3. Sign into the TanOS console as a user with the tanadmin role.
  4. Enter 2 to go to the Tanium Operations menu.
  5. Enter C to go to the Manage Content menu.
  6. Enter 4 to go to the Manage Web Server Content menu.
  7. Enter 1 to go to the Tanium Web Server Content Installer menu and follow the prompts to install the content-results.zip file.
  8. Verify the configuration as instructed in the Patch documentation.

Install or update Tanium Threat Response Signals

In an ordinary environment, Tanium Threat Response automatically connects to content.tanium.com to download updates for Tanium Signals. In an air-gapped environment, you must update the Tanium Signals files manually.

Download the Tanium Signals file

  1. From a computer with internet access, go to the content download URL and download the DetectSignalsV3.zip file.
  2. Use a ZIP program to add another ZIP layer. The extra layer is required to import the ZIP file to the Tanium Server appliance. For example:
    1. Go to Administration > Content > Packages, search for Distribute Tanium Standard Utilities, and download 7za.exe.
    2. Create an archive named content-DetectSignalsV3.zip that includes the file DetectSignalsV3.zip.
      cmd> 7za a content-DetectSignalsV3.zip DetectSignalsV3.zip
      7-Zip (a) 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30
      
      Scanning the drive:
      1 file, 13644 bytes (14 KiB)
      Creating archive: content-DetectSignalsV3.zip
      
      Add new data to archive: 1 file, 13644 bytes (14 KiB)
      
      Files read from disk: 1
      Archive size: 13735 bytes (14 KiB)
      
      Everything is Ok

      The file must be named content-DetectSignalsV3.zip. TanOS expects the prefix content-.

    3. Copy the file to a location that is available to the Tanium Server appliance.
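
A pre-transfer check for the wrapped Signals archive, added here as an example (not Tanium code): it confirms the content- name prefix and the extra ZIP layer described above, and returns a SHA-256 digest to compare after each copy. The digest step, the function names, and the signals.json member in the constructed sample are assumptions of this example.

```python
import fnmatch
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

INNER_NAME = "DetectSignalsV3.zip"  # inner archive name, from the page
REQUIRED_PATTERN = "content-*.zip"  # TanOS naming rule, from the page


def check_signals_wrapper(path):
    """Return (problems, sha256_hex) for a wrapped Signals archive."""
    problems = []
    name = Path(path).name
    if not fnmatch.fnmatchcase(name, REQUIRED_PATTERN):
        problems.append(f"{name}: name must match {REQUIRED_PATTERN}")
    data = Path(path).read_bytes()
    digest = hashlib.sha256(data).hexdigest()  # assumption: compared by hand after each copy
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return problems + [f"{name}: not a valid ZIP archive"], digest
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        if outer.testzip() is not None:  # testzip() names the first member failing its CRC
            problems.append(f"{name}: archive has a corrupt member")
        elif INNER_NAME not in outer.namelist():
            problems.append(f"{name}: does not contain {INNER_NAME}")
        elif not zipfile.is_zipfile(io.BytesIO(outer.read(INNER_NAME))):
            problems.append(f"{name}: {INNER_NAME} inside is not a ZIP")
    return problems, digest


def build_sample(directory, outer_name, wrap=True):
    """Constructed sample: a tiny stand-in for the real Signals ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("signals.json", "[]")  # hypothetical member name
    path = Path(directory) / outer_name
    if wrap:  # the extra ZIP layer the procedure requires
        with zipfile.ZipFile(path, "w") as z:
            z.writestr(INNER_NAME, inner.getvalue())
    else:  # the downloaded file staged as-is, without the wrapper
        path.write_bytes(inner.getvalue())
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for fname in ("content-DetectSignalsV3.zip", "DetectSignalsV3.zip"):
            sample = build_sample(tmp, fname, wrap=fname.startswith("content-"))
            print(fname, check_signals_wrapper(sample))
```

An empty problem list means the file meets the naming and layering requirements for /incoming; record the digest and recompute it on the transfer host before the SFTP copy.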

Install or update the Tanium Signals file

  1. Install the content on the Tanium Server appliance:
    1. Use SFTP to copy the Tanium Signals ZIP file to the /incoming directory on the Tanium Server appliance.
    2. Sign into the TanOS console as a user with the tanadmin role.
    3. Enter 2 to go to the Tanium Operations menu.
    4. Enter C to go to the Manage Content menu.
    5. Enter 4 to go to the Manage Web Server Content menu.
    6. Enter 1 to go to the Tanium Web Server Content Installer menu and follow the prompts to install the Tanium Signals ZIP file.
  2. Specify the location on the appliance for the Tanium Signals manifest URL setting.
    1. In a web browser, sign into the Tanium Console, and go to Modules > Threat Response.
    2. From the Threat Response menu, go to Intel > Sources.
    3. Edit the Tanium Signals source. If the source does not exist, click New Source and complete the configuration.
    4. For the manifest URL, specify the URL for the zip file that you installed in the previous steps. The URL has the following form: https://<TS FQDN>/content/files/DetectSignalsV3.zip
    5. Save the configuration.
    6. From the Sources page in Threat Response, make sure the Intel Count populates with items in the Tanium Signals row.

Troubleshooting tips

  • If your server deployment uses self-signed certificates, select the Ignore SSL option.
  • If you encounter errors importing content, check the trusted host list configuration on both the Tanium Server and Tanium Module Server to ensure the air gap server IP address is trusted.
  • After you save the configuration, the Module Server attempts to download the Tanium Signals ZIP file. On the Module Server, check the Threat Response log located at /detect3-files/logs/detect.log (TanOS menu 3-2). Search for the string signals.downloadSignalsZip to see the logs related to the download operation.

View air gap usage report

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter 2 to go to the Airgap Content Usage report.

Prune air gap content

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter 3 to go to the Prune Airgap Content menu.
  5. Follow the prompts to prune the air gap content.

Manage web server content

TanOS has menus to support installation and management of air-gapped web server content.

Before you begin

Use SFTP to copy the air gap content files to the /incoming directory on the appliance. The file names must be in the content-*.zip format. The web content installs to the <Tanium Server>/http/content/files directory.

Install content

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter 4 to go to the Manage Web Server Content menu.
  5. Enter 1 to go to the Tanium Web Server Content Installer menu.
  6. Follow the prompts to install the content.

Delete content by name

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter 4 to go to the Manage Web Server Content menu.
  5. Enter 2 and follow the prompts to delete the content.

Delete content by list

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter 4 to go to the Manage Web Server Content menu.
  5. Enter 3 and follow the prompts to delete the content.

Edit air gap options

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter A to edit the air gap options.
  5. Use the menu to edit the configuration.

Change the air gap manifest URLs

The manifest and lab manifest refer to the URL the Tanium Console uses to locate solution modules and content packs available for download and use. The default locations point to content.tanium.com. In an air-gapped deployment, the manifest URLs are different. Use the TanOS menu to change them to the air gap content location.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter B to go to the Manifest URL Change menu.
  5. Use the menu to change the manifest URL.