Reference: Appliance configuration

You are prompted to configure basic host and network settings when you complete the initial configuration. Use the Appliance Configuration menu to modify the configuration.

Changes to the network configuration do not go into effect until you restart network services. If you connect over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection terminates.

Modify the host name and DNS configuration

Host, domain, DNS server, and /etc/hosts settings are configured during the initial setup. If necessary, you can use the Hostname/DNS Configuration menu to make changes.

Contact Tanium Support if you plan to change the Tanium Server host name.Tanium Support needs the new host name to update the Tanium license for you. For more information, see Contact Tanium Support.

Modify the host name

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu. View screen

   ------------------------------------------------------
   
              >>> Appliance Configuration <<< 
   
            1: Hostname/DNS Configuration
            2: Networking Configuration
            3: NTP Configuration
            4: Syslog Configuration
            5: SNMP Configuration
            6: Module File Share Configuration
            7: Reset all NICs to DHCP (VM only)
   
            A: Security
            I: iDRAC Management
            X: Advanced Configuration
   
            R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

3. Enter 1 to go to the Hostname/DNS Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Hostname/DNS Configuration <<< 
   
             1: Manage Hostname/Domain Name
             2: Manage DNS Server
             3: Edit manual hosts entries
   
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 1 and follow the prompts to change the host name, which must be a fully qualified domain name (FQDN). View screen

   >>> Appliance Configuration -> Hostname/DNS Configuration -> Hostname <<< 
   
   
   Current hostname (FQDN): 
   ts1.test.tanium.local
   
   Please contact Tanium Support prior to changing the hostname of an
   active TanOS appliance!
   
   New FQDN: ts1.test.tanium.local
   
   		

Modify the DNS server

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 1 to go to the Hostname/DNS Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Hostname/DNS Configuration <<< 
   
             1: Manage Hostname/Domain Name
             2: Manage DNS Server
             3: Edit manual hosts entries
   
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 2 and follow the prompts to modify the DNS server configuration. View screen

   >>> Appliance Configuration -> Hostname/DNS Configuration -> Domain Name <<< 
   
   Currently configured name server(s):
   192.168.76.2
   
   Would you like to change the DNS Server address? [Yes|No]: yes
   Please provide the first DNS server address: 10.10.10.10
   Please provide second DNS server address: 
   Finished setting new DNS Servers
   
   Press enter to continue

Modify the hosts file

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 1 to go to the Hostname/DNS Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Hostname/DNS Configuration <<< 
   
             1: Manage Hostname/Domain Name
             2: Manage DNS Server
             3: Edit manual hosts entries
   
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 3 and use the manual_hosts menu to update the /etc/hosts file. View screen

     >>> Tanium TanOS -> Tools -> Edit Files -> manual_hosts <<< 
   
   #### Contents of /etc/hosts #####
   # Generated 2022-03-07 19:06:46
   127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
   ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
   
   # This appliance
   10.20.70.11 ts1.test.tanium.local ts1
   
   # Appliance array members
   10.20.70.12 ts2.test.tanium.local ts2
   10.20.70.13 tms1.test.tanium.local tms1
   10.20.70.14 tms2.test.tanium.local tms2
   10.20.70.15 tzs.test.tanium.local tzs
   
   # Manual entries
   # No manual entries
   #################################
   
                file is empty
   
             A: Add a line
   
             R: Return to previous menu  RR: Return to top
   		

Modify the network interface configuration

Contact Tanium Support before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 2 to go to the Networking menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Networking <<< 
   
             1: Network Interfaces
             2: IPSEC Configuration
             3: Routing Configuration
             4: Restart Networking
   
             T: NIC Teaming
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 1 to go to the Network Interfaces menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Networking -> Network Interfaces <<< 
   
    Manage network interfaces and their configuration such as assigned IP address
    or MTU settings.
   
    Available network interfaces:
   
      #: Interface    State  Link MAC                IP                  Location
      1: eth0         UP     YES  ca:bc:69:8a:0d:4b  10.20.70.161/22     virtual
   
      R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter the line number of the interface that you want to configure to go to the selected Network Interface menu. View screen

   >>> Appliance Configuration -> Networking -> Network Interface <<< 
   
    Current settings:
      Interface: ens160
      IPv4 Address: 10.10.10.60/24
      Default IPv4 Gateway: 10.10.10.2
      IPv6 Address: fe80::20c:29ff:feed:26f/64
      IPv6 Gateway:
   
             1: Manage IP address
             2: Manage MTU Size
             3: Manage Temporary Interface Status (up/down)
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

6. Use the menu to change the IP address, MTU size, or up/down status.

Set up an IPsec tunnel

Use IPsec to ensure end-to-end security between two Tanium Server appliances. An IPsec tunnel is automatically configured when you install an Appliance Array.

1. Start two SSH terminal sessions so you can copy and paste between them:
   • First Tanium Server appliance
   • Second Tanium Server appliance
2. Sign in to each of the Tanium Server appliances as a user with the tanadmin role and go to the IPsec menu:
   1. Enter A to go to the Appliance Configuration menu.
   2. Enter 2 to go to the Networking Configuration menu. View screen

      ------------------------------------------------------
      
           >>> Appliance Configuration -> Networking <<< 
      
                1: Network Interfaces
                2: IPSEC Configuration
                3: Routing Configuration
                4: Restart Networking
      
                T: NIC Teaming
      
                R: Return to previous menu  RR: Return to top
      
      ------------------------------------------------------

   3. Enter 2 to go to the IPSEC menu. View screen

      ------------------------------------------------------
      
          >>> Appliance Configuration -> IP -> IPSEC <<< 
      
                1: Display Local IPSEC host key
                2: Display IPSEC Configuration
                3: Configure IPSEC
                4: Delete IPSEC
                5: Restart IPSEC
                6: Test IPSEC
      
                R: Return to previous menu  RR: Return to top
      
      ------------------------------------------------------

3. On the second appliance, copy the IPsec host key to the clipboard:
   1. From the IPSEC menu (A-2-2), enter 1 to view the local IPsec host key. View screen

      >>> Appliance Configuration -> IP -> IPSEC -> Display Host Key <<< 
      
       Local Host Key Information:
      
      0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTOzI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjH
      pNpMdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1
      xKNOkR4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK0+JHyxuu0UL6yvIVKeV1H8ohSbr
      DD213ut8lDQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3KiwZldH6fof/h+dADWWuwcgge
      k4NzyI1DRtBbdA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1GoTny1OiWArEDJUoW8IYUQI
      qPvmItG76zKwfIL1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4Lw46G2OQaO1Eg5LHzY
      GS6BnEUG896yXvlxZJWZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5LrI+kUpA8FUCgY1tI
      dQPdXMU6F0K+wWapSzCtbs8D343LYOMmiKgP2rZpFPOEc9
      
       Press enter to continue

   2. Copy the key to the clipboard.
4. On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance. View screen

   >>> Appliance Configuration -> IP -> IPSEC -> Configure IPSEC <<< 
   
    To configure IPSEC connectivity between TanOS systems the following information is required
   
    - Local IP address
    - Remote IP address
    - Remote host key
   
    Any exiting configuration will be overwritten!
   
    Would you like to continue with IPSEC configuration? [Yes|No]: yes
    Please provide the local ip address: 192.168.76.101
    Please provide the remote ip address: 192.168.76.102
    Please provide the remote hostkey: 0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTO
   zI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjHpNpMdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+
   Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1xKNOkR4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK
   0+JHyxuu0UL6yvIVKeV1H8ohSbrDD213ut8lDQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3K
   iwZldH6fof/h+dADWWuwcggek4NzyI1DRtBbdA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1Go
   Tny1OiWArEDJUoW8IYUQIqPvmItG76zKwfIL1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4
   Lw46G2OQaO1Eg5LHzYGS6BnEUG896yXvlxZJWZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5Lr
   I+kUpA8FUCgY1tIdQPdXMU6F0K+wWapSzCtbs8D343LYOMmiKgP2rZpFPOEc9

5. On the first appliance, copy the IPsec host key to the clipboard:
   1. From the IPSEC menu, enter 1 to view the local IPsec host key.
   2. Copy the key to the clipboard.
6. Go to the second appliance and complete the IPsec configuration:
   1. From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
   2. Enter 6 to test the connection from the second appliance. View screen

      >>> Appliance Configuration -> IP -> IPSEC -> Test IPSEC <<< 
      
       Testing secured connectivity to the remote ip.
      
       Secure connectivity to remote IP 192.168.76.101 is working
      
      
       Press enter to continue

7. Go back to the first appliance and enter 6 to test the connection.

Modify the routing configuration

You can add a static route, if necessary.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 2 to go to the Networking menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Networking <<< 
   
             1: Network Interfaces
             2: IPSEC Configuration
             3: Routing Configuration
             4: Restart Networking
   
             T: NIC Teaming
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 3 to go to the Routing menu. View screen

   >>> Appliance Configuration -> Networking -> Routing  <<< 
   
    Manage local routing entries.
    Note: this appliance is NOT a router! 
   
    Routing table:
   
             #: Destination               Interface  Next Hop
   
             1: default                   ens160     10.10.10.2
             2: 10.10.10.0/24             ens160     LOCAL
             3: 169.254.0.0/16            ens160     LOCAL
             4: 169.254.0.0/16            ens192     LOCAL
             5: 169.254.0.0/16            ens224     LOCAL
             6: 169.254.0.0/16            ens256     LOCAL
   
             A: Add a routing entry
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Use the menu to manage the routing table.

Modify the NTP configuration

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 3 to go to the NTP Configuration menu. View screen

   ------------------------------------------------------
   
     >>> Appliance Configuration -> NTP Configuration <<< 
   
    Currently configured ntp servers: 
    pool.ntp.org
   
    Current NTP Status:
    synchronised to NTP server (167.248.49.102) at stratum 3
    time correct to within 77 ms
    polling server every 512 s
   
    Current NTP Peers:
    remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *167-248-49-102. 68.97.68.79      2 u  177  512  377   44.861   -0.222   0.234
   
    		1: pool.ntp.org
   
    		A: Add NTP server
   
    		R: Return to previous menu  RR: Return to top
   			
   TanOS Version:        1.7.3
   TanOS_Shell Version:  1.7.3
   
   Please select: a
   Please enter the NTP server address: 
   Does this server require authentication? [Yes|No]: y
   Please enter the NTP key ID (1-65534): 
   Please enter the NTP key type: 
   Please enter the NTP key: 0123456789012345678
   Save changes and restart NTP? [Yes|No]: y
   Press enter to continue 

4. Enter the line number of the existing NTP server to modify or remove, or enter A to add a new NTP server.
5. Follow the prompts to add, modify, or remove the NTP server. To add or modify an NTP server, enter the NTP server address and whether the server requires authentication. If the NTP server requires authentication, enter the NTP key ID, NTP key type, and NTP key at the prompts.
6. Enter yes to save changes and restart the NTP server.

Configuring syslog

You can forward appliance logs to a remote syslog server.

Syslog forwarding versus alerts

The syslog forwarding configuration under Appliance Configuration is separate from the syslog alert configuration in the Appliance Maintenance menu. Note these key differences:

• Syslog forwarding configuration sends all messages located in /var/logs/messages to a syslog destination.

• Syslog configuration for alerts sends events that match the specified alert threshold severity (info, warn, and error). See Configure alerts for more information.

Check syslog status

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 4 to go to the Syslog Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Syslog Configuration <<< 
   
   Note: If using TLS, set the cert before configuring forwarding
   
    Syslog forwarding is disabled
    
             1: Check current status
             2: View Trust Certificate
             3: Upload Trust Certificate
             4: Remove Trust Certificate
             5: Configure syslog forwarding
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 1 to view the last 5 logs and current syslog status. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Syslog Configuration -> Check Status <<< 
   
    Checking existing syslog configuration
   
    ###
    Found TanOS syslog configuration with destination logfile Kernel
   
    Current size of /var/log/tanos :76924
   
    Last 5 entries in /var/log/tanos:
   2020-05-22T14:00:01.756970+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: 
   DEBUG called by root -b
   2020-05-22T14:15:01.908001+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: 
   DEBUG called by root -b
   2020-05-22T14:30:01.962601+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: 
   DEBUG called by root -b
   2020-05-22T14:31:19.706181+00:00 appliance-160 TanOS_Shell: privileged_appliance_configuration_
   ntp.sh: DEBUG called by tanadmin
   2020-05-22T14:33:36.632542+00:00 appliance-160 TanOS_Shell: privileged_appliance_sub_configurat
   ion_syslog.sh: DEBUG called by tanadmin
   
    ###
    No existing TanOS syslog forwarding configuration found
   
    Press enter to continue

Import a syslog server trust certificate

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 4 to go to the Syslog Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Syslog Configuration <<< 
   
   Note: If using TLS, set the cert before configuring forwarding
   
    Syslog forwarding is disabled
    
             1: Check current status
             2: View Trust Certificate
             3: Upload Trust Certificate
             4: Remove Trust Certificate
             5: Configure syslog forwarding
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.

Enable syslog forwarding

Syslog Forwarding sends the same data that gets logged in /var/log/messages to the destination.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 4 to go to the Syslog Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Syslog Configuration <<< 
   
   Note: If using TLS, set the cert before configuring forwarding
   
    Syslog forwarding is disabled
    
             1: Check current status
             2: View Trust Certificate
             3: Upload Trust Certificate
             4: Remove Trust Certificate
             5: Configure syslog forwarding
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 5 and follow the prompts to specify the IP address or fully qualified domain name (FQDN), port, and protocol for the remote syslog server. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Syslog Configuration -> Configure <<< 
   
   Configuring syslog forwarding (empty destination to disable forwarding)
   
   Please enter the destination host: 10.10.10.10
   Please enter the destination port: 514
   Enable TLS? [Yes|No]: n
   Please enter the destination protocol [tcp/udp]: tcp
   
   Will create syslog forwarding configuration
   Finished configuring syslog forwarding
   Press enter to continue

Configuring SNMP

SNMP is disabled by default. You can configure SNMPv3 credentials for the default SNMP user tansnmp. This user can make a remote SNMP connection to the appliance to walk the MIB from a remote host or SNMP manager.

Set password and start the SNMP service

Passwords must contain at least 8 characters.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 5 to go to the SNMP Configuration menu. View screen

   ------------------------------------------------------
   
    >>> Appliance Configuration -> SNMP Configuration <<< 
   
   State:     Enabled
   Username:  tansnmp
   Location:  New York, NY
   Contact:   [email protected]
   EngineID:  0x80001f8880d6736914ae15e56000000000
   
   Sample:
   snmpwalk -v3 -u tansnmp -A 'password' -X 'password' -a sha -x AES -l authPriv 10.10.10.61
   
             U: Change the Username
             L: Change the Location
             C: Change the Contact
             V: View SNMP Service Status
             D: Stop the SNMP Service
             S: Set Password and Start the SNMP Service
   
             R: Return to previous menu  RR: Return to top

4. Enter S , enter the desired SNMP password at the prompt, and hit enter to save the password and enable the SNMP service. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> SNMP Configuration <<< 
   
   State:     Enabled
   Username:  tansnmp
   Location:  New York, NY
   Contact:   [email protected]
   EngineID:  0x80001f8880d6736914ae15e56000000000
   
   Sample:
   snmpwalk -v3 -u tansnmp -A 'password' -X 'password' -a sha -x AES -l authPriv 10.10.10.61
   
             U: Change the Username
             L: Change the Location
             C: Change the Contact
             V: View SNMP Service Status
             D: Stop the SNMP Service
             S: Set Password and Start the SNMP Service
   
             R: Return to previous menu  RR: Return to top
   			
   ------------------------------------------------------
   
    TanOS Version:        1.7.3
    TanOS_Shell Version:  1.7.3
    
   	Please select: s
   	Enter the desired SNMP password: 
   
   	Successfully saved and enabled the SNMP service
   
   	Press enter to continue

Change the SNMP user name, location, or contact

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 5 to go to the SNMP Configuration menu.
4. Enter U to change the user name, L to change the location, or C to change the contact and follow the prompts to enter the new value.

View SNMP service status

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 5 to go to the SNMP Configuration menu.
4. Enter V to view the SNMP service status details.

Stop the SNMP service

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 5 to go to the SNMP Configuration menu.
4. Enter D to stop and disable the SNMP service.

Configure solution module file share mounts

Tanium™ Connect, Tanium™ Detect, and Tanium™ Trends write consumable files to disk. You can configure the Tanium™ Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share.

When two module servers are deployed in an active standby configuration its recommended that you configure each module server in the same way, because file share mounts are not replicated. This will ensure functionality is maintained in the event of a failover.

Add a file share mount

1. Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 6 to go to the Share Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Share Configuration <<< 
   
            1: Create a new Connect mount
            2: Create a new Detect mount
            3: Create a new Trends mount
            4: Delete an existing Connect mount
            5: Delete an existing Detect mount
            6: Delete an existing Trends mount
   
            A: List existing mounts
            B: Test existing mounts
            C: Re-attempt mounts
   
            R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter the line number of the mount you want to create and complete the configuration to add a file share mount. View screen

   >>> Appliance Configuration -> Share Configuration -> Create Mount Connect <<< 
   
   Before configuring shares, ensure you have the following information at hand:
   
   - Type of share - NFS or CIFS
   - CIFS: hostname/IP of the server, share name, credentials (username, domain, password)
   - CIFS: please do NOT use a cname as the host name, if the server is running a Windows OS
   - NFS: hostname/IP of the server, export name
   
   Would you like to continue? [Yes|No]: yes
   
   Please enter the servername for mount: 192.168.154.219
   Please enter the share name / export: connect
   Please enter share type (cifs/nfs): cifs
   Please enter the user name: bernd
   Please enter the domain name: tam.local
   Please enter the password (will not be displayed): 
   Checking if CIFS mounting would be successful (might take a while)
   Mount successfully established, creating permanent connection
   Added CIFS share permanently.
   Press enter to exit

List a file share mount

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 6 to go to the Share Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Share Configuration <<< 
   
            1: Create a new Connect mount
            2: Create a new Detect mount
            3: Create a new Trends mount
            4: Delete an existing Connect mount
            5: Delete an existing Detect mount
            6: Delete an existing Trends mount
   
            A: List existing mounts
            B: Test existing mounts
            C: Re-attempt mounts
   
            R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter A to go to the List Mounts menu. View screen

   >>> Appliance Configuration -> Share Configuration -> List Mounts <<< 
   
    Hint: This should finish in less than 1 second
    If it takes a long time, the target system may be down!
   
    Service  State        Target                              Persistent  Type 
   
    Connect  Mounted      192.168.154.62:/opt/share           Yes         nfs
    Detect   Mounted      //192.168.154.219/detect$           Yes         cifs
    Trends   Not Mounted  N/A                                 No          N/A
   
   Press enter to exit

Test a file share mount

1. Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 6 to go to the Share Configuration menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Share Configuration <<< 
   
            1: Create a new Connect mount
            2: Create a new Detect mount
            3: Create a new Trends mount
            4: Delete an existing Connect mount
            5: Delete an existing Detect mount
            6: Delete an existing Trends mount
   
            A: List existing mounts
            B: Test existing mounts
            C: Re-attempt mounts
   
            R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter B to test file share mounts. View screen

   >>> Appliance Configuration -> Share Configuration -> Test Mounts <<< 
   
   Share for connect service mounted, we expect write access to succeed:
   Write test successful
   Read test successful
   
   Share for detect service mounted - we expect write access to succeed:
   Write test successful
   Read test successful
   
   Share for Trends service NOT mounted.
   
   
   Press enter to exit

Change from a static IP address to DHCP (Tanium Virtual Appliance only)

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter 7 and follow the prompts to use DHCP.

Configure additional security

Use the Security menu to manage SSH trusted host list configurations.

Manage inbound SSH access rules

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 2 to go to the Manage SSH menu. View screen

   >>> Appliance Configuration -> Security -> Manage SSH <<< 
   
    The following rules allowing inbound SSH are currently active
   
             #: Source
   
             1: 0.0.0.0/0
             2: ::/0
   
             A: Add Rule
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. From this menu, you can add or delete rules that restrict SSH access to hosts from specified subnets only.
   • Enter A and follow the prompts to add a new rule.
   • Enter the line number of an existing rule and follow the prompts to delete the rule.

Configure SSH banner text

You can add custom SSH banner text to TanOS.

1. Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
2. Sign in to the TanOS console as a user with the tanadmin role.
3. Enter A to go to the Appliance Configuration menu.
4. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter 3 to add the banner file. View screen

   >>> Appliance Configuration -> Security -> Manage SSH -> Configure SSH Banner <<< 
   
   Uploaded banner_ssh.txt file found in tancopy incoming.
   TanOS will replace the existing banner with the new file.
   Log out of ssh and re-connect to view the banner.
   
   Banner file copy successful
   
   Press enter to continue

View SSH fingerprints

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 4 to view the SSH fingerprints. View screen

   >>> Appliance Configuration -> Security -> Manage SSH -> Display SSH Fingerprints <<< 
   
    ecdsa 
    MD5: 256 SHA256:L0IXFHyMonAdPYs/ohgDVwdO23wDi0zCo4bRW4Gafog no comment (ECDSA)
    SHA256: L0IXFHyMonAdPYs/ohgDVwdO23wDi0zCo4bRW4Gafog=
   
    ed25519 
    MD5: 256 SHA256:KT7IGcJHsm3ZO+iOXrxCUk0Wuvdl2/NoybHvHT5al3Q no comment (ED25519)
    SHA256: KT7IGcJHsm3ZO+iOXrxCUk0Wuvdl2/NoybHvHT5al3Q=
   
    rsa 
    MD5: 2048 SHA256:Mb6VUEjcXGBd+d+gVF3isQ2zPztAY1KkYH17xTB+vOQ no comment (RSA)
    SHA256: Mb6VUEjcXGBd+d+gVF3isQ2zPztAY1KkYH17xTB+vOQ=
   
    Press enter to continue

Configure LDAPS or StartTLS

If you have requirements to use the LDAPS or StartTLS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root certificate authority (CA) certificate and then enable the LDAPS/StartTLS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.

The LDAP server root CA certificate must be able to validate the LDAP server certificate. The subject field of the LDAP server certificate must match the host field in the LDAP configuration.

In a clustered environment, upload the LDAP server CA certificate to both Tanium Servers.

Paste the LDAP server root CA contents

To add multiple CA certificate files, put all certificates in one file and paste them in them in together.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter A to go to the LDAP CA Certificate Management menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> LDAP CA Certificate Management <<< 
   
             Current LDAPS or STARTTLS Status: ENABLED 
   
             1: Add Certificate
             2: Import Certificate
             3: LDAPS or STARTTLS Configuration
             4: Disable TLS Certificate Validation
             5: List Certificates
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file. View screen

   >>> Appliance Configuration -> LDAPS Configuration -> Create Certificate <<< 
   
    Please paste the certificate text (Empty line to end): 
   -----BEGIN CERTIFICATE-----
   MIIC+TCCAeGgAwIBAgIgT6zZwxXi3vGl+DFiachhuiDEc/Rak9ECxUEhRcHZx8ww
   DQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTA5MTIwNDA4
   MTY1NVoXDTI5MTIwNDA0NDA1NVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjAN
   BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2xC69YszWNu1p4pdyC1rWGtiqEWg
   X+s1Hykq23bDzA56CqbsM3FO+HkDSty6HLCDZttDOJ4EG+DvVjOGSdyTPDF/O2B1
   Ztc1hxr/YSGu/4zm/SEgrHpw4iU4+fEcyK8LXlS19o36mZ1J/jy7LU4JFe6MLcIQ
   c6Stq1FbUJl7M7qO6NwIAaWnjX0gw3jpCtYHPqwGw9K0Sg0a5Rrsbam64srrm2Yl
   q9P7lMtJqTpwmglg8CxJ6QEPEyzprF6VNaNnT6KUlNhc634KChGXw5otwsU4lfvW
   2Yti1C8ofG96fGwFr189KqjWTCXI/K7eCDi/9AYnmFgvJbuUdUF9fVS/oQIDAQAB
   ozcwNTAdBgNVHQ4EFgQU9P/VO7ipszDcUQaWdE3RmH0w/gwwFAYDVR0RBA0wC4IJ
   bG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAb0TK8LhdsdWbaPIQFI2K2QgKt
   OvBuf4j1Mbm0rT1hyOyvpP0Bl429gr7AwDlnSZgBQzjIVjtUpgLlTlarZmAnaaLz
   /EBY4cq9PGPXeLEiFGNh6/LQfGt5Gx7y/hpv+xutPS2uo2IBhidlePNuLoAX3tY4
   B4vW1LFcD2mkPXvZHeZ4vrmpls1nxLo+wP7pgvLxL6GqYi6hZVAuHrKmsvsT0E09
   3JDYgvGm5drX+Y3hsmMn7IaG4e/53qm7TiVjFGAFVwd+3K6apdMUabVaz5oQ161I
   tgcXvdk4RvVOdFL/ZSC+PsPyhZrwyXFQF9C494P7utu4Lnqc/Ke5buWeHTz5
   -----END CERTIFICATE-----
   
    Validating input
    Please enter a short name for this certificate: ldaps_ca
    Installing certificate
    Finished adding LDAPS certificate
   You will need to restart the Tanium Server service for this change to take effect.
   Do you wish to restart the service now? [Yes|No]: 
   

6. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Import the LDAP server root CA certificate files

To add multiple CA certificate files, put all certificates in one file and use the Add Certificate option to paste them in together. See Paste the LDAP server root CA contents.

1. Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
2. Sign in to the TanOS console as a user with the tanadmin role.
3. Enter A to go to the Appliance Configuration menu.
4. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter A to go to the LDAP CA Certificate Management menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> LDAP CA Certificate Management <<< 
   
             Current LDAPS or STARTTLS Status: ENABLED 
   
             1: Add Certificate
             2: Import Certificate
             3: LDAPS or STARTTLS Configuration
             4: Disable TLS Certificate Validation
             5: List Certificates
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

6. Enter 2 and follow the prompts to import the LDAP server root CA certificate file.
   • For the file ID, enter a short, unique string that you can use to reference the certificate.
7. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Enable/Disable the LDAPS or StartTLS configuration

You can toggle the LDAPS or StartTLS configuration on and off. When disabled, the connection is unencrypted LDAP.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter A to go to the LDAP CA Certificate Management menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> LDAP CA Certificate Management <<< 
   
             Current LDAPS or STARTTLS Status: ENABLED 
   
             1: Add Certificate
             2: Import Certificate
             3: LDAPS or STARTTLS Configuration
             4: Disable TLS Certificate Validation
             5: List Certificates
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter 3 to enable or disable the LDAPS configuration.

Enable/Disable TLS certificate validation

If necessary during troubleshooting, you can disable TLS certificate validation to help you determine if there is a problem with the certificate.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter A to go to the LDAP CA Certificate Management menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> LDAP CA Certificate Management <<< 
   
             Current LDAPS or STARTTLS Status: ENABLED 
   
             1: Add Certificate
             2: Import Certificate
             3: LDAPS or STARTTLS Configuration
             4: Disable TLS Certificate Validation
             5: List Certificates
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter 4 to disable TLS certificate validation for connections with the LDAP server. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Configure LDAPS -> Disable Certificate Validation <<< 
   
   
   Disable LDAPS Certificate validation
   LDAPS certificate validation has been Disabled
   Press enter to continue

Manage LDAPS certificates

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter A to go to the LDAP CA Certificate Management menu. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> LDAP CA Certificate Management <<< 
   
             Current LDAPS or STARTTLS Status: ENABLED 
   
             1: Add Certificate
             2: Import Certificate
             3: LDAPS or STARTTLS Configuration
             4: Disable TLS Certificate Validation
             5: List Certificates
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter 5 to list and manage the LDAPS certificates that have been imported. View screen

   ------------------------------------------------------
   
   >>> Appliance Configuration -> Configure LDAPS -> List Certificate <<< 
   
   
    # CN                         Expires                   MD5 Sum                           Name
    1                            Dec  4 04:40:55 2030 GMT  dae8ad7e536540e97ddac0b75316a32b  ldaps_ca
   
    Select a line number or enter to quit): 1
   
    Enter V to view details, D to Delete or enter to quit ? v

Configure security policy rules

The TanOS user access security policy has the following factory settings.

Setting	Factory default	Description
Password Lifetime	Minimum: 0 days Maximum: 90 days	The minimum sets the minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. The maximum sets the age at which a current password expires.
Password History	4 most recent	The number of most recent passwords to disallow reuse. A setting of 0 allows reuse of any previous passwords. This setting does not apply to the tanadmin account.
Password Minimum Length	10 characters	The minimum number of characters allowed in a password. Valid range is 6 -10 characters.
Password Minimum Characters Changed	0 (disabled)	The minimum number of characters in the new password that must not be present in the previous password. 5 is a common practice. STIG requires a minimum of 8. A setting of 0 allows reuse of any character. This setting does not apply to the tanadmin account.
Login Failure Delay	0 seconds	The time, in seconds, between a failed sign in attempt and the next time the prompt is returned to prompt the user for the password.
Expired Passwords Effect	Force Password Change	Determine the effect on a user account when a password expires. Two options: Disable the user account Force password change on next sign in
Account Lockout Time	900 seconds after 3 failures	The number of seconds to lock an account after three consecutive unsuccessful sign in attempts. Valid range is 0-604800 seconds.
Maximum Concurrent Logins	10	The number of concurrent sign in sessions for a user account. A setting of 0 disables remote access.

To modify security policy settings:

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu.
3. Enter A to go to the Security menu. View screen

   ------------------------------------------------------
   
        >>> Appliance Configuration -> Security <<< 
   			
             2: Manage SSH
             3: Configure SSH Banner
             4: Display SSH Fingerprints
             5: Regenerate SSH Host keys
   
             A: LDAP CA Certificate Management
             B: Database Certificate Management
   
             P: Security Policy
   
             X: Advanced Security
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter P to go to the Appliance Configuration Security Policy menu. View screen

   ------------------------------------------------------
   
      >>> Appliance Configuration Security Policy <<< 
   
    Current Settings:
      Password Lifetime: min 0 days, max 90 days
      Password History: remember 4 most recent
      Password Minimum length: 10 characters
      Minimum changed: disabled
      Login Failure delay: 0 seconds
      Expired Passwords Effect: Force Password Change
      Account lockout: 900 seconds after 3 failures
      Max concurent logins: 10 users
      Login Timeout: 120 seconds
   
             1: Password Lifetime
             2: Password History Reuse Limit
             3: Password Minimum Length
             4: Password Minimum Characters Changed
   
             D: Login Failure Delay
             E: Expired Passwords Effect
             L: Account Lockout Time
             M: Maximum Concurrent Logins
   		  T: Login Timeout
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Use the menu to view and edit password, sign in, and lockout rules.

After you modify password policy settings, it is expected that password prompts in TanOS menus provide users with guidance on the updated requirements.