You are prompted to configure basic host and network settings when you complete the initial configuration. Use the Appliance Configuration menu to modify the configuration.
Changes to the network configuration do not go into effect until you restart network services. If you connect over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection terminates.
Modify the host name and DNS configuration
Host, domain, DNS server, and /etc/hosts settings are configured during the initial setup. If necessary, you can use the Hostname/DNS Configuration menu to make changes.
Modify the host name
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
X: Advanced Configuration
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 1 to go to the Hostname/DNS Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Hostname/DNS Configuration <<<1: Manage Hostname/Domain Name
2: Manage DNS Server
3: Edit hosts file
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 1 and follow the prompts to change the host name and domain name. View screen
>>> Appliance Configuration -> Hostname/DNS Configuration -> Hostname <<<
Current hostname: appliance-ts1
Current domain name: tam.local
Please contact your TAM prior changing the hostname of an active TanOS appliance!
Would you like to change the hostname/domain name? [Yes|No]:
Modify the DNS server
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 1 to go to the Hostname/DNS Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Hostname/DNS Configuration <<<1: Manage Hostname/Domain Name
2: Manage DNS Server
3: Edit hosts file
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 2 and follow the prompts to modify the DNS server configuration. View screen
>>> Appliance Configuration -> Hostname/DNS Configuration -> Domain Name <<<
Currently configured name server(s):
192.168.76.2
Would you like to change the DNS Server address? [Yes|No]: yes
Please provide the first DNS server address: 10.10.10.10
Please provide second DNS server address:
Finished setting new DNS Servers
Press enter to continue
Modify the hosts file
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 1 to go to the Hostname/DNS Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Hostname/DNS Configuration <<<1: Manage Hostname/Domain Name
2: Manage DNS Server
3: Edit hosts file
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 3 and use the hosts menu to update the /etc/hosts file. View screen
>>> Tanium TanOS -> Tools -> Edit Files -> hosts <<<
#: Line Content
1: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
2: ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
3: 10.10.10.60 appliance-160.tam.local
A: Add a line
R: Return to previous menu
------------------------------------------------------
TanOS Version: 1.6.3
TanOS_Shell Version: 1.6.3
Please select:
Modify the network interface configuration
Contact Tanium Support before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations. For information on how to contact Tanium Support, see Contact Tanium Support.
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
H: Help
R: Return to previous menu
------------------------------------------------------
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 1 to go to the Network Interfaces menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Networking -> Network Interfaces <<<
Manage network interfaces and their configuration such as assigned IP address
or MTU settings.
Available network interfaces:
#: Interface State Link MAC IP Location
1: eth0 UP YES ca:bc:69:8a:0d:4b 10.20.70.161/22 virtual
R: Return to previous menu
------------------------------------------------------
Enter the line number of the interface that you want to configure to go to the selected Network Interface menu. View screen
>>> Appliance Configuration -> Networking -> Network Interface <<<
Current settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address: fe80::20c:29ff:feed:26f/64
IPv6 Gateway:
1: Manage IP address
2: Manage MTU Size
3: Manage Temporary Interface Status (up/down)
H: Help
R: Return to previous menu
------------------------------------------------------
Use the menu to change the IP address, MTU size, or up/down status.
Set up an IPsec tunnel
Use IPsec to ensure end-to-end security between two Tanium Server appliances. An IPsec tunnel is automatically configured when you install an Appliance Array.
Start two SSH terminal sessions so you can copy and paste between them:
First Tanium Server appliance
Second Tanium Server appliance
Sign into each of the Tanium Server appliances as a user with the tanadmin role and go to the IPsec menu:
Enter A to go to the Appliance Configuration menu.
Enter 2 to go to the Networking Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
H: Help
R: Return to previous menu
------------------------------------------------------
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
H: Help
R: Return to previous menu
------------------------------------------------------
------------------------------------------------------
>>> Appliance Configuration -> IP -> IPSEC <<<1: Display Local IPSEC host key
2: Display IPSEC Configuration
3: Configure IPSEC
4: Delete IPSEC
5: Restart IPSEC
6: Test IPSEC
H: Help
R: Return to previous menu
------------------------------------------------------
On the second appliance, copy the IPsec host key to the clipboard:
From the IPSEC menu (A-2-2), enter 1 to view the local IPsec host key. View screen
>>> Appliance Configuration -> IP -> IPSEC -> Display Host Key <<<
Local Host Key Information:
0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTOzI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjHpNp
MdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1xKNOkR
4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK0+JHyxuu0UL6yvIVKeV1H8ohSbrDD213ut8l
DQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3KiwZldH6fof/h+dADWWuwcggek4NzyI1DRtBb
dA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1GoTny1OiWArEDJUoW8IYUQIqPvmItG76zKwfIL
1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4Lw46G2OQaO1Eg5LHzYGS6BnEUG896yXvlxZJ
WZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5LrI+kUpA8FUCgY1tIdQPdXMU6F0K+wWapSzCtb
s8D343LYOMmiKgP2rZpFPOEc9
Press enter to continue
Copy the key to the clipboard.
On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance. View screen
>>> Appliance Configuration -> IP -> IPSEC -> Configure IPSEC <<<
To configure IPSEC connectivity between TanOS systems the following information is required
- Local IP address
- Remote IP address
- Remote host key
Any exiting configuration will be overwritten!
Would you like to continue with IPSEC configuration? [Yes|No]: yes
Please provide the local ip address: 192.168.76.101
Please provide the remote ip address: 192.168.76.102
Please provide the remote hostkey: 0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTO
zI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjHpNpMdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+
Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1xKNOkR4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK
0+JHyxuu0UL6yvIVKeV1H8ohSbrDD213ut8lDQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3K
iwZldH6fof/h+dADWWuwcggek4NzyI1DRtBbdA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1Go
Tny1OiWArEDJUoW8IYUQIqPvmItG76zKwfIL1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4
Lw46G2OQaO1Eg5LHzYGS6BnEUG896yXvlxZJWZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5Lr
I+kUpA8FUCgY1tIdQPdXMU6F0K+wWapSzCtbs8D343LYOMmiKgP2rZpFPOEc9
On the first appliance, copy the IPsec host key to the clipboard:
From the IPSEC menu, enter 1 to view the local IPsec host key.
Copy the key to the clipboard.
Go to the second appliance and complete the IPsec configuration:
From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
Enter 6 to test the connection from the second appliance. View screen
>>> Appliance Configuration -> IP -> IPSEC -> Test IPSEC <<<
Testing secured connectivity to the remote ip.
Secure connectivity to remote IP 192.168.76.101 is working
Press enter to continue
Go back to the first appliance and enter 6 to test the connection.
Modify the routing configuration
You can add a static route, if necessary.
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
>>> Appliance Configuration -> Networking -> Routing <<<
Manage local routing entries.
Note: this appliance is NOT a router!
Routing table:
#: Destination Interface Next Hop
1: default ens160 10.10.10.2
2: 10.10.10.0/24 ens160 LOCAL
3: 169.254.0.0/16 ens160 LOCAL
4: 169.254.0.0/16 ens192 LOCAL
5: 169.254.0.0/16 ens224 LOCAL
6: 169.254.0.0/16 ens256 LOCAL
A: Add a routing entry
H: Help
R: Return to previous menu
------------------------------------------------------
Use the menu to manage the routing table.
Configure the iDRAC interface
Before you begin
Use the tanremote user account to sign into the iDRAC virtual console when the TanOS system has become unavailable and you want to diagnose hardware and network interface issues.
You must use a cable to connect the iDRAC interface to your network and use TanOS to configure the iDRAC interface IP address before you enable the tanremote user.
Configure the iDRAC interface
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
X: Advanced Configuration
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 2 to go to the Networking menu.
Enter I to go to the Configure iDrac menu. View screen
>>> Appliance Configuration -> Networking -> Configure iDrac <<<
These configuration settings will be applied to the iDrac interface
iDrac user configuration can be performed in the user administration menu.
Current iDrac IP Address: 10.20.0.139
Would you like to continue with the iDrac IP configuration [YES/NO]:
Follow the prompts to configure the iDrac interface.
Tanium™ Appliance supports active/passive network interface controller (NIC) teaming. Active/passive NIC teaming allows multiple interfaces to be placed in a group to support NIC failover. When you configure the NIC team, you must select interfaces of the same type.
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
H: Help
R: Return to previous menu
------------------------------------------------------
Enter T to go to the NIC Teaming menu. View screen
>>> Appliance Configuration -> Networking -> NIC Teaming <<<
NIC Teaming is enabled when appliance has more than one NIC interface and
if on physical appliance tanremote user is enabled and iDRAC IP is configured.
#: Interface State MAC IP Location
A: Create a network team
R: Return to previous menu
------------------------------------------------------
Enter A and follow the prompts to create the NIC team configuration.
Manage NIC team
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
X: Advanced Configuration
H: Help
R: Return to previous menu
------------------------------------------------------
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
H: Help
R: Return to previous menu
------------------------------------------------------
Enter T to go to the NIC Teaming menu. View screen
>>> Appliance Configuration -> Networking -> NIC Teaming <<<
#: Interface State MAC IP Location
1: team1 DOWN None No IPv4 address team
A: Create a network team
R: Return to previous menu
------------------------------------------------------
Enter the line number of the NIC team that you want to manage.
Use the NIC Team menu to change the IP address, delete the NIC team, or view the status. View screen
>>> Appliance Configuration -> Networking -> NIC Team <<<
Current settings:
Interface: team1
IPv4 Address: 10.10.10.61/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address:
IPv6 Gateway:
C: Change Team IP Address
D: Delete
S: Show Status
R: Return to previous menu
------------------------------------------------------
Modify the NTP configuration
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 3 and follow the prompts to change the NTP configuration. View screen
------------------------------------------------------
>>> Appliance Configuration -> NTP Configuration <<<Currently configured ntp servers:
0.pool.ntp.org
Current NTP Status
synchronised to NTP server (199.254.229.43) at stratum 3
time correct to within 162 ms
polling server every 512 s
Current NTP Peers
remote local st poll reach delay offset disp
=======================================================================
*herber.us 10.10.10.60 2 512 377 0.13385 -0.004868 0.10327
Would you like to remove the current NTP servers and enter new information? [Yes|No]:
Configuring syslog
You can forward appliance logs to a remote syslog server.
Figure 1: A syslog reader
The Appliance Configuration syslog configuration is separate from the Alerting syslog configuration in the Appliance Maintenance menu. This configuration sends all logs to a syslog destination. The Alerting syslog configuration sends alerts only for events that match the specified alert threshold severity.
Check syslog status
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 4 to go to the Syslog Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration <<<
Note: If using TLS, set the cert before configuring forwarding
1: Check current status
2: View Trust Certificate
3: Upload Trust Certificate
4: Remove Trust Certificate
5: Configure syslog forwarding
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 1 to view the last 5 logs and current syslog status. View screen
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration -> Check Status <<<
Checking existing syslog configuration
###
Found TanOS syslog configuration with destination logfile Kernel
Current size of /var/log/tanos :76924
Last 5 entries in /var/log/tanos:
2020-05-22T14:00:01.756970+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: DEBUG called by root -b
2020-05-22T14:15:01.908001+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: DEBUG called by root -b
2020-05-22T14:30:01.962601+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: DEBUG called by root -b
2020-05-22T14:31:19.706181+00:00 appliance-160 TanOS_Shell: privileged_appliance_configuration_ntp.sh: DEBUG called by tanadmin
2020-05-22T14:33:36.632542+00:00 appliance-160 TanOS_Shell: privileged_appliance_sub_configuration_syslog.sh: DEBUG called by tanadmin
###
No existing TanOS syslog forwarding configuration found
Press enter to continue
Import a syslog server trust certificate
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 4 to go to the Syslog Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration <<<
Note: If using TLS, set the cert before configuring forwarding
1: Check current status
2: View Trust Certificate
3: Upload Trust Certificate
4: Remove Trust Certificate
5: Configure syslog forwarding
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.
Enable syslog forwarding
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 4 to go to the Syslog Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration <<<
Note: If using TLS, set the cert before configuring forwarding
1: Check current status
2: View Trust Certificate
3: Upload Trust Certificate
4: Remove Trust Certificate
5: Configure syslog forwarding
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 5 and follow the prompts to specify the IP address, port, and protocol for the remote syslog server. View screen
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration -> Configure <<<
Configuring syslog forwarding (empty destination to disable forwarding)
Please enter the destination host: 10.10.10.10
Please enter the destination port: 514
Enable TLS? [Yes|No]: n
Please enter the destination protocol [tcp/udp]: tcp
Will create syslog forwarding configuration
Finished configuring syslog forwarding
Press enter to continue
Configuring SNMP
SNMP is disabled by default. You can configure SNMPv3 credentials for the user tanuser. This user can make a remote SNMP connection to the appliance to walk the MIB from a remote host or SNMP manager.
Figure 2: SNMP walk
To configure SNMPv3 access:
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 5 and follow the prompts to change the SNMPv3 credentials for tanuser. View screen
------------------------------------------------------
>>> Appliance Configuration -> SNMP Configuration <<<
This menu will allow you to change the snmp v3 credentials for tanuser
Example snmpwalk to verify:
snmpwalk -v 3 -u tanuser -A <password> -a sha -t 10 -x DES -l authnoPriv <appliance IP>
The SNMP Daemon will be stopped prior configuration changes.
Would you like to continue? [Yes|No]: yes
Stopping the SNMP Daemon
Would you like to use different authentication and encryption password? [Yes|No]: no
SNMP Password for tanuser (password will not echo):
SNMP Password for tanuser again for verification:
SNMP Encryption algorythm DES or AES [D/A]:D
Creating user with DES encrption
Restarting SNMP.
Press enter to continue
Configure solution module file share mounts
Tanium™ Connect, Tanium™ Detect, and Tanium™ Trends write consumable files to disk. You can configure the Tanium™ Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share.
Watch the tutorial on configuring remote mounts on the Tanium Appliance on the Tanium Community website.
Add a file share mount
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 6 to go to the Share Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Share Configuration <<<1: Create a new Connect mount
2: Create a new Detect mount
3: Create a new Trends mount
4: Delete an existing Connect mount
5: Delete an existing Detect mount
6: Delete an existing Trends mount
A: List existing mounts
B: Test existing mounts
C: Re-attempt mounts
H: Help
R: Return to previous menu
------------------------------------------------------
Enter the line number of the mount you want to create and complete the configuration to add a file share mount. View screen
>>> Appliance Configuration -> Share Configuration -> Create Mount Connect <<<
Before configuring shares, ensure you have the following information at hand:
- Type of share - NFS or CIFS
- CIFS: hostname/IP of the server, share name, credentials (username, domain, password)
- CIFS: please do NOT use a cname as the host name, if the server is running a Windows OS
- NFS: hostname/IP of the server, export name
Would you like to continue? [Yes|No]: yes
Please enter the servername for mount: 192.168.154.219
Please enter the share name / export: connect
Please enter share type (cifs/nfs): cifs
Please enter the user name: bernd
Please enter the domain name: tam.local
Please enter the password (will not be displayed):
Checking if CIFS mounting would be successful (might take a while)
Mount successfully established, creating permanent connection
Added CIFS share permanently.
Press enter to exit
List a file share mount
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 6 to go to the Share Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Share Configuration <<<1: Create a new Connect mount
2: Create a new Detect mount
3: Create a new Trends mount
4: Delete an existing Connect mount
5: Delete an existing Detect mount
6: Delete an existing Trends mount
A: List existing mounts
B: Test existing mounts
C: Re-attempt mounts
H: Help
R: Return to previous menu
------------------------------------------------------
Enter A to go to the List Mounts menu. View screen
>>> Appliance Configuration -> Share Configuration -> List Mounts <<<
Hint: This should finish in less than 1 second
If it takes a long time, the target system may be down!
Service State Target Persistent Type
Connect Mounted 192.168.154.62:/opt/share Yes nfs
Detect Mounted //192.168.154.219/detect$ Yes cifs
Trends Not Mounted N/A No N/A
Press enter to exit
Test a file share mount
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 6 to go to the Share Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Share Configuration <<<1: Create a new Connect mount
2: Create a new Detect mount
3: Create a new Trends mount
4: Delete an existing Connect mount
5: Delete an existing Detect mount
6: Delete an existing Trends mount
A: List existing mounts
B: Test existing mounts
C: Re-attempt mounts
H: Help
R: Return to previous menu
------------------------------------------------------
>>> Appliance Configuration -> Share Configuration -> Test Mounts <<<
Share for connect service mounted, we expect write access to succeed:
Write test successful
Read test successful
Share for detect service mounted - we expect write access to succeed:
Write test successful
Read test successful
Share for Trends service NOT mounted.
Press enter to exit
Change from a static IP address to DHCP (VM-only)
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 7 and follow the prompts to use DHCP.
Configure additional security
Use the Security menu to manage SSH trusted host list configurations.
Use the Security menu to enable/disable factory reset and SSH trusted host list configurations.
Enable/disable factory reset
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
X: Advanced Configuration
H: Help
R: Return to previous menu
------------------------------------------------------
------------------------------------------------------
>>> Appliance Configuration -> Security <<<1: Disable/Enable reset from console
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 1 and follow the prompts to disable the tanfactory account that is used to perform a factory reset. View screen
------------------------------------------------------
>>> Appliance Configuration -> Security -> Disable reset <<<
The tanfactory account exists to reset an appliance to its factory state
in case no login credentials for a privileged user exist.
The tanfactory is only allowed to logon locally!
The account is enabled or disabled during the initial configuration!
This process will remove all data including Tanium keys from the appliance!If no off-box backup exists, all clients will have to be updated/re-installed!
tanfactory enabled
Would you like to disable the tanfactory? [Yes|No]:
Manage inbound SSH access rules
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
>>> Appliance Configuration -> Security -> Manage SSH <<<
The following rules allowing inbound SSH are currently active
#: Source
1: 0.0.0.0/0
2: ::/0
A: Add Rule
R: Return to previous menu
------------------------------------------------------
From this menu, you can add or delete rules that restrict SSH access to hosts from specified subnets only.
Enter A and follow the prompts to add a new rule.
Enter the line number of an existing rule and follow the prompts to delete the rule.
Configure SSH banner text
You can add custom SSH banner text to TanOS.
Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
>>> Appliance Configuration -> Security -> Manage SSH -> Configure SSH Banner <<<
Uploaded banner_ssh.txt file found in tancopy incoming.
TanOS will replace the existing banner with the new file.
Log out of ssh and re-connect to view the banner.
Banner file copy successful
Press enter to continue
View SSH fingerprints
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
>>> Appliance Configuration -> Security -> Manage SSH -> Display SSH Fingerprints <<<ecdsa
MD5: 256 SHA256:L0IXFHyMonAdPYs/ohgDVwdO23wDi0zCo4bRW4Gafog no comment (ECDSA)
SHA256: L0IXFHyMonAdPYs/ohgDVwdO23wDi0zCo4bRW4Gafog=
ed25519
MD5: 256 SHA256:KT7IGcJHsm3ZO+iOXrxCUk0Wuvdl2/NoybHvHT5al3Q no comment (ED25519)
SHA256: KT7IGcJHsm3ZO+iOXrxCUk0Wuvdl2/NoybHvHT5al3Q=
rsa
MD5: 2048 SHA256:Mb6VUEjcXGBd+d+gVF3isQ2zPztAY1KkYH17xTB+vOQ no comment (RSA)
SHA256: Mb6VUEjcXGBd+d+gVF3isQ2zPztAY1KkYH17xTB+vOQ=
Press enter to continue
Configure LDAPS
If you have requirements to use the LDAPS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root CA certificate and then enable the LDAPS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.
Paste the LDAP server root CA contents
To add multiple CA certificate files, put all certificates in one file and paste them in them in together.
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<1: Disable/Enable reset from console
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
H: Help
R: Return to previous menu
------------------------------------------------------
Enter A to go to the LDAP CA Certificate Management menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> LDAP CA Certificate Management <<<
Current LDAPS Status: ENABLED1: Add Certificate
2: Import Certificate
3: Enable LDAPS Configuration
4: Disable TLS Certificate Validation
5: List Certificates
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file. View screen
>>> Appliance Configuration -> LDAPS Configuration -> Create Certificate <<<
Please paste the certificate text (Empty line to end):
-----BEGIN CERTIFICATE-----
MIIC+TCCAeGgAwIBAgIgT6zZwxXi3vGl+DFiachhuiDEc/Rak9ECxUEhRcHZx8ww
DQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTA5MTIwNDA4
MTY1NVoXDTI5MTIwNDA0NDA1NVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2xC69YszWNu1p4pdyC1rWGtiqEWg
X+s1Hykq23bDzA56CqbsM3FO+HkDSty6HLCDZttDOJ4EG+DvVjOGSdyTPDF/O2B1
Ztc1hxr/YSGu/4zm/SEgrHpw4iU4+fEcyK8LXlS19o36mZ1J/jy7LU4JFe6MLcIQ
c6Stq1FbUJl7M7qO6NwIAaWnjX0gw3jpCtYHPqwGw9K0Sg0a5Rrsbam64srrm2Yl
q9P7lMtJqTpwmglg8CxJ6QEPEyzprF6VNaNnT6KUlNhc634KChGXw5otwsU4lfvW
2Yti1C8ofG96fGwFr189KqjWTCXI/K7eCDi/9AYnmFgvJbuUdUF9fVS/oQIDAQAB
ozcwNTAdBgNVHQ4EFgQU9P/VO7ipszDcUQaWdE3RmH0w/gwwFAYDVR0RBA0wC4IJ
bG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAb0TK8LhdsdWbaPIQFI2K2QgKt
OvBuf4j1Mbm0rT1hyOyvpP0Bl429gr7AwDlnSZgBQzjIVjtUpgLlTlarZmAnaaLz
/EBY4cq9PGPXeLEiFGNh6/LQfGt5Gx7y/hpv+xutPS2uo2IBhidlePNuLoAX3tY4
B4vW1LFcD2mkPXvZHeZ4vrmpls1nxLo+wP7pgvLxL6GqYi6hZVAuHrKmsvsT0E09
3JDYgvGm5drX+Y3hsmMn7IaG4e/53qm7TiVjFGAFVwd+3K6apdMUabVaz5oQ161I
tgcXvdk4RvVOdFL/ZSC+PsPyhZrwyXFQF9C494P7utu4Lnqc/Ke5buWeHTz5
-----END CERTIFICATE-----
Validating input
Please enter a short name for this certificate: ldaps_ca
Adding certificate to LDAPS after validation
Finished adding LDAPS certificate
Press enter to continue
To add multiple CA certificate files, put all certificates in one file and use the Add Certificate option to paste them in together. See Paste the LDAP server root CA contents.
Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<1: Disable/Enable reset from console
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
H: Help
R: Return to previous menu
------------------------------------------------------
Enter A to go to the LDAP CA Certificate Management menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> LDAP CA Certificate Management <<<
Current LDAPS Status: ENABLED1: Add Certificate
2: Import Certificate
3: Enable LDAPS Configuration
4: Disable TLS Certificate Validation
5: List Certificates
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 5 to list and manage the LDAPS certificates that have been imported. View screen
------------------------------------------------------
>>> Appliance Configuration -> Configure LDAPS -> List Certificate <<<
# CN Expires MD5 Sum Name
1 Dec 4 04:40:55 2029 GMT dae8ad7e536540e97ddac0b75316a32b ldaps_ca
Select a line number or enter to quit): 1
Enter V to view details, D to Delete or enter to quit ? v
Manage CA certificates for the Tanium database server
The Tanium database server uses self-signed certificates for SSL connections. The Tanium PostgreSQL database is an application database. Users do not have direct access to the database. However, if you have requirements to use a CA-issued certificate for the database SSL connections, you can use TanOS menus to import the CA certificates. You can also import a root certificate revocation list (CRL) certificate file. The files you copy to the /incoming folder must be named root.crt, root.crl.pem, server.crt, and server.key.
Import a server certificate
Use SFTP to copy the database server certificate and key files to the /incoming folder.
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<1: Disable/Enable reset from console
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
H: Help
R: Return to previous menu
------------------------------------------------------
Enter B to go to the Database Certificate Management menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Security -> Database Certificate Management <<<1: Import Server Certificate
2: Export Server Certificate
3: Import Client Certificate
L: List Certificates
H: Help
R: Return to previous menu
------------------------------------------------------
Enter 2 and follow the prompts to export the certificate to the /outgoing folder. View screen
------------------------------------------------------
>>> Appliance Configuration -> Database Certificate Management -> Export Certificate <<<
Do you want to export database certificates ? [Yes|No]: yes
Exporting database certficates
Database certficates have been exported to outgoing
Press enter to continue
Use SFTP to copy the certificate from the /outgoing folder to your management computer.
Import a client certificate
Use SFTP to copy the database server certificate file to the /incoming folder.
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<1: Disable/Enable reset from console
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
H: Help
R: Return to previous menu
------------------------------------------------------
Enter B to go to the Database Certificate Management menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Security -> Database Certificate Management <<<1: Import Server Certificate
2: Export Server Certificate
3: Import Client Certificate
L: List Certificates
H: Help
R: Return to previous menu
------------------------------------------------------
Enter L to go to the List Certificate menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Database Certificate Management -> List Certificate <<<
# CN Expires MD5 Sum Name
1 CN=appliance-156.tam.local Apr 4 03:32:56 2030 GMT 42118dbbfd822226e99093cc9de39933 postgresql.crt
538e1911a6b194c99ddeb4686dab8361 postgresql.key
2 CN=appliance-156.tam.local Apr 4 03:32:56 2030 GMT 42118dbbfd822226e99093cc9de39933 server.crt
538e1911a6b194c99ddeb4686dab8361 server.key
3 5925b2c2ef5481f495a656232ecff585 root.crl
4 CN=appliance-156.tam.local Apr 3 17:20:58 2020 GMT b5ab17805f4448a36109e765bd880300 root.crl.pem
5 CN=appliance-156.tam.local Apr 4 03:32:56 2030 GMT 42118dbbfd822226e99093cc9de39933 postgresql.crt
538e1911a6b194c99ddeb4686dab8361 postgresql.key
Select a line number to view details or enter to quit):
Use the menu to view the certificates that have been imported.
Configure security policy rules
The TanOS user access security policy has the following factory settings.
Setting
Factory default
Description
Password Lifetime
Minimum: 0
days
Maximum: 90 days
The minimum sets the minimum number of days between password changes.
A value of 0 indicates the password can be changed at any time.
The maximum sets the age at which a current password expires.
Password History
4 most recent
The number of most recent passwords to disallow reuse. A setting of 0 allows reuse of any previous passwords.
This setting does not apply to the tanadmin account.
Password Minimum Length
10 characters
The minimum number of characters allowed in a password. Valid range is 6 -10 characters.
Password Minimum Characters Changed
0 (disabled)
The minimum number of characters in the new password that must not be present in the previous password. 5 is a common practice. STIG requires a minimum of 8.
A setting of 0 allows reuse of any character.
This setting does not apply to the tanadmin account.
Login Failure Delay
0 seconds
The time, in seconds, between a failed sign-in and the next time the prompt is returned to prompt the user for the password.
Expired Passwords Effect
Force Password Change
Determine the effect on a user account when a password expires. Two options:
Disable the user account
Force password change on next sign-in
Account Lockout Time
900 seconds after 3 failures
The number of seconds to lock an account after three consecutive unsuccessful sign-in attempts. Valid range is 0-604800 seconds.
Maximum Concurrent Logins
10
The number of concurrent sign-ins for a user account. A setting of 0 disables remote access.
To modify security policy settings:
Sign into the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<1: Disable/Enable reset from console
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
H: Help
R: Return to previous menu
------------------------------------------------------
Enter P to go to the Appliance Configuration Security Policy menu. View screen
------------------------------------------------------
>>> Appliance Configuration Security Policy <<<
Current Settings:
Password Lifetime: min 0 days, max 90 days
Password History: remember 4 most recent
Password Minimum length: 10 characters
Minimum changed: disabled
Login Failure delay: 0 seconds
Expired Passwords Effect: Force Password Change
Account lockout: 900 seconds after 3 failures
Max concurent logins: 10 users
1: Password Lifetime
2: Password History Reuse Limit
3: Password Minimum Length
4: Password Minimum Characters Changed
D: Login Failure Delay
E: Expired Passwords Effect
L: Account Lockout Time
M: Maximum Concurrent Logins
R: Return to previous menu
------------------------------------------------------
Use the menu to view and edit password, sign-in, and lockout rules.
After you modify password policy settings, it is expected that password prompts in TanOS menus provide users with guidance on the updated requirements.
View screen
