Tanium™ Appliance 1.4 Deployment Guide

PDF 1.4
PDF 1.3
  • All Files
Documentation Home > Tanium Appliance Deployment Guide

Reference: Appliance configuration

You are prompted to configure basic host and network settings when you complete the initial configuration. You can use the TanOS Appliance Configuration menu to modify the configuration.

Changes to the network configuration do not go into effect until you restart network services. If you are connected over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection will be terminated.

Modify the hostname and DNS configuration

  1. Log into the TanOS console as the user tanadmin.

    The TanOS console displays the tanadmin menu.

  2. Enter A to display the Appliance Configuration menu.
  3. Enter 1 and then follow the prompts to change the hostname or DNS service configuration.

Modify the network interface configuration

Contact your TAM before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter 1 to display the Network Interfaces menu.
  5. Enter the line number of the interface you want to configure to display the Selected Network Interface menu.
  6. Use the menu to change the IP address, MTU size, or up/down status.

Modify the routing configuration

You can add a static route, if necessary.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter 3 to display the Routing Configuration menu.
  5. Use the menu to manage the routing table.

Configure the iDRAC interface

The tanremote user is a special user account that you can use to log into the iDRAC virtual console when the TanOS system has become unavailable and you want to diagnose hardware and network interface issues.

You must use a cable to connect the iDRAC interface to your network and use TanOS to configure the iDRAC interface IP address before you enable the tanremote user.

Configure the iDRAC interface

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter I to display the iDrac Interface Configuration menu.

Next steps

Enable the tanremote user. See Enable tanremote user.

Configure NIC teaming

Tanium™ Appliance supports active/passive NIC teaming. Active/passive NIC teaming allows multiple interfaces to be placed in a group to support NIC failover. When you configure the NIC team, you must select interfaces of the same type.

For the Tanium Server role, Tanium recommends you use one pair of interfaces to create a NIC team that handles Tanium core traffic and another pair of interfaces to create a NIC team for the IPsec tunnel used for HA sync traffic.

Create NIC team

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter X and follow the prompts to display the Advanced Configuration menu.
  5. Enter 1 to display the NIC Teaming menu.
  6. Enter 1 and follow the prompts to create the NIC team configuration.

Delete NIC team

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter X and follow the prompts to display the Advanced Configuration menu.
  5. Enter 1 to display the NIC Teaming menu.
  6. Enter 2 and follow the prompts to delete the NIC team configuration.

Display NIC team status

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter X and follow the prompts to display the Advanced Configuration menu.
  5. Enter 1 to display the NIC Teaming menu.
  6. Enter 3 to display NIC team status.

Modify the NTP configuration

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 3 and then follow the prompts to change the NTP configuration.

Configuring syslog

You can forward appliance logs to a remote syslog server.

Figure  1:  A syslog reader

The Appliance Configuration syslog configuration is separate from the Alerting syslog configuration in the Appliance Maintenance menu. This configuration sends all logs to a syslog destination. The Alerting syslog configuration sends alerts only for events that match the specified alert threshold severity.

Check syslog status

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 4 to display the Syslog Configuration menu.
  4. Enter 1 to view the last 5 logs and current syslog status.

Enable syslog forwarding

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 4 to display the Syslog Configuration menu.
  4. Enter 2 and then specify the IP address, port, and protocol for the remote syslog server.

Import a syslog server trust certificate

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 4 to display the Syslog Configuration menu.
  4. Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.

Configuring SNMP

SNMP is disabled by default. You can configure SNMPv3 credentials for the user tanuser. This user can make a remote SNMP connection to the appliance to walk the MIB from a remote host or SNMP manager.

Figure  2:  SNMP walk

To configure SNMPv3 access:

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 5 and then follow the prompts to change the SNMPv3 credentials for tanuser.

Configure solution module file share mounts

Tanium™ Connect, Tanium™ Detect, and Tanium™ Trends write consumable files to disk. You can configure the Tanium™ Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share.

Watch the tutorial on configuring remote mounts on the Tanium Appliance on the Tanium Community website.

Add a file share mount

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 6 to display the Share Configuration menu.
  4. Enter 1 and complete the configuration to add a file share mount.

List a file share mount

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 6 to display the Share Configuration menu.
  4. Enter A to list file share mounts.

Test a file share mount

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 6 to display the Share Configuration menu.
  4. Enter B to test file share mounts.

Change from a static IP address to DHCP (VM-only)

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 7 and then follow the prompts to use DHCP.

Configure additional security

You can use the Security menu to enable/disable factory reset and SSH trusted host list configurations.

Enable/disable factory reset

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter 1 and then follow the prompts to disable the tanfactory account that is used to perform a factory reset.

Manage inbound SSH access rules

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter 2 and then follow the prompts to edit the rules that restrict SSH access to hosts from specified subnets only.

Configure SSH banner text

You can add custom SSH banner text to TanOS.

  1. Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
  2. Log into the TanOS console as the user tanadmin.
  3. Enter A to display the Appliance Configuration menu.
  4. Enter A to display the Security menu.
  5. Enter 3 to add the banner file.

Display SSH fingerprints

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter 4 to display the SSH fingerprints.

Configure LDAPS

If you are required to use the LDAPS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root CA certificate. The certificate must be in PEM format.

  1. Use SFTP to copy the LDAP server certificate file to the /incoming folder.
  2. Log into the TanOS console as the user tanadmin.
  3. Enter A to display the Appliance Configuration menu.
  4. Enter A to display the Security menu.
  5. Enter 5 to display the LDAPS menu.
  6. Use the menu to enable/disable the LDAPS configuration and to install, view, or delete the LDAPS certificate.

Configure security policy rules

You can modify default security rules for password expiration, password reuse, password length, concurrent logins, and account lockout duration.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter P to display the Security Policy menu.
  5. Use the menu to view and edit password, login, and lockout rules.

Last updated: 4/19/2019 11:23 AM | Feedback