Reference: Appliance configuration

You are prompted to configure basic host and network settings when you complete the initial configuration. Use the Appliance Configuration menu to modify the configuration.

Changes to the network configuration do not go into effect until you restart network services. If you connect over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection will terminate.

Modify the hostname and DNS configuration

Host, domain, DNS server, and /etc/hosts settings are configured during the initial setup. If necessary, you can use the Hostname/DNS Configuration menu to make changes.

Modify the hostname

  1. Log into the TanOS console as a user with the tanadmin role.
  2. The TanOS console displays the tanadmin menu. ClosedView screen

  3. Enter A to display the Appliance Configuration menu. ClosedView screen
  4. Enter 1 to display the Hostname/DNS Configuration menu. ClosedView screen
  5. Enter 1 and follow the prompts to change the hostname and domain name. ClosedView screen

Modify the DNS server

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 1 to display the Hostname/DNS Configuration menu. ClosedView screen
  4. Enter 2 and follow the prompts to modify the DNS server configuration. ClosedView screen

Modify the hosts file

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 1 to display the Hostname/DNS Configuration menu. ClosedView screen
  4. Enter 3 and use the hosts menu to update the /etc/hosts file. ClosedView screen

Modify the network interface configuration

Contact your TAM before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 2 to display the Networking menu. ClosedView screen
  4. Enter 1 to display the Network Interfaces menu. ClosedView screen
  5. Enter the line number of the interface that you want to configure to display the selected Network Interface menu. ClosedView screen
  6. Use the menu to change the IP address, MTU size, or up/down status.

Set up an IPsec tunnel

Use IPsec to ensure end-to-end security between two Tanium Server appliances. An IPsec tunnel is automatically configured when you install an Appliance Array.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Tanium Server
    • Second Tanium Server
  2. Log into each of the Tanium Server appliances as a user with the tanadmin role and go to the IPsec menu:
    1. From the tanadmin menu, enter A to go to the Appliance Configuration menu. ClosedView screen
    2. Enter 2 to go to the Networking Configuration menu. ClosedView screen
    3. Enter 2 to go to the IPSEC menu. ClosedView screen
  3. On the second appliance, copy the IPsec host key to the clipboard:
    1. From the IPSEC menu (A-2-2), enter 1 to display the local IPsec host key. ClosedView screen
    2. Copy the key to the clipboard.
  4. On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance. ClosedView screen
  5. On the first appliance, copy the IPsec host key to the clipboard:
    1. From the IPSEC menu, enter 1 to display the local IPsec host key.
    2. Copy the key to the clipboard.
  6. Go to the second appliance and complete the IPsec configuration:
    1. From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
    2. Enter 6 to test the connection from the second appliance. ClosedView screen
  7. Go back to the first appliance and enter 6 to test the connection.

Modify the routing configuration

You can add a static route, if necessary.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 2 to display the Networking menu. ClosedView screen
  4. Enter 3 to display the Routing menu. ClosedView screen
  5. Use the menu to manage the routing table.

Configure the iDRAC interface

Before you begin

Use the tanremote user account to log into the iDRAC virtual console when the TanOS system has become unavailable and you want to diagnose hardware and network interface issues.

You must use a cable to connect the iDRAC interface to your network and use TanOS to configure the iDRAC interface IP address before you enable the tanremote user.

Configure the iDRAC interface

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 2 to display the Networking menu.
  4. Enter I to display the Configure iDrac menu. ClosedView screen
  5. Follow the prompts to configure the iDrac interface.

Next steps

Enable the tanremote user. See Enable tanremote user.

Configure NIC teaming

Tanium™ Appliance supports active/passive network interface controller (NIC) teaming. Active/passive NIC teaming allows multiple interfaces to be placed in a group to support NIC failover. When you configure the NIC team, you must select interfaces of the same type.

For the Tanium Server role, Tanium recommends that you use one pair of interfaces to create a NIC team that handles Tanium core traffic, and another pair of interfaces to create a NIC team for the IPsec tunnel used for redundant cluster sync traffic.

Create NIC team

To create a NIC team, there must be two NICs available for teaming. If you have a hardware appliance, make sure to enable the tanremote user and the configure the iDRAC interface.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 2 to display the Networking menu. ClosedView screen
  4. Enter T to display the NIC Teaming menu. ClosedView screen
  5. Enter A and follow the prompts to create the NIC team configuration.

Manage NIC team

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 2 to display the Networking menu. ClosedView screen
  4. Enter T to display the NIC Teaming menu. ClosedView screen
  5. Enter the line number of the NIC team that you want to manage.
  6. Use the NIC Team menu to change the IP address, delete the NIC team, or display the status. ClosedView screen

Modify the NTP configuration

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 3 and follow the prompts to change the NTP configuration. ClosedView screen

Configuring syslog

You can forward appliance logs to a remote syslog server.

Figure  1:  A syslog reader

The Appliance Configuration syslog configuration is separate from the Alerting syslog configuration in the Appliance Maintenance menu. This configuration sends all logs to a syslog destination. The Alerting syslog configuration sends alerts only for events that match the specified alert threshold severity.

Check syslog status

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 4 to display the Syslog Configuration menu. ClosedView screen
  4. Enter 1 to view the last 5 logs and current syslog status. ClosedView screen

Import a syslog server trust certificate

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 4 to display the Syslog Configuration menu. ClosedView screen
  4. Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.

Enable syslog forwarding

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 4 to display the Syslog Configuration menu. ClosedView screen
  4. Enter 5 and follow the prompts to specify the IP address, port, and protocol for the remote syslog server. ClosedView screen

Configuring SNMP

SNMP is disabled by default. You can configure SNMPv3 credentials for the user tanuser. This user can make a remote SNMP connection to the appliance to walk the MIB from a remote host or SNMP manager.

Figure  2:  SNMP walk

To configure SNMPv3 access:

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 5 and follow the prompts to change the SNMPv3 credentials for tanuser. ClosedView screen

Configure solution module file share mounts

Tanium™ Connect, Tanium™ Detect, and Tanium™ Trends write consumable files to disk. You can configure the Tanium™ Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share.

Watch the tutorial on configuring remote mounts on the Tanium Appliance on the Tanium Community website.

Add a file share mount

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 6 to display the Share Configuration menu. ClosedView screen
  4. Enter the line number of the mount you want to create and complete the configuration to add a file share mount. ClosedView screen

List a file share mount

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 6 to display the Share Configuration menu. ClosedView screen
  4. Enter A to display the List Mounts menu. ClosedView screen

Test a file share mount

  1. Log into the TanOS console as a user with the tanadmin role.
  2. Enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 6 to display the Share Configuration menu. ClosedView screen
  4. Enter B to test file share mounts. ClosedView screen

Change from a static IP address to DHCP (VM-only)

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter 7 and follow the prompts to use DHCP.

Configure additional security

You can use the Security menu to enable/disable factory reset and SSH trusted host list configurations.

Enable/disable factory reset

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter 1 and follow the prompts to disable the tanfactory account that is used to perform a factory reset. ClosedView screen

Manage inbound SSH access rules

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter 2 to display the Manage SSH menu. ClosedView screen
  5. From this menu, you can add or delete rules that restrict SSH access to hosts from specified subnets only.
    • Enter A and follow the prompts to add a new rule.
    • Enter the line number of an existing rule and follow the prompts to delete the rule.

Configure SSH banner text

You can add custom SSH banner text to TanOS.

  1. Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  4. Enter A to display the Security menu. ClosedView screen
  5. Enter 3 to add the banner file. ClosedView screen

Display SSH fingerprints

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter 4 to display the SSH fingerprints. ClosedView screen

Configure LDAPS

If you have requirements to use the LDAPS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root CA certificate and then enable the LDAPS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.

Paste the LDAP server root CA contents

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter A to display the LDAP CA Certificate Management menu. ClosedView screen
  5. Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file. ClosedView screen
  6. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Import the LDAP server root CA certificate files

  1. Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  4. Enter A to display the Security menu. ClosedView screen
  5. Enter A to display the LDAP CA Certificate Management menu. ClosedView screen
  6. Enter 2 and follow the prompts to import the LDAP server root CA certificate file.
    • For the file ID, enter a short, unique string that you can use to reference the certificate.
  7. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Enable/Disable the LDAPS configuration

You can toggle the LDAPS configuration on and off. When disabled, the connection is unencrypted LDAP.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter A to display the LDAP CA Certificate Management menu. ClosedView screen
  5. Enter 3 to enable or disable the the LDAPS configuration.

Enable/Disable TLS certificate validation

If necessary during troubleshooting, you can disable TLS certificate validation to help you determine if there is a problem with the certificate.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter A to display the LDAP CA Certificate Management menu. ClosedView screen
  5. Enter 4 to disable TLS certificate validation for connections with the LDAP server. ClosedView screen

Manage LDAPS certificates

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter A to display the LDAP CA Certificate Management menu. ClosedView screen
  5. Enter 5 to list and manage the LDAPS certificates that have been imported. ClosedView screen

Manage CA certificates for the Tanium database server

The Tanium database server uses self-signed certificates for SSL connections. The Tanium PostgreSQL database is an application database. Users do not have direct access to the database. However, if you have requirements to use a CA-issued certificate for the database SSL connections, you can use TanOS menus to import the CA certificates. You can also import a root certificate revocation list (CRL) certificate file. The files you copy to the /incoming folder must be named root.crt, root.crl.pem, server.crt, and server.key.

Import a server certificate

  1. Use SFTP to copy the database server certificate and key files to the /incoming folder.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  4. Enter A to display the Security menu. ClosedView screen
  5. Enter B to display the Database Certificate Management menu. ClosedView screen
  6. Enter 1 and follow the prompts to import the certificate. ClosedView screen

Export a server certificate

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter B to display the Database Certificate Management menu. ClosedView screen
  5. Enter 2 and follow the prompts to export the certificate to the /outgoing folder. ClosedView screen
  6. Use SFTP to copy the certificate form the /outgoing folder to your management computer.

Import a client certificate

  1. Use SFTP to copy the database server certificate file to the /incoming folder.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  4. Enter A to display the Security menu. ClosedView screen
  5. Enter B to display the Database Certificate Management menu. ClosedView screen
  6. Enter 3 and follow the prompts to import the certificate.

View database certificates

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter B to display the Database Certificate Management menu. ClosedView screen
  5. Enter L to display the List Certificate menu. ClosedView screen
  6. Use the menu to view the certificates that have been imported.

Configure security policy rules

The TanOS user access security policy has the following factory settings.

Setting Factory default Description
Password Lifetime Minimum: 0 days

Maximum: 90 days

The minimum sets the minimum number of days between password changes. A value of 0 indicates the password can be changed at any time.

The maximum sets the age at which a current password expires.

Password History 4 most recent The number of most recent passwords to disallow reuse. A setting of 0 allows reuse of any previous passwords.

This setting does not apply to the tanadmin account.

Password Minimum Length 10 characters The minimum number of characters allowed in a password. Valid range is 6 -10 characters.
Password Minimum Characters Changed 0 (disabled) The minimum number of characters in the new password that must bot be present in the previous password. 5 is a common practice. STIG requires a minimum of 8. A setting of 0 allows reuse of any character.

This setting does not apply to the tanadmin account.

Login Failure Delay 0 seconds The time, in seconds, between a failed login and the next time the prompt is returned to prompt the user for the password.
Expired Passwords Effect Force Password Change Determine the effect on a user account when a password expires. Two options:
  • Disable the user account
  • Force password change on next login
Account Lockout Time 900 seconds after 3 failures The number of seconds to lock an account after three consecutive unsuccessful login attempts. Valid range is 0-604800 seconds.
Maximum Concurrent Logins 10 The number of concurrent logins for a user account. A seting of 0 disables remote access.

To modify security policy settings:

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu. ClosedView screen
  3. Enter A to display the Security menu. ClosedView screen
  4. Enter P to display the Appliance Configuration Security Policy menu. ClosedView screen
  5. Use the menu to view and edit password, login, and lockout rules.

After you modify password policy settings, it is expected that password prompts in TanOS menus provide users with guidance on the updated requirements.