Reference: Appliance configuration
You are prompted to configure basic host and network settings when you complete the initial configuration. Use the Appliance Configuration menu to modify the configuration.
Changes to the network configuration do not go into effect until you restart network services. If you connect over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection terminates.
Modify the host name and DNS configuration
Host, domain, DNS server, and /etc/hosts settings are configured during the initial setup. If necessary, you can use the Hostname/DNS Configuration menu to make changes.
Contact Tanium Support if you plan to change the Tanium Server host name. Tanium Support needs the new host name to update the Tanium license for you. For more information, see Support for Tanium Appliances.
Modify the host name
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 1 to go to the Hostname/DNS Configuration menu.
- Enter 1 and follow the prompts to change the host name, which must be a fully qualified domain name (FQDN).
Modify the DNS server
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 1 to go to the Hostname/DNS Configuration menu.
- Enter 2 and follow the prompts to modify the DNS server configuration.
Modify the hosts file
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 1 to go to the Hostname/DNS Configuration menu.
- Enter 3 and use the manual_hosts menu to update the /etc/hosts file.
Modify the network interface configuration
Contact Tanium Support before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 2 to go to the Networking menu.
- Enter 1 to go to the Network Interfaces menu.
- Enter the line number of the interface that you want to configure to go to the selected Network Interface menu.
- Use the menu to change the IP address, MTU size, or up/down status.
Set up an IPsec tunnel
Use IPsec to ensure end-to-end security between two Tanium Server appliances. An IPsec tunnel is automatically configured when you install an Appliance Array.
- Start two SSH terminal sessions so you can copy and paste between them:
  - First Tanium Server appliance
  - Second Tanium Server appliance
- Sign in to each of the Tanium Server appliances as a user with the tanadmin role and go to the IPsec menu:
  - Enter A to go to the Appliance Configuration menu.
  - Enter 2 to go to the Networking Configuration menu.
  - Enter 2 to go to the IPSEC menu.
- On the second appliance, copy the IPsec host key to the clipboard:
  - From the IPSEC menu (A-2-2), enter 1 to view the local IPsec host key.
  - Copy the key to the clipboard.
- On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance.
- On the first appliance, copy the IPsec host key to the clipboard:
  - From the IPSEC menu, enter 1 to view the local IPsec host key.
  - Copy the key to the clipboard.
- Go to the second appliance and complete the IPsec configuration:
  - From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
  - Enter 6 to test the connection from the second appliance.
- Go back to the first appliance and enter 6 to test the connection.
Modify the routing configuration
You can add a static route, if necessary.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 2 to go to the Networking menu.
- Enter 3 to go to the Routing menu.
- Use the menu to manage the routing table.
Configure NIC teaming
Tanium™ Appliance supports active/passive network interface controller (NIC) teaming. Active/passive NIC teaming allows multiple interfaces to be placed in a group to support NIC failover. When you configure the NIC team, you must select interfaces of the same type.
Create NIC team
To create a NIC team, there must be two NICs available for teaming. If you have a physical Tanium Appliance, make sure to enable the tanremote user and configure the iDRAC interface.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 2 to go to the Networking menu.
- Enter T to go to the NIC Teaming menu.
- Enter A and follow the prompts to create the NIC team configuration.
When you create a NIC team, the system automatically assigns a MAC address from one of the NICs to the team. The NIC Teaming menu displays the details for each NIC team, including the assigned MAC address.
Manage NIC team
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 2 to go to the Networking menu.
- Enter T to go to the NIC Teaming menu.
- Enter the line number of the NIC team that you want to manage.
- Use the NIC Team menu to change the IP address, delete the NIC team, or view the status.
Modify the NTP configuration
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 3 to go to the NTP Configuration menu.
- Enter the line number of the existing NTP server to modify or remove, or enter A to add a new NTP server.
- Follow the prompts to add, modify, or remove the NTP server. To add or modify an NTP server, enter the NTP server address and whether the server requires authentication. If the NTP server requires authentication, enter the NTP key ID, NTP key type, and NTP key at the prompts.
- Enter yes to save changes and restart the NTP server.
Configuring syslog
You can forward appliance logs to a remote syslog server.
Syslog forwarding versus alerts
The syslog forwarding configuration under Appliance Configuration is separate from the syslog alert configuration in the Appliance Maintenance menu. Note these key differences:
- Syslog forwarding configuration sends all messages located in /var/log/messages to a syslog destination.
- Syslog configuration for alerts sends events that match the specified alert threshold severity (info, warn, and error). See Configure alerts for more information.
Check syslog status
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 4 to go to the Syslog Configuration menu.
- Enter 1 to view the last 5 logs and current syslog status.
Import a syslog server trust certificate
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 4 to go to the Syslog Configuration menu.
- Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.
Enable syslog forwarding
Syslog Forwarding sends the same data that gets logged in /var/log/messages to the destination.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 4 to go to the Syslog Configuration menu.
- Enter 5 and follow the prompts to specify the settings for the remote syslog server.
If you do not enable RFC5424 output format, TanOS defaults to RFC3164 syslog output.
Configuring SNMP
Tanium Appliances support SNMP v3, though the SNMP service is not enabled by default. You can configure SNMP credentials and start the service to allow remote SNMP connections to the appliance or to the iDRAC interface of a physical Tanium Appliance. The default user name for SNMP connections is tansnmp. A remote host or SNMP manager can use the configured credentials to conduct SNMP polling on the appliance. Tanium Appliances only respond to SNMP requests; they do not send SNMP traps.
There is not a Tanium-specific MIB. Tanium Appliances report a specific SNMPv2 sysObjectID and include the following standard MIBs:
- SNMPv2-MIB
- IP-MIB
- IF-MIB
- TCP-MIB
- UDP-MIB
- HOST-RESOURCES-MIB
- UCD-SNMP-MIB
For a physical Tanium Appliance, see Dell Technologies: SNMP Reference Guide for iDRAC and Chassis Management Controller for information about the MIB used with iDRAC. Some limitations apply for the iDRAC implementation in the Tanium Appliance. For example, the Tanium Appliance does not support SNMP v1 or v2, nor does it send SNMP traps.

Set password and start the SNMP service
Passwords must contain at least 8 characters.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 5 to go to the SNMP Configuration menu.
- Enter S, enter the desired SNMP password at the prompt, and press Enter to save the password and enable the SNMP service.
Change the SNMP user name, location, or contact
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 5 to go to the SNMP Configuration menu.
- Enter U to change the user name, L to change the location, or C to change the contact and follow the prompts to enter the new value.
View SNMP service status
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 5 to go to the SNMP Configuration menu.
- Enter V to view the SNMP service status details.
Stop the SNMP service
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 5 to go to the SNMP Configuration menu.
- Enter D to stop and disable the SNMP service.
Configure solution module file share mounts
Tanium™ Connect and Tanium™ Detect write consumable files to disk. You can configure the Module Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share on a file server, or to an internal share on the appliance itself. An internal share is a directory that the tancopy user can access using SFTP.
If you configure an internal share, the tancopy user can make an SFTP connection to the appliance with SSH key authentication and copy files to or from the /modules/connect or /modules/detect directory (depending on which shares are configured). For information about adding SSH keys for the tancopy user, see one of the following sections:
- physical Tanium Appliance: Configure SSH keys
- virtual Tanium Appliance: Configure SSH keys
- cloud-based Tanium Appliance: Configure SSH keys
When two module servers are deployed in an active standby configuration, file share mounts are not replicated. Configure each module server in the same way to maintain functionality in the event of a failover.
Add a file share mount
- Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 6 to go to the Share Configuration menu.
- Enter the line number of the mount you want to create and complete the configuration to add a file share mount.
List a file share mount
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 6 to go to the Share Configuration menu.
- Enter A to go to the List Mounts menu.
Test a file share mount
- Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 6 to go to the Share Configuration menu.
- Enter B to test file share mounts.
Change from a static IP address to DHCP (virtual Tanium Appliance only)
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter 7 and follow the prompts to use DHCP.
Configure additional security
Use the Security menu to manage SSH trusted host list configurations.
Manage inbound SSH access rules
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter 2 to go to the Manage SSH menu.
- From this menu, you can add or delete rules that restrict SSH access to hosts from specified subnets only.
  - Enter A and follow the prompts to add a new rule.
  - Enter the line number of an existing rule and follow the prompts to delete the rule.
Configure SSH banner text
You can add custom SSH banner text to TanOS.
- Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter 3 to add the banner file.
View SSH fingerprints
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter 4 to view the SSH fingerprints.
Configure LDAPS or StartTLS
If you have requirements to use the LDAPS or StartTLS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root certificate authority (CA) certificate and then enable the LDAPS/StartTLS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.
The LDAP server root CA certificate must be able to validate the LDAP server certificate. The subject field of the LDAP server certificate must match the host field in the LDAP configuration.
In a clustered environment, upload the LDAP server CA certificate to both Tanium Servers.
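The two requirements above (the root CA must validate the LDAP server certificate, and the certificate must match the host in the LDAP configuration) can be checked on an admin workstation before the bundle is pasted or imported. This is an added example, not Tanium code: it assumes OpenSSL 1.1.1 or later, and the function names, the host ldap.example.test, and the throwaway certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Pre-flight check for a root CA bundle before it is pasted or imported for
# LDAPS/StartTLS. Runs on an admin workstation; assumes OpenSSL 1.1.1 or later.
set -u

# check_ldaps_trust BUNDLE SERVER_CERT LDAP_HOST
# Returns 0 = ok, 1 = bundle is not PEM, 2 = bundle does not validate the
# server certificate, 3 = certificate does not match the configured LDAP host.
check_ldaps_trust() {
  local bundle=$1 cert=$2 host=$3 opts="-no-CApath"
  grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" || return 1
  # Trust only the bundle, never the workstation's own CA store.
  openssl verify -help 2>&1 | grep -q -e '-no-CAstore' && opts="$opts -no-CAstore"
  # shellcheck disable=SC2086  # $opts is split into separate flags on purpose
  openssl verify $opts -CAfile "$bundle" "$cert" >/dev/null 2>&1 || return 2
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
    grep -q 'does match' || return 3
  return 0
}

# Number of certificates in a concatenated PEM file.
count_bundle_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Print the return code of check_ldaps_trust instead of failing the shell.
run_case() { local rc=0; check_ldaps_trust "$@" || rc=$?; echo "$rc"; }

# Constructed sample data: two throwaway root CAs and one server certificate
# for the hypothetical host ldap.example.test, signed by the first CA.
make_demo_pki() {
  local d=$1 n
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  for n in 1 2; do
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Constructed Root CA $n" \
      -keyout "$d/ca$n.key" -out "$d/ca$n.pem" 2>/dev/null || return 1
  done
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  printf 'subjectAltName = DNS:ldap.example.test\n' > "$d/san.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca1.pem" -CAkey "$d/ca1.key" \
    -CAcreateserial -days 2 -extfile "$d/san.ext" \
    -out "$d/srv.pem" 2>/dev/null || return 1
  # Several root CAs are delivered as one concatenated PEM file.
  cat "$d/ca1.pem" "$d/ca2.pem" > "$d/bundle.pem"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "certificates in bundle:   $(count_bundle_certs "$demo_dir/bundle.pem")"
echo "bundle, matching host:    rc=$(run_case "$demo_dir/bundle.pem" "$demo_dir/srv.pem" ldap.example.test)"
echo "unrelated CA only:        rc=$(run_case "$demo_dir/ca2.pem" "$demo_dir/srv.pem" ldap.example.test)"
echo "host entered as an IP:    rc=$(run_case "$demo_dir/bundle.pem" "$demo_dir/srv.pem" 10.0.0.5)"
```

In real use, SERVER_CERT is the LDAP server's certificate saved as PEM and LDAP_HOST is the exact value entered in the host field of the LDAP configuration; a return code of 3 for an IP address shows why that field must carry the name that appears in the certificate.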
Paste the LDAP server root CA contents
To add multiple CA certificate files, put all certificates in one file and paste them in together.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter A to go to the LDAP CA Certificate Management menu.
- Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file.
- Restart the Tanium Server service. See Start, stop, and restart Tanium services.
Import the LDAP server root CA certificate files
To add multiple CA certificate files, put all certificates in one file and use the Add Certificate option to paste them in together. See Paste the LDAP server root CA contents.
- Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter A to go to the LDAP CA Certificate Management menu.
- Enter 2 and follow the prompts to import the LDAP server root CA certificate file.
- For the file ID, enter a short, unique string that you can use to reference the certificate.
- Restart the Tanium Server service. See Start, stop, and restart Tanium services.
Enable/Disable the LDAPS or StartTLS configuration
You can toggle the LDAPS or StartTLS configuration on and off. When disabled, the connection is unencrypted LDAP.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter A to go to the LDAP CA Certificate Management menu.
- Enter 3 to enable or disable the LDAPS configuration.
Enable/Disable TLS certificate validation
If necessary during troubleshooting, you can disable TLS certificate validation to help you determine if there is a problem with the certificate. After troubleshooting, re-enable certificate validation.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter A to go to the LDAP CA Certificate Management menu.
- Enter 4 and then E to enable or D to disable TLS certificate validation for connections with the LDAP server, and follow the prompt to restart the Tanium Server service.
View and manage LDAPS certificates
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter A to go to the LDAP CA Certificate Management menu.
- Enter 5 to list the LDAPS certificates that have been imported.
- Enter the number of a certificate to view its details, delete it, or copy it to a secondary Tanium Server.
Copy the LDAPS configuration and certificates to another Tanium Server in a Cluster
- Sign in to a Tanium Server appliance as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter A to go to the LDAP CA Certificate Management menu.
- Enter S to go to the Sync Configuration to Peer TS screen, and follow the prompts to copy the configuration to the other Tanium Server appliance.
The LDAPS configuration and certificates are copied automatically when you add a new Tanium Server to the array.
To copy only an individual certificate, follow the steps in View and manage LDAPS certificates.
Configure security policy rules
The TanOS user access security policy has the following factory settings.
Setting | Factory default | Description |
---|---|---|
Password Lifetime | Minimum: 0 days; Maximum: 90 days | The minimum sets the minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. The maximum sets the age at which a current password expires. |
Password History | 4 most recent | The number of most recent passwords to disallow reuse. A setting of 0 allows reuse of any previous passwords. This setting does not apply to the tanadmin account. |
Password Minimum Length | 10 characters | The minimum number of characters allowed in a password. Valid range is 6-10 characters. |
Password Minimum Characters Changed | 0 (disabled) | The minimum number of characters in the new password that must not be present in the previous password. 5 is a common practice. STIG requires a minimum of 8. A setting of 0 allows reuse of any character. This setting does not apply to the tanadmin account. |
Login Failure Delay | 0 seconds | The time, in seconds, between a failed sign in attempt and the next time the prompt is returned to prompt the user for the password. |
Expired Passwords Effect | Force Password Change | Determine the effect on a user account when a password expires. Two options: |
Account Lockout Time | 900 seconds after 3 failures | The number of seconds to lock an account after three consecutive unsuccessful sign in attempts. Valid range is 0-604800 seconds. |
Maximum Concurrent Logins | 10 | The number of concurrent sign in sessions for a user account. A setting of 0 disables remote access. |
To modify security policy settings:
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter A to go to the Security menu.
- Enter P to go to the Appliance Configuration Security Policy menu.
- Use the menu to view and edit password, sign in, and lockout rules.
After you modify password policy settings, it is expected that password prompts in TanOS menus provide users with guidance on the updated requirements.
Manage the iDRAC interface
Use the tanremote user account to sign in to the iDRAC virtual console to diagnose hardware and network interface issues in the event the TanOS system becomes unavailable. The tanremote user is not a TanOS user or a Tanium Console user.
Before you begin
- You must use a cable to connect the iDRAC interface to your network and use TanOS to configure the iDRAC interface before you enable the tanremote user.
Configure the iDRAC interface
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter I to go to the Manage iDRAC menu.
- Enter N and follow the prompts to configure the iDRAC interface.
Set password for the tanremote user
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter I to go to the Manage iDRAC menu.
- Enter P and follow the prompts to change the password of the tanremote user.
Enable the tanremote user
Set the password for the tanremote user before you enable the user.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter I to go to the Manage iDRAC menu.
- Enter E and follow the prompts to enable the tanremote user.
Disable the tanremote user
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter I to go to the Manage iDRAC menu.
- Enter D and follow the prompts to disable the tanremote user.
Close all iDRAC sessions
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter I to go to the Manage iDRAC menu.
- Enter C and follow the prompts to close all iDRAC sessions.
Reset iDRAC
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu.
- Enter I to go to the Manage iDRAC menu.
- Enter R and follow the prompts to reset the iDRAC interface.
Access the iDRAC virtual console
You can access the iDRAC virtual console at http://<iDRAC interface IP address>. Sign in with username tanremote and the password that was set with this procedure.
Last updated: 3/24/2023 12:43 PM