Tanium™ Appliance 1.5 Deployment Guide

PDF 1.5
PDF 1.4
  • All Files
Documentation Home > Tanium Appliance Deployment Guide

Reference: Appliance configuration

You are prompted to configure basic host and network settings when you complete the initial configuration. You can use the TanOS Appliance Configuration menu to modify the configuration.

Changes to the network configuration do not go into effect until you restart network services. If you are connected over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection will be terminated.

Modify the hostname and DNS configuration

Host, domain, DNS server, and /etc/hosts settings are configured during the initial setup. If necessary, you can use the Hostname/DNS Configuration menu to make changes.

Modify the hostname

  1. Log into the TanOS console as a user with the tanadmin role.

    2. The TanOS console displays the tanadmin menu.

  2. Enter A to display the Appliance Configuration menu.
  3. Enter 1 to display the Hostname/DNS Configuration menu.
  4. Enter 1 and follow the prompts to change the hostname and domain name.

Modify the DNS server

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 1 to display the Hostname/DNS Configuration menu.
  4. Enter 2 and follow the prompts to modify the DNS server configuration.

Modify the hosts file

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 1 to display the Hostname/DNS Configuration menu.
  4. Enter 3 and use the menu to update the /etc/hosts file.

Modify the network interface configuration

Contact your TAM before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter 1 to display the Network Interfaces menu.
  5. Enter the line number of the interface you want to configure to display the Selected Network Interface menu.
  6. Use the menu to change the IP address, MTU size, or up/down status.

Modify the routing configuration

You can add a static route, if necessary.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter 3 to display the Routing Configuration menu.
  5. Use the menu to manage the routing table.

Configure the iDRAC interface

The tanremote user is a special user account that you can use to log into the iDRAC virtual console when the TanOS system has become unavailable and you want to diagnose hardware and network interface issues.

You must use a cable to connect the iDRAC interface to your network and use TanOS to configure the iDRAC interface IP address before you enable the tanremote user.

Configure the iDRAC interface

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 2 to display the Networking Configuration menu.
  4. Enter I to display the iDrac Interface Configuration menu.

Next steps

Enable the tanremote user. See Enable tanremote user.

Modify the NTP configuration

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 3 and then follow the prompts to change the NTP configuration.

Configuring syslog

You can forward appliance logs to a remote syslog server.

Figure  1:  A syslog reader

The Appliance Configuration syslog configuration is separate from the Alerting syslog configuration in the Appliance Maintenance menu. This configuration sends all logs to a syslog destination. The Alerting syslog configuration sends alerts only for events that match the specified alert threshold severity.

Check syslog status

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 4 to display the Syslog Configuration menu.
  4. Enter 1 to view the last 5 logs and current syslog status.

Import a syslog server trust certificate

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 4 to display the Syslog Configuration menu.
  4. Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.

Enable syslog forwarding

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 4 to display the Syslog Configuration menu.
  4. Enter 5 and then specify the IP address, port, and protocol for the remote syslog server.

Configuring SNMP

SNMP is disabled by default. You can configure SNMPv3 credentials for the user tanuser. This user can make a remote SNMP connection to the appliance to walk the MIB from a remote host or SNMP manager.

Figure  2:  SNMP walk

To configure SNMPv3 access:

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 5 and then follow the prompts to change the SNMPv3 credentials for tanuser.

Configure solution module file share mounts

Tanium™ Connect, Tanium™ Detect, and Tanium™ Trends write consumable files to disk. You can configure the Tanium™ Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share.

Watch the tutorial on configuring remote mounts on the Tanium Appliance on the Tanium Community website.

Add a file share mount

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 6 to display the Share Configuration menu.
  4. Enter 1 and complete the configuration to add a file share mount.

List a file share mount

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 6 to display the Share Configuration menu.
  4. Enter A to list file share mounts.

Test a file share mount

  1. Log into the TanOS console as a user with the tanadmin role.
  2. Enter A to display the Appliance Configuration menu.
  3. Enter 6 to display the Share Configuration menu.
  4. Enter B to test file share mounts.

Change from a static IP address to DHCP (VM-only)

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter 7 and then follow the prompts to use DHCP.

Configure additional security

You can use the Security menu to enable/disable factory reset and SSH trusted host list configurations.

Enable/disable factory reset

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter 1 and then follow the prompts to disable the tanfactory account that is used to perform a factory reset.

Manage inbound SSH access rules

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter 2 and then follow the prompts to edit the rules that restrict SSH access to hosts from specified subnets only.

Configure SSH banner text

You can add custom SSH banner text to TanOS.

  1. Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  4. Enter A to display the Security menu.
  5. Enter 3 to add the banner file.

Display SSH fingerprints

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter 4 to display the SSH fingerprints.

Configure LDAPS

If you have requirements to use the LDAPS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root CA certificate and then enable the LDAPS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.

Paste the LDAP server root CA contents

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter A to display the LDAPS menu.
  5. Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file.
  6. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Import the LDAP server root CA certificate files

  1. Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  4. Enter A to display the Appliance Configuration menu.
  5. Enter A to display the Security menu.
  6. Enter A to display the LDAPS menu.
  7. Enter 2 and follow the prompts to import the LDAP server root CA certificate file.
    • For the file ID, enter a short, unique string that you can use to reference the certificate.
  8. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Enable/Disable the LDAPS configuration

You can toggle the LDAPS configuration on and off. When disabled, the connection is unencrypted LDAP.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter A to display the LDAPS menu.
  5. Enter 3 to enable or disable the the LDAPS configuration.

Enable/Disable TLS certificate validation

If necessary during troubleshooting, you can disable TLS certificate validation to help you determine if there is a problem with the certificate.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter A to display the LDAPS menu.
  5. Enter 4 to disable TLS certificate validation for connections with the LDAP server.

Manage LDAPS certificates

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter A to display the LDAPS menu.
  5. Enter 5 to list and manage the LDAPS certificates that have been imported.

Manage CA certificates for the Tanium database server

The Tanium database server uses self-signed certificates for SSL connections. The Tanium PostgreSQL database is an application database. Users do not have direct access to the database. However, if you have requirements to use a CA-issued certificate for the database SSL connections, you can use TanOS menus to import the CA certificates. You can also import a root certificate revocation list (CRL) certificate file. The files you copy to the /incoming folder must be named root.crt, root.crl.pem, server.crt, and server.key.

Import a server certificate

  1. Use SFTP to copy the database server certificate and key files to the /incoming folder.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  4. Enter A to display the Security menu.
  5. Enter A to display the Database Certificate Management menu.
  6. Enter 1 and follow the prompts to import the certificate.

Export a server certificate

  1. Use SFTP to copy the database server certificate file to the /incoming folder.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  4. Enter A to display the Security menu.
  5. Enter A to display the Database Certificate Management menu.
  6. Enter 3 and follow the prompts to export the certificate to the /outgoing folder.
  7. Use SFTP to copy the certificate form the /outgoing folder to your management computer.

Import a client certificate

  1. Use SFTP to copy the database server certificate file to the /incoming folder.
  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  4. Enter A to display the Security menu.
  5. Enter A to display the Database Certificate Management menu.
  6. Enter 3 and follow the prompts to import the certificate.

View database certificates

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter A to display the Database Certificate Management menu.
  5. Enter L to display the List Certificates menu.
  6. Use the menu to view the certificates that have been imported.

Configure security policy rules

The TanOS user access security policy has the following factory settings.

Setting Factory default Guidelines
Password Lifetime Minimum 0

Maximum 90

 Minimum sets the minimum number of days between password changes. A value of 0 indicates the password can be changed at any time.

Maximum sets the age at which a current password expires.
Password History Reuse Limit 4 most recent 0 disables.

Does not apply to the tanadmin account.
Password Minimum Length 10 characters Must be at least 6 characters.
Password Minimum Characters Changed 0 (disabled) 0-20 changed from the previous password string. 5 is a common practice. STIG requires a minimum of 8.

Does not apply to the tanadmin account.
Login Failure Delay 0 seconds Time between a failed login and the next time the prompt is returned to prompt the user for the password.
Expired Passwords Effect Disable account Two options:
  • Disable account
  • Force password change
Account Lockout Time 900 seconds after 3 failures 0-604800 seconds lockout for failed authentication attempt.
Maximum Concurrent Logins 10 0 effectively disables remote access.

To modify security policy settings:

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter A to display the Security menu.
  4. Enter P to display the Security Policy menu.
  5. Use the menu to view and edit password, login, and lockout rules.

After you modify password policy settings, it is expected that password prompts in TanOS menus provide users with guidance on the updated requirements.

Last updated: 11/13/2019 8:27 AM | Feedback