Reference: Appliance Maintenance menu

Use the Appliance Maintenance menu to perform backups, factory resets, TanOS upgrades, and system reboots or shutdowns.

Backup overview

There are several options to back up the Tanium Appliance. You can back up to an inactive partition on the appliance, perform minimal and full backups, and back up the Tanium database. For external backups (minimal, full, and database), you can schedule automatic backups or perform a manual backup. The following sections describe the available options:

Backup types

Minimal backup

A minimal backup is a quick backup of a number of key files that can help you recover more quickly in the case of a failure. Perform a minimal backup after the initial configuration of your Tanium Appliance is complete. You do not have to stop Tanium services prior to a minimal backup.

On a Tanium Server appliance, the minimal backup includes the following:

  • Tanium public and private key files
  • Web server SSL certificates
  • Tanium Server configuration database
  • Tanium Downloader configuration database
  • Tanium license file

After the initial configuration completes, these files do not change frequently. A monthly minimal backup is sufficient.

TanOS saves the backup file to the /outgoing directory where you can use SFTP to download it.

Full backup

A full backup is a complete backup of the /opt/Tanium directory. A complete backup enables you to completely restore the Tanium installation in the event of a hardware failure or corruption of the Tanium installation. This option takes a significant amount of time to complete and requires that you stop the services on the Tanium Appliance.

For Active-Active deployments, take the following steps to minimize downtime:

  1. Confirm that your database replication between your primary and secondary Tanium database is running successfully.
  2. Stop all Tanium services on your Tanium Server that hosts the secondary database (this includes the PostgreSQL service).
  3. Complete the backup.
  4. Start the Tanium services.

This process ensures that you have a backup of your entire Tanium installation, including the Tanium database, without the need to stop both Tanium Servers.

For environments with only a single Tanium Server, there will be an outage while the backup runs.

For the Tanium Module Server, stop all Tanium Services while the backup runs. During this time, users can still access Tanium and ask questions, but the module workbenches are unavailable until the Module Server restarts.

Partition sync

TanOS has two partitions: an active partition, and an inactive partition for use in case of failover or troubleshooting. A partition sync is a backup procedure that uses the rsync utility to copy the active partition to the inactive partition.

Perform a partition sync before you upgrade TanOS or a Tanium server component, so that you have an alternate partition in case issues occur during the upgrade process or the Tanium server update. You can also use the inactive partition if the active partition fails to boot. During the TanOS boot process, you have the option to select the inactive partition if needed.

Database backup

A database backup backs up the Tanium PostgreSQL database. In a new installation, an automatic backup is configured to back up the Tanium PostgreSQL database nightly at 2:01 AM. In the event of a database failure, use the daily backups to restore the database to a known good state.

The backup automatically saves to the /outgoing directory. You can configure the backup to run at a different time, and you can also schedule daily retrieval of the database backup using SFTP as the tancopy user.

Configure and run automatic backups

Use TanOS to configure and run automatic backups for the Tanium Appliance. Through TanOS, you can set up an automatic minimal backup, a full backup, and a database backup. The general process to set up an automatic backup includes the following steps:

  1. Add encryption keys for the backups
  2. Configure the backup
  3. Test the backup
  4. Set the backup schedule

Add encryption keys for the backups

Tanium requires that you encrypt all full, minimal, and database backups with a key pair. This is required for both automatic and manual backups.

  1. Use OpenSSL to generate a public/private key pair in a PEM file. Enter a passphrase when prompted.

    openssl genrsa -aes256 -out ssl-pvk.pem 3072

  2. Extract the public key from the PEM file. Enter your passphrase when prompted.

    openssl pkey -in ssl-pvk.pem -pubout -out ssl-pub.pem

  3. Extract the identifier for the public key. This identifier is visible in the backup file, and can be useful to find a particular public key.

    openssl pkey -pubin -in ssl-pub.pem -outform DER | openssl dgst -sha1

  4. Copy the contents of the ssl-pub.pem file (the public key) to the clipboard.
  5. Log into the TanOS console as a user with the tanadmin role.
  6. Enter B to go to the Appliance Maintenance menu.
  7. Enter 1 to go to the Backup menu.
  8. Enter E, paste the public key from the clipboard, and press Ctrl-D.
  9. Press Enter to return to the Backup menu.
  10. To test the encryption, perform a minimal backup using the steps described in Perform a full or minimal backup.
    1. After the backup completes, download the backup file. Note that you are not prompted to set a password.
    2. Extract the backup file. The folder contains a README.txt file that describes how to decrypt the backup.
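Step 3 notes that the key identifier is visible in the backup file and helps you find a particular public key. The following script is an added example, not part of the Tanium documentation: it computes that identifier for each stored public key and returns the file that matches. The function names, the .key/.pem file layout, and the throwaway keys and passphrase in demo are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# key_id FILE: SHA-1 over the DER encoding of a PEM public key, as in step 3.
# Fails instead of hashing empty input when FILE is not a public key.
key_id() {
  openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha1 -r | cut -d' ' -f1
}

# find_key ID DIR: print the path of each *.pem in DIR whose identifier is ID.
# Returns non-zero when no stored key matches.
find_key() {
  local want f found=1
  want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  for f in "$2"/*.pem; do
    [ -f "$f" ] || continue
    if [ "$(key_id "$f")" = "$want" ]; then
      printf '%s\n' "$f"; found=0
    fi
  done
  return "$found"
}

# is_encrypted_pem FILE: true if the private key PEM is passphrase-protected.
# Matches the PKCS#8 header and the traditional "Proc-Type: 4,ENCRYPTED" line.
is_encrypted_pem() {
  grep -q 'ENCRYPTED' "$1"
}

# demo: build a constructed key store (throwaway keys and passphrase), then
# look one key up by its identifier. Prints the matching file name.
demo() {
  local dir id n
  dir=$(mktemp -d) || return 1
  for n in site-a site-b; do
    openssl genrsa -aes256 -passout pass:constructed \
      -out "$dir/$n.key" 3072 2>/dev/null
    openssl pkey -in "$dir/$n.key" -passin pass:constructed \
      -pubout -out "$dir/$n.pem"
  done
  id=$(key_id "$dir/site-b.pem")
  is_encrypted_pem "$dir/site-a.key" && basename "$(find_key "$id" "$dir")"
  rm -rf "$dir"
}
```

Against a real key store, call find_key with the identifier read from the backup file and the directory that holds your ssl-pub.pem files.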

Configure an automatic backup

In a new installation, an automatic backup is configured to back up the Tanium PostgreSQL database nightly at 2:01 AM. You can edit the database backup or configure automatic minimal and full backups.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter C to configure an automatic backup.
  5. Select the type of backup to configure:
    • To configure a minimal backup, enter N.
    • To configure a full backup, enter F.
    • To configure a database backup, enter T.
  6. Follow the prompts to enable the backup and to specify file transfer options.
    • Automatic backups always save the backup files to the /outgoing directory for download with SFTP.
    • You can specify a username and IP address for a destination server to reach with secure copy protocol (SCP). If you set up a file transfer with SCP, copy the public key of the user that you are using to configure the backup to the ~/.ssh/authorized_keys file on the remote system. Ensure proper privileges on the remote system; you may need to run chmod 600 on the ~/.ssh/authorized_keys file.

Test an automatic backup

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter A to run an automatic backup now.
  5. Select the type of backup to run.
  6. Verify the backup settings and enter Yes to run the backup.
  7. Verify the backup completes successfully.
    • If the backup exports to a remote server with SCP, log in to the remote server and verify the backup file exists.
    • Extract the backup file. The folder contains a README.txt file that describes how to decrypt the backup.

Schedule an automatic backup

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter S to schedule an automatic backup.
  5. Select the type of backup to view the schedule settings. The schedule settings include the current settings and the pending settings.
    • Enter 1 to disable the backup.
    • Enter 2 to enable the backup.
    • Enter 4 to enter the days of the month to run the backup. You can enter a date range or comma-separated days.
    • Enter 5 to enter the days of the week to run the backup. You can enter a range or comma-separated values.
    • Enter 6 to select the time to run the backup. Enter the hours and minutes in UTC time.
    • To confirm the pending settings, enter 7 to activate the settings. The active settings update to match the pending settings.
    • If you enter R and do not activate the settings, the changes are not saved.

Configure and run manual backups

Tanium requires that you encrypt all full, minimal, and database backups with a key pair. This is required for both automatic and manual backups. For steps on how to set up encryption, see Add encryption keys for the backups.

Perform a partition sync

  1. Log into the TanOS console as a user with the tanadmin role.

    The TanOS console displays the tanadmin menu.

  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter P to display the Partition Sync menu.
  5. Follow the prompts to complete the backup.
  6. After the backup completes, press Enter to return to the Backup menu.

For information on how to change the active partition to the inactive partition, see Change the active partition.

Perform a full or minimal backup

Complete the following steps to perform a manual backup of the Tanium Appliance:

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Use the menu to create an off-box backup:
    • Enter N to display the Backup off-box minimal menu.
    • Enter F to display the Backup off-box full menu.
  5. Follow the prompts to confirm the backup and to specify file transfer options. You can save the backup file to the /outgoing directory for download with SFTP, and you can specify a username and IP address for a destination server that can be reached with secure copy protocol (SCP).
  6. After the backup completes, press Enter to return to the Backup menu.

Back up the Tanium database

Complete the following steps to perform a manual backup of the database:

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter T and then follow the prompts to create a database backup. The backup is saved to the /outgoing folder.
  5. Use SFTP to copy the backup file from the /outgoing directory on the appliance to your management computer.

Manage Tanium database backups

To select a specific backup from the last 7 days, including manual backups, you can navigate to menu B-1-5.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter L to list the Tanium database backups menu.
  5. Follow the prompts to export, rename, or delete the backup.

Configure alerts

TanOS can send alerts to a syslog server or to an email recipient. Tanium recommends that you configure an SMTP email recipient. If the syslog server fails, the SMTP recipient receives a failure notification every 15 minutes until the failure is resolved or the syslog forwarding is disabled.

Configure alerts

Use the Alerts Configuration menu to set the severity threshold to info, warn, or error. If you set it to warn, it also includes error. If you set it to info, it also includes warn and error.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 2 to go to the Alerting menu.
  4. Enter 3 to display the Configure Alerts menu.
  5. Use the menu to set a severity level and enable/disable alerting.

Configure syslog destination

The Alerting syslog configuration is separate from the syslog configuration in the Appliance Configuration menu. This configuration sends alerts for the alert threshold severity. The syslog configuration in the Appliance Configuration menu sends all logs.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 2 to go to the Alerting menu.
  4. Enter 1 to display the Syslog Destination menu.
  5. Enter 2 and follow the prompts to configure a syslog destination.
  6. Enter 1 to enable syslog alerts.
  7. Enter 3 to send a test alert to the syslog server.

The test alert appears in the syslog server logs.

Configure SMTP destination

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter 2 to go to the Alerting menu.
  4. Enter 2 to display the SMTP Destination menu.
  5. Enter 2 and then follow the prompts to configure an SMTP destination.
  6. Enter 1 to enable SMTP alerts.
  7. Enter 3 to send a test alert to the mail recipient.

Upgrade TanOS

See Upgrade TanOS.

Upgrade the TanOS shell

See Upgrade the TanOS shell.

Request a shell access key

If necessary for troubleshooting, you can request OS shell access to examine OS processes and files written to the file system. See Examine OS processes and files.

Clean up generated files

You can clean directories to clear up disk space or clear logs to make it easier to work with new entries in the log viewer.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter A to go to the Clean Directories menu.
  4. Use the menu to delete files that have been generated in the SFTP /incoming and /outgoing directories, core dump files, application logs, and so on.

Reboot or shut down

Tasks that you complete with TanOS menus typically do not require you to reboot the system. A reboot might be required during troubleshooting workflows.

Shutdown turns off the system and powers down the appliance.

You must have physical access to the appliance to power it on. Do not perform a system shutdown unless you are prepared to power the appliance back on.

Reboot

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter B to go to the Reboot/Shutdown menu.
  4. Enter 1 to display the Reboot menu.
  5. Follow the prompts to reboot the appliance.

Shut down

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  3. Enter B to go to the Reboot/Shutdown menu.
  4. Enter 2 to display the Shutdown menu.
  5. Follow the prompts to shut down the appliance.

Exit maintenance mode

Some maintenance procedures that you perform with TanOS menus prompt you to enter maintenance mode to ensure Tanium services are not affected by the maintenance operation. When the operation completes, exit maintenance mode to resume normal operations.

  1. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
  2. Enter C to go to the Maintenance Mode menu.
  3. Enter 2 and follow the prompts to toggle off maintenance mode.