Reference: Appliance Maintenance menu

Use the Appliance Maintenance menu to perform backups, system resets, TanOS upgrades, and system reboots or shutdowns.

Backup overview

TanOS contains the options to perform core and comprehensive backups. Physical appliances and virtual appliances with an inactive partition also have the option to back up the active partition to the inactive partition. Additionally, you can take snapshots of the virtual image. For core and comprehensive backups, you can schedule automatic backups or perform a manual backup. The following sections describe the available options:

Configure and run automatic backups

Use TanOS to schedule automatic backups for the Tanium Appliance. Through TanOS, you can schedule core and comprehensive backups.

After you perform the initial setup for an appliance, a core backup is scheduled by default. The TanOS health check reports an error that automatic backups cannot complete until you set up an encryption key. To remove the error from the health check, you can either add an encryption key or disable the scheduled core backup. For more information on the TanOS health check, see Run the Health Check.

The general process to set up an automatic backup includes the following steps:

  1. Add an encryption key for all backups.
  2. Configure a core or comprehensive backup.
  3. Test the automatic backup.
  4. Schedule the automatic backup.

When you schedule an automatic backup, TanOS prompts you to select a remote host to which to save the recovery bundle. TanOS also saves the recovery bundle to the /outgoing directory, where you can use SFTP to download the recovery bundle.

Add encryption key for the backups

Encrypt all core and comprehensive backup recovery bundles with a key pair. Encryption is required for both automatic and manual backups.

  1. Use OpenSSL to generate a public/private key pair in a PEM file. Enter a passphrase when prompted.

    openssl genrsa -aes256 -out ssl-pvk.pem 3072

  2. Extract the public key from the PEM file. Enter your passphrase when prompted.

    openssl pkey -in ssl-pvk.pem -pubout -out ssl-pub.pem

  3. Extract the identifier for the public key. This identifier is visible in the backup file and can be useful to find a particular public key.

    openssl pkey -pubin -in ssl-pub.pem -outform DER | openssl dgst -sha1

  4. Copy the contents of the ssl-pub.pem file (the public key) to the clipboard.
  5. Sign into the TanOS console as a user with the tanadmin role.
  6. Enter B to go to the Appliance Maintenance menu.
  7. Enter 1 to go to the Backup menu.
  8. Enter E, paste the public key from the clipboard, and press Ctrl-D.
  9. Press Enter to go to the Backup menu.
  10. To test the encryption, perform a manual core backup using the steps described in Perform a core or comprehensive backup.
    1. After the backup completes, download the recovery bundle. Note that you are not prompted to set a password.
    2. Extract the recovery bundle. The folder contains a README.txt file that describes how to decrypt the recovery bundle.
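
Step 3 notes that the key identifier is visible in the backup file. The following added example (not part of the Tanium documentation or TanOS) uses that identifier to find the matching public key among several PEM files and to confirm that a private key is the counterpart of a given public key. The function names, the directory layout, and the `env:KEYPASS` passphrase source are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not TanOS code. Function names and paths are hypothetical.

# Print the identifier of a PEM public key: the SHA-1 of its DER encoding,
# the value step 3 computes, reduced to the bare hex digest.
# Fails on anything that is not a PEM public key (e.g. a private key file).
pubkey_id() {
    grep -q -e '-----BEGIN PUBLIC KEY-----' "$1" 2>/dev/null || return 1
    openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -pubin -in "$1" -outform DER |
        openssl dgst -sha1 | awk '{print $NF}'
}

# Print every *.pem in DIR whose identifier equals ID (hex; case and
# colon separators are ignored). Returns non-zero when no key matches.
find_pubkey() {
    _want=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ': ')
    _found=1
    for _f in "$2"/*.pem; do
        [ -f "$_f" ] || continue
        if [ "$(pubkey_id "$_f")" = "$_want" ]; then
            printf '%s\n' "$_f"
            _found=0
        fi
    done
    return "$_found"
}

# Succeed only when the private key PRIV corresponds to the public key PUB,
# i.e. the key you keep is the counterpart of the key pasted into TanOS.
# PASSIN is an optional openssl pass phrase source such as env:KEYPASS;
# without it openssl prompts for the passphrase.
keypair_matches() {
    _pem=$(openssl pkey -in "$1" ${3:+-passin "$3"} -pubout 2>/dev/null) || return 1
    _want=$(pubkey_id "$2") || return 1
    _got=$(printf '%s\n' "$_pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha1 | awk '{print $NF}')
    [ "$_got" = "$_want" ]
}
```

Run `keypair_matches ssl-pvk.pem ssl-pub.pem` before pasting the public key in step 8, and keep the output of `pubkey_id ssl-pub.pem` with the private key so a recovery bundle can later be matched to it.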

Configure an automatic backup

In a new installation with a Tanium role installed, an automatic core backup is scheduled to run nightly at 2:01 AM UTC. You can edit the backup, disable the backup, or configure an automatic comprehensive backup.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter C to configure an automatic backup.
  5. Select the type of backup to configure:
    • To configure a core backup, enter N.
    • To configure a comprehensive backup, enter F.
  6. Follow the prompts to enable the backup and to specify file transfer options.
    • Automatic backups always save the recovery bundles to the /outgoing directory for download with SFTP.
    • You can specify a username and IP address for a destination server to reach with secure copy protocol (SCP). If you set up a file transfer with SCP, copy the public key of the user that you are using to configure the backup to the ~/.ssh/authorized_keys file on the remote system. Ensure proper privileges on the remote system; you may need to run chmod 600 on the ~/.ssh/authorized_keys file.

Test an automatic backup

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter A to go to the Run Now menu.
  5. Select the type of backup to run.
  6. Verify the backup settings and enter Yes to run the backup.
  7. Verify the backup completes successfully.
    • If the backup exports the recovery bundle to a remote server with SCP, sign in to the remote server and verify the recovery bundle exists.
    • Extract the recovery bundle. The folder contains a README.txt file that describes how to decrypt the recovery bundle.

Schedule an automatic backup

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter S to go to the Schedule menu.
  5. Select the type of backup to view the schedule settings. The schedule settings include the current settings and the pending settings.
    • Enter 1 to disable the backup.
    • Enter 2 to enable the backup.
    • Enter 4 to enter the days of the month to run the backup. You can enter a date range or comma-separated days.
    • Enter 5 to enter the days of the week to run the backup. You can enter a range or comma-separated values.
    • Enter 6 to select the time to run the backup. Enter the hours and minutes in UTC time.
    • To confirm the pending settings, enter 7 to activate the settings. The active settings update to match the pending settings.
  6. If you enter R without activating the settings, the changes are not saved.

Configure and run manual backups

You must encrypt all backups with a key pair. Encryption is required for both automatic and manual backups. For steps on how to set up encryption, see Add encryption key for the backups.

Perform a partition sync

In TanOS 1.6.1 and later, virtual appliances contain only one partition by default. Appliances with only one partition do not contain the option to perform a partition sync.

To protect data consistency, the partition sync job disables (shuts down) the Tanium Server, Tanium database server, and other related services for the duration of the partition sync. Make sure to set a partition sync schedule that does not disrupt solution processes.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter P to go to the Partition Sync menu.
  5. Follow the prompts to complete the backup.
  6. After the backup completes, press Enter to go to the Backup menu.

For information on how to change the active partition to the inactive partition, see Change the active partition.

Perform a core or comprehensive backup

Complete the following steps to perform a manual backup of the Tanium Appliance:

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Use the menu to create a backup:
    • Enter N to go to the Backup off-box Core menu.
    • Enter F to go to the Backup off-box Comprehensive menu.
  5. Follow the prompts to confirm the backup and to specify file transfer options. You can save the backup file to the /outgoing directory for download with SFTP, and you can specify a username and IP address for a destination server that can be reached with secure copy protocol (SCP).
  6. After the backup completes, press Enter to go to the Backup menu.

Manage Tanium database backups

Beginning with TanOS 1.6.3, Tanium database backups are included with core backups and comprehensive backups. TanOS contains the option to manage Tanium database backups produced prior to TanOS 1.6.3.

To select a specific backup from the last 7 days, navigate to the List Tanium Database Backups menu.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 1 to go to the Backup menu.
  4. Enter L to list the Tanium database backups.
  5. Follow the prompts to export, rename, or delete the backup.

Configure alerts

TanOS can send alerts to a syslog server or to an email recipient. For optimal results, configure an SMTP email recipient. If the syslog server fails, the SMTP recipient receives a failure notification every 15 minutes until the failure is resolved or syslog forwarding is disabled.

Configure alerts

Use the Configure Alerts menu to set the alert severity threshold to info, warn, or error.

  • Info: Includes all alerts
  • Warn: Includes all error and warning alerts
  • Error: Includes error alerts

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 2 to go to the Alerting menu.
  4. Enter 3 to go to the Configure Alerts menu.
  5. Use the menu to set a severity level and enable/disable alerting.

Configure syslog destination

The syslog alert configuration is separate from the syslog configuration in the Appliance Configuration menu. This configuration sends alerts for the alert threshold severity. The syslog configuration in the Appliance Configuration menu sends all logs.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 2 to go to the Alerting menu.
  4. Enter 1 to go to the Configure Syslog Destination menu.
  5. Enter 2 and follow the prompts to configure a syslog destination.
  6. Enter 1 to enable syslog alerts. The Configure Syslog Destination menu updates to show the current status.
  7. Enter 3 to send a test alert to the syslog server.

The test alert appears in the syslog server logs.

Configure SMTP destination

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter 2 to go to the Alerting menu.
  4. Enter 2 to go to the Configure SMTP Destination menu.
  5. Enter 2 and follow the prompts to configure the SMTP destination.
  6. Enter 1 to enable SMTP alerts. The Configure SMTP Destination menu updates to show the current status.
  7. Enter 3 to send a test alert to the mail recipient.

Upgrade TanOS

See Upgrade TanOS.

Request a shell access key

You can request OS shell access to examine OS processes and files written to the file system. See Examine OS processes and files.

Clean up generated files

Clean directories to clear up disk space or clear logs to make it easier to work with new entries in the log viewer.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter A to go to the Clean directories menu.
  4. Use the menu to delete files that have been generated in the SFTP /incoming and /outgoing directories, core dump files, application logs, and so on.

Reboot or shut down

Tasks that you complete with TanOS menus typically do not require you to reboot the system. A reboot might be required during troubleshooting workflows.

Shutdown turns off the system and powers down the appliance.

You must have physical access to the appliance to power it on. Do not perform a system shutdown unless you are prepared to power the appliance back on.

Reboot

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter B to go to the Reboot/Shutdown menu.
  4. Enter 1 to go to the Reboot menu.
  5. Follow the prompts to reboot the appliance.

Shut down

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter B to go to the Reboot/Shutdown menu.
  4. Enter 2 to go to the Shutdown menu.
  5. Follow the prompts to shut down the appliance.

Exit maintenance mode

Some maintenance procedures that you perform with TanOS menus prompt you to enter maintenance mode to ensure Tanium services are not affected by the maintenance operation. When the operation completes, exit maintenance mode to resume normal operations.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter C to go to the Maintenance Mode menu.
  4. Enter 1 to clear any maintenance actions.

Enable partitions

In TanOS 1.6.1 and later, virtual appliances contain only one partition set by default. On virtual appliances, you can add an alternate (inactive) partition set to use as a backup partition.

The option to enable partitions only appears if you have a single partition on a virtual appliance.

  1. If needed, modify the virtual image to add disk storage.

    This action is not reversible. Storage that you add to the appliance is permanently allocated. Do not attempt to remove disk storage from an appliance, as the appliance will become unusable.

  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter B to go to the Appliance Maintenance menu.
  4. Enter E and follow the prompts to enable alternate partitions.

Disable partitions

Use this option on virtual appliances to remove the alternate (inactive) partition set. Use this option if you do not need the alternate partition. After you remove the alternate partition set, you can allocate the unused storage to the primary partition.

Do not disable the alternate partition set with the intent to reclaim disk storage. Disk storage on the appliance is permanently allocated. Do not attempt to remove disk storage from an appliance, as the appliance will become unusable.

In TanOS 1.6.1 and later, virtual images contain only one partition set by default. If you upgrade from a previous version of TanOS, the existing partition configuration is preserved. This menu option only appears if your virtual appliance has an alternate partition set.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu.
  3. Enter D and follow the prompts to remove all alternate partitions.

Use the Increase storage option to reallocate the storage from the deleted partition set.

Increase storage

On virtual appliances and on a Tanium Cloud Appliance, you can add a disk to the virtual image to increase the amount of available storage.

This action is not reversible. Storage that you add to the appliance is permanently allocated. Do not attempt to remove disk storage from an appliance, as the appliance will become unusable.

  1. Modify the virtual image to add disk storage.
  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter B to go to the Appliance Maintenance menu.
  4. Enter I to go to the Increase Storage menu.
  5. Follow the prompts to add the disk storage.

    If you have an inactive partition set, any new storage is evenly allocated across the active (/OPT) and inactive (/ALTOPT) partitions.