Configuring Appliance security

Manage inbound SSH access rules

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-2 (Appliance Configuration > Security > Manage SSH).

  3. From this menu, you can add or delete rules that restrict SSH access to hosts from specified subnets only.
    • Enter A and follow the prompts to add a new rule.
    • Enter the line number of an existing rule and follow the prompts to delete the rule.

Configure SSH banner text

You can add custom SSH banner text to TanOS.

  1. Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
  2. Sign in to the TanOS console as a user with the tanadmin role.
  3. Enter A-A (Appliance Configuration > Security).

  3. Enter 3 to add the banner file.

View SSH fingerprints

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A (Appliance Configuration > Security).

  3. Enter 4 to view the SSH fingerprints.

Manage inbound HTTPS access rules

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-6 (Appliance Configuration > Security > Manage HTTPS).

  3. From this menu, you can add or delete rules that restrict HTTPS access to hosts from specified subnets only.
    • Enter A and follow the prompts to add a new rule.
    • Enter the line number of an existing rule and follow the prompts to delete the rule.

Configure LDAPS or StartTLS

If you have requirements to use the LDAPS or StartTLS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root certificate authority (CA) certificate and then enable the LDAPS/StartTLS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.

The LDAP server root CA certificate must be able to validate the LDAP server certificate. The subject field of the LDAP server certificate must match the host field in the LDAP configuration.

In a clustered environment, upload the LDAP server CA certificate to both Tanium Servers.

Paste the LDAP server root CA contents

To add multiple CA certificate files, put all certificates in one file and paste them in together.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-A (Appliance Configuration > Security > LDAP CA Certificate Management).

  3. Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file.
  4. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Import the LDAP server root CA certificate files

To add multiple CA certificate files, put all certificates in one file and use the Add Certificate option to paste them in together. See Paste the LDAP server root CA contents.

  1. Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
  2. Sign in to the TanOS console as a user with the tanadmin role.
  3. Enter A-A-A (Appliance Configuration > Security > LDAP CA Certificate Management).

  4. Enter 2 and follow the prompts to import the LDAP server root CA certificate file.
    • For the file ID, enter a short, unique string that you can use to reference the certificate.
  5. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Enable/Disable the LDAPS or StartTLS configuration

You can toggle the LDAPS or StartTLS configuration on and off. When disabled, the connection is unencrypted LDAP.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-A (Appliance Configuration > Security > LDAP CA Certificate Management).

  3. Enter 3 to enable or disable the LDAPS configuration.

Enable/Disable TLS certificate validation

If necessary during troubleshooting, you can disable TLS certificate validation to help you determine if there is a problem with the certificate. After troubleshooting, re-enable certificate validation.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-A (Appliance Configuration > Security > LDAP CA Certificate Management).

  3. Enter 4 and then E to enable or D to disable TLS certificate validation for connections with the LDAP server, and follow the prompt to restart the Tanium Server service.

View and manage LDAPS certificates

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-A (Appliance Configuration > Security > LDAP CA Certificate Management).

  3. Enter 5 to list the LDAPS certificates that have been imported.
  4. Enter the number of a certificate to view its details, delete it, or copy it to a secondary Tanium Server.

Copy the LDAPS configuration and certificates to another Tanium Server in a Cluster

  1. Sign in to a Tanium Server appliance as a user with the tanadmin role.
  2. Enter A-A-A (Appliance Configuration > Security > LDAP CA Certificate Management).

  3. Enter S to go to the Sync Configuration to Peer TS screen, and follow the prompts to copy the configuration to the other Tanium Server appliance.

The LDAPS configuration and certificates are copied automatically when you add a new Tanium Server to the array.

To copy only an individual certificate, follow the steps in View and manage LDAPS certificates.

Configure security policy rules

The TanOS user access security policy has the following factory settings.

Password Lifetime
  Factory default: Minimum: 0 days; Maximum: 90 days
  Description: The minimum sets the minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. The maximum sets the age at which a current password expires.

Password History
  Factory default: 4 most recent
  Description: The number of most recent passwords to disallow for reuse. A setting of 0 allows reuse of any previous password. This setting does not apply to the tanadmin account.

Password Minimum Length
  Factory default: 10 characters
  Description: The minimum number of characters allowed in a password. Valid range is 6-10 characters.

Password Minimum Characters Changed
  Factory default: 0 (disabled)
  Description: The minimum number of characters in the new password that must not be present in the previous password. 5 is a common practice. STIG requires a minimum of 8. A setting of 0 allows reuse of any character. This setting does not apply to the tanadmin account.

Login Failure Delay
  Factory default: 0 seconds
  Description: The time, in seconds, between a failed sign in attempt and the next password prompt.

Expired Passwords Effect
  Factory default: Force Password Change
  Description: Determines the effect on a user account when a password expires. Two options:
    • Disable the user account
    • Force password change on next sign in

Account Lockout Time
  Factory default: 900 seconds after 3 failures
  Description: The number of seconds to lock an account after three consecutive unsuccessful sign in attempts. Valid range is 0-604800 seconds.

Maximum Concurrent Logins
  Factory default: 10
  Description: The number of concurrent sign in sessions for a user account. A setting of 0 disables remote access.

To modify security policy settings:

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-P (Appliance Configuration > Security > Appliance Configuration Security Policy).

  3. Use the menu to view and edit password, sign in, and lockout rules.

After you modify password policy settings, the password prompts in TanOS menus are expected to show users the updated requirements.

Enable FIPS 140-3 mode

Enabling FIPS mode causes the appliance to use a FIPS-validated cryptographic module for all cryptographic operations. It also ensures that services like SSH use only cryptographic algorithms that FIPS 140-3 allows.

In Tanium Core Platform 7.4.5.1200 and later, enabling FIPS mode in TanOS also puts the Tanium Platform in FIPS mode.

Changing the FIPS mode affects the available ciphers and keys used while connecting to the appliance over SSH. After you change the FIPS mode, the appliance reboots immediately, and you might not be able to use SSH to access the TanOS console until you regenerate SSH keys. Before you change the FIPS mode, make sure you can access the appliance another way, such as through iDRAC or the VM console.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X (Appliance Configuration > Security > Advanced Security).

  3. Enter 1 and follow the prompts to enable FIPS 140-3 mode and reboot for the changes to take effect.

    To confirm that FIPS 140-3 mode is enabled after rebooting the appliance, return to the Advanced Security menu (A-A-X).

    If necessary, regenerate SSH keys for users who access the TanOS console using SSH. See Manage SSH keys.

Use AIDE reporting

Advanced Intrusion Detection Environment (AIDE) is a host-based intrusion detection system (HIDS) for checking the integrity of files. The AIDE solution runs an initialization scan over a set of files and directories in the system and generates a reference snapshot of the environment state. Subsequent scans report the differences between the reference snapshot and the current state, and those differences are to be investigated.

The set of files and directories over which the scans are run can be customized in a configuration file. If needed, contact Tanium Support for assistance.

AIDE reports will be very noisy following TanOS upgrades, Tanium role installations, and Tanium solution module or content pack imports or reimports. To mitigate the noise and allow you to track real intrusions, the following workflow is recommended:
  1. Before you perform an upgrade or installation, run an AIDE check report.
  2. Then perform the upgrade or installation.
  3. After the upgrade or installation, run AIDE initialization to reset the AIDE reference. A fresh AIDE report is run automatically at the end of the initialization process.

Enable AIDE

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X-2 (Appliance Configuration > Security > Advanced Security > AIDE).

  3. Enter 1 to initialize AIDE, enable a weekly check report, and run a test check report.

    Note that after initialization, the AIDE menu shows status, schedule, and recent report information.

Run an AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X-2 (Appliance Configuration > Security > Advanced Security > AIDE).

  3. Enter 2 to run an AIDE check report.

    Note that after the report has been run, the report status is updated.

Disable the weekly AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X-2 (Appliance Configuration > Security > Advanced Security > AIDE).

  3. Enter 3 to disable the weekly AIDE check report.

    Note that after the disable report operation has been run, the scheduled report status is updated.

Enable the weekly AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X-2 (Appliance Configuration > Security > Advanced Security > AIDE).

  3. Enter 4 to enable the weekly AIDE check report.

    Note that after the enable report operation has been run, the scheduled report status is updated.

Export the weekly AIDE check report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X-2 (Appliance Configuration > Security > Advanced Security > AIDE).

  3. Enter 5 to export the weekly AIDE check report to the /outgoing directory.
  4. Use SFTP to copy the report from /outgoing to your management computer.

Toggle SELinux mode

Security-Enhanced Linux (SELinux) is a set of kernel modifications and user-space tools that make a Linux-based OS more secure.

By default, the SELinux setting is set to enforcing.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X (Appliance Configuration > Security > Advanced Security).

  3. Enter 4 to toggle the SELinux setting between permissive and enforcing. A reboot is not required.

Set menu timeout

The menu timeout is the amount of time that the TanOS menu system waits for user input. Enable this feature to cancel user sessions after a period of inactivity. The timeout applies to SSH sessions, but not to Tanium Console sessions. This setting takes effect when a user signs in to the appliance. By default, menus do not time out.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X (Appliance Configuration > Security > Advanced Security).

  3. Enter 5 to set a menu timeout, in seconds. If you want to disable menu timeouts, set the value to 0.

Toggle Denial of Service protection

Use this setting to add extra protection against Denial of Service (DoS) attacks. By default, this setting is disabled.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-A-X (Appliance Configuration > Security > Advanced Security).

  3. Enter 6 to enable DoS protection. The screen updates with an enabled status.

Manage the RAID controller security key

Export the RAID controller security key (physical Tanium Appliance only)

The RAID controller security key is used by the controller to lock and unlock access to encryption-capable physical disks. You can export the key and store it in a safe location. During recovery from controller failure, you will need to provide the key. When you run a Health Check, you might see messages alerting you to export the RAID controller security key.

Boot Check: Pass (EFI Boot)
Active partition: pass (VolGroup1-root)

>>> Hardware health (will take 1-12 seconds) <<<
hardware type: pass (TV-220)
RAID controller RAID.Integrated.1-1 Security Key: pass
disk encryption: pass


>>> RAID Controller Security Key <<<

RAID Security key check: fail (key has NOT been exported)  <-------- 

>>> Tanium Application file Permissions <<<

executed checks: 48
failed checks: 4
new health status setting: warning

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-X-5 (Appliance Configuration > Advanced Configuration > Export RAID Controller Security Key).

  3. Follow the prompts to export the RAID controller security key to the /outgoing directory.
  4. Use SFTP to copy the file from the /outgoing directory to your local computer.

Change the RAID controller security key (physical Tanium Appliance only)

You can change the RAID controller key in the event of a failure, but you need to have the existing key decrypted to do so.

This is a lengthy process and can take 10 minutes or more to complete.

Before you begin

The passphrase that is associated with the existing key must be decrypted by Tanium. Contact Tanium Support for assistance.

Change the key with the decrypted previous key

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-X-4 (Appliance Configuration > Advanced Configuration > Change RAID Controller Security Key).

  3. Type Yes to proceed, enter your decrypted previous key, and then type in a new key that meets the password policy requirements.
  4. Export the new RAID controller security key and download the key immediately from the /outgoing folder through SFTP.

    For export steps, see Export the RAID controller security key (physical Tanium Appliance only).

Manage the grub key (physical Tanium Appliance or virtual Tanium Appliance only)

Export the grub key

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-X (Appliance Configuration > Advanced Configuration).

  3. Enter 6 and follow the prompts to export the grub key to the /outgoing folder.
  4. Use SFTP to copy the file from the /outgoing directory to your local computer.

Change the grub key password

If necessary, you can regenerate the grub key and password.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A-X (Appliance Configuration > Advanced Configuration).

  3. Enter 7 and follow the prompts to generate a new grub key and export it to the /outgoing folder.

    For export steps, see Export the grub key.

  4. Use SFTP to copy the file from the /outgoing directory to your local computer.