Completing the initial setup (Tanium Cloud Appliance)

Obtain a virtual appliance image file and virtual appliance license from Tanium Support. For more information, see Contact Tanium Support.

Requirements

Deploy the virtual image to the cloud provider

Contact Tanium Support to obtain a TanOS Cloud Appliance image. When you configure the image with your cloud provider, you must specify a encryption key pair to initially connect to the image. You can use an existing key pair or generate a new key pair.

Remote access to TanOS

Network and host settings enable the appliance to establish connections with other computers in your local network and with other servers and hosts on the Internet. Specify appropriate settings for the network in which the appliance is deployed.

• Your local "management computer" must be connected to a subnet that can reach the appliance IP address.
• Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
• You must have an SSH client such as PuTTY to sign in to the TanOS console. For PuTTY, use version 0.71 or later.
• You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
• You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.

Watch the tutorial on setting up WinSCP for the Tanium Appliance on the Tanium Community website.

Configure network and host settings

1. Make sure your virtual image is configured to use an encryption key pair, and that the private key is set up on your local computer.
2. Sign in to your cloud provider and use an SSH client to connect to the TanOS console as a user with the tanadmin role. View screen

   $ ssh [email protected]
   	
   ######################## WARNING ########################
   
          Unauthorized access is strictly prohibited.
   
   #########################################################
   
   
               >>> Appliance not configured <<<
   
                   TanOS Version 1.6.3.0073
   
    This appliance is not configured yet - please perform the initial configuration.
   
    Press enter to continue

3. When prompted, indicate that you want to complete the initial configuration. View screen

    ------------------------------------------------------
   
    >>> Appliance Operations -> Initial Configuration <<<
   
    Initial configuration workflow for a new TanOS appliance
   
    At least the following information is required to complete this section:
    - IP address, Netmask & Default Gateway
    - Hostname & Domain name
    - Domain Name Server (DNS) IP address
    - NTP Server address
   
    The workflow will not allow you to stop until fully completed,
    please ensure you have all the required information before beginning.
   
    Once the configurations have been completed the system will close the session
    and force a re-login, on initial login a password change will be required for
    all users. Verification of the configuration and any changes required can be
    performed using the menus.
   
    ------------------------------------------------------
   
    TanOS Version:        1.6.3
    TanOS_Shell Version:  1.6.3
   
    Would you like to continue with the initial configuration? [Yes|No]:

4. Use the spacebar to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept it.

   The email address is stored locally only. It is not used externally for any reason.

5. When prompted, enter the one-time password that appears on the screen for the tanadmin and tanuser users. View screen

   >>> Password Configuration <<< 
   
   Passwords for tanadmin and tanuser will be reset to a temporary password now.
   Upon next login a password change will be enforced. 
   
   The password policy requires meeting these rules:
   - Minimum of 10 characters long
   - At least 1 upper case character
   - At least 1 lower case character
   - At least 1 numeric character
   - At least 1 other character
   - Must not match any of recent 4 passwords
   - Must not be based on a dictionary word
   - Must not contain part of the username
   
   
   The temporary password will use letters only.
   The temporary password for tanadmin and tanuser is: goodbeigejaguar 
   
   Please enter temporary password (goodbeigejaguar) to continue
   You entered: [goodbeigejaguar]
   
   Finished password changes

6. Make a note of the one-time password. You must provide the password the next time you sign in. At that time, you will be prompted to specify a new password.

   The console configures SSH keys and IPSec settings, and then notifies you that the initial configuration is complete. Press the Enter key to terminate the session. View screen

   >>> Password Configuration <<< 
   
   Passwords for tanadmin and tanuser will be reset to a temporary password now.
   Upon next login a password change will be enforced. 
   
   The password policy requires meeting these rules:
   - Minimum of 10 characters long
   - At least 1 upper case character
   - At least 1 lower case character
   - At least 1 numeric character
   - At least 1 other character
   - Must not match any of recent 4 passwords
   - Must not be based on a dictionary word
   - Must not contain part of the username
   
   
   The temporary password will use letters only.
   The temporary password for tanadmin and tanuser is: goodbeigejaguar 
   
   Please enter temporary password (goodbeigejaguar) to continue
   You entered: [goodbeigejaguar]
   
   Finished password changes
   
   
                >>> SSH key Configuration <<< 
   
    keygen process finished successful
    Finished generating keys for tanadmin
    keygen process finished successful
    Finished generating keys for tancomm
   
                 >>> IPSec Configuration <<< 
   
   Generated RSA key pair with CKAID 450ef72e5132fb62c06bc380227b65763179f330 was stored in the NSS database
    Generating new grub password ...
    Generating new grub key ...
   
           >>> Initial Configuration Completed <<< 
   
    The initial configuration workflow for new the TanOS appliance has completed.
    The system will now log out the current user and activate the settings. If
    network settings have been modified reconnect on the new IP address.
    Please login again and verify the configured settings are as expected.  If
    changes are required use the tanadmin menu, all settings configured during
    this dialogue can be modified there.
   
    Press enter to exit

Configure user access

TanOS has built-in user accounts to access the appliance operating system and perform tasks.

Before you install a Tanium Appliance role, you must configure new passwords or add SSH keys to authenticate access for the following accounts:

• tanuser: Can make an SSH connection with SSH key authentication or password authentication to the TanOS console and access temporary settings and status menus only.
• tanadmin: Can make an SSH connection with SSH key authentication or password authentication to the TanOS console and access all menus. By default, the tanadmin user is configured to use key authentication only. Any user with the tanadmin role is a highest-level administrator in TanOS.
• tancopy: Can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

TanOS does not support self-service password reset methods. If you forget your password, you must ask a tanadmin user to reset it for you. You can avoid this risk by setting up SSH key authentication.

Watch the tutorial on how to configure SSH key authentication for the Tanium Appliance on the Tanium Community website.

Before you begin

• Be ready to specify new passwords for the tanuser and tanadmin accounts. The password string must be at least 10 characters long and have at least 1 uppercase character, 1 lowercase character, 1 numeric character, and 1 non-alphanumeric character.
• You must have an SSH client to sign in to the TanOS console and an SFTP client to copy files to and from the appliance.
• You must have an SSH key generator to generate keys for the tancopy user.

Change the default passwords

1. Open an SSH connection to the TanOS console as tanadmin and follow the prompts to change the password. View screen

   ######################## WARNING ########################
   
   Unauthorized access is strictly prohibited.
   
   #########################################################
   
   Password: 
   You are required to change your password immediately (root enforced)
   Changing password for tanadmin.
   (current) UNIX password: 
   New password: 
   Retype new password: 

2. After the password changes, the tanadmin menu appears. Enter Z to sign out.
3. Open an SSH connection to the TanOS console as tanuser and follow the prompts to change the password. View screen

   ######################## WARNING ########################
   
   Unauthorized access is strictly prohibited.
   
   #########################################################
   
   Password: 
   You are required to change your password immediately (root enforced)
   Changing password for tanuser.
   (current) UNIX password: 
   New password: 
   Retype new password: 

4. After the password changes, the tanuser menu appears. Enter Z to sign out.

You can disable password access for any user except the tanadmin special user. When you disable password access for a user, the user can only sign in through SSH using the configured SSH private key. For steps, see Disable password access.

Add SSH keys

You must set up an SSH key for the tancopy user. Tanium strongly recommends that you set up SSH key authentication for TanOS user accounts.

Add SSH keys for the tancopy user

You must set up an SSH key for the tancopy user. The SSH key is used to transfer files via SFTP to the /incoming and /outgoing folders.

1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
   • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
   • Specify a passphrase that is easy to remember.
   • Save the private key to a location that you can access when you set up your SFTP client.
2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

   In an SSH key exchange, the keys must match exactly, including line endings.

3. Sign in to the TanOS console as a user with the tanadmin role.
4. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
                 >>> User Administration <<< 
   
   		U: TanOS User Management
   		I: Recent Login Information
   
   		L: Local Tanium User Management
   
   		H: Help
   		R: Return to previous menu
   
   ------------------------------------------------------

5. Enter U to go to the TanOS User Management menu.
6. Enter the line number for the tancopy user to go to the user administration menu for this user. View screen

   >>> User Administration -> TanOS -> tancopy <<< 
   
   Username:        tancopy
   Account Enabled: Yes
   Authentication:  SSH Key Only
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
     * This user account cannot have a password
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: [DISABLED] Change Password
   	N: [DISABLED] Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

7. Enter A to go to the Manage SSH Authorized Keys menu. View screen

   >>> User Administration -> TanOS -> tancopy -> Authorized Keys <<< 
   
   Username: tancopy
   Select an entry to view or delete.
   
   	1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY 
   	2: 2048 SHA256:8OV4S5V30aFu9pZKexRVaElF3BgJNEx+Y91fgbnzxIU
   			
          A: Add key
   
          R: Return to previous menu
   
   ------------------------------------------------------

8. Enter A and follow the prompts to add the contents of the public key generated in Step 1. View screen

   >>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<< 
   
   Account: tancopy
   Please paste the public key and press enter: 
   ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2zMDxW5TO5tm/U
   8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTqZ+KCgzbEhHLWUD44+If5RtG+
   U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBuemftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2m
   OJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvBoPeaCFaApQ== rsa-key-20200123
    Validating input
    Adding key to authorized keys after validation
    Finished adding authorized keys for tancopy
   
   
    Press enter to continue

9. To test it, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
   1. Specify tancopy for user name.
   2. Click Advanced.
   3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
   4. Save the configuration and click Login to initiate the connection.

   You should be able to connect to the appliance and see the /incoming and /outgoing directories.

You might see permission denied messages because WinSCP attempts to read the listing of the /incoming directory. This is expected. The user tancopy has permission to write to /incoming but not read /incoming.

Add SSH keys for TanOS users

Tanium strongly recommends that you set up SSH key authentication for TanOS user accounts.

If you plan to set up multiple appliances through an Appliance Array, use these steps to copy the public key for the tanadmin user on the primary appliance to the tanadmin user accounts on the remaining appliances.

You can also use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.

1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
   • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
   • Specify a passphrase that is easy to remember.
   • Save the private key to a location that you can access when you set up your SFTP client.
2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

   In an SSH key exchange, the keys must match exactly, including line endings.

3. Sign in to the TanOS console as a user with the tanadmin role.
4. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
                 >>> User Administration <<< 
   
   		U: TanOS User Management
   		I: Recent Login Information
   
   		L: Local Tanium User Management
   
   		H: Help
   		R: Return to previous menu
   
   ------------------------------------------------------

5. Enter U to go to the TanOS User Management menu.

6. Enter the line number of the user account that you want to manage. View screen

   >>> User Administration -> TanOS -> tanadmin <<<
   
   Username:        tanadmin
   Account Enabled: Yes
   Authentication:  SSH Key or Password
   SSH Lockout:     No (0)
   
   Notes:
     * This user account must always have a password
     * This user account cannot be deleted
     * This user account cannot be disabled
   
   A: Manage SSH Authorized Keys
   P: Manage SSH Key Pair
   L: Reset SSH Lockout
   C: Change/Enable Password (Chosen)
   N: [DISABLED] Disable Password Access
   
   E: [DISABLED] Enable Account
   D: [DISABLED] Disable Account
   X: [DISABLED] Delete User
   
   F: Edit known hosts file
   
   R: Return to previous menu
   
   

7. Enter A to go to the Authorized Keys menu. View screen

   >>> User Administration -> TanOS -> tanadmin -> Authorized Keys <<< 
   
   	Username: tanadmin
   	Select an entry to view or delete.
   
   	1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY 
   			
   	A: Add key
   
   	R: Return to previous menu

8. Enter A and follow the prompts to paste the public key generated in Step 1. View screen

   >>> User Administration -> TanOS -> tanadmin -> Authorized Keys -> Add <<< 
   
   Account: tanadmin
   Please paste the public key and press enter: 
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqXUnoyrg4opYQp4DGZoasYy8ud5oJEar9BqRr2RVHMm/Sxcl4T1sthsN
   WS0ECo0j32mCSM3ynYZn2AdJTU6HbKnFM30gtQL7+tpmGrgbkaVEJ9OXoA47JP0o5hbI16UUpuEKJrEBOYovIsrN2gtwKbz
   YdOVCxVq5amzqg7/UrQyUO3rmt54qStiqNIiHI3UjzPWYJwUxz90vU7LWsXYz1CAWBTXnh51kg0lBPFgbRmUZJb0DwLb4Sw
   lFZAe5P0RO4RwdmZVgTfsqy+MVuyzaBzGD1z4MlIZ83R6sW+nXtipbzqhFTLykLRLIXobuHjuf0Yy1H7/ZDJh/qlojce4TC
   g/+5e2h1RQ8ZKgECZDJoCdrkAM6y9arHCoZwqEP9MXugQXCO6EMrP39vXajnV3YrDKKLYP1pxWZGOA4ylNqY5mG1+AofVdG
   vAUBztjXfXgC3bgL0Qgp+d3E8JvLRHXfkmRijppvj+BCJUawXJfkMtBEgrxQP9PoDwHrqJj6ey80v8P7DgojQw83JumsG3S
   +7l0e0Ia02q/05s2EpOv9jE9aJiLRGKbb4WkjvUSpK1VmDK54qfeSKj6yp3IIt13GBKmkVqKbbZS6gaZ3UTpzq3dj+53YeP
   eOe8XMECuxl6aH4nLT4u3CqrCqxTfTa5y1Fi3/e9zI5/AKJlTXWF3ISCQ== [email protected]
    Validating input
    Adding key to authorized keys after validation
    Finished adding authorized keys for tanadmin
   
   
    Press enter to continue

9. To test it, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
   1. Specify the Tanium Server IP address, port 22, and SSH connection type.
   2. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
   3. Open the SSH session and enter the tanadmin username.
   4. You are prompted for the SSH key passphrase instead of the tanadmin password. View screen

      login as: tanadmin
      
      ######################## WARNING ########################
      
             Unauthorized access is strictly prohibited.
      
      #########################################################
      
      Authenticating with public key "rsa-key-20200119"
      Passphrase for key "rsa-key-20200119":

Upload the license file (Tanium Core Platform 7.3 or earlier)

After you complete the initial network configuration, upload a valid Tanium license file.

These steps only apply to Tanium Core Platform 7.3 or earlier. If you plan to install Tanium Core Platform 7.4 or later, you will use the Tanium Console to upload the license file after you install a Tanium Server role or Tanium All-in-One role.

Before you begin

• Obtain a valid license from Tanium Support. Use the same license file to activate all Tanium appliances in your deployment. Tanium Support must know the fully qualified domain name (FQDN) for each appliance to generate your license file. For more information, see Contact Tanium Support.
• You can activate an appliance with a license file if:
• The license file is named tanium.license.
• The license is not expired.
• The FQDN that was specified in the Tanium license generator matches the FQDN of the appliance.
• You must have added the public key for the tancopy user to the appliance so you can use SFTP to upload the license file.

After you complete the initial network configuration, upload a valid Tanium license file or request an activation key from Tanium.

1. On your management computer, set up an SFTP client such as WinSCP to connect to the appliance.
2. Use SFTP to copy your license file (tanium.license) to the /incoming directory on the appliance.
3. Sign in to the TanOS console as a user with the tanadmin role.

   When the tanadmin menu loads, TanOS detects the license and copies it to the appropriate location to activate the appliance.

Export the grub key

The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you will need to provide the key.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu. View screen

   ------------------------------------------------------
   
              >>> Appliance Configuration <<< 
   
            1: Hostname/DNS Configuration
            2: Networking Configuration
            3: NTP Configuration
            4: Syslog Configuration
            5: SNMP Configuration
            6: Module File Share Configuration
            7: Reset all NICs to DHCP (VM only)
   
            A: Security
            X: Advanced Configuration
   
            H: Help
            R: Return to previous menu
   
   ------------------------------------------------------

3. Enter X to go to the Advanced Configuration menu. View screen

   ------------------------------------------------------
   
      >>> Appliance Configuration -> Advanced Menu <<< 
   
   Attention: The options in this menu can affect performance 
   and emergency recovery. 
   Please consult your TAM before utilizing the below options.
   
            1: Auto-Disable
            2: TanOS Log
   
            6: Export Grub Key
            7: Generate New Grub Key
   
            H: Help
            R: Return to previous menu
   
   ------------------------------------------------------

4. Enter 6 and follow the prompts to export the grub key to the /outgoing folder. View screen

   >>> Appliance Configuration -> Advanced Menu -> Export Security Key <<< 
   
   Once the security key has been placed in the outgoing directory it
   will remain until the nightly cleanup job is run. After this time it
   will be deleted and must be exported again.
   Please be sure to download it and save in a secure location.
   
   Would you like to export the security key? [Yes|No]: yes
   
   The security key has been placed in the sftp outgoing directory.
   This location will be cleaned daily at 02:00am appliance time!
   
   Press enter to continue

5. Use SFTP to copy the file from the /outgoing directory to your local computer.

Add TanOS system users

Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles. It is useful to have more than one privileged user in case you forget the password for the initial tanadmin user.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
                 >>> User Administration <<< 
   
   		U: TanOS User Management
   		I: Recent Login Information
   
   		L: Local Tanium User Management
   
   		H: Help
   		R: Return to previous menu
   
   ------------------------------------------------------

3. Enter U to go to the TanOS User Management menu. View screen

   >>> User Administration -> TanOS <<<
   
   #: User ID       Role       Locked  Name
   
   1: tanadmin     tanadmin   No (0)  Tanium Privileged User
   2: tancopy      tanuser    No (0)  Tanium Copy User
   3: tanuser      tanuser    No (0)  Tanium Restricted User
   
   A: Add System User
   
   R: Return to previous menu
   
   ------------------------------------------------------

4. Enter A and follow the prompts to add a system user. View screen

   >>> User Administration -> System Users -> Add System User <<< 
   
    Adding a system user requires first name, last name, user name and user role.
   
    Attention: 
    TanUser Role:  Monitor/Check the status of the appliance, no changes are allowed
    TanAdmin Role: Full administrative role to manage the appliance
   
    A temporary password will be generated and the new user is required to change 
    their password upon first login! 
   
    The password policy requires meeting these rules:
    - Minimum of 10 characters long
    - At least 1 upper case character
    - At least 1 lower case character
    - At least 1 numeric character
    - At least 1 other character
    - Must not match any of recent 4 passwords
    - Must not be based on a dictionary word
    - Must not contain part of the username
   
    Please enter first name: John
    Please enter last name: Doe
    Please enter desired user name (max 30 chars): john.doe
    Which role should be assigned to john.doe?
   
    1: TanUser (Monitoring)
    2: TanAdmin (Administrative)
   
    Please select: 2
   
    The temporary password for john.doe is: proudbrownwildfowl
   
    Adding local user john doe ...
    Successfully added user john doe (username: john.doe) with role tanadmin.
   
    Press enter to continue

What to do next

• To save time, Tanium recommends you complete advanced network configuration before you install Tanium servers. See Reference: Appliance configuration.
• When these steps are completed, or if none of them apply, you can continue with the installation of a Tanium role (for example, All-in-One, Tanium Server, Tanium Module Server, or Tanium Zone Server).