Completing the initial setup (cloud-based Tanium Appliance)

Contact Tanium Support to obtain a Tanium Appliance image file for use in a customer cloud.

Requirements

License	Contact Tanium Support to obtain a valid license. Tanium Support must know the fully qualified domain name (FQDN) for each Tanium Server appliance in your deployment to generate your license file.
Cloud provider	AWS (x86-64 processors) AWS GovCloud Google Cloud Platform (GCP) IBM Cloud Microsoft Azure Microsoft Azure GovCloud

Deploy the virtual image to the cloud provider

Contact Tanium Support to obtain a Tanium Appliance image file for use in a customer cloud. When you configure the image with your cloud provider, you must specify an encryption key pair to initially connect to the image. You can use an existing key pair or generate a new key pair.

Considerations for specific cloud providers

Microsoft Azure

For a Microsoft Azure deployment, you must change the initial user name from azureuser to tanadmin before you deploy the image.

Google Cloud Platform or IBM Cloud

Use the following steps to prepare the virtual image:

1. Create a cloud storage bucket with appropriate security, and upload the TanOS artifact file (tar.gz for Google Cloud Platform or qcow2 for IBM Cloud) to the bucket.

2. Create an image from the artifact file in cloud storage.

3. Create a VM for each TanOS appliance using the image that you created.

   The default boot disk size is inadequate for a production Tanium Appliance. At least 500GB of storage is recommended. Increase the size of the boot disk when you create the VM (Google Cloud Platform), or add a new disk to the VM (Google Cloud Platform or IBM Cloud). If you use an additional disk, you must increase the storage on the Tanium Appliance after initial setup. See Increase storage.

Additionally, for Google Cloud Platform, you must set up an SSH key for the tanadmin user account, even if you primarily plan to use other user accounts with the tanadmin role. See Configure SSH keys.

For more information, see the Google Cloud Platform or IBM Cloud documentation.

(FIPS-compliant organizations) Enable FIPS 140-2 mode before initial setup

Perform full initial configuration

1. Make sure your virtual image is configured to use an encryption key pair, and that the private key is set up on your local computer.
2. Sign in to your cloud provider and use an SSH client to connect to the TanOS console as a user with the tanadmin role. If prompted to accept the key fingerprint, enter yes. View screen

   $ ssh [email protected]
   	
      >>> Initial Configuration <<<
   
    Initial configuration workflow for a new TanOS appliance.
    All items must be complete before the appliance can be used.
   
    Keymap:     n/a
    IP Address: 10.0.20.12
    Hostname:   TanOS-173-AZURE.example.net
    FIPS 140-2: disabled 
   
             1: Set Virtual Console Keymap
             M: Toggle FIPS 140-2 Mode
             
             N: Set FQDN (hostname)            (complete)
             D: Set DNS Nameservers            (complete)
             T: Set NTP (time)                 (INCOMPLETE)
             E: View and Accept EULA           (INCOMPLETE)
   
             F: [DISABLED] Finish Initial Configuration
             S: Shutdown
   
             Z: Log out
   
    ------------------------------------------------------
   
    TanOS Version:        1.7.6 

3. Enter T and follow the prompts to set one or more NTP servers. View screen

   $ ssh [email protected]
   	
      >>>  NTP Configuration <<<
   
    Timezone will be automatically set to UTC.
   
    Enter the NTP server information for up to two NTP servers. Each entry consist
    of a server name or IP address.
    Optionally each server may indicate authentication information using
    colons as a separator: <server>:<key-id>:<SHA1|MD5>:key
   
    1.2.3.4
    pool.ntp.org
    ntp.secret.corp:999:SHA1:0123456789abcdef0123456789abcdef01234567
   
   Please provide the NTP server address: pool.ntp.org
   Please provide the second NTP server address (enter blank value for none): 
     
    The following settings will be used:
   
        NTP Server 1: pool.ntp.org
        NTP Server 2:
   
    Are these settings correct? [Yes|No]: 

4. Enter E, press Enter, and then use the spacebar to page through the end-user license agreement (EULA).
5. When complete, enter Q, enter your email address, and enter yes to accept the EULA.

   The email address is stored locally only. It is not used externally for any reason.

6. Enter F to confirm that you finished initial configuration and to end the session. View screen

   >>> Initial Configuration <<<
   
    Initial configuration workflow for a new TanOS appliance.
    All requirements are met to finish Initial Config.
   
    Keymap:     n/a
    IP Address: 10.13.0.6
    Hostname:   TanOS-173-AZURE.hzavr5qms02ujnqr20gh0gorhb.gx.internal.cloudapp.net
    FIPS 140-2: disabled 
   
             1: Set Virtual Console Keymap
             M: Toggle FIPS 140-2 Mode
   
             N: Set FQDN (hostname)            (complete)
             D: Set DNS Nameservers            (complete)
             T: Set NTP (time)                 (complete)
             E: View and Accept EULA           (complete)
   
             F: Finish Initial Configuration
             S: Shutdown
   
             Z: Log out
   
    ------------------------------------------------------
   
    TanOS Version:        1.7.6 
   
    Please select:
   

The console configures SSH keys and IPSec settings, and then notifies you that the initial configuration is complete.

Access TanOS remotely

To access your Tanium Appliances remotely, note the following requirements.

• Your local management computer must be connected to a subnet that can reach the appliance IP address.
• Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
• You must have an SSH client such as PuTTY to sign in to the TanOS console. For PuTTY, use version 0.71 or later.
• You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
• You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.

Watch the tutorial about how to configure WinSCP for the Tanium Appliance.

Add TanOS system users

Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles.

Create more than one privileged user with the tanadmin role in case you forget the password for the built-in tanadmin user.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
   >>> User Administration <<< 
   
             U: TanOS User Management
             I: Recent Login Information
             M: Multi-Factor Global Settings
             A: AD/LDAP TanOS Authentication
   
             L: Local Tanium User Management
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

3. Enter U to manage TanOS users. View screen

    ------------------------------------------------------
             >>> User Administration -> TanOS <<< 
   
             #: User ID              Role       Auth       Name
   
             1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
             2: tancopy              tanuser    Key        Tanium Copy User
   
             A: Add System User
   
             R: Return to previous menu  RR: Return to top
   
    ------------------------------------------------------

4. Enter A and follow the prompts to add a system user. View screen

   >>> User Administration -> System Users -> Add System User <<< 
   
    Adding a system user requires first name, last name, user name and user role.
   
    Attention: 
    TanUser Role:  Monitor/Check the status of the appliance, no changes are allowed
    TanAdmin Role: Full administrative role to manage the appliance
   
    A temporary password will be generated and the new user is required to change 
    their password upon first login! 
   
    The password policy requires meeting these rules:
    - Minimum of 10 characters long
    - At least 1 upper case character
    - At least 1 lower case character
    - At least 1 numeric character
    - At least 1 other character
    - Must not match any of recent 4 passwords
    - Must not be based on a dictionary word
    - Must not contain part of the username
   
    Please enter first name: John
    Please enter last name: Doe
    Please enter desired user name (max 30 chars): john.doe
    Which role should be assigned to john.doe?
   
    1: TanUser (Monitoring)
    2: TanAdmin (Administrative)
   
    Please select: 2
   
    The temporary password for john.doe is: proudbrownwildfowl
   
    Adding local user john doe ...
    Successfully added user john doe (username: john.doe) with role tanadmin.
   
    Press enter to continue

 

Configure SSH keys

TanOS has built-in and customer-created user accounts to access the appliance operating system and perform tasks.

Before you install a Tanium Appliance role, you must add SSH keys to authenticate access for the tancopy built-in user. tancopy can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

TanOS does not support self-service password reset methods. If you forget your password, you must ask a user with the tanadmin role to reset it for you. You can avoid this risk by setting up SSH key authentication.

Watch the tutorial about how to configure SSH key authentication for the Tanium Appliance.

Before you begin

• You must have an SSH client to sign in to the TanOS console, and an SFTP client to copy files to and from the appliance.
• You must have an SSH key generator to generate keys for the tancopy user.

Add SSH keys

You must set up an SSH key for the tancopy user. For Google Cloud Platform, you must also set up an SSH key for the tanadmin user account, even if you primarily plan to use other user accounts with the tanadmin role. For the best results, set up SSH key authentication for TanOS user accounts.

Add SSH keys for the tancopy user

You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.

1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
   • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
   • Specify a passphrase that is easy to remember.
   • Save the private key to a location that you can access when you set up your SFTP client.
2. Copy the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

   In an SSH key exchange, the keys must match exactly, including line endings.

3. Sign in to the TanOS console as a user with the tanadmin role.
4. Enter C to go to the User Administration menu.
5. Enter U to manage TanOS users.
6. Enter the line number for the tancopy user to go to the user administration menu for this user. View screen

   >>> User Administration -> TanOS -> tancopy <<< 
   
    Username:        tancopy 
    Account Enabled: Yes
    Authentication:  SSH Key Only
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
    
    Notes:
      * This user account cannot be deleted
      * This user account cannot have a password
      * This user account cannot use multi-factor
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: [DISABLED] Change Password
             N: [DISABLED] Disable Password Access
             M: [DISABLED] Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

7. Enter A to go to the Authorized Keys menu. View screen

   >>> User Administration -> TanOS -> tancopy -> Authorized Keys <<< 
   
    Account: tancopy 
    Select an entry to view or delete.
   
          1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY 
          2: 2048 SHA256:8OV4S5V30aFu9pZKexRVaElF3BgJNEx+Y91fgbnzxIU
   
          A: Add key
   
          R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

8. Enter A and follow the prompts to add the contents of the public key generated in Step 1. View screen

   >>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<< 
   
   Account: tancopy
   Please paste the public key and press enter: 
   ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2z
   MDxW5TO5tm/U8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTq
   Z+KCgzbEhHLWUD44+If5RtG+U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBue
   mftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2mOJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvB
   oPeaCFaApQ== rsa-key-20200123
    Validating input
    Adding key to authorized keys after validation
    Finished adding authorized keys for tancopy
   
   
    Press enter to continue

9. To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
   1. Specify tancopy for user name.
   2. Click Advanced.
   3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
   4. Save the configuration and click Login to initiate the connection.

   You should be able to connect to the appliance and see the /incoming and /outgoing directories.

 

Add SSH keys for TanOS users

It is a best practice to also set up SSH key authentication for TanOS user accounts.

For Google Cloud Platform, you must set up an SSH key for the tanadmin user account, even if you primarily plan to use other user accounts with the tanadmin role.

As an alternative to the following procedure, you can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.

1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
   • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
   • Specify a passphrase that is easy to remember.
   • Save the private key to a location that you can access when you set up your SFTP client.
2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

   In an SSH key exchange, the keys must match exactly, including line endings.

3. Sign in to the TanOS console as a user with the tanadmin role.
4. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
   >>> User Administration <<< 
   
             U: TanOS User Management
             I: Recent Login Information
             M: Multi-Factor Global Settings
             A: AD/LDAP TanOS Authentication
   
             L: Local Tanium User Management
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter U to manage TanOS users.
6. Enter the line number of the user account that you want to manage. View screen

   >>> User Administration -> TanOS -> tanadmin <<<
   
    Username:        tanadmin 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
   
    Notes:
      * This user account must always have a password
      * This user account cannot be deleted
      * This user account cannot be disabled
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: Change/Enable Password (Chosen)
             N: [DISABLED] Disable Password Access
             M: Multi-Factor Authentication
   
             E: [DISABLED] Enable Account
             D: [DISABLED] Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top

7. Enter A to go to the Authorized Keys menu. View screen

   >>> User Administration -> TanOS -> tanadmin -> Authorized Keys <<< 
   
    Account: tanadmin 
    Select an entry to view or delete.
   
             1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY 
   
             A: Add key
   
             R: Return to previous menuRR: Return to top
       

8. Enter A and follow the prompts to paste the public key generated in Step 1. View screen

   >>> User Administration -> TanOS -> tanadmin -> Authorized Keys -> Add <<< 
   
    Account: tanadmin 
    Please paste the public key and press enter: 
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqXUnoyrg4opYQp4DGZoasYy8ud5oJEar9BqRr2RVHMm/Sxcl4T1sthsN
   WS0ECo0j32mCSM3ynYZn2AdJTU6HbKnFM30gtQL7+tpmGrgbkaVEJ9OXoA47JP0o5hbI16UUpuEKJrEBOYovIsrN2gtwKbz
   YdOVCxVq5amzqg7/UrQyUO3rmt54qStiqNIiHI3UjzPWYJwUxz90vU7LWsXYz1CAWBTXnh51kg0lBPFgbRmUZJb0DwLb4Sw
   lFZAe5P0RO4RwdmZVgTfsqy+MVuyzaBzGD1z4MlIZ83R6sW+nXtipbzqhFTLykLRLIXobuHjuf0Yy1H7/ZDJh/qlojce4TC
   g/+5e2h1RQ8ZKgECZDJoCdrkAM6y9arHCoZwqEP9MXugQXCO6EMrP39vXajnV3YrDKKLYP1pxWZGOA4ylNqY5mG1+AofVdG
   vAUBztjXfXgC3bgL0Qgp+d3E8JvLRHXfkmRijppvj+BCJUawXJfkMtBEgrxQP9PoDwHrqJj6ey80v8P7DgojQw83JumsG3S
   +7l0e0Ia02q/05s2EpOv9jE9aJiLRGKbb4WkjvUSpK1VmDK54qfeSKj6yp3IIt13GBKmkVqKbbZS6gaZ3UTpzq3dj+53YeP
   eOe8XMECuxl6aH4nLT4u3CqrCqxTfTa5y1Fi3/e9zI5/AKJlTXWF3ISCQ== [email protected]
    Validating input
    Adding key to authorized keys after validation
    Finished adding authorized keys for tanadmin
   
   
    Press enter to continue

9. To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
   1. Specify the Tanium Server IP address, port 22, and SSH connection type.
   2. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
   3. Open the SSH session and enter the tanadmin user name.
   4. You are prompted for the SSH key passphrase instead of the tanadmin password. View screen

      login as: tanadmin
      
      ######################## WARNING ########################
      
             Unauthorized access is strictly prohibited.
      
      #########################################################
      
      Authenticating with public key "rsa-key-20200119"
      Passphrase for key "rsa-key-20200119":

Export the grub key

The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you need to provide the key.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter A to go to the Appliance Configuration menu. View screen

   ------------------------------------------------------
   
              >>> Appliance Configuration <<< 
   
            1: Hostname/DNS Configuration
            2: Networking Configuration
            3: NTP Configuration
            4: Syslog Configuration
            5: SNMP Configuration
            6: Module File Share Configuration
            7: Reset all NICs to DHCP (VM only)
   
            A: Security
            I: iDRAC Management
            X: Advanced Configuration
   
            R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

3. Enter X to go to the Advanced Configuration menu. View screen

   ------------------------------------------------------
   
      >>> Appliance Configuration -> Advanced Menu <<< 
   
   Attention: The options in this menu can affect performance 
   and emergency recovery. 
   Please consult your TAM before utilizing the below options.
   
            1: Auto-Disable
            2: TanOS Log
            3: Change Active Partition
            4: Change RAID Controller Security Key
            5: Export RAID Controller Security Key
            6: Export Grub Key
   
            R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter 6 and follow the prompts to export the grub key to the /outgoing folder. View screen

   >>> Appliance Configuration -> Advanced Menu -> Export Security Key <<< 
   
   Once the security key has been placed in the outgoing directory it
   will remain until the nightly cleanup job is run. After this time it
   will be deleted and must be exported again.
   Please be sure to download it and save in a secure location.
   
   Would you like to export the security key? [Yes|No]: yes
   
   The security key has been placed in the sftp outgoing directory.
   This location will be cleaned daily at 02:00am appliance time!
   
   Press enter to continue

5. Use SFTP to copy the file from the /outgoing directory to your local computer.

What to do next

• To save time, complete advanced network configuration before you install Tanium Servers. See Reference: Appliance configuration.
• In an IBM Cloud deployment, add an additional disk to increase the storage volume before you continue with array or role installation. For instructions, see Increase storage.
• When these steps are completed, you can continue with the installation of an Appliance Array.