Configure basic network, host, and user settings before you install a Tanium Appliance role.
Requirements
| License |
Obtain a valid license from your Technical Account Manager (TAM). Your TAM must know the fully qualified domain name (FQDN) for each Tanium Server appliance in your deployment to generate your license file. |
| Network |
Be ready to specify the static IP address in CIDR format (such as 192.168.2.0/24), default gateway IP address, host name, domain name, primary and secondary DNS servers, and NTP servers. |
Configure temporary bootstrap network settings
The Tanium Appliance Quick Start Guide describes how to install the appliance into a machine room and configure bootstrap network settings so that you can make a remote SSH connection and complete the setup and appliance role installation from your desk. The Quick Start steps are repeated here to give context to the starting point for your initial workflows. You do not need to complete the steps twice.
View steps
The Quick Start steps can be completed by a restricted user (tanuser) who does not have privileges required to install or manage Tanium servers, or by the privileged user (tanadmin).
Before you begin
- Connect a keyboard, video, and mouse (KVM) to the console port.
Configure the temporary settings
- Power on the appliance.
The boot and start-up processes take a few minutes.
- When prompted to log in, specify the user name tanuser and the default password Tanium1.
- When prompted, indicate that you want to configure temporary settings. View screen
>>> Appliance not configured <<<
TanOS Version 1.6.1.0101
This appliance is not configured yet. To complete permanent
configuration the Tanium administrator should login with tanadmin
credentials and perform the full initial configuration routine.
If you need remote access to perform the initial configuration, then you
can configure a temporary IP address for this system.
Please note this temporary IP address will not persist across reboots.
Current available interfaces and configuration:
Interface State MAC IP
ens160 UP 00:0c:29:35:f4:fa No IPv4 address
ens192 UP 00:0c:29:35:f4:04 No IPv4 address
ens224 UP 00:0c:29:35:f4:0e No IPv4 address
ens256 UP 00:0c:29:35:f4:18 No IPv4 address
Would you like to configure a temporary IP address? [Yes|No]:
- When prompted, specify the IPv4 address with prefix, and the default IPv4 gateway. You can also configure the IPv6 address with prefix, and the IPv6 gateway.
The TanOS console confirms that the settings are applied and logs you out. View screen
>>> Appliance not configured - temporary IP address <<<
>>> Network Configuration <<<
#: Interface State MAC IP
1: ens160 UP 00:0c:29:35:f4:fa No IPv4 address
2: ens192 UP 00:0c:29:35:f4:04 No IPv4 address
3: ens224 UP 00:0c:29:35:f4:0e No IPv4 address
4: ens256 UP 00:0c:29:35:f4:18 No IPv4 address
Please select: 1
Current settings:
Interface: ens160
IPv4 Address:
Default IPv4 Gateway:
IPv6 Address: fe80::20c:29ff:fe6d:746a/64
IPv6 Gateway:
Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
Manually assign an IPv6 address? [Yes|No]: no
New settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
Manual IPv6: No
IPv6 Address: fe80::20c:29ff:fe6d:746a/64
IPv6 Gateway:
Are these settings correct? [Yes|No]: yes
Finished configuring the temporary IP address!
Press enter to exit
Remote access to TanOS
Network and host settings enable the appliance to establish connections with other computers in your local network and with other servers and hosts on the Internet. Specify appropriate settings for the network in which the appliance is deployed.
- Your local "management computer" must be connected to a subnet that can reach the appliance IP address.
- Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
- You must have an SSH client such as PuTTY to log into the TanOS console. For PuTTY, use version 0.71 or later.
- You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
- You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.
Watch the tutorial on how to set up WinSCP for the Tanium Appliance on the Tanium Community website.
Configure network and host settings
-
Use an SSH client to connect to the appliance IP address that you configured in the previous section.
- When prompted to log in, specify the user name tanadmin and the default password Tanium1. View screen
#########################################################
_____ _____ _____ _____ _____
|_ _| _ | | | | __|
| | | | | | | | |__ |
|_| |__|__|_|___|_____|_____|
Unauthorized access is prohibited
#########################################################
localhost login: tanadmin
Password:
>>> Appliance not configured <<<
TanOS Version 1.6.1.0101
This appliance is not configured yet - please perform the initial configuration.
Press enter to continue
- When prompted, indicate that you want to complete the initial configuration. View screen
------------------------------------------------------
>>> Appliance Operations -> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance
At least the following information is required to complete this section:
- IP address, Netmask & Default Gateway
- Hostname & Domain name
- Domain Name Server (DNS) IP address
- NTP Server address
The workflow will not allow you to stop until fully completed,
please ensure you have all the required information before beginning.
Once the configurations have been completed the system will close the session
and force a re-login, on initial login a password change will be required for
all users. Verification of the configuration and any changes required can be
performed using the menus.
------------------------------------------------------
TanOS Version: 1.6.1
TanOS_Shell Version: 1.6.1
Would you like to continue with the initial configuration? [Yes|No]:
- Use the spacebar key to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept it.
The email address is stored locally only. It is not used externally for any reason.
- When prompted, specify network and host configuration settings. The time zone is set to UTC automatically. View screen
>>> Network Configuration <<< r/>
Note: any existing IP address listed below is NOT persistent/DHCP assigned.
Please provide a static IP address below regardless of the current
configuration. At the end of the initial configuration routine you will be
logged out. If the IP address is changed then you will need to modify your
connection settings to reach the TanOS menu.
Available interfaces:
#: Interface State MAC IP Location
1: ens160 UP 00:0c:29:35:f4:fa 10.10.10.60/24 virtual
2: ens192 DOWN 00:0c:29:35:f4:04 No IPv4 address virtual
3: ens224 DOWN 00:0c:29:35:f4:0e No IPv4 address virtual
4: ens256 DOWN 00:0c:29:35:f4:18 No IPv4 address virtual
Please select: 1
Current settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address: fe80::20c:29ff:fe6d:746a/64
IPv6 Gateway:
Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
Manually assign an IPv4 address? [Yes|No]: no
New settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
Manual IPv6: No
IPv6 Address: fe80::20c:29ff:fe6d:746a/64
IPv6 Gateway:
Are these settings correct? [Yes|No]: yes
Finished installing interface configuration
>>> Hostname & DNS Configuration <<<
Please enter the hostname (NOT FQDN) for this appliance: appliance-160
Please enter the domain name for this appliance: tam.local
Please provide the DNS server address: 10.10.10.10
Please provide second DNS server address (enter blank value for none):
The following settings will be used:
Hostname: appliance-160
Domain Name: tam.local
DNS Server 1: 10.10.10.10
DNS Server 2:
Are these settings correct? [Yes|No]:yes
Setting new hostname appliance-160.tam.local
Finished setting host/domainname
Setting DNS Server
Finished configuring DNS & Hostname
>>> NTP Configuration <<<
Timezone will be automatically set to UTC.
Either a fully qualified domain name or an IP address is accepted.
Please provide the NTP server address: 0.pool.ntp.org
Please provide second NTP server address (enter blank value for none):
The following settings will be used:
NTP Server 1: 0.pool.ntp.org
NTP Server 2:
Are these settings correct? [Yes|No]:yes
Enabled NTP service
- When prompted, specify whether you want to enable and configure the tanfactory user. The tanfactory user is a special account that has one capability: performing a factory reset. View screen
>>> Factory Reset User <<<
The tanfactory user allows for a factory reset of a TanOS system when all
other user passwords have been lost. Logging in as the tanfactory user will
provide a single option to factory reset the system. Once performed the system
will be returned to factory defaults and initial configuration will be
required. Enabling the tanfactory user will require setting a password.
Would you like to enable the TanFactory user? [Yes|No]: yes
The password policy requires meeting these rules:
- Minimum 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter password (will not be displayed):
Password score: 50 out of 100 (strong)
Please enter password again:
Successfully set password for tanfactory.
- When prompted, enter the one-time password that displays on the screen for the tanadmin and tanuser users. View screen
>>> Password Configuration <<<
Passwords for tanadmin and tanuser will be reset to a temporary password now.
Upon next login a password change will be enforced.
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
The temporary password will use letters only.
The temporary password for tanadmin and tanuser is: goodbeigejaguar
Please enter temporary password (goodbeigejaguar) to continue
You entered: [goodbeigejaguar]
Finished password changes
- Make a note of the one-time password. You must provide it the next time you log in. At that time, you will be prompted to specify a new password.
The console configures SSH keys and IPSec settings, and then displays a notice that the initial configuration is complete. Press the Enter key to terminate the session.
Configure user access
TanOS has built-in user accounts to access the appliance operating system and perform tasks.
Before you install a Tanium Appliance role, you must configure new passwords or add SSH keys to authenticate access for the following accounts:
- tanuser: Can make an SSH connection with SSH key authentication or password authentication to the TanOS console and access temporary settings and status menus only.
- tanadmin: Can make an SSH connection with SSH key authentication or password authentication to the TanOS console and access all menus. Any user with the tanadmin role is a highest-level administrator in TanOS.
- tancopy: Can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.
TanOS does not support self-service password reset methods. If you forget your password, you must ask a tanadmin user to reset it for you. If all tanadmin users are locked out, you must log in as the tanfactory user and perform a factory reset. You can avoid this risk by setting up SSH key authentication.
Watch the tutorial on how to configure SSH key authentication for the Tanium Appliance on the Tanium Community website.
Before you begin
- Be ready to specify new passwords for the tanuser and tanadmin accounts. The password string must be at least 10 characters long and have at least 1 uppercase character, 1 lowercase character, 1 numeric character, and 1 non-alphanumeric character.
- You must have an SSH client to log into the TanOS console, and an SFTP client to copy files to and from the appliance.
- You must have an SSH key generator to generate keys for the tancopy user.
Change the default passwords
- Open an SSH connection to the TanOS console as tanadmin and follow the prompts to change the password. View screen
######################## WARNING ########################
Unauthorized access is strictly prohibited.
#########################################################
Password:
You are required to change your password immediately (root enforced)
Changing password for tanadmin.
(current) UNIX password:
New password:
Retype new password:
- After the password changes, the tanadmin menu displays. Enter Z to log out.
- Open an SSH connection to the TanOS console as tanuser and follow the prompts to change the password. View screen
######################## WARNING ########################
Unauthorized access is strictly prohibited.
#########################################################
Password:
You are required to change your password immediately (root enforced)
Changing password for tanuser.
(current) UNIX password:
New password:
Retype new password:
- After the password changes, the tanuser menu displays. Enter Z to log out.
You can disable password access for any user except the tanadmin special user. When you disable password access for a user, the user can only log in through SSH using the configured SSH private key. For steps, see Disable password access.
Add SSH keys
You must set up an SSH key for the tancopy user. Tanium strongly recommends that you set up SSH key authentication for TanOS user accounts.
Add SSH keys for the tancopy user
You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.
This procedure adds an authorized key for the tancopy user to the appliance configuration. The purpose of this key is to enable you to use an SFTP client on your management computer to copy files to the /incoming and from the /outgoing directories on the appliance. In the Tanium Module Server and redundant cluster installations, you are instructed to add a different authorized key for the tancopy user. Be careful not to mistake one for the other. The authorized keys serve different purposes. Both are required.
- Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
- Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
- Specify a passphrase that is easy to remember.
- Save the private key to a location that you can access when you set up your SFTP client.
- Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
- Log into the TanOS console as a user with the tanadmin role.
The TanOS console displays the tanadmin menu. View screen
------------------------------------------------------
>>> tanadmin menu <<<
1: Tanium Installation Menu
2: Tanium Operations Menu
3: Tanium Support Menu
4: Status Menu
A: Appliance Configuration Menu
B: Appliance Maintenance Menu
C: User Administration Menu
P: Password change (current user)
Q: View End User License Agreement (EULA)
F: Flexible Menu Search
@: About this Appliance
H: Help
Z: Log out
------------------------------------------------------
- Enter C to go to the User Administration menu. View screen
------------------------------------------------------
>>> User Administration <<<
1: Restricted User (tanuser) Password Reset
2: Factory-Reset User (tanfactory) Password Reset
3: SSH Key Management
A: System User Management
B: Local Authentication Service
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter 3 to go to the SSH Key Management menu. View screen
>>> User Administration -> SSH Key Management <<<
1: tanadmin
2: tanuser
3: tancopy
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter the line number for the tancopy user to manage the keys for this user. View screen
>>> User Administration -> SSH Key Management -> tancopy <<<
Username: tancopy
1: Generate ssh key pair
2: Display public key
3: Manage authorized key(s)
R: Return to previous menu
------------------------------------------------------
- Enter 3 to go to the Authorized Keys menu. View screen
>>> AUA -> SSH Key Management -> tancopy -> Authorized Keys <<<
Username: tancopy
1: List keys
2: Add keys
3: Delete key
R: Return to previous menu
------------------------------------------------------
- Enter 2 and follow the prompts to paste the public key generated in Step 1. View screen
>>> AUA -> SSH Key Management -> tancopy -> Authorized Keys -> Add <<<
Please paste the public key and press enter:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2zMDxW5TO5tm/U
8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTqZ+KCgzbEhHLWUD44+If5RtG+
U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBuemftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2m
OJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvBoPeaCFaApQ== rsa-key-20200123
Validating input
Adding key to authorized keys after validation
Finished adding authorized keys for tancopy
Press enter to continue
- To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
- Specify tancopy for user name.
- Click Advanced.
- Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
- Save the configuration and click Login to initiate the connection.
You should be able to connect to the appliance and see the /incoming and /outgoing directories.
You might see permission denied messages because WinSCP attempts to read the listing of the /incoming directory. This is expected. The user tancopy has permission to write to /incoming but not read /incoming.
Add SSH keys for TanOS users
Tanium strongly recommends that you set up SSH key authentication for TanOS user accounts.
Alternatively, you can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.
- Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
- Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
- Specify a passphrase that is easy to remember.
- Save the private key to a location that you can access when you set up your SFTP client.
- Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
- Log into the TanOS console as a user with the tanadmin role.
The TanOS console displays the tanadmin menu. View screen
------------------------------------------------------
>>> tanadmin menu <<<
1: Tanium Installation Menu
2: Tanium Operations Menu
3: Tanium Support Menu
4: Status Menu
A: Appliance Configuration Menu
B: Appliance Maintenance Menu
C: User Administration Menu
P: Password change (current user)
Q: View End User License Agreement (EULA)
F: Flexible Menu Search
@: About this Appliance
H: Help
Z: Log out
------------------------------------------------------
- Enter C to go to the User Administration menu. View screen
------------------------------------------------------
>>> User Administration <<<
1: Restricted User (tanuser) Password Reset
2: Factory-Reset User (tanfactory) Password Reset
3: SSH Key Management
A: System User Management
B: Local Authentication Service
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter 3 to go to the SSH Key Management menu. View screen
>>> User Administration -> SSH Key Management <<<
1: tanadmin
2: tanuser
3: tancopy
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter the line number for the tanadmin user to manage the keys for this user. View screen
>>> Appliance User Administration -> SSH Key Management -> tanadmin <<<
Username: tanadmin
1: Generate ssh key pair
2: Display public key
3: Manage authorized key(s)
R: Return to previous menu
------------------------------------------------------
- Enter 3 to go to the Authorized Keys menu. View screen
>>> AUA -> SSH Key Management -> tanadmin -> Authorized Keys <<<
Username: tanadmin
1: List keys
2: Add keys
3: Delete key
R: Return to previous menu
------------------------------------------------------
- Enter 2 and follow the prompts to paste the public key generated in Step 1. View screen
>>> AUA -> SSH Key Management -> tancopy -> Authorized Keys -> Add <<<
Please paste the public key and press enter:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqXUnoyrg4opYQp4DGZoasYy8ud5oJEar9BqRr2RVHMm/Sxcl4T1sthsN
WS0ECo0j32mCSM3ynYZn2AdJTU6HbKnFM30gtQL7+tpmGrgbkaVEJ9OXoA47JP0o5hbI16UUpuEKJrEBOYovIsrN2gtwKbz
YdOVCxVq5amzqg7/UrQyUO3rmt54qStiqNIiHI3UjzPWYJwUxz90vU7LWsXYz1CAWBTXnh51kg0lBPFgbRmUZJb0DwLb4Sw
lFZAe5P0RO4RwdmZVgTfsqy+MVuyzaBzGD1z4MlIZ83R6sW+nXtipbzqhFTLykLRLIXobuHjuf0Yy1H7/ZDJh/qlojce4TC
g/+5e2h1RQ8ZKgECZDJoCdrkAM6y9arHCoZwqEP9MXugQXCO6EMrP39vXajnV3YrDKKLYP1pxWZGOA4ylNqY5mG1+AofVdG
vAUBztjXfXgC3bgL0Qgp+d3E8JvLRHXfkmRijppvj+BCJUawXJfkMtBEgrxQP9PoDwHrqJj6ey80v8P7DgojQw83JumsG3S
+7l0e0Ia02q/05s2EpOv9jE9aJiLRGKbb4WkjvUSpK1VmDK54qfeSKj6yp3IIt13GBKmkVqKbbZS6gaZ3UTpzq3dj+53YeP
eOe8XMECuxl6aH4nLT4u3CqrCqxTfTa5y1Fi3/e9zI5/AKJlTXWF3ISCQ== [email protected]
Validating input
Adding key to authorized keys after validation
Finished adding authorized keys for tancopy
Press enter to continue
- To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
- Specify the Tanium Server IP address, port 22, and SSH connection type.
- Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
- Open the SSH session and enter the tanadmin username.
- You are prompted for the SSH key passphrase instead of the tanadmin password. View screen
login as: tanadmin
######################## WARNING ########################
Unauthorized access is strictly prohibited.
#########################################################
Authenticating with public key "rsa-key-20200119"
Passphrase for key "rsa-key-20200119":
Upload the license file (Tanium Core Platform 7.3 or earlier)
After you complete the initial network configuration, upload a valid Tanium license file.
These steps only apply to Tanium Core Platform 7.3 or earlier. If you plan to install Tanium Core Platform 7.4 or later, you will use the Tanium Console to upload the license file after you install a Tanium Server role or Tanium All-in-One role.
Steps for Tanium Core Platform 7.3 or earlier
Before you begin
- Obtain a valid license from your TAM. Use the same license file to activate all Tanium appliances in your deployment. Your TAM must know the fully qualified domain name (FQDN) for each appliance to generate your license file.
- You can activate an appliance with a license file if:
- The license file is named tanium.license.
- The license is not expired.
- The FQDN that was specified in the Tanium license generator matches the FQDN of the appliance.
- You must have added the public key for the tancopy user to the appliance so you can use SFTP to upload the license file.
After you complete the initial network configuration, upload a valid Tanium license file or request an activation key from Tanium.
- On your management computer, set up an SFTP client such as WinSCP to connect to the appliance.
- Use SFTP to copy your license file (tanium.license) to the /incoming directory on the appliance.
- Log into the TanOS console as a user with the tanadmin role.
When the tanadmin menu loads, TanOS detects the license and copies it to the appropriate location to activate the appliance.
Export the RAID controller security key
The RAID controller security key is used by the controller to lock and unlock access to encryption-capable physical disks. You can export the key and store it in a safe location. During recovery from controller failure, you will need to provide the key. When you run a Health Check, you might see messages alerting you to export the RAID controller security key.
Boot Check: Pass (EFI Boot)
Active partition: pass (VolGroup1-root)
>>> Hardware health (will take 1-12 seconds) <<<
hardware type: pass (TV-220)
RAID controller RAID.Integrated.1-1 Security Key: pass
disk encryption: pass
>>> RAID Controller Security Key <<<
RAID Security key check: fail (key has NOT been exported) <--------
>>> Tanium Application file Permissions <<<
executed checks: 48
failed checks: 4
new health status setting: warning
- Log into the TanOS console as a user with the tanadmin role.
- From the tanadmin menu, enter A to display the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
X: Advanced Configuration
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter X and follow the prompts to display the Advanced Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Advanced Menu <<<
Attention: The options in this menu can affect performance
and emergency recovery.
Please consult your TAM before utilizing the below options.
1: Auto-Disable
2: TanOS Log
3: Change Active Partition
4: Change RAID Controller Key
5: Export RAID Controller Key
6: Export Grub Key
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter 5 to display the Export Security Key menu.
- If prompted to enter maintenance mode, enter Yes.
- Follow the prompts to export the RAID controller security key to the /outgoing directory. View screen
>>> Appliance Configuration -> Advanced Menu -> Export Security Key <<<
Once the security key has been placed in the outgoing directory it
will remain until the nightly cleanup job is run. After this time it
will be deleted and must be exported again.
Please be sure to download it and save in a secure location.
Would you like to export the security key? [Yes|No]: yes
The security key has been placed in the sftp outgoing directory.
This location will be cleaned daily at 02:00am appliance time!
Press enter to continue
- Exit Maintenance Mode:
- From the Maintenance Mode menu, enter 2 and follow the prompts to toggle off Maintenance Mode.
- Use SFTP to copy the file from the /outgoing directory to your local computer.
Files copied to the /outgoing directory are deleted every day at 02:00 AM. You should copy the RAID controller security key file from the /outgoing directory to your local computer immediately after you have used the TanOS menu to export it and save it in a protected location. If you lose the RAID controller key file, you can return to the Advanced Menu and select option 4 to change the RAID controller key.
The default name of the RAID controller key file is TanOS-key-controller-Cfg.tgz. It is recommended to change the name to include the host name or serial number of the appliance it came from before you store it. You likely have more than one appliance, so a name based on a unique host name or serial number is useful if you later need to locate the correct file.
Export the grub key
The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you will need to provide the key.
- Log into the TanOS console as a user with the tanadmin role.
- From the tanadmin menu, enter A to display the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
X: Advanced Configuration
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter X and follow the prompts to display the Advanced Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Advanced Menu <<<
Attention: The options in this menu can affect performance
and emergency recovery.
Please consult your TAM before utilizing the below options.
1: Auto-Disable
2: TanOS Log
3: Change Active Partition
4: Change RAID Controller Key
5: Export RAID Controller Key
6: Export Grub Key
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter 6 and follow the prompts to export the grub key to the /outgoing folder. View screen
>>> Appliance Configuration -> Advanced Menu -> Export Security Key <<<
Once the security key has been placed in the outgoing directory it
will remain until the nightly cleanup job is run. After this time it
will be deleted and must be exported again.
Please be sure to download it and save in a secure location.
Would you like to export the security key? [Yes|No]: yes
The security key has been placed in the sftp outgoing directory.
This location will be cleaned daily at 02:00am appliance time!
Press enter to continue
-
Use SFTP to copy the file from the /outgoing directory to your local computer.
Add TanOS system users
Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles. It is useful to have more than one privileged user in case you forget the password for the initial tanadmin user.
- Log into the TanOS console as a user with the tanadmin role.
- From the tanadmin menu, enter C to go to the User Administration menu. View screen
------------------------------------------------------
>>> User Administration <<<
1: Restricted User (tanuser) Password Reset
2: Factory-Reset User (tanfactory) Password Reset
3: SSH Key Management
A: System User Management
B: Local Authentication Service
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter A to go to the System Users menu. View screen
------------------------------------------------------
>>> User Administration -> System Users <<<
System users can login to monitor the appliance
or perform administrative tasks.
1: Add System User
2: Manage System User(s)
A: View Last 20 Successful Logins
B: View Last 20 Failed Logins
C: View Login Statistics
H: Help
R: Return to previous menu
------------------------------------------------------
- Enter 1 and follow the prompts to add a system user. View screen
>>> Appliance User Administration -> System Users -> Add System User <<<
Adding a system user requires first name, last name, user name and user role.
Attention:
TanUser Role: Monitor/Check the status of the appliance, no changes are allowed
TanAdmin Role: Full administrative role to manage the appliance
A temporary password will be generated and the new user is required to change
their password upon first login!
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter first name: John
Please enter last name: Doe
Please enter desired user name (max 30 chars): john.doe
Which role should be assigned to john.doe?
1: TanUser (Monitoring)
2: TanAdmin (Administrative)
Please select: 2
The temporary password for john.doe is: proudbrownwildfowl
Adding local user john doe ...
Successfully added user john doe (username: john.doe) with role tanadmin.
Press enter to continue
What to do next
- To save time, Tanium recommends you complete advanced network configuration before you install Tanium servers. See Reference: Appliance configuration.
- When these steps are completed, or if none of them apply, you can continue with the installation of a Tanium role (for example, All-in-One, Tanium Server, Tanium Module Server, or Tanium Zone Server).
