Completing the initial setup (hardware appliances)

Configure basic network, host, and user settings, and upload a license file before you install a Tanium Appliance role.

Requirements

License Your Technical Account Manager (TAM) must issue a special physical appliance license type for the Tanium appliances in your deployment. Your TAM must know the fully qualified domain names (FQDN) for each appliance to generate your license file.
Network Be ready to specify the static IP address, subnet mask (dotted-decimal), default gateway IP address, hostname, domain name, primary and secondary DNS servers, and NTP servers.

Configure temporary bootstrap network settings

The Tanium Appliance Quick Start Guide describes how to install the appliance into a machine room and configure bootstrap network settings so that you can make a remote SSH connection and complete the setup and appliance role installation from your desk. The Quick Start steps are repeated here to give context to the starting point for your initial workflows. You do not need to complete the steps twice.

The Quick Start steps can be completed by a restricted user (tanuser) who does not have privileges required to install or manage Tanium servers, or by the privileged user (tanadmin).

Before you begin

  • Connect a keyboard, video, and mouse (KVM) to the console port.
  • Obtain an IPv4 address from your network administrator and be prepared to specify the IP address, subnet mask (dotted-decimal), and default gateway IP address.

Configure the temporary settings

  1. Power on the appliance.

    The boot and start-up processes take a few minutes.

  2. When prompted to log in, specify the user name tanuser and the default password Tanium1.
  3. When prompted, indicate that you want to configure temporary settings.
  4. Specify the IPv4 address, subnet mask, and default gateway IP address.

    The TanOS console confirms that the settings are applied and logs you out.

Remote access to TanOS

Network and host settings enable the appliance to establish connections with other computers in your local network and with other servers and hosts on the Internet. Specify appropriate settings for the network in which the appliance is deployed.

  • Your local "management computer" must be connected to a subnet that can reach the appliance IP address.
  • Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
  • You must have an SSH client such as PuTTY to log into the TanOS console. For PuTTY, use version 0.71 or later.
  • You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
  • You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.

Watch the tutorial on how to set up WinSCP for the Tanium Appliance on the Tanium Community website.

Configure network and host settings

  1. Make an SSH connection to the appliance IP address that was configured in the previous step.

  2. When prompted to log in, specify the user name tanadmin and the default password Tanium1.
  3. When prompted, indicate that you want to complete the initial configuration.
  4. Use the spacebar key to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept it.

    The email address is stored locally only. It is not used externally for any reason.

  5. Specify network and host configuration settings. The time zone is set to UTC automatically.
  6. When prompted, specify whether you want to enable and configure the tanfactory user. The tanfactory user is a special account that has one capability: performing a factory reset.
  7. When prompted, enter the one-time password that displays on the screen for the tanadmin and tanuser users.
  8. Make a note of the one-time password. You must provide it the next time you log in. At that time, you will be prompted to specify a new password.

    The console displays a notice that the initial configuration workflow is complete and the session terminates.

Configure user access

TanOS has a few built-in user accounts to access the appliance operating system and perform tasks.

Before you install a Tanium Appliance role, you must configure new passwords or add SSH keys to authenticate access for the following accounts:

  • tanuser: Can make an SSH connection with SSH key authentication or password authentication to the TanOS console and access temporary settings and status menus only.
  • tanadmin: Can make an SSH connection with SSH key authentication or password authentication to the TanOS console and access all menus. Any user with the tanadmin role is a highest-level administrator in TanOS.
  • tancopy: Can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

Tanium strongly recommends that you set up both SSH key authentication and password authentication for TanOS user accounts. TanOS does not support self-service password reset methods. If you forget your password, you must ask a tanadmin user to reset it for you. If all tanadmin users are locked out, you must log in as the tanfactory user and perform a factory reset. You can avoid this risk by setting up both authentication types.

Watch the tutorial on how to configure SSH key authentication for the Tanium Appliance on the Tanium Community website.

Before you begin

  • Be ready to specify new passwords for the tanuser and tanadmin accounts. The password string must be at least 10 characters long and have at least 1 uppercase character, 1 lowercase character, 1 numeric character, and 1 nonalphanumeric character.
  • You must have an SSH client to log into the TanOS console, and an SFTP client to copy files to and from the appliance.
  • You must have an SSH key generator to generate keys for the tancopy user.

Change the default passwords

  1. Open an SSH connection to the TanOS console as tanadmin and follow the prompts to change the password.

    To complete the change, the session terminates.

  2. Open an SSH connection to the TanOS console as tanuser and follow the prompts to change the password.

    To complete the change, the session terminates.

Add SSH keys

You must set up an SSH key for the tancopy user. Tanium strongly recommends that you set up both password authentication and SSH key authentication for TanOS user accounts.

Add SSH keys for the tancopy user

You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.

This procedure adds an authorized key for the tancopy user to the appliance configuration. The purpose of this key is to enable you to use an SFTP client on your management computer to copy files to the /incoming and from the /outgoing directories on the appliance. In the Tanium Module Server and redundant cluster installations, you are instructed to add a different authorized key for the tancopy user. Be careful not to mistake one for the other. The authorized keys serve different purposes. Both are required.
  1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
    • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
    • Specify a passphrase that is easy to remember.
    • Save the private key to a location that you can access when you set up your SFTP client.
  2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

    In an SSH key exchange, the keys must match exactly, including line endings.

  3. Log into the TanOS console as a user with the tanadmin role.

    The TanOS console displays the tanadmin menu.

  4. Enter C to go to the User Administration menu.
  5. Enter 3 to go to the SSH Key Management menu.
  6. Enter the line number for the tancopy user to display the key management menu for this user.
  7. Enter 3 to go to the Authorized Keys menu.
  8. Enter 2 and follow the prompts to paste the public key generated in Step 1.
  9. To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
    1. Specify tancopy for user name.
    2. Click Advanced.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
    4. Save the configuration and click Login to initiate the connection.

      5. You should be able to connect to the appliance and see the /incoming and /outgoing directories.

 

You might see permission denied messages because WinSCP attempts to read the listing of the /incoming directory. This is expected. The user tancopy has permission to write to /incoming but not read /incoming.

Add SSH keys for TanOS users

Tanium strongly recommends that you set up both password authentication and SSH key authentication for TanOS user accounts.

  1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
    • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
    • Specify a passphrase that is easy to remember.
    • Save the private key to a location that you can access when you set up your SFTP client.
  2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

    In an SSH key exchange, the keys must match exactly, including line endings.

  3. Log into the TanOS console as a user with the tanadmin role.
  4. From the tanadmin menu, enter C to go to the User Administration menu.
  5. Enter 3 to go to the SSH Key Management menu.
  6. Enter the line number for the tanadmin user to display the key management menu for this user.
  7. Enter 3 to go to the Authorized Keys menu.
  8. Enter 2 and follow the prompts to paste the public key generated in Step 1.
  9. To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
    1. Specify the Tanium Server IP address, port 22, and SSH connection type.
    2. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
    3. Open the SSH session and enter the tanadmin username.
    4. You are prompted for the SSH key passphrase instead of the tanadmin password.

Upload the license file

After you complete the initial network configuration, upload a valid Tanium license file.

Before you begin

  • Obtain a valid license from your TAM. A special physical appliance license type must be issued. Use the same license file to activate all Tanium appliances in your deployment. Your TAM must know the fully qualified domain name (FQDN) for each appliance to generate your license file.
  • You can activate an appliance with a license file if:
    • The license file is named tanium.license.
    • The license is not expired.
    • The FQDN that was specified in the Tanium license generator matches the FQDN of the appliance.
  • You must have added the public key for the tancopy user to the appliance so you can use SFTP to upload the license file.

Tanium Core Platform 7.4 or later

Use the Tanium Console to upload the license file. For more information, see "Managing the Tanium license" in the Tanium Console User Guide.

Tanium Core Platform 7.3 or earlier

  1. On your management computer, set up an SFTP client such as WinSCP to connect to the appliance.
  2. Use SFTP to copy your license file (tanium.license) to the /incoming directory on the appliance.

TanOS detects the license and copies it to the appropriate location to activate the appliance.

When you go to the tanadmin menu, the activation notice no longer displays.

Export the RAID controller security key

The RAID controller security key is used by the controller to lock and unlock access to encryption-capable physical disks. You can export the key and store it in a safe location. During recovery from controller failure, you will need to provide the key. When you run a Health Check, you might see messages alerting you to export the RAID controller security key.

Figure  1:  Health Check: RAID key
  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter X and follow the prompts to display the Advanced Configuration menu.
  4. Enter 5 to display the Export Security Key menu.
  5. When prompted to enter maintenance mode, enter Yes.
  6. Follow the prompts to export the RAID controller security key to the /outgoing directory.
  7. Exit Maintenance Mode:
    • From the Maintenance Mode menu, enter 2 and follow the prompts to toggle off Maintenance Mode.
  8. Use SFTP to copy the file from the /outgoing directory to your local computer.

Files copied to the /outgoing directory are deleted every day at 02:00 AM. It is, therefore, of critical importance that you copy the RAID controller security key file from the /outgoing directory to your local computer immediately after you have used the TanOS menu to export it and save it in a protected location. If you lose the RAID controller key file, you can return to the Advanced Menu and select option 4 to change the RAID controller key.

The default name of the RAID controller key file is TanOS-key-controller-Cfg.tgz. It is recommended to change the name to include the hostname or serial number of the appliance it came from before you store it. You likely have more than one appliance, so a name based on unique hostname or serial number is useful if you later need to locate the correct file.

Export the grub key

The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you will need to provide the key.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter A to display the Appliance Configuration menu.
  3. Enter X and follow the prompts to display the Advanced Configuration menu.
  4. Enter 6 and follow the prompts to export the grub key to the /outgoing directory.
  5. Use SFTP to copy the file from the /outgoing directory to your local computer.

 

Add TanOS system users

Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles. It is useful to have more than one privileged user in case you forget the password for the initial tanadmin user.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter C to go to the User Administration menu.
  3. Enter A to go to the System Users menu.
  4. Enter 1 and follow the prompts to add a system user.

What to do next

  • To save time, Tanium recommends you complete advanced network configuration before you install Tanium servers. See Reference: Appliance configuration.
  • When these steps are completed, or if none of them apply, you can continue with the installation of a Tanium role (for example, All-in-One, Tanium Server, Tanium Module Server, or Tanium Zone Server).