Reference: Tanium Operations menu

Tanium™ operations include management of Tanium services, configuration settings, and certificate and public key files.

Start, stop, and restart Tanium services

Manage Tanium™ Core Platform servers and the database server with these common service control commands:

  • Start
  • Stop
  • Restart
  • Disable
  • Enable

Use the TanOS menus to stop, start, or restart a service, regardless of whether the service is enabled or disabled.

To issue a command:

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 1 to go to the Tanium Service Control menu.
  4. Enter the line number of the service that you want to manage to view the service commands.
  5. Enter the number associated with the service control command to issue it.

Change a Tanium server configuration

Use the Configuration Settings menu to change the log level or the Tanium component server configuration settings. Contact Tanium Support before changing Tanium configuration settings.

Edit server settings

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Use the menu to view and edit Tanium component server settings.

For detailed guidelines on Tanium Core Platform server settings, see the Tanium Core Platform Deployment Reference Guide: Settings.

Add an authentication user for TDownloader

Tanium Downloader (TDL) is a utility that the Tanium Core Platform uses to download files from other servers, including updates from content.tanium.com. Some servers require user authentication. Use this menu to add user credentials for the Tanium Server TDownloader instance or the Module Server TDownloader instance.

If you have Tanium Core Platform 7.5.3 or later, and Tanium Console 3.1 or later, you can use the Tanium Console to manage authentication certificates for remote sources. For information, see Tanium Console User Guide: Managing downloads authentication.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 3 (Tanium Server TDL Auth User) or 7 (Tanium Module Server TDL Auth User) and follow the prompts to configure user credentials for the server URL or Windows file share from which you want to download files.

    The URL field can contain the path for a Windows file share, such as \\tam.local\dc1\share. For file access using Tanium, read-only permissions are sufficient. If you want to share files from a Windows share location, you must provide read-write permissions at a minimum. See the Microsoft Windows documentation for information about file and share permissions.

    For security reasons, Tanium does not support hidden shares, such as c$.

  5. Review the resulting configuration.

Edit TDownloader settings

Use this menu to add and edit settings for the Tanium Server TDownloader instance or the Module Server TDownloader instance. For example, if your deployment uses proxies and contains only IPV6 addresses, add the ForceIPV6 setting to force the TDownloader to resolve proxy addresses as IPV6.

For a list of supported settings, see Tanium Core Platform Deployment Reference Guide: Tanium Core Platform server settings.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 2 to show the TDL settings.
    • To add a new setting, enter A and follow the prompts to enter a key-value pair.
    • To edit a setting, enter the line number of the setting, enter E, and type in the new value of the setting.
    • To delete a setting, enter the line number of the setting, and enter D.
    • For a list of settings, see Tanium Core Platform Deployment Reference Guide: Proxy server settings.

    You can use the Tanium Console to manage proxy settings. For information, see Tanium Console User Guide: Configure proxy server settings.

Add an authentication certificate for TDownloader

If you have Tanium Core Platform 7.5.3 or later, and Tanium Console 3.1 or later, you can use the Tanium Console to manage authentication certificates for remote sources. For information, see Tanium Console User Guide: Managing downloads authentication.

Servers from which you want to download files might require certificate authentication. Use this menu to add a client certificate and key to the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Use SFTP to copy the client certificate file and key file to the /incoming folder.

  2. Sign in to the TanOS console as a user with the tanadmin role.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter 2 to go to the Configuration Settings menu.
  5. Enter 4 (Add Tanium Server TDL Auth Cert) or 8 (Add Tanium Module Server TDL Auth Cert) and follow the prompts to upload the certificate and key file and configure TDownloader to use them for the server URL from which you want to download files.
  6. Review the resulting configuration.

Manage authentication certificates for Tanium Patch connections with Red Hat

Tanium™ Patch downloads files from a Red Hat Satellite Server that requires certificate authentication.

If you have Tanium Core Platform 7.5.3 or later, and Tanium Console 3.1 or later, you can use the Tanium Console to manage authentication certificates for remote sources. For information, see Tanium Console User Guide: Managing downloads authentication.

  1. Download a client certificate and key file from the Red Hat website that is specific to your subscription entitlement and create files named client-certificate.pem and client-key.pem. For more information, see Tanium Patch User Guide: Enable and configure Linux features.
  2. Use SFTP to copy the certificate file and key file to the /incoming folder.
  3. Sign in to the TanOS console as a user with the tanadmin role.
  4. Enter 2 to go to the Tanium Operations menu.
  5. Enter 2 to go to the Configuration Settings menu.
  6. Enter 4 (Tanium Server TDL Auth Cert) and follow the prompts to upload the certificate file and key file and to configure TDownloader to use them for the server URL from which you want to download files.
  7. Enter 13 and use the menu to install the Red Hat enterprise CA certificate file (redhat-uep.pem).

Edit Zone Server list

This option is deprecated for Tanium Core Platform 7.4 and does not appear in the menu.

  1. Sign in to the Zone Server Hub appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 10 to edit the zoneserverlist.txt file.
  5. Add the IP address or FQDN for each Zone Server and save the file.

Edit Zone Server isolated subnets list

Use the TanOS menus to configure the isolated subnets list for Zone Servers.

For Tanium Servers (not Zone Servers), use the Tanium Console to configure the isolated subnets list. For more information, see Tanium Client Management User Guide: Configure isolated subnets.

  1. Sign in to the TanOS console of the Zone Server appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 11 to edit the IsolatedSubnets.txt file.
  5. Use the menu to specify the CIDR IP address for subnets in which clients should never peer.

Change a Tanium component server port

Perform the following steps to change a Tanium component server port. For more information about appliance ports, see Tanium network ports.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter the line number for the Tanium component server to modify.
  5. Use the menu to select and edit the Tanium component server port settings.
  6. Restart the service for the modified server. For more information, see Start, stop, and restart Tanium services.

Install a custom SOAP certificate

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA).

In a Tanium cluster, repeat the following procedures to upload and install the certificate and key files to each Tanium Server.

For detailed information about the SSL certificates used in a Tanium deployment, see the Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

Upload the CA certificate file

  1. Set up an SFTP client to connect to the Tanium Appliance:
    1. Specify tancopy for user name.
    2. Click Advanced.
    3. Under SSH, browse and select the private key that pairs with the public key that is uploaded to the appliance. For information, see Configure user access (Tanium™ Physical Appliance) or Configure user access (virtual appliance).
  2. Use SFTP to copy the SOAP certificate and key files to the /incoming directory on the appliance.

Install the SOAP certificate file

Install the new, CA-issued certificate and associated private key on the Tanium Server. In an active-active deployment, perform these steps on each Tanium Server. Because the steps include stopping and restarting the servers, perform this task during a maintenance window.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 4 to go to the Install Custom SOAP Cert procedure.
  4. Follow the prompts to install the certificate and key files that you uploaded:
    1. Enter Yes at the prompt to proceed with the installation.
    2. Select the certificate that you are importing, verify that the displayed certificate details are correct, and enter Yes at the prompt.
    3. Select the private key that you are importing.

      The Appliance verifies that the key is valid and matches the certificate.

    4. Enter Yes at the prompt to create a backup of the files in the /outgoing directory of the tancopy user.

      The Tanium Appliance stops the Tanium Server service, installs the new certificate and key, and restarts the service.

    5. If the Appliances are in an array, the last step is to re-register the Module Server: enter Yes at the prompt and enter the password of the Tanium Console admin user.

      Otherwise, if the Appliance is not in an array, press Enter to continue and perform the steps described in Re-register the remote Module Server with each Tanium Server.
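
The key-to-certificate match that the appliance performs during installation can also be run on the management computer before the files are copied to /incoming, and it applies equally to client certificate and key pairs prepared for TDownloader. This is an added example, not part of TanOS or the Tanium documentation; it assumes PEM-encoded files and the OpenSSL command-line tool, and the function name, exit codes and 30-day expiry threshold are illustrative choices.

```shell
#!/bin/sh
# Added example: pre-upload check of a PEM certificate and its private key.
# Function name, exit codes and the default 30-day threshold are illustrative
# assumptions; only standard OpenSSL CLI options are used.
#
# Usage: check_cert_key_pair CERT.pem KEY.pem [MIN_DAYS_VALID]
# Returns: 0 ok, 1 key does not match certificate, 2 unreadable certificate,
#          3 unreadable key, 4 certificate expires within MIN_DAYS_VALID.
check_cert_key_pair() {
    cert=$1
    key=$2
    min_days=${3:-30}

    # The certificate must parse as PEM X.509.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "cannot read certificate: $cert" >&2
        return 2
    fi

    # The key must parse. "-passin pass:" supplies an empty passphrase so a
    # passphrase-protected key fails here instead of prompting.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "cannot read private key (unparseable or passphrase-protected): $key" >&2
        return 3
    fi

    # Both commands emit the public key as PEM SubjectPublicKeyInfo, so the
    # pair matches only if the two outputs are identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "certificate expires within $min_days days" >&2
        return 4
    fi

    # Print the details to compare with what the appliance displays at import.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    return 0
}

# Run the check when the script is called with file arguments.
if [ "$#" -ge 2 ]; then
    check_cert_key_pair "$@"
fi
```

A non-zero exit status means the pair should not be uploaded; the message on standard error names the failed check.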

Re-register the remote Module Server with each Tanium Server

After you replace the certificate and private key on the Tanium Server, re-register the Module Server if you did not already do so in the preceding task. In an active-active deployment, you must re-register with each Tanium Server. Because the steps include stopping and restarting services, perform this task during a maintenance window.

  1. Repeat the remote Module Server configuration steps to update the certificates that are used to validate SOAPServer.crt and ssl.crt on each server: trusted.crt on the Module Server appliance and trusted-module-servers.crt on the Tanium Server appliance. See Manually register a Tanium Module Server with the Tanium Server.
  2. Restart all Tanium services on the Module Server appliance. See Start, stop, and restart Tanium services.

Manage content signing keys

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Install Content Signing Keys menu.
  4. Use the menus to add, delete, or list the key files.

Enable import of user-created content

The Tanium Server requires content files that are imported into the Tanium Console to be signed, and the signatures are verified by public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered through content.tanium.com are included with the installation. To import user-created content, you must use a utility provided by Tanium to sign the content, and you must upload the public key from that pair to the Tanium Server. In an active-active cluster, perform the following steps for each active Tanium Server in the deployment.

  1. Contact Tanium Support for instructions on how to download the content signing key utility (keyutility.exe). For more information, see Contact Tanium Support.
  2. Use keyutility.exe to generate a cryptographic key pair and use it to sign the user-created content you want to import into the Tanium Server. See Tanium Core Platform User Guide: Authenticating content files.
  3. Rename the public key file from that key pair to import.pub and use SFTP to upload it to the /incoming folder of the Tanium Server appliance.
  4. Sign in to the TanOS console as a user with the tanadmin role.
  5. Enter 2 to go to the Tanium Operations menu.
  6. Enter 5 to go to the Install Content Signing Keys menu.
  7. Enter A to go to the Add Content Signing Key menu and follow the prompts to import the public key file.

You can now upload signed user-created content to the Tanium Server on the appliance. In a Tanium cluster, Tanium Servers write content to the shared Tanium database. Therefore, after you import content on a Tanium Server in a Tanium cluster, the content is available on the other Tanium Server.

Watch the tutorial about how to manage content signing keys for the Tanium Appliance.

Download the Tanium Server SOAP certificate

Download the Tanium Server SOAP certificate file for configuration of a remote Windows Module Server, or other use.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 7 to go to the Download SOAP Certificate procedure.
  4. Follow any prompts to copy the SOAP certificate file to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Import a common access card certificate file

The Tanium Console supports smart card authentication. A smart card is a physical credential that has a microchip and data, such as secure certificates and keys. Smart cards are also known as common access cards (CAC) and personal identity verification (PIV) cards. Endpoint systems are set up with smart card readers, and end users use their smart card to authenticate and gain access. For more information, see the Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Upload the certificate file

  1. Use SFTP to copy the certificate file (PEM format) to the /incoming directory on the Tanium Server appliance.

Install the certificate file

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 9 and follow the prompts to import and install the CAC certificate file.

Manually register a Tanium Module Server with the Tanium Server

If you manually install a Tanium Module Server, or if you replace the certificate and private key on the Tanium Server, you must manually register the Module Server with the Tanium Server. This process includes configuring the Module Server on the Tanium Server and then enabling the Module Server. In an active-active deployment, you must register the Module Server with each Tanium Server.

Configure the Module Server on the Tanium Server

  1. Sign in to a Tanium Server appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter A to go to the Configure Module Server(s) menu.
  4. Enter 1 and follow the prompts to configure the Module Server address, which specifies the address the Tanium Server uses to connect to the Module Server. Be sure to copy the certificate fingerprint. You need the certificate fingerprint to configure the Module Server.

Enable the remote Module Server

  1. Sign in to the Tanium Module Server appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter A to go to the Register Module Server menu.
  4. Enter 2 and follow the prompts to enable the remote Module Server and to configure its connection with the Tanium Server. Specify the Tanium Console admin user (tanium, not a TanOS user).

    For a cluster, register the Tanium servers individually.

Configure a Tanium cluster

You can deploy two Tanium Servers in an active-active cluster to ensure continuous availability in the event of an outage or scheduled maintenance. This active-active cluster is referred to as a Tanium cluster, where the Tanium Server application is active-active, and the database component is active-passive. A Tanium cluster (the Active-Active Tanium Server pair) communicates with other components of the Tanium Core Platform, including Tanium Module Servers and Tanium Zone Servers.

Before you begin

  • Install the Tanium Server role on both members of the cluster.
  • Set up the IPsec tunnel to ensure end-to-end security between appliances. An IPsec tunnel is automatically configured when you set up an array. For instructions, see Set up an IPsec tunnel.
  • Note the host name and domain name of both the primary and secondary members of the cluster, as you will need these to configure the cluster.
  • Create an authorized key for the tancopy user on the secondary appliance using the public key for the user performing the cluster configuration on the primary appliance.

Initialize Cluster

  1. On the primary appliance to use in the cluster, sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter B to go to the Cluster Configuration menu.
  4. Enter 1 to go to the Step 1 -> Initialize Cluster screen.
  5. Follow the prompts to enter the host name and domain name of the secondary appliance and complete cluster initialization.

Join cluster

  1. On the secondary appliance to use in the cluster, sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter B to go to the Configure Tanium Cluster menu.
  4. Enter 2 to go to the Step 2 -> Join Cluster screen.
  5. Follow the prompts to enter the host name and domain name of the primary appliance and complete adding the secondary appliance to the cluster.

Perform database failover

  1. On the secondary, or passive, appliance, sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter B to go to the Cluster Configuration menu.
  4. Enter A to go to the Database Server Failover screen.
  5. Follow the prompts to perform the failover to the secondary appliance database and promote the secondary appliance database to primary.
  6. To demote the original primary Tanium Server database to the passive role, on the original primary appliance, reinitialize replication. For instructions, see Reinitialize replication.

Check replication status

  1. On either Tanium Server in the cluster, sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter B to go to the Cluster Configuration menu.
  4. Enter S to display the replication status between the cluster members.

Remove server from cluster

Perform the following steps to remove the Tanium Server cluster configuration from the current appliance.

  1. On the Tanium Server that is the primary node in the cluster, sign in to the TanOS console as a user with the tanadmin role.

    Enter @ to go to the About This Appliance menu, where you can check which Tanium Server is the primary node.

  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter B to go to the Cluster Configuration menu.
  4. Enter L, and follow the prompts to remove the cluster configuration.

Reinitialize replication

You can reinitialize replication on the passive, or secondary, database, which removes all existing database contents and replaces them with the contents from the currently active database. After you perform a failover, you can initialize replication from the newly active secondary appliance to the original primary appliance by performing this procedure on the original primary appliance.

  1. On the Tanium Server appliance with the passive database, sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter B to go to the Cluster Configuration menu.
  4. Enter B to go to the Reinitialize Replication screen.
  5. Follow the prompts to reinitialize replication between the cluster members, and, if applicable, demote the original primary Tanium Server.

Change the Tanium content manifest URL

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter B to go to the Manifest URL Change menu.
  5. Use the menu to change the manifest URL.

Schedule sync jobs

  1. Sign in to the source Module Server appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter D to go to the Module Server Sync menu.
  4. Enter 5 to go to the Schedule TMS Sync menu.

    The top of the menu shows active and pending settings. The changes you make are pending until you use menu 7 to make them active.

  5. Use the menu to configure the schedule:
    1. Enter 1 or 2 to toggle the enabled/disabled status for the schedule.
    2. Enter 4 or 5 to set the schedule by days of the month or days in a week.
      • A comma (,) indicates separate days. For example, 1,15.
      • A hyphen (-) indicates contiguous days. For example, mon-fri.
      • Specify days of the week with three-letter abbreviations: sun, mon, tue, wed, thu, fri, sat.
    3. Enter 6 to set the time of day.
    4. Enter 7 to make your changes active.

View detailed status for Module Server sync

The top of the Module Server Sync menu shows configuration status and the last return code for the sync job. You can use menu 1 to view detailed status.

  1. Sign in to the source Module Server appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter D to go to the Module Server Sync menu.
  4. Enter 1 to view the status.

Promote the standby Module Server

The Module Server service on the standby appliance is not enabled while the active appliance is running. To make the standby appliance active, such as in the event of a failure on the active Module Server, perform the following steps to promote the standby Module Server.

  1. Sign in to the Tanium Server appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter A to go to the Configure Module Server(s) menu.
  4. Enter P to Promote TMS.
  5. Enter the line number of the Module Server to promote to active.
  6. Enter the administrative user name for the web-based Tanium Console. This is different from TanOS console tanadmin users.
  7. Enter the password for the Tanium Console administrative user and press Enter.

After you perform this procedure, the two Module Servers are disconnected from each other and the standby Module Server is active and registered with the Tanium Server. To use the non-active Module Server as a standby appliance, disable synchronization on the non-active Module Server, assign the Module Server synchronization role of source to the active Module Server, and assign the Module Server synchronization role of target to the new standby Module Server.