Managing the Tanium Core Platform on TanOS

Tanium™ operations include management of Tanium services, configuration settings, and certificate and public key files.

Start, stop, and restart Tanium services

Manage Tanium™ Core Platform servers and the database server with these common service control commands:

  • Start
  • Stop
  • Restart
  • Disable
  • Enable

Use the TanOS menus to stop, start, or restart a service, regardless if the service is enabled or disabled.

To issue a command:

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-1 (Tanium Operations > Tanium Service Control).

  3. Enter the line number of the service that you want to manage to view the service commands. ClosedView screen
  4. Enter the number associated with the service control command to issue it.

Manage Tanium Core Platform settings

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-2 (Tanium Operations > Configuration Settings).

  3. Enter the line number for the Tanium Core Platform server on which to modify settings.
  4. Use the menu to view and edit settings. Enter the line number for a setting to edit that setting, or enter A to add a new setting.

For a reference of Tanium Core Platform server settings, see Tanium Core Platform Deployment Reference Guide: Tanium Appliance Settings.

Some changes to settings, such as changing the ServerPort setting, require you to restart the service for the modified server for the change to take effect. See Start, stop, and restart Tanium services.

Manage the TDownloader configuration

Tanium Downloader (TDL) is a utility that the Tanium Core Platform uses to download files from other servers, including updates from content.tanium.com.

Add an authentication user for TDownloader

Some servers require user authentication. If necessary, add user credentials for the Tanium Server TDownloader instance and the Module Server TDownloader instance.

You can use the Tanium Console to manage authentication certificates for remote sources. For information, see Tanium Console User Guide: Managing downloads authentication.

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-2 (Tanium Operations > Configuration Settings).

  3. Enter 3 (Tanium Server TDL Auth User) or 7 (Tanium Module Server TDL Auth User) and follow the prompts to configure user credentials for the server URL or Windows file share from which you want to download files. ClosedView screen

    The URL field can contain the path for a Windows file share, such as \\tam.local\dc1\share. For file access using Tanium, read-only permissions are sufficient. If you want to share files from a Windows share location, you must provide read-write permissions at a minimum. See the Microsoft Windows documentation for information about file and share permissions.

    For security reasons, Tanium does not support hidden shares, such as c$.

  4. Review the resulting configuration.

Edit TDownloader settings

Use this menu to add and edit settings for the Tanium Server TDownloader instance or the Module Server TDownloader instance. For example, if your deployment uses proxies and contains only IPV6 addresses, add the ForceIPV6 setting to force the TDownloader to resolve proxy addresses as IPV6.

For a list of supported settings, see Tanium Core Platform Deployment Reference Guide: Tanium Core Platform server settings.

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-2 (Tanium Operations > Configuration Settings).

  3. Enter 2 to show the TDL settings. ClosedView screen
    • To add a new setting, enter A and follow the prompts to enter a key-value pair.
    • To edit a setting, enter the line number of the setting, enter E, and type in the new value of the setting.
    • To delete a setting, enter the line number of the setting, and enter D.
    • For a list of settings, see Tanium Core Platform Deployment Reference Guide: Proxy server settings.

    You can use the Tanium Console to manage proxy settings. For information, see Tanium Console User Guide: Configure proxy server settings.

Add an authentication certificate for TDownloader

You can use the Tanium Console to manage authentication certificates for remote sources. For information, see Tanium Console User Guide: Managing downloads authentication.

Servers from which you want to download files might require certificate authentication. Use this menu to add a client certificate and key to the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Use SFTP to copy the client certificate file and key file to the /incoming folder.

  2. Sign in to the TanOS console as a user with the tanadmin role.

  3. Enter 2-2 (Tanium Operations > Configuration Settings).

  4. Enter 4 (Add Tanium Server TDL Auth Cert) or 8 (Add Tanium Module Server TDL Auth Cert) and follow the prompts to upload the certificate and key file and configure TDownloader to use them for the server URL from which you want to download files. ClosedView screen
  5. Review the resulting configuration.

Manage authentication certificates for Tanium Patch connections with Red Hat

Tanium™ Patch downloads files from a Red Hat Satellite Server that requires certificate authentication.

If you have Tanium Core Platform 7.5.3 or later, and Tanium Console 3.1 or later, you can use the Tanium Console to manage authentication certificates for remote sources. For information, see Tanium Console User Guide: Managing downloads authentication.

  1. Download a client certificate and key file from the Red Hat website that is specific to your subscription entitlement and create files named client-certificate.pem and client-key.pem. For more information, see Tanium Patch User Guide: Enable and configure Linux features.
  2. Use SFTP to copy the certificate file and key file to the /incoming folder.
  3. Sign in to the TanOS console as a user with the tanadmin role.

  4. Enter 2-2 (Tanium Operations > Configuration Settings).

  5. Enter 4 (Tanium Server TDL Auth Cert) and follow the prompts to upload the certificate file and key file and to configure TDownloader to use them for the server URL from which you want to download files. ClosedView screen
  6. Enter 13 (Control Root CA Certs) and use the menu to install the Red Hat enterprise CA certificate file (redhat-uep.pem). ClosedView screen

Edit the Zone Server isolated subnets or separated subnets list

Though isolated subnets and separated subnet configurations on Tanium Servers are synchronized to Zone Servers in Tanium Core Platform 7.4.6 and later, you can override these settings with settings on individual zone servers. Use the TanOS menus to configure the isolated subnets list or the separated subnets list for Zone Servers.

Isolated subnets contain endpoints for which you want to disable Tanium Client peering. Separated subnets specify exceptions to the peering boundaries that the address mask configured for the Tanium Server defines. For more information, see Tanium Client Management User Guide: Overview of Tanium Client peering settings.

For information about configuring isolated or separated subnets on Tanium Servers, see Tanium Client Management User Guide: Configure isolated subnets and Tanium Client Management User Guide: Configure separated subnets.

In versions of Tanium Core Platform earlier than 7.4.6, isolated and separated subnets configurations are not synchronized to Zone Servers. If you are using an earlier version of Tanium Core Platform, you must use these steps to configure isolated or separated subnets on a Zone Server.

  1. Sign in to the TanOS console of the Zone Server appliance as a user with the tanadmin role.

  2. Enter 2-2 (Tanium Operations > Configuration Settings).

  3. Enter 11 to edit the IsolatedSubnets.txt file or 12 to edit the SeparatedSubnets.txt file. ClosedView screen
  4. Use the menu to specify the subnet in CIDR format.

Install a custom SOAP certificate

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA).

Though this menu is available on the Tanium Server, in Tanium Core Platform 7.6.1 or later, use the Tanium Console to replace the certificate on the Tanium Server. See Tanium Console User Guide: Managing SSL/TLS certificates.

In a Tanium cluster, repeat the following procedures to upload and install the certificate and key files to each Tanium Server.

For detailed information about the SSL certificates used in a Tanium deployment, see the Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

Install the SOAP certificate file

Install the new, CA-issued certificate and associated private key on the Tanium Server. In an active-active deployment, perform these steps on each Tanium Server. Because the steps include stopping and restarting the servers, perform this task during a maintenance window.

  1. Use SFTP to copy the new CA-issued SOAP certificate and key files to the /incoming directory on the appliance.

  2. Sign in to the TanOS console as a user with the tanadmin role.

  3. Enter 2 (Tanium Operations).

  4. Enter 4 to initiate the Install Custom SOAP Cert process. ClosedView screen
  5. Follow the prompts to install the certificate and key files that you uploaded:
    1. Enter Yes at the prompt to proceed with the installation.

    2. Select the certificate that you are importing, verify that the displayed certificate details are correct, and enter Yes at the prompt. ClosedView screen

    3. Select the private key that you are importing.

      The appliance verifies that the key is valid and matches the certificate. ClosedView screen

    4. Enter Yes at the prompt to create a backup of the files in the /outgoing directory of the tancopy user.

      The Tanium Appliance stops the Tanium Server service, installs the new certificate and key, and restarts the service. ClosedView screen

    5. If the appliances are in an array, the last step is to re-register the Module Server: enter Yes at the prompt and enter the password of the Tanium Console admin user. ClosedView screen

      Otherwise, if the appliance is not in an array, press Enter to continue and perform the steps described in Manually register the remote Module Server with each Tanium Server. ClosedView screen

Manually register the remote Module Server with each Tanium Server

After you replace the certificate and private key on the Tanium Server, you must manually register the Module Server with the Tanium Server. This process includes configuring the Module Server on the Tanium Server and then enabling the Module Server. In an active-active deployment, you must register the Module Server with each Tanium Server. Because the steps include stopping and restarting services, perform this task during a maintenance window.

Configure the Module Server on the Tanium Server
  1. Sign in to a Tanium Server appliance as a user with the tanadmin role.

  2. Enter 2-A (Tanium Operations > Configure Module Server(s)).

  3. Enter 1 and follow the prompts to configure the Module Server address, which specifies the address the Tanium Server uses to connect to the Module Server. Be sure to copy the certificate fingerprint. You need the certificate fingerprint to configure the Module Server. ClosedView screen
Enable the remote Module Server
  1. Sign in to the Tanium Module Server appliance as a user with the tanadmin role.

  2. Enter 2-A (Tanium Operations > Register Module Server).

  3. Enter 2 and follow the prompts to enable the remote Module Server and to configure its connection with the Tanium Server. Specify the Tanium Console admin user (tanium, not a TanOS user). ClosedView screen

    For a cluster, register the Tanium Servers individually. ClosedView screen

Restart Module Server services

Restart all Tanium services on the Module Server appliance. See Start, stop, and restart Tanium services.

Download the Tanium Server SOAP certificate

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-7 (Tanium Operations > Download SOAP Certificate).

  3. If a certificate already exists, answer the prompt to copy the SOAP certificate file to the /outgoing directory. ClosedView screen
  4. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Enable import of user-created content

The Tanium Server requires content files that are imported into the Tanium Console to be signed, and the signatures are verified by public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered through content.tanium.com are included with the installation. To import user-created content, you must use a utility provided by Tanium to sign the content, and you must upload the public key from that pair to the Tanium Server. In an active-active cluster, perform the following steps for each active Tanium Server in the deployment.

  1. Contact Tanium Support for instructions on how to download the content signing key utility (keyutility.exe). For more information, see Support for Tanium Appliances.
  2. Use keyutility.exe to generate a cryptographic key pair and use it to sign the user-created content you want to import into the Tanium Server. See Tanium Core Platform User Guide: Authenticating content files.
  3. Rename the public key file from that key pair import.pub and use SFTP to upload it to the /incoming folder of the Tanium Server appliance.
  4. Sign in to the TanOS console as a user with the tanadmin role.

  5. Enter 2-5 (Tanium Operations > Install Content Signing Keys).

  6. Enter A to go to the Add Content Signing Key menu and follow the prompts to import the public key file. ClosedView screen

You can also use the Install Content Signing Keys menu to list and delete existing key files.

You can now upload signed user-created content to the Tanium Server on the appliance. In a Tanium Cluster, Tanium Servers write content to the shared Tanium database. Therefore, after you import content on a Tanium Server in an Tanium cluster, the content is available on the other Tanium Server.

Watch the tutorial about how to manage content signing keys for the Tanium Appliance.

Import a common access card certificate file

The Tanium Console supports smart card authentication. A smart card is a physical credential that has a microchip and data, such as secure certificates and keys. Smart cards are also known as common access cards (CAC) and personal identity verification (PIV) cards. Endpoint systems are set up with smart card readers, and end users use their smart card to authenticate and gain access. For more information, see the Tanium Core Platform Deployment Reference Guide: Smart card authentication.

  1. Use SFTP to copy the certificate file (PEM format) to the /incoming directory on the Tanium Server appliance.
  2. Sign in to the TanOS console as a user with the tanadmin role.

  3. Enter 2 (Tanium Operations).

  4. Enter 9 and follow the prompts to import and install the CAC certificate file.

Manage a Tanium cluster

A Tanium cluster uses two Tanium Servers to provide continuous availability during scheduled maintenance or an outage. For more information, see Configuring a Tanium cluster.

Manually configure a Tanium cluster

For the best results, use an Appliance Array for easier setup and management of the appliances in your deployment. When you install two Tanium Server roles in an array, TanOS automatically configures a Tanium cluster. For instructions on how to install an Appliance Array, including the necessary Tanium Appliance server roles, see Installing and managing an Appliance Array.

If you are unable to use the Appliance Array, see Tanium Appliance Deployment Guide (version 1.7.2): Configure a Tanium cluster for instructions to manually configure a Tanium cluster.

Perform database failover

  1. On the secondary, or passive, appliance, sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-B-A (Tanium Operations > Cluster Configuration > Database Server Failover).

  3. Follow the prompts to to perform the failover to the secondary appliance database and promote the secondary appliance database to primary.
  4. To demote the original primary Tanium Server database to the passive role, on the original primary appliance, reinitialize replication. For instructions, see Reinitialize replication.

Check replication status

  1. On either Tanium Server in the cluster, sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-B (Tanium Operations > Cluster Configuration).

  3. Enter S to display the replication status between the cluster members.

Reinitialize replication

You can reinitialize replication on the passive, or secondary, database, which removes all existing database contents and replaces them with the contents from the currently active database. After you perform a failover, you can initialize replication from the newly active secondary appliance to the original primary appliance by performing this procedure on the original primary appliance.

  1. On the Tanium Server appliance with the passive database, sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-B-B(Tanium Operations > Cluster Configuration > Reinitialize Replication).

  3. Follow the prompts to reinitialize replication between the cluster members, and, if applicable, demote the original primary Tanium Server.

Change the Tanium content manifest URL

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-C-B (Tanium Operations > Manage Content > Manifest URL Change).

  3. Use the menu to change the manifest URL.

Manage the standby Module Server

Schedule sync jobs

  1. Sign in to the source Module Server appliance as a user with the tanadmin role.

  2. Enter 2-D-5 (Tanium Operations > Module Server Sync > Schedule TMS Sync).

  3. Use the menu to configure the schedule:
    1. Enter 1 or 2 to toggle the enabled/disabled status for the schedule.
    2. Enter 4 or 5 to set the schedule by days of the month or days in a week.
      • A comma (,) indicates separate days. For example, 1,15.
      • A hyphen (-) indicates contiguous days. For example, mon-fri.
      • Specify days of the week with three-letter abbreviations: sun, mon, tue, wed, thu, fri, sat.
    3. Enter 6 to set the time of day.
    4. Enter 7 to make your changes active.

View detailed status for Module Server sync

The top of the Module Server Sync menu shows configuration status and the last return code for the sync job. You can use menu 1 to view detailed status.

  1. Sign in to the source Module Server appliance as a user with the tanadmin role.

  2. Enter 2-D (Tanium Operations > Module Server Sync).

  3. Enter 1 to view the status. ClosedView screen

Promote the standby Module Server

The Module Server service on the standby appliance is not enabled while the active appliance is running. To make the standby appliance active, such as in the event of a failure on the active Module Server, perform the following steps to promote the standby Module Server.

  1. Sign in to the Tanium Server appliance as a user with the tanadmin role.

  2. Enter 2-A (Tanium Operations > Configure Module Server(s)).

  3. Enter P to Promote TMS. ClosedView screen
  4. Enter the line number of the Module Server to promote to active.
  5. Enter the administrative user name for the web-based Tanium Console. This is different from TanOS console tanadmin users.
  6. Enter the password for the Tanium Console administrative user and press Enter.

After you perform this procedure, the two Module Servers are disconnected from each other and the standby Module Server is active and registered with the Tanium Server. To use the non-active Module Server as a standby appliance, disable synchronization on the non-active Module Server, assign the Module Server synchronization role of source to the active Module Server, and assign the Module Server synchronization role of target to the new standby Module Server.

Configure solution module file share mounts

Tanium™ Connect and Tanium™ Detect can write consumable files to disk. You can configure the Module Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share on a file server, or to an internal share on the appliance itself. An internal share is a directory that the tancopy user can access using SFTP.

If you configure an internal share, the tancopy user can make an SFTP connection to the appliance with SSH key authentication and copy files to or from the /modules/connect or /modules/detect directory (depending on which shares are configured). For information about adding SSH keys for the tancopy user, see one of the following sections:

When two module servers are deployed in an active standby configuration, file share mounts are not replicated. Configure each module server in the same way to maintain functionality in the event of a failover.

Add a file share mount

  1. Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.

  2. Enter A-6 (Appliance Configuration > Share Configuration).

  3. Enter the line number of the mount you want to create and complete the configuration to add a file share mount. ClosedView screen

List a file share mount

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter A-6-A (Appliance Configuration > Share Configuration > List Mounts).

Test a file share mount

  1. Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.

  2. Enter A-6 (Appliance Configuration > Share Configuration).

  3. Enter B to test file share mounts. ClosedView screen

Manage advanced Tanium Core Platform features

Use the Advanced Operations menu to make additional changes that might be required in atypical environments.

Contact Tanium Support before you change advanced options.

Enable UseTBBAllocatorStats

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 2-X (Tanium Operations > Advanced Operations).

  3. Enter 2 and follow the prompts to enable UseTBBAllocatorStats. ClosedView screen

Upload an HTML banner

You can add a page to provide information or warnings to users before they sign in to the Tanium Console. For complete details, see Tanium Console User Guide: Customizing the Console and Interact. You can use the TanOS Advanced Operations menu to upload the banner.html file.

  1. Use SFTP to upload the HTML banner file to the /incoming folder.

  2. Enter 2-X (Tanium Operations > Advanced Operations).

  3. Enter 4 and follow the prompts to copy the HTML banner file to the appropriate location.