Reference: Tanium Operations menu

Tanium™ operations include management of Tanium services, configuration settings, and certificate and public key files.

Start, stop, and restart Tanium services

Tanium™ component servers and the database server can be managed with common service control commands:

  • Start
  • Stop
  • Restart
  • Disable
  • Enable

You can use the TanOS menu to stop a service whether or not it is enabled. You can use the TanOS menu to start or restart a service even if the service is disabled.

To issue a command:

  1. Log into the TanOS console as a user with the tanadmin role.
  2. The TanOS console displays the tanadmin menu.

  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter 1 to go to the Tanium Service Control menu.
  5. Enter the line number of the service that you want to manage to display the service commands.
  6. Enter the number associated with the service control command to issue it.

Change a Tanium server configuration

You can use the Configuration Settings menu to change the log level or the Tanium component server configuration settings. Contact your Technical Account Manager (TAM) before changing Tanium configuration settings.

Edit server settings

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Use the menu to view and edit Tanium component server settings.

For detailed guidelines on Tanium Core Platform server settings, see the Tanium Core Platform Deployment Reference Guide: Settings.

Add an authentication user for TDownloader

TDownloader is a utility used by the Tanium Core Platform to perform file downloads. A destination server might require user authentication. Use this menu to add user credentials for the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 3 (Tanium Server TDL Auth User) or 7 (Tanium Module Server TDL Auth User) and follow the prompts to configure user credentials for the specified destination server URL.
  5. Review the resulting configuration.

Add an authentication certificate for TDownloader

A destination server might require certificate authentication. Use this menu to add a client certificate and key to the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Use SFTP to copy the client certificate file and key file to the /incoming folder.

  2. Log into the TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  4. Enter 2 to go to the Tanium Configuration Settings menu.
  5. Enter 4 (Tanium Server TDL Auth Cert) or 8 (Tanium Module Server TDL Auth Cert) and follow the prompts to upload the certificate and key file and configure TDownloader to use them for the specified destination server URL.
  6. Review the resulting configuration.

Manage authentication certificates for Tanium Patch connections with RedHat

Tanium Patch downloads files from a RedHat satellite server that requires certificate authentication.

  1. Obtain from RedHat a client certificate and key file that is specific to your subscription entitlement, and create files named client-certificate.pem and client-key.pem as described in the Tanium Support KB: Creating a RedHat certificate for Tanium downloads (login required).
  2. Use SFTP to copy the certificate file and key file to the /incoming folder.
  3. Log into the TanOS console as a user with the tanadmin role.
  4. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  5. Enter 2 to go to the Tanium Configuration Settings menu.
  6. Enter 4 (Tanium Server TDL Auth Cert) and follow the prompts to upload the certificate file and key file and to configure TDownloader to use them for the specified destination server URL.
  7. Enter 13 (Control RedHat CA Cert) and use the menu to install the RedHat enterprise CA certificate file (redhat-uep.pem).

Edit zone server list

This option is deprecated for Tanium Core Platform 7.4 and does not appear in the menu.

  1. Log into the Zone Server Hub appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 10 to edit the zoneserverlist.txt file.
  5. Add the IP address or FQDN for each Zone Server and save the file.

Edit zone server isolated subnets list

You can use the Tanium Console to configure the isolated subnets list for Tanium Servers but not Zone Servers. You can use the TanOS menus to configure the list for Zone Servers.

  1. On the Zone Server appliance, log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 11 to edit the isolatedsubnets.txt file.
  5. Use the menu to specify the CIDR IP address for subnets in which clients should never peer.
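A mistyped prefix in this list changes which clients are kept from peering, so it is worth checking the entries before entering them in the menu. The following is an added example, not Tanium code: the function names and the sample entries are constructed for illustration, and it assumes only that each entry is a subnet in CIDR notation.

```python
import ipaddress

# Constructed sample entries, as an administrator might draft them.
SAMPLE_ENTRIES = ["10.20.0.0/16", "10.20.30.0/24", "192.168.5.17/24",
                  "172.16.0.0/33", "10.20.0.0/16", "203.0.113.0/24"]

def check_isolated_subnets(entries):
    """Return (accepted networks, problem messages) for proposed CIDR entries."""
    networks, problems = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        if "/" not in text:
            problems.append(f"{text}: no prefix length, write it as CIDR")
            continue
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            try:
                # A host address with a prefix (for example 192.168.5.17/24)
                fixed = ipaddress.ip_network(text, strict=False)
                problems.append(f"{text}: host bits set, did you mean {fixed}?")
            except ValueError:
                problems.append(f"{text}: not a valid CIDR subnet")
            continue
        if net in networks:
            problems.append(f"{text}: duplicate entry")
            continue
        networks.append(net)
    # Flag entries that a broader entry already covers.
    for net in networks:
        for other in networks:
            if (net != other and net.version == other.version
                    and net.subnet_of(other)):
                problems.append(f"{net}: already covered by {other}")
    return networks, problems

def is_isolated(client_ip, networks):
    """True if client_ip falls inside any accepted isolated subnet."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, issues = check_isolated_subnets(SAMPLE_ENTRIES)
    print("accepted:", [str(n) for n in nets])
    for issue in issues:
        print("problem:", issue)
```
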

Change a Tanium component server port

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 3 to go to the Change Tanium Port menu.
  4. Use the menu to change the port configuration.

Install a custom SOAP certificate

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA).

In a redundant cluster, repeat the following procedures to upload and install the certificate and key files to each Tanium Server.

For detailed information about the SSL certificates used in a Tanium deployment, see the Tanium Core Platform Deployment Reference Guide: SSL certificates.

Upload the CA certificate file

  1. Set up an SFTP client to connect to the Tanium appliance:
    1. Specify tancopy for user name.
    2. Click Advanced.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Completing the initial setup (hardware appliances).
  2. Use SFTP to copy the SOAP certificate and key files to the /incoming directory on the appliance.

Install the SOAP certificate file

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 4 to go to the Install Custom SOAP Cert procedure.
  4. Follow the prompts to install the certificate and key files you uploaded in the previous procedure.

After you replace the self-signed SOAP certificate on the Tanium Server with an SSL certificate signed by a CA, you must take the following actions:

  1. Redo both remote Module Server configuration steps to update the certificates that are derived from that certificate on each server. See Configure the Tanium Server to use the remote Module Server.
  2. Restart all Tanium services on the Module Server appliance. See Start, stop, and restart Tanium services.

Enable import of user-created content

The Tanium Server requires that content files imported into the Tanium Console be signed, and it verifies the signatures with public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered via content.tanium.com are included with the installation. To import user-created content, you must use a utility provided by Tanium to sign the content, and you must upload the public key from that pair to the Tanium Server.

  1. Contact your TAM for instructions on how to download the content signing key utility (keyutility.exe).
  2. Use keyutility.exe to generate a cryptographic key pair and use it to sign the user-created content you want to import into the Tanium Server. See the Tanium Core Platform User Guide.
  3. Rename the public key file from that key pair to import.pub and use SFTP to upload it to the /incoming folder of the Tanium Server appliance.
  4. Log into the TanOS console as a user with the tanadmin role.
  5. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  6. Enter 5 to go to the Manage Custom Signing Keys menu.
  7. Enter 3 to go to the Add Content Signing Key menu and then follow the prompts to import the public key file.

Watch the tutorial on managing content signing keys for the Tanium Appliance on the Tanium Community website.

Manage content signing keys

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Manage Custom Signing Keys menu.
  4. Use the menus to add, remove, or list the key files.

Download the Tanium Server public key file

Download the Tanium Server public key file so you can include it in Tanium Client installation packages.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 6 to go to the Download Public Key procedure.
  4. Follow the prompts to copy the public key to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Download the Tanium Server SOAP certificate

Download the Tanium Server SOAP certificate file for configuration of a remote Windows Module Server, or other use.

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 7 to go to the Download SOAP Certificate procedure.
  4. Follow the prompts to copy the SOAP certificate file to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Import the Tanium public/private key pair (Tanium Core Platform 7.3 and earlier)

When you migrate an existing deployment to new Tanium Core Platform 7.3 installations, you might want to migrate the Tanium Server public/private key pair to avoid redistributing the tanium.pub key file to Tanium Clients.

Beginning in Tanium Core Platform 7.4, the Tanium Server includes a pki.db file that contains the root keys, Tanium Server TLS keys, and message-signing keys for the Tanium Server. The option to import the tanium.pub and tanium.pvk files does not exist. If you have a pki.db file from a previous Tanium Server 7.4 installation, you can import the keys when you install the Tanium Server. For more information, see Installing Tanium Server.

Upload the public and private key files

  1. Add the public/private key pair you want to copy to a passphrase-protected file named tanium.zip (minimum 10-character password).
  2. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Replace the public and private keys

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 8 and then follow the prompts to import the zip file and install the keys.

Import a common access card (CAC) certificate file

The Tanium™ Console supports smart card authentication. A smart card is a physical credential that has a microchip and data, such as secure certificates and keys. Smart cards are also known as common access cards (CAC) and personal identity verification (PIV) cards. Endpoint systems are set up with smart card readers, and end users use their smart card to authenticate and gain access. For more information, see the Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Upload the certificate file

  1. Add the certificate file (PEM format) to a passphrase-protected file named tanium.zip (minimum 10-character password).
  2. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Install the certificate file

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 8 and then follow the prompts to import the zip file and install the CAC certificate file.

Change the Tanium content manifest URL

  1. Log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter B to display the Manifest URL Change menu.
  5. Use the menu to change the manifest URL.

Install the Direct Connect Zone Proxy

For installations with Direct Connect, install a zone proxy to enable connections to endpoints through the Zone Server appliance. This configuration is required to use Direct Connect with endpoints that connect to the Module Server through a Zone Server.

Import and configure Direct Connect

In the Tanium Console, go to the Solutions page to import Direct Connect. See Direct Connect User Guide: Installing Direct Connect for steps on how to import Direct Connect, verify the installation, and then set up Direct Connect. When you reach the steps to configure zone proxies, use the following steps to install the Direct Connect Zone Proxy to the Zone Server appliance.

Obtain the Direct Connect Zone Proxy Installer file

Work with your TAM to obtain the Direct Connect Zone Proxy Installer file for the Zone Server appliance.

Install the Direct Connect Zone Proxy on the Zone Server Appliance

The following steps work only on a dedicated Zone Server Appliance. For an All-in-One deployment, install the Direct Connect Zone Proxy through the Tanium Console. See the Direct Connect User Guide: Installing Direct Connect.

  1. Use SFTP to copy the file to the Zone Server /incoming folder.
  2. Log into the TanOS console on the Zone Server Appliance as a user with the tanadmin role.
  3. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  4. Enter M to display the Module Operation menu.
  5. Enter B and follow the prompts to install the Direct Connect Zone Proxy.
  6. Copy the provision secret and certificate that display at the end of the installation. Follow the steps that display to return to the Direct Connect settings in the Tanium Console to complete the configuration. For additional information on how to configure Direct Connect, see Direct Connect User Guide: Installing Direct Connect.
  7. Press Q and Enter to exit the installation.

Install the Zone Proxy package

The zone proxy service has two parts: the zone proxy (proxy) and the zone hub (hub). The hub is installed on a Tanium Module Server and the proxy is typically installed on a Zone Server. The hub connects to one or more proxies, creating a tunnel between itself and each proxy to allow remote endpoint connections to be established.

The Zone Proxy package cannot be installed in an All-in-One deployment. The Zone Server must be contained on a dedicated appliance.

Import the Zone Hub solution

In the Tanium Console, go to the Solutions page and import the Zone Hub solution. See the Tanium Threat Response User Guide.

Generate the Zone Proxy package

Go to Threat Response and generate a Zone Proxy package. See the Tanium Threat Response User Guide.

When you generate the Zone Proxy package, the package displays a Pending status and a Publish All button. Do not click Publish All until you have downloaded the Zone Proxy package from the Module Server, as described in the next section. As a security feature, the package .zip files are deleted from the Module Server when you click Publish All.

Download the Zone Proxy package from the Module Server

  1. Log into the Module Server TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter M to display the Module Operation menu.
  4. Enter 1 and then follow the prompts to copy the Zone Proxy package to the /outgoing folder.
  5. Use SFTP to copy the file to your management computer.

Install the Zone Proxy package on the Zone Server

  1. Use SFTP to copy the file to the Zone Server /incoming folder.
  2. Log into the Zone Server TanOS console as a user with the tanadmin role.
  3. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  4. Enter M to display the Module Operation menu.
  5. Enter A and follow the prompts to install the Zone Proxy package.

The option to install the Zone Proxy package only displays on a dedicated Zone Server appliance.

Publish the packages to the hub and endpoints

After the configuration packages are deployed, share the Zone Server configuration with the Zone Hub and the endpoints. All endpoints get all connection information and certificates, allowing them to connect to any proxy. For detailed steps, see the Tanium Threat Response User Guide.