Reference: Tanium Operations menu

Tanium™ operations include management of Tanium services, configuration settings, and certificate and public key files.

Start, stop, and restart Tanium services

Manage Tanium™ Core Platform servers and the database server with these common service control commands:

  • Start
  • Stop
  • Restart
  • Disable
  • Enable

Use the TanOS menus to stop, start, or restart a service, regardless of whether the service is enabled or disabled.

To issue a command:

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 1 to go to the Tanium Service Control menu.
  4. Enter the line number of the service that you want to manage to view the service commands.
  5. Enter the number associated with the service control command to issue it.

Change a Tanium server configuration

Use the Configuration Settings menu to change the log level or the Tanium component server configuration settings. Contact Tanium Support before changing Tanium configuration settings. For more information, see Contact Tanium Support.

Edit server settings

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Use the menu to view and edit Tanium component server settings.
For detailed guidelines on Tanium Core Platform server settings, see the Tanium Core Platform Deployment Reference Guide: Settings.

Add an authentication user for TDownloader

TDownloader is a utility that the Tanium Core Platform uses to download files from other servers, including updates from content.tanium.com. Some servers require user authentication. Use this menu to add user credentials for the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 3 (Tanium Server TDL Auth User) or 7 (Tanium Module Server TDL Auth User) and follow the prompts to configure user credentials for the server URL from which you want to download files.

    Alternatively, the URL field can contain the path for a Windows file share, such as \\tam.local\dc1\share.

  5. Review the resulting configuration.

Edit TDownloader settings

Use this menu to add and edit settings for the Tanium Server TDownloader instance or the Module Server TDownloader instance. For example, if your deployment uses proxies and contains only IPv6 addresses, add the ForceIPV6 setting to force TDownloader to resolve proxy addresses as IPv6.

For a list of supported settings, see Tanium Core Platform Deployment Reference Guide: Tanium Core Platform server settings.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 2 to show the TDL settings.
    • To add a new setting, enter A and follow the prompts to enter a key-value pair.
    • To edit a setting, enter the line number of the setting, enter E, and type in the new value of the setting.
    • To delete a setting, enter the line number of the setting, and enter D.

Add an authentication certificate for TDownloader

Servers from which you want to download files might require certificate authentication. Use this menu to add a client certificate and key to the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Use SFTP to copy the client certificate file and key file to the /incoming folder.

  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter 2 to go to the Configuration Settings menu.
  5. Enter 4 (Add Tanium Server TDL Auth Cert) or 8 (Add Tanium Module Server TDL Auth Cert) and follow the prompts to upload the certificate and key file and configure TDownloader to use them for the server URL from which you want to download files.
  6. Review the resulting configuration.

Manage authentication certificates for Tanium Patch connections with Red Hat

Tanium™ Patch downloads files from a Red Hat Satellite Server that requires certificate authentication.

  1. Download a client certificate and key file from the Red Hat website that is specific to your subscription entitlement and create files named client-certificate.pem and client-key.pem as described in the Tanium Support KB: Creating a Red Hat certificate for Tanium downloads (sign-in required).
  2. Use SFTP to copy the certificate file and key file to the /incoming folder.
  3. Sign into the TanOS console as a user with the tanadmin role.
  4. Enter 2 to go to the Tanium Operations menu.
  5. Enter 2 to go to the Configuration Settings menu.
  6. Enter 4 (Tanium Server TDL Auth Cert) and follow the prompts to upload the certificate file and key file and to configure TDownloader to use them for the server URL from which you want to download files.
  7. Enter 13 and use the menu to install the Red Hat enterprise CA certificate file (redhat-uep.pem).

Edit Zone Server list

This option is deprecated for Tanium Core Platform 7.4 and does not appear in the menu.

  1. Sign into the Zone Server Hub appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 10 to edit the zoneserverlist.txt file.
  5. Add the IP address or FQDN for each Zone Server and save the file.

Edit Zone Server isolated subnets list

Use the TanOS menus to configure the isolated subnets list for Zone Servers.

For Tanium Servers (not Zone Servers), use the Tanium Console to configure the isolated subnets list. For more information, see Tanium Client User Guide: Configure isolated subnets.

  1. Sign into the TanOS console of the Zone Server appliance as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 11 to edit the IsolatedSubnets.txt file.
  5. Use the menu to specify the CIDR IP address for subnets in which clients should never peer.
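
A pre-check for the CIDR entries you plan to enter in the isolated subnets list, run on the management computer. This is an added example, not Tanium code; the one-entry-per-line input layout, the function name, and the prefix-length review thresholds are assumptions.

```python
import ipaddress

# Constructed sample input, one candidate entry per line (an assumed layout).
SAMPLE_ENTRIES = """\
10.20.30.0/24
10.20.30.17/24
10.20.0.0/16
192.168.5.0/33
2001:db8:40::/48
10.20.30.0/24
not-a-subnet
"""

def lint_isolated_subnets(text, min_prefix_v4=8, min_prefix_v6=32):
    """Return (accepted, findings) for candidate isolated-subnet entries.

    accepted: normalized CIDR strings; findings: (line, entry, level, msg).
    The min_prefix_* review thresholds are assumptions of this example.
    """
    nets, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError as exc:
            findings.append((lineno, entry, "error", f"not a CIDR: {exc}"))
            continue
        net = iface.network
        if "/" not in entry:
            findings.append((lineno, entry, "error", "no prefix length"))
            continue
        if iface.ip != net.network_address:
            findings.append((lineno, entry, "error",
                             f"host bits set; did you mean {net}?"))
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            findings.append((lineno, entry, "warn",
                             f"/{net.prefixlen} isolates a very large range"))
        # Only networks of the same IP version can be compared.
        same = [n for n in nets if n.version == net.version]
        if net in same:
            findings.append((lineno, entry, "warn", "duplicate entry"))
            continue
        for n in same:
            if net.subnet_of(n):
                findings.append((lineno, entry, "warn", f"covered by {n}"))
                break
            if n.subnet_of(net):
                findings.append((lineno, entry, "warn", f"contains {n}"))
                break
        nets.append(net)
    return [str(n) for n in nets], findings
```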

Change a Tanium component server port

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 3 to go to the Change Tanium Port menu.
  4. Use the menu to change the port configuration.

Install a custom SOAP certificate

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA).

In a Tanium cluster, repeat the following procedures to upload and install the certificate and key files to each Tanium Server.

For detailed information about the SSL certificates used in a Tanium deployment, see the Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

Upload the CA certificate file

  1. Set up an SFTP client to connect to the Tanium Appliance:
    1. Specify tancopy for user name.
    2. Click Advanced.
    3. Under SSH, browse and select the private key that pairs with the public key that is uploaded to the appliance. For information, see Configure user access (hardware appliance) or Configure user access (virtual appliance).
  2. Use SFTP to copy the SOAP certificate and key files to the /incoming directory on the appliance.

Install the SOAP certificate file

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 4 to go to the Install Custom SOAP Cert procedure.
  4. Follow the prompts to install the certificate and key files you uploaded in the previous procedure.
After you replace the self-signed SOAP certificate on the Tanium Server with an SSL certificate signed by a CA, perform the following actions:
  1. Redo both remote Module Server configuration steps to update the certificates that are derived from that certificate on each server. See Configure the Tanium Server to use the remote Module Server.
  2. Restart all Tanium services on the Module Server appliance. See Start, stop, and restart Tanium services.

Manage content signing keys

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Install Content Signing Keys menu.
  4. Use the menus to add, delete, or list the key files.

Enable import of user-created content

The Tanium Server requires content files that are imported into the Tanium Console to be signed, and the signatures are verified by public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered through content.tanium.com are included with the installation. To import user-created content, you must use a utility provided by Tanium to sign the content, and you must upload the public key from that pair to the Tanium Server.

If you set up a Tanium cluster with an Appliance Array, perform the following steps for the primary Tanium Server. When you add a content signing key to the primary Tanium Server, TanOS copies the public key to the secondary Tanium Server and the Tanium Module Server. If you set up a standby Tanium Module Server, you will need to manually add the content signing key.

  1. Contact Tanium Support for instructions on how to download the content signing key utility (keyutility.exe). For more information, see Contact Tanium Support.
  2. Use keyutility.exe to generate a cryptographic key pair and use it to sign the user-created content you want to import into the Tanium Server. See Tanium Core Platform User Guide: Authenticating content files.
  3. Rename the public key file from that key pair to import.pub and use SFTP to upload it to the /incoming folder of the Tanium Server appliance.
  4. Sign into the TanOS console as a user with the tanadmin role.
  5. Enter 2 to go to the Tanium Operations menu.
  6. Enter 5 to go to the Install Content Signing Keys menu.
  7. Enter A to go to the Add Content Signing Key menu and follow the prompts to import the public key file.

You can now upload signed user-created content to the Tanium Server on the appliance. In a Tanium cluster, Tanium Servers write content to the shared Tanium database. Therefore, after you import content on a Tanium Server in a Tanium cluster, the content is available on the other Tanium Server.

Watch the tutorial on managing content signing keys for the Tanium Appliance on the Tanium Community website.

Download the Tanium Server public key file

Download the Tanium Server public key file so you can include it in Tanium Client installation packages.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 6 to go to the Download Public Key procedure.
  4. Follow any prompts to copy the public key to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Download the Tanium Server SOAP certificate

Download the Tanium Server SOAP certificate file for configuration of a remote Windows Module Server, or other use.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 7 to go to the Download SOAP Certificate procedure.
  4. Follow any prompts to copy the SOAP certificate file to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Import the Tanium public/private key pair (Tanium Core Platform 7.3 and earlier)

When you migrate an existing deployment to new Tanium Core Platform 7.3 installations, you might want to migrate the Tanium Server public/private key pair to avoid redistributing the tanium.pub key file to Tanium Clients.

Beginning in Tanium Core Platform 7.4, the Tanium Server includes a pki.db file that contains the root keys, Tanium Server TLS keys, and message-signing keys for the Tanium Server. The option to import the tanium.pub and tanium.pvk files does not exist. If you have a pki.db file from a previous Tanium Server 7.4 installation, you can import the keys when you install the Tanium Server. For more information, see Installing Tanium Server.

Upload the public and private key files

  1. Add the public/private key pair you want to copy to a passphrase-protected file named tanium.zip (minimum 10-character password).
  2. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Replace the public and private keys

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 8 and follow the prompts to import the ZIP file and install the keys.

Import a common access card certificate file

The Tanium Console supports smart card authentication. A smart card is a physical credential that has a microchip and data, such as secure certificates and keys. Smart cards are also known as common access cards (CAC) and personal identity verification (PIV) cards. Endpoint systems are set up with smart card readers, and end users use their smart card to authenticate and gain access. For more information, see the Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Upload the certificate file

  1. Add the certificate file (PEM format) to a passphrase-protected file named tanium.zip (minimum 10-character password).
  2. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Install the certificate file

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 8 and follow the prompts to import the ZIP file and install the CAC certificate file.

Change the Tanium content manifest URL

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manage Content menu.
  4. Enter B to go to the Manifest URL Change menu.
  5. Use the menu to change the manifest URL.

Install the Direct Connect Zone Proxy

For installations with Direct Connect, install a zone proxy to enable connections to endpoints through the Zone Server appliance. This configuration is required to use Direct Connect with endpoints that connect to the Module Server through a Zone Server.

Import and configure Direct Connect

In the Tanium Console, go to Administration > Configuration > Solutions and import Direct Connect. See Direct Connect User Guide: Installing Direct Connect for steps on how to import Direct Connect, verify the installation, and then set up Direct Connect. When you reach the steps to configure zone proxies, use the following steps to install the Direct Connect Zone Proxy to the Zone Server appliance.

Obtain the Direct Connect Zone Proxy Installer file

Work with Tanium Support to obtain the Direct Connect Zone Proxy Installer file for the Zone Server appliance. For more information, see Contact Tanium Support.

Install the Direct Connect Zone Proxy on the Zone Server Appliance

  1. Use SFTP to copy the file to the Zone Server /incoming folder.
  2. Sign into the TanOS console of the Zone Server Appliance as a user with the tanadmin role.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter M to go to the Module Operation menu.
  5. Enter B and follow the prompts to install the Direct Connect Zone Proxy.
  6. Copy the provision secret and certificate that appear at the end of the installation. Follow the steps that appear to return to the Direct Connect settings in the Tanium Console to complete the configuration. For steps to configure a zone proxy in Direct Connect, see Direct Connect User Guide: Configure Zone Proxies.
  7. Press Q and Enter to exit the installation.

Install the Zone Proxy package

The zone proxy service has two parts: the zone proxy (proxy) and the zone hub (hub). The hub is installed on a Tanium Module Server and the proxy is typically installed on a Zone Server. The hub connects to one or more proxies, creating a tunnel between itself and each proxy to allow remote endpoint connections to be established.

The Zone Proxy package cannot be installed in an All-in-One deployment. The Zone Server must be contained on a dedicated appliance.

Import the Zone Hub solution

In the Tanium Console, go to Administration > Configuration > Solutions and import the Zone Hub solution. See the Tanium Threat Response User Guide.

Generate the Zone Proxy package

Go to Threat Response and generate a Zone Proxy package. See the Tanium Threat Response User Guide.

When you generate the Zone Proxy package, the package shows a Pending status and a Publish All button. Do not click Publish All until you have downloaded the Zone Proxy package from the Module Server, as described in the next section. As a security feature, the package ZIP files are deleted from the Module Server when you click Publish All.

Download the Zone Proxy package from the Module Server

  1. Sign into the Module Server TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter M to go to the Module Operation menu.
  4. Enter 1 and follow the prompts to copy the Zone Proxy package to the /outgoing folder.
  5. Use SFTP to copy the file to your management computer.

Install the Zone Proxy package on the Zone Server

  1. Use SFTP to copy the file to the Zone Server /incoming folder.
  2. Sign into the Zone Server TanOS console as a user with the tanadmin role.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter M to go to the Module Operation menu.
  5. Enter A and follow the prompts to install the Zone Proxy package.

The option to install the Zone Proxy package only appears on a dedicated Zone Server appliance.

Publish the packages to the hub and endpoints

After the configuration packages are deployed, share the Zone Server configuration with the Zone Hub and the endpoints. All endpoints get all connection information and certificates, allowing them to connect to any proxy. For detailed steps, see the Tanium Threat Response User Guide.