Reference: Tanium Operations menu

Tanium™ operations include management of Tanium services, configuration settings, and certificate and public key files.

Start, stop, and restart Tanium services

Tanium® component servers and the database server can be managed with common service control commands:

  • Start
  • Stop
  • Restart
  • Disable
  • Enable

To issue a command:

  1. Log into the TanOS console as the user tanadmin.

    The TanOS console displays the tanadmin menu.

  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 1 to go to the Tanium Service Control menu.
  4. Enter the line number of the service you want to manage to display the service commands.
  5. Type the number of a service control command to issue it.

Change a Tanium server configuration

You can use the Configuration Settings menu to change the log level or the Tanium® component server configuration settings. Contact your technical account manager (TAM) before changing Tanium configuration settings.

Edit server settings

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Use the menu to view and edit Tanium server settings.

Tanium Server settings reference

In general, you do not need to edit the Tanium Server settings. During troubleshooting, your technical account manager (TAM) might advise you to review and modify the settings described in the following table.

Table 1:   Tanium Server settings
Setting    Guidelines
AddressMask Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain.

Do not change this setting unless instructed to do so by your TAM.

AuthenticationPlugin String that specifies the pluggable authentication module (PAM).
BypassCRLCheckHostList Use this setting to list servers that should be trusted without CRL checking. Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass. An entry here disables revocation checking for that server, so keep the list empty unless your TAM instructs otherwise.
BypassProxyHostList If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.

For example, a proxy server should not be used for traffic between Tanium Servers in an active-active cluster.

A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.

Use this setting to specify destinations that should not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses.

For example:

ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15

Version 7.0.314.6242 and later support wildcards.

ConsoleSettingsJSON Path to the console settings file.
LogPath The default is /opt/Tanium/TaniumServer/Logs.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ModuleServer Module Server IP address.
ModuleServerPort Module Server port. The default is 17477.
ProxyPassword Account password. Required if a Basic proxy is configured.
ProxyPort Port number of the proxy server.
ProxyType Basic or NTLM.
ProxyServer IP address of the proxy server.
ProxyUserid Account username to establish the connection with the proxy server. Required if a Basic proxy is configured. NTLM proxies use the credentials of the user context that runs the Tanium Server service.
ReportingTLSCertPath Setting for inbound connections. Path to the TLS certificate that was created upon installation. This certificate is used in TLS connections initiated by the Tanium Client, the Tanium Zone Server Hub, or the Tanium Zone Server.
ReportingTLSKeyPath Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ServerPort Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change Tanium Port menu.
ServerSOAPPort Tanium Console and SOAP API port. The default is 8443. Port 443 redirects to 8443.
SQLConnectionString Database server connection information. 

Example:

postgres:[email protected]=postgres password= dbname=tanium sslmode=require port=5432

SSLCipherSuite OpenSSL-format cipher list for TLS connections. The value shown is:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

SSLHonorCipherOrder The default is 1, which makes the server select a cipher from its own preference order rather than the client's.
TrustedCertPath Path to the certificate file used for secure connections to the Tanium Console port.
TrustedHostList Use this setting to list hosts that should be trusted without a valid SSL certificate.

The Tanium Server does not download files from a server without a valid SSL certificate, unless it is included in this list.

Add the FQDN or IP address of any servers you want to trust. In an active/active cluster, specify the FQDN for both Tanium Servers. Version 7.0.314.6242 and later support wildcards.

Version Tanium Server version number.


Tanium Module Server reference

In general, you do not need to edit the Tanium Module Server configuration settings. During troubleshooting, your TAM might advise you to review and modify settings described in the following table.

Table 2:   Tanium Module Server settings
Setting    Guidelines
BypassCRLCheckHostList Use this setting to list servers that should be trusted without CRL checking. Unless a server is specified in this list, the Module Server performs a CRL check and does not download files from a server that does not pass. An entry here disables revocation checking for that server, so keep the list empty unless your TAM instructs otherwise.
BypassProxyHostList If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.

For example, a proxy server should not be used for traffic between Tanium Servers in an active-active cluster.

A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.

Use this setting to specify destinations that should not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses.

For example:

ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15

Version 7.0.314.6242 and later support wildcards.

LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
Note: The Proxy settings have entries only if a proxy server has been manually configured.

ProxyPassword Account password. Required if a Basic proxy is configured.

ProxyPort Port number of the proxy server.
ProxyType Basic or NTLM.
ProxyServer IP address of the proxy server.
ProxyUserid Account username to establish the connection with the proxy server. Required if a Basic proxy is configured. NTLM proxies use the credentials of the user context that runs the Tanium Module Server service.
ServerPort Module Server port. The default is 17477.
TrustedHostList Use this setting to list hosts that should be trusted without a valid SSL certificate.

The Module Server does not download files from a server without a valid SSL certificate, unless it is included in this list.

Add the FQDN or IP address of any servers you want to trust. In an active/active cluster, specify the FQDN for both Tanium Servers. Version 7.0.314.6242 and later support wildcards.

Version Tanium Module Server version number.


Tanium Zone Server settings reference

In general, you do not need to edit the Tanium Zone Server configuration settings. During troubleshooting, your TAM might advise you to review and modify settings described in the following table.

Table 3:   Tanium Zone Server settings
Setting    Guidelines
AllowedHubs A comma-separated list of IP addresses of Zone Server Hub(s) that are authorized to communicate with this Zone Server.
EnforceAllowedHubs When set to 1, the Zone Server accepts hub connections only from the addresses in AllowedHubs. Set the value to 1.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ReportingTLSCertPath Setting for inbound connections. Path to the TLS certificate. This certificate is used in TLS connections initiated by the Tanium Client.
ReportingTLSKeyPath Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ServerName Tanium Server fully qualified domain name.

ServerPort Tanium Server Port. The default is 17472.
Version Tanium Zone Server version number.
ZoneHubFlag 0 if not the hub; 1 if the hub.
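The three tables above list the settings you can review in the Tanium Configuration Settings menu. The following Python script, added here as an example and not Tanium's own tooling, audits a copied settings block for the weakening choices the tables warn about: TrustedHostList or BypassCRLCheckHostList entries (which disable certificate or revocation checks for those hosts, wildcards most of all), a log level of 91 or higher left on after troubleshooting, SSLHonorCipherOrder not set to 1, a cipher list that drops one of the page's exclusions or contains non-ECDHE suites, Basic proxy credentials kept in the settings, a proxy bypass list that omits localhost and 127.0.0.1, and on a Zone Server EnforceAllowedHubs not set to 1 or AllowedHubs entries that are not IP addresses. The key=value line layout and every sample value below are constructed assumptions for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample settings (key=value per line is an assumption about the file
# layout). The values deliberately include weak choices so the audit has findings.
SAMPLE_TANIUM_SERVER = """\
ServerPort=17472
ServerSOAPPort=8443
LogVerbosityLevel=91
SSLHonorCipherOrder=0
SSLCipherSuite=ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK
TrustedHostList=ts1.example.com, *.example.com
BypassCRLCheckHostList=
ProxyServer=10.10.10.20
ProxyPort=3128
ProxyType=Basic
ProxyUserid=svc-tanium
ProxyPassword=hunter2
BypassProxyHostList=ts1.example.com, ts2.example.com,127.0.0.1
"""

SAMPLE_ZONE_SERVER = """\
AllowedHubs=10.10.10.11, 10.10.10.15, zs-hub.example.com
EnforceAllowedHubs=0
LogVerbosityLevel=1
ZoneHubFlag=0
"""

# Exclusions present in the cipher string shown in the Tanium Server settings table.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5", "PSK"}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines, comments and [section] headers are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def split_host_list(value: str) -> List[str]:
    """Comma-separated host list; stray spaces after commas are tolerated."""
    return [h.strip() for h in value.split(",") if h.strip()]


def audit_cipher_suite(value: str) -> List[str]:
    """Flag missing '!' exclusions and any enabled suite that is not ECDHE (no forward secrecy)."""
    findings: List[str] = []
    tokens = [t for t in value.split(":") if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    for missing in sorted(REQUIRED_EXCLUSIONS - excluded):
        findings.append(f"SSLCipherSuite: missing exclusion !{missing}")
    for t in tokens:
        if not t.startswith("!") and not t.startswith("ECDHE-"):
            findings.append(f"SSLCipherSuite: {t} is not an ECDHE suite (no forward secrecy)")
    return findings


def audit(settings: Dict[str, str], zone_server: bool = False) -> List[str]:
    """Return one finding string per weakening setting; an empty list means nothing to report."""
    findings: List[str] = []
    level = int(settings.get("LogVerbosityLevel", "1") or "1")
    if level == 0:
        findings.append("LogVerbosityLevel: logging disabled")
    elif level >= 91:
        findings.append("LogVerbosityLevel: most detailed level (>=91); revert after troubleshooting")
    for key, what in (("TrustedHostList", "certificate validation"),
                      ("BypassCRLCheckHostList", "CRL checking")):
        for host in split_host_list(settings.get(key, "")):
            kind = "wildcard" if "*" in host else "host"
            findings.append(f"{key}: {kind} {host} bypasses {what}")
    if "SSLHonorCipherOrder" in settings and settings["SSLHonorCipherOrder"] != "1":
        findings.append("SSLHonorCipherOrder: not 1; the client's cipher preference wins")
    if "SSLCipherSuite" in settings:
        findings.extend(audit_cipher_suite(settings["SSLCipherSuite"]))
    if settings.get("ProxyServer"):
        if settings.get("ProxyType") == "Basic" and settings.get("ProxyPassword"):
            findings.append("ProxyPassword: Basic proxy credentials are kept in the settings; restrict access to them")
        bypass = set(split_host_list(settings.get("BypassProxyHostList", "")))
        for required in ("localhost", "127.0.0.1"):
            if required not in bypass:
                findings.append(f"BypassProxyHostList: {required} missing; local package URIs would go via the proxy")
    # AllowedHubs applies to a Zone Server that is not itself the hub (ZoneHubFlag=0).
    if zone_server and settings.get("ZoneHubFlag", "0") != "1":
        if settings.get("EnforceAllowedHubs") != "1":
            findings.append("EnforceAllowedHubs: not 1; AllowedHubs is not enforced")
        hubs = split_host_list(settings.get("AllowedHubs", ""))
        if not hubs:
            findings.append("AllowedHubs: empty")
        for hub in hubs:
            try:
                ipaddress.ip_address(hub)
            except ValueError:
                findings.append(f"AllowedHubs: {hub} is not an IP address")
    return findings


if __name__ == "__main__":
    for name, text, zs in (("Tanium Server", SAMPLE_TANIUM_SERVER, False),
                           ("Zone Server", SAMPLE_ZONE_SERVER, True)):
        print(f"== {name} ==")
        for finding in audit(parse_settings(text), zone_server=zs):
            print("  -", finding)
```

Run it against the text you copy out of the settings menu; every finding maps to a row in the tables above, so the remediation is the TAM-approved value for that row rather than an ad hoc change.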

Edit zone server list

  1. Log into the Zone Server Hub appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 11 to edit the zoneserverlist.txt file.
  5. Add the IP address or FQDN for each Zone Server and save the file.

Edit zone server isolated subnets list

You can use the Tanium Console to configure the isolated subnets list for Tanium Servers but not Zone Servers. You can use the TanOS menus to configure the list for Zone Servers.

  1. On the Zone Server appliance, log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 12 to edit the isolatedsubnets.txt file.
  5. Use the menu to specify, in CIDR notation, the subnets in which clients must never peer with each other.
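As an added example covering both the zone server list and the isolated subnets list (example code, not Tanium's own), the Python below validates each entry before you save the file: a zoneserverlist.txt entry must be an IP address or an FQDN, and an isolatedsubnets.txt entry must be a well-formed CIDR network, with strict parsing so that an entry with host bits set (172.16.5.1/24) is rejected instead of being silently widened. It also answers the question the list exists for: whether a given client address falls in an isolated subnet and therefore must not peer. The sample file contents are constructed, and the one-entry-per-line layout is an assumption.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample file contents (one entry per line is an assumption). Two of the
# isolated-subnet lines are deliberately malformed, and one zone server name is not a
# valid hostname, so the checks below have something to reject.
SAMPLE_ISOLATED_SUBNETS = """\
10.50.0.0/16
192.168.17.0/24
172.16.5.1/24
10.60.0.0/33
"""

SAMPLE_ZONE_SERVER_LIST = """\
zs1.example.com
10.10.20.5
zs_2.example.com
"""

# One DNS label: 1-63 chars of letters, digits or hyphen, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def load_isolated_subnets(text: str) -> Tuple[list, List[str]]:
    """Parse isolated subnets; returns (networks, errors) so a bad line is never dropped silently."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=True rejects an address with host bits set rather than masking it.
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r}: {exc}")
    return networks, errors


def may_peer(client_ip: str, networks) -> bool:
    """False when the client address sits inside an isolated subnet."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in networks)


def valid_zone_server_entry(entry: str) -> bool:
    """Accept an IPv4/IPv6 address or a multi-label hostname made of valid DNS labels."""
    entry = entry.strip()
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    return len(entry) <= 253 and len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def check_zone_server_list(text: str) -> List[str]:
    """Return the entries that would not be accepted as an IP address or FQDN."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not valid_zone_server_entry(line)]


if __name__ == "__main__":
    nets, errs = load_isolated_subnets(SAMPLE_ISOLATED_SUBNETS)
    print("isolated subnets:", [str(n) for n in nets])
    for e in errs:
        print("rejected:", e)
    for ip in ("10.50.3.7", "10.51.0.1"):
        print(ip, "may peer" if may_peer(ip, nets) else "must not peer")
    print("bad zone server entries:", check_zone_server_list(SAMPLE_ZONE_SERVER_LIST))
```

Fix every rejected line before saving the file on the appliance; a client in a subnet that failed to parse would otherwise be allowed to peer as if the subnet were not listed.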

Change a Tanium component server port

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 3 to go to the Change Tanium Port menu.
  4. Use the menu to change the port configuration.

Install a custom SOAP certificate

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA). For details on certificate requirements, including the filenames expected in the Tanium installations, see the Tanium Core Platform Installation Guide.

Upload the CA certificate file

  1. Set up an SFTP client to connect to the Tanium appliance:
    1. Specify tancopy for user name.
    2. Click the Advanced button.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Completing the initial setup (hardware appliances).
  2. Use SFTP to copy the SOAP certificate and key files to the /incoming directory on the appliance.

Install the SOAP certificate file

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 4 to go to the Install Custom SOAP Cert procedure.
  4. Follow the prompts to install the certificate and key files you uploaded in the previous procedure.

If you replace the self-signed SOAP certificate on the Tanium Server with a CA-provided certificate, you must also redo the remote Module Server configuration steps to update the certificates that are derived from that certificate on each server (namely, trusted.crt on the Module Server appliance and trusted-module-servers.crt on the Tanium Server appliance).

Enable import of user-created content

The Tanium Server requires content XML files that are imported into the Tanium Console to be signed; the signatures are verified against public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered via content.tanium.com are included with the installation. To import user-created content, you must use a utility provided by Tanium to sign the content, and you must upload the public key from that pair to the Tanium Server.

  1. Download the content signing key utility (KeyUtility.exe). See Download the content signing key utility.
  2. Use KeyUtility.exe to generate a cryptographic key pair and use it to sign the user-created content you want to import into the Tanium Server. See the Tanium Core Platform User Guide.
  3. Rename the public key file from that key pair to import.pub and use SFTP to upload it to the /incoming folder of the Tanium Server appliance.
  4. Log into the TanOS console as the user tanadmin.
  5. Enter 2 to go to the Tanium Operations menu.
  6. Enter 5 to go to the Manage Custom Signing Keys menu.
  7. Enter 3 to go to the Add Content Signing Key menu and then follow the prompts to import the public key file.

Download the content signing key utility

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Manage Custom Signing Keys menu.
  4. Enter 1 to copy the KeyUtility.exe and related files to a zip file in the /outgoing directory.
  5. Use SFTP to copy the file from the /outgoing directory to your local computer.

Manage content signing keys

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Manage Custom Signing Keys menu.
  4. Use the menus to add, remove, or list the key files.

Download the Tanium Server public key file

Download the Tanium Server public key file so you can include it in Tanium Client installation packages.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 6 to go to the Download Public Key procedure.
  4. Follow the prompts to copy the public key to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Download the Tanium Server SOAP certificate

Download the Tanium Server SOAP certificate file for configuration of a remote Windows Module Server, or other use.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 7 to go to the Download SOAP Certificate procedure.
  4. Follow the prompts to copy the SOAP certificate file to the /outgoing directory.
  5. Use SFTP to copy the SOAP certificate file from the /outgoing directory on the appliance to your management computer.

Import the Tanium public/private key pair

When you migrate an existing deployment to new installations, you might want to migrate the Tanium Server public/private key pair to avoid redistributing the tanium.pub key file to Tanium Clients.

Upload the public and private key files

  1. Add the public/private key pair you want to copy to a passphrase-protected tanium.zip file.
  2. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Replace the public and private keys

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 8 and then follow the prompts to import the zip file and install the keys.

Change the Tanium content manifest URL

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manifest URL Change menu and make your changes.

Install the Trace Zone Proxy package

The Trace zone proxy service has two parts: the Trace zone proxy (TZ proxy) and the Trace zone hub (TZ hub). The TZ hub is installed on a Tanium Module Server and the TZ proxy is typically installed on a Zone Server. The TZ hub connects to one or more TZ proxies, creating a tunnel between itself and each proxy to allow Trace remote endpoint connections to be established.

Import the Trace Zone Hub solution

In the Tanium Console, go to the Solutions page and import the Trace Zone Hub solution.

Generate the Trace Zone Proxy package

Go to Trace and generate a Trace Zone Proxy package. See the Tanium Trace User Guide.

Download the Trace Zone Proxy package from the Module Server

  1. Log into the Module Server TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter M to display the Module Operations menu.
  4. Enter 1 and then follow the prompts to copy the Trace Zone Proxy package to the /outgoing folder.
  5. Use SFTP to copy the file to your management computer.

Install the Trace Zone Proxy package on the Zone Server

  1. Use SFTP to copy the file to the Zone Server /incoming folder.
  2. Log into the Zone Server TanOS console as the user tanadmin.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter M to display the Module Operations menu.
  5. Enter A and then follow the prompts to install the Trace Zone Proxy package.

Last updated: 11/8/2018 3:04 PM