Reference: Tanium Operations menu

Tanium™ operations include management of Tanium services, configuration settings, and certificate and public key files.

Start, stop, and restart Tanium services

Tanium™ component servers and the database server can be managed with common service control commands:

  • Start
  • Stop
  • Restart
  • Disable
  • Enable

To issue a command:

  1. Log into the TanOS console as the user tanadmin.

    The TanOS console displays the tanadmin menu.

  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 1 to go to the Tanium Service Control menu.
  4. Enter the line number of the service you want to manage to display the service commands.
  5. Type the number of a service control command to issue it.

Change a Tanium server configuration

You can use the Configuration Settings menu to change the log level or the Tanium component server configuration settings. Contact your technical account manager (TAM) before changing Tanium configuration settings.

Edit server settings

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Use the menu to view and edit Tanium component server settings.

Tanium Server settings reference

In general, you do not need to edit the Tanium Server settings. During troubleshooting, your technical account manager (TAM) might advise you to review and modify the settings described in the following table.

Table 1:   Tanium Server settings
Settings Guidelines
AddressMask Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain.

Do not change this setting unless instructed to do so by your TAM.

AllowedHubs Comma-separated list of Zone Server Hubs allowed to connect to this Tanium Server. Typically, the Zone Server Hub is collocated on the Tanium Server appliance and this setting has a value 127.0.0.1.
AuthPluginTimeoutSeconds The default is 60.
AuthenticationPlugin String that specifies the pluggable authentication module (PAM).
ConsoleSettingsJSON Path to the console settings file.
LogPath The default is /opt/Tanium/TaniumServer/Logs.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ModuleServer Module Server IP address.
ModuleServerPort Module Server port. The default is 17477.
ProxyPassword Account password. Required if a Basic proxy is configured.
ProxyPort Port number of the proxy server.
ProxyType Basic, NTLM, or None.
ProxyServer IP address of the proxy server.
ProxyUserid Account username to establish the connection with the proxy server.
ReportingTLSCertPath Setting for inbound connections. Path to the TLS certificate that was created upon installation. This certificate is used in TLS connections initiated by the Tanium Client, the Tanium Zone Server Hub, or the Tanium Zone Server.
ReportingTLSKeyPath Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ReportingTLSMode Configures TLS for outgoing connections that the server initiates. On a Tanium Server, configure this option if you want to enable TLS for the Tanium Server to Zone Server Hub segment, if the Zone Server Hub is not collocated on the Tanium Server. Otherwise, this setting does not apply to a Tanium Server appliance role, which uses IPsec instead of TLS to secure the Tanium Server Active-Active cluster communication.
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)
RequireIncomingEncryption Setting for inbound connections. Implicitly set to 0 by default. To set a different value, you must add the setting.
  • 0 (TLS not required)
  • 1 (TLS required)

Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration. Do not set this to 1 if your deployment has Tanium Client 6.0, which does not support TLS.

ServerPort Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change Tanium Port menu.
ServerSOAPPort Tanium Console and SOAP API port. The default is 8443. Port 443 redirects to 8443.
SQLConnectionString Database server connection information. 

Example:

postgres:[email protected]=postgres password= dbname=tanium sslmode=require port=5432

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder The default is 1, which makes the server's preference order in SSLCipherSuite take precedence over the client's preferred cipher.
TrustedCertPath Path to the certificate file used for secure connections to the Tanium Console port.
TrustedHostList Use this setting to list hosts that should be trusted without a valid SSL certificate.

The Tanium Server does not download files from a server without a valid SSL certificate, unless it is included in this list.

Add the FQDN or IP address of any servers you want to trust. In an active/active cluster, specify the FQDN for both Tanium Servers. Version 7.0.314.6242 and later support wildcards.

Version Tanium Server version number.


Table 2:   Tanium Server TDownloader (TDL) settings
Settings Guidelines
BypassCRLCheckHostList Use this setting to list servers that should be trusted without CRL checking. Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.
BypassProxyHostList If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.

For example, a proxy server should not be used for traffic between Tanium Servers in an active-active cluster.

A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.

Use this setting to specify destinations that should not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses.

For example:

ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15

Version 7.0.314.6242 and later support wildcards.

LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ProxyPassword Account password. Required if a Basic proxy is configured.
ProxyPort Port number of the proxy server.
ProxyType Basic, NTLM, or None.
ProxyServer IP address of the proxy server.
ProxyUserid Account username to establish the connection with the proxy server.
TrustedCertPath Path to the TLS CA bundle of trusted certificates.
TrustedHostList Use this setting to list hosts that should be trusted without a valid SSL certificate.

The Tanium Server does not download files from a server without a valid SSL certificate, unless it is included in this list.

Add the FQDN or IP address of any servers you want to trust. In an active/active cluster, specify the FQDN for both Tanium Servers. Version 7.0.314.6242 and later support wildcards.
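The encryption and validation settings in Tables 1 and 2 are the ones to review before an appliance goes into production, and the Important note above shows why the permissive values matter. The following is an added example, not Tanium code or output from the TanOS menus: it audits a constructed Key=Value dump of Tanium Server and TDownloader settings (the line format and the merged key set are assumptions) and reports every value that leaves TLS optional, skips certificate or CRL validation, weakens the cipher string, or leaves troubleshooting logging on. The WEAK and HARDENED samples are constructed; the hardened one carries the SSLCipherSuite exclusions shown in Table 1.

```python
"""Audit a Tanium Server settings dump for permissive encryption, validation
and logging values.  Added example, not Tanium code: the Key=Value line
format, the merged Tanium Server + TDownloader key set and the thresholds
are assumptions drawn from the settings tables in this reference."""
import re

# Constructed samples, not real appliance output: WEAK leaves every knob at
# its permissive value, HARDENED is the same deployment after review.
WEAK = """
; constructed sample
LogVerbosityLevel=91
RequireIncomingEncryption=0
ReportingTLSMode=0
TrustedHostList=*
BypassCRLCheckHostList=mirror.example.com
SSLCipherSuite=AES128-SHA:RC4-SHA:!aNULL
SSLHonorCipherOrder=0
SQLConnectionString=host=10.0.0.5 user=postgres dbname=tanium sslmode=disable port=5432
ProxyType=Basic
ProxyUserid=svc-tanium
"""
HARDENED = """
LogVerbosityLevel=1
RequireIncomingEncryption=1
ReportingTLSMode=1
TrustedHostList=
BypassCRLCheckHostList=
SSLCipherSuite=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder=1
SQLConnectionString=host=10.0.0.5 user=postgres dbname=tanium sslmode=verify-full port=5432
ProxyType=None
"""
# Cipher classes the reference's default SSLCipherSuite excludes; a local
# edit should still carry each one as a '!' exclusion.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5", "PSK")
SAFE_SSLMODES = ("require", "verify-ca", "verify-full")  # libpq values that force TLS


def parse_settings(text):
    """Parse Key=Value lines; blank lines and ';' or '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in ";#" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def split_host_list(value):
    """Comma-separated host list; tolerates spaces after commas."""
    return [h.strip() for h in value.split(",") if h.strip()]


def audit(settings):
    """Return (setting, problem) tuples; an empty list means nothing to review."""
    findings = []
    # Table 1: a missing RequireIncomingEncryption is implicitly 0.
    if settings.get("RequireIncomingEncryption", "0") != "1":
        findings.append(("RequireIncomingEncryption", "non-TLS client registrations accepted"))
    if settings.get("ReportingTLSMode") == "0":
        findings.append(("ReportingTLSMode", "TLS disabled on server-initiated connections"))
    level = settings.get("LogVerbosityLevel", "1")
    if not level.isdigit() or int(level) >= 41:
        findings.append(("LogVerbosityLevel", f"level {level} should be 1 outside troubleshooting"))
    for name, check in (("TrustedHostList", "certificate validation"),
                        ("BypassCRLCheckHostList", "CRL checking")):
        hosts = split_host_list(settings.get(name, ""))
        if "*" in hosts:
            findings.append((name, f"bare '*' disables {check} for every host"))
        elif hosts:
            findings.append((name, f"{check} skipped for: {', '.join(hosts)}"))
    suite = settings.get("SSLCipherSuite", "")
    excluded = {t[1:] for t in suite.split(":") if t.startswith("!")}
    missing = [c for c in REQUIRED_EXCLUSIONS if c not in excluded]
    if suite and missing:
        findings.append(("SSLCipherSuite", "no exclusion for " + ", ".join(missing)))
    if settings.get("SSLHonorCipherOrder", "1") != "1":
        findings.append(("SSLHonorCipherOrder", "client, not server, chooses the cipher"))
    conn = settings.get("SQLConnectionString", "")
    mode = re.search(r"\bsslmode=(\S+)", conn)
    if conn and (mode is None or mode.group(1) not in SAFE_SSLMODES):
        findings.append(("SQLConnectionString", "database link does not require TLS"))
    if settings.get("ProxyType", "None").lower() == "basic":
        findings.append(("ProxyType", "Basic auth sends proxy credentials base64-encoded, unencrypted"))
    return findings


if __name__ == "__main__":
    for label, dump in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        findings = audit(parse_settings(dump))
        print(f"{label}: {len(findings)} finding(s)")
        for setting, problem in findings:
            print(f"  {setting}: {problem}")
```

Run it against a settings dump captured from the Configuration Settings menu. Entries in TrustedHostList are reported even when they are the two cluster FQDNs that Table 1 tells you to add, because each one is a host whose certificate is never validated; treat those findings as items to confirm rather than remove. For SQLConnectionString, sslmode=require only encrypts the database link; verify-ca or verify-full also authenticates the database server.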

Tanium Module Server reference

In general, you do not need to edit the Tanium Module Server configuration settings. During troubleshooting, your TAM might advise you to review and modify settings described in the following table.

Table 3:   Tanium Module Server settings
Settings Guidelines
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ServerPort Module Server port. The default is 17477.
Version Tanium Module Server version number.


Table 4:   Tanium Module Server TDownloader (TDL) settings
Settings Guidelines
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
BypassCRLCheckHostList Use this setting to list servers that should be trusted without CRL checking. Unless a server is specified in this list, TDownloader performs a CRL check and does not download files from a server that does not pass.
BypassProxyHostList If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.
ProxyPassword Account password. Required if a Basic proxy is configured.

Note: The Proxy settings have entries only if a proxy server has been manually configured.

ProxyPort Port number of the proxy server.
ProxyType Basic, NTLM, or None.
ProxyServer IP address of the proxy server.
ProxyUserid Account username to establish the connection with the proxy server.
TrustedCertPath Path to the TLS CA bundle of trusted certificates.
TrustedHostList Use this setting to list hosts that should be trusted without a valid SSL certificate.
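TrustedHostList, BypassCRLCheckHostList and BypassProxyHostList (Tables 2 and 4) each exempt a set of destinations from one protection, and a wildcard entry widens that exemption considerably. The example below is added here and is not Tanium code; it models how those three lists would be applied to a download URL under assumed semantics: the URL host is compared case-insensitively with each entry, a wildcard entry behaves like a shell glob (so *.example.com matches ts1.example.com but not example.com), and an IP address in the URL must appear in the list as that literal. The cluster lists are constructed from the BypassProxyHostList example in Table 2.

```python
"""Work out which TDownloader protections a download skips for a given
destination, from the three comma-separated host lists in Tables 2 and 4.
Added example, not Tanium code.  Assumed semantics: case-insensitive
comparison of the URL host with each entry, shell-glob wildcards, and
literal matching of IP addresses."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def split_host_list(value):
    """Comma-separated list; tolerates the space after a comma seen in the
    BypassProxyHostList example above."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def host_in_list(host, entries):
    """fnmatchcase gives '*' and '?' glob semantics and nothing else."""
    host = host.lower()
    return any(fnmatchcase(host, entry) for entry in entries)


def overbroad_entries(entries):
    """Entries with no literal part ('*', '*.*', '?*'): they exempt every
    destination rather than a named server."""
    return [e for e in entries if not e.replace("*", "").replace("?", "").strip(".")]


def download_policy(url, bypass_proxy="", trusted_hosts="", bypass_crl="",
                    proxy_configured=True):
    """Return which checks still apply when the downloader fetches `url`."""
    parts = urlsplit(url)
    host = parts.hostname or ""        # urlsplit lower-cases the host part
    tls = parts.scheme.lower() == "https"
    return {
        "host": host,
        "tls": tls,
        # The proxy is skipped for listed destinations, or when none is set.
        "uses_proxy": proxy_configured and not host_in_list(host, split_host_list(bypass_proxy)),
        # Without TLS there is no certificate to validate in the first place.
        "verifies_certificate": tls and not host_in_list(host, split_host_list(trusted_hosts)),
        "checks_crl": tls and not host_in_list(host, split_host_list(bypass_crl)),
    }


# Constructed lists for a two-node active/active cluster, following the
# guidance in Tables 1 and 2 (not real deployment values).
CLUSTER_BYPASS_PROXY = "ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15"
CLUSTER_TRUSTED = "ts1.example.com,ts2.example.com"

if __name__ == "__main__":
    for url in ("https://content.tanium.com/files/initialcontent.xml",
                "https://TS2.example.com/files/custom.xml",
                "http://10.10.10.11/files/tools.zip"):
        print(download_policy(url, CLUSTER_BYPASS_PROXY, CLUSTER_TRUSTED))
    print("overbroad:", overbroad_entries(split_host_list("*, *.*, mirror.example.com")))
```

The overbroad_entries check catches entries that exempt every destination rather than a named server; a bare * in TrustedHostList turns certificate validation off for every download. Note also that the two Tanium Server FQDNs the reference tells you to add to TrustedHostList come out with verifies_certificate False: that is the exemption the list grants, so re-check whether it is still needed once a CA-issued SOAP certificate is installed.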

Tanium Zone Server settings reference

In general, you do not need to edit the Tanium Zone Server configuration settings. During troubleshooting, your TAM might advise you to review and modify settings described in the following table.

Table 5:   Tanium Zone Server settings
Settings Guidelines
AllowedHubs A comma-separated list of IP addresses of Zone Server Hub(s) that are authorized to communicate with this Zone Server.
EnforceAllowedHubs Set the value to 1 so that only the hubs listed in AllowedHubs are accepted.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ReportingTLSCertPath Setting for inbound connections. Path to the TLS certificate. This certificate is used in TLS connections initiated by the Tanium Client.
ReportingTLSKeyPath Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ReportingTLSMode Configures TLS for outgoing connections that the server initiates. On a Zone Server hub, you configure this option to enable TLS for the Zone Server Hub to Zone Server segment. Automatically set to 2 when you complete the Zone Server TLS setup.
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)
RequireIncomingEncryption Setting for inbound connections. Automatically set to 0 when you complete the Zone Server TLS setup.
  • 0 (TLS not required)
  • 1 (TLS required)

Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration. Do not set this to 1 if your deployment has Tanium Client 6.0, which does not support TLS.

ServerName Tanium Server fully qualified domain name.
ServerPort Tanium Server Port. The default is 17472.
Version Tanium Zone Server version number.
ZoneHubFlag 0 if not the hub; 1 if the hub.


Add an authentication user for TDownloader

TDownloader is a utility used by the Tanium Core Platform to perform file downloads. A destination server might require user authentication. Use this menu to add user credentials for the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 3 (Tanium Server TDL Auth User) or 7 (Tanium Module Server TDL Auth User) and follow the prompts to configure user credentials for the specified destination server URL.
  5. Review the resulting configuration.

Add an authentication certificate for TDownloader

A destination server might require certificate authentication. Use this menu to add a client certificate and key to Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Use SFTP to copy the client certificate file and key file to the /incoming folder.
  2. Log into the TanOS console as the user tanadmin.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter 2 to go to the Tanium Configuration Settings menu.
  5. Enter 4 (Tanium Server TDL Auth Cert) or 8 (Tanium Module Server TDL Auth Cert) and follow the prompts to upload the certificate and key file and configure TDownloader to use them for the specified destination server URL.
  6. Review the resulting configuration.

Manage authentication certificates for Tanium Patch connections with RedHat

Tanium Patch downloads files from a RedHat satellite server that requires certificate authentication.

  1. Obtain from RedHat a client certificate and key file that are specific to your subscription entitlement and create files named client-certificate.pem and client-key.pem as described in the Tanium Support KB: Creating a RedHat certificate for Tanium downloads (login required).
  2. Use SFTP to copy the certificate file and key file to the /incoming folder.
  3. Log into the TanOS console as the user tanadmin.
  4. Enter 2 to go to the Tanium Operations menu.
  5. Enter 2 to go to the Tanium Configuration Settings menu.
  6. Enter 4 (Tanium Server TDL Auth Cert) and follow the prompts to upload the certificate file and key file and to configure TDownloader to use them for the specified destination server URL.
  7. Enter 12 (Control RedHat CA Cert) and use the menu to install the RedHat enterprise CA certificate file (redhat-uep.pem).

Edit zone server list

  1. Log into the Zone Server Hub appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 10 to edit the zoneserverlist.txt file.
  5. Add the IP address or FQDN for each Zone Server and save the file.

Edit zone server isolated subnets list

You can use the Tanium Console to configure the isolated subnets list for Tanium Servers but not Zone Servers. You can use the TanOS menus to configure the list for Zone Servers.

  1. On the Zone Server appliance, log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 11 to edit the isolatedsubnets.txt file.
  5. Use the menu to specify the CIDR IP address for subnets in which clients should never peer.

Change a Tanium component server port

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 3 to go to the Change Tanium Port menu.
  4. Use the menu to change the port configuration.

Install a custom SOAP certificate

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA). For details on certificate requirements, including the filenames expected in the Tanium installations, see the Tanium Core Platform Installation Guide.

Upload the CA certificate file

  1. Set up an SFTP client to connect to the Tanium appliance:
    1. Specify tancopy for user name.
    2. Click the Advanced button.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Completing the initial setup (hardware appliances).
  2. Use SFTP to copy the SOAP certificate and key files to the /incoming directory on the appliance.

Install the SOAP certificate file

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 4 to go to the Install Custom SOAP Cert procedure.
  4. Follow the prompts to install the certificate and key files you uploaded in the previous procedure.

If you replace the self-signed SOAP certificate on the Tanium Server with a CA-provided certificate, you must also redo the remote Module Server configuration steps to update the certificates that are derived from that certificate on each server (namely, trusted.crt on the Module Server appliance and trusted-module-servers.crt on the Tanium Server appliance).

Enable import of user-created content

The Tanium Server requires content XML files that are imported into the Tanium Console to be signed and the signatures are verified by public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered via content.tanium.com are included with the installation. To import user-created content, you must use a utility provided by Tanium to sign the content, and you must upload the public key from that pair to the Tanium Server.

  1. Download the content signing key utility (KeyUtility.exe). See Download the content signing key utility.
  2. Use KeyUtility.exe to generate a cryptographic key pair and use it to sign the user-created content you want to import into the Tanium Server. See the Tanium Core Platform User Guide.
  3. Rename the public key file from that key pair to import.pub and use SFTP to upload it to the /incoming folder of the Tanium Server appliance.
  4. Log into the TanOS console as the user tanadmin.
  5. Enter 2 to go to the Tanium Operations menu.
  6. Enter 5 to go to the Manage Custom Signing Keys menu.
  7. Enter 3 to go to the Add Content Signing Key menu and then follow the prompts to import the public key file.

Download the content signing key utility

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Manage Custom Signing Keys menu.
  4. Enter 1 to copy the KeyUtility.exe and related files to a zip file in the /outgoing directory.
  5. Use SFTP to copy the file from the /outgoing directory to your local computer.

Manage content signing keys

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Manage Custom Signing Keys menu.
  4. Use the menus to add, remove, or list the key files.

Download the Tanium Server public key file

Download the Tanium Server public key file so you can include it in Tanium Client installation packages.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 6 to go to the Download Public Key procedure.
  4. Follow the prompts to copy the public key to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Download the Tanium Server SOAP certificate

Download the Tanium Server SOAP certificate file for configuration of a remote Windows Module Server, or other use.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 7 to go to the Download SOAP Certificate procedure.
  4. Follow the prompts to copy the SOAP certificate file to the /outgoing directory.
  5. Use SFTP to copy the SOAP certificate file from the /outgoing directory on the appliance to your management computer.

Import the Tanium public/private key pair

When you migrate an existing deployment to new installations, you might want to migrate the Tanium Server public/private key pair to avoid redistributing the tanium.pub key file to Tanium Clients.

Upload the public and private key files

  1. Add the public/private key pair you want to copy to a passphrase-protected tanium.zip file.
  2. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Replace the public and private keys

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 8 and then follow the prompts to import the zip file and install the keys.

Change the Tanium content manifest URL

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manifest URL Change menu and make your changes.

Install the Trace Zone Proxy package

The Trace zone proxy service has two parts: the Trace zone proxy (TZ proxy) and the Trace zone hub (TZ hub). The TZ hub is installed on a Tanium Module Server and the TZ proxy is typically installed on a Zone Server. The TZ hub connects to one or more TZ proxies, creating a tunnel between itself and each proxy to allow Trace remote endpoint connections to be established.

Import the Trace Zone Hub solution

In the Tanium Console, go to the Solutions page and import the Trace Zone Hub solution.

Generate the Trace Zone Proxy package

Go to Trace and generate a Trace Zone Proxy package. See the Tanium Trace User Guide.

When you generate the Trace Zone Proxy package, the package displays a Pending status and a Publish All button. Do not click Publish All until you have downloaded the Trace Zone Proxy package from the Module Server, as described in the next section. As a security feature, the package .zip files are deleted from the Module Server when you click Publish All.

Download the Trace Zone Proxy package from the Module Server

  1. Log into the Module Server TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter M to display the Module Operations menu.
  4. Enter 1 and then follow the prompts to copy the Trace Zone Proxy package to the /outgoing folder.
  5. Use SFTP to copy the file to your management computer.

Install the Trace Zone Proxy package on the Zone Server

  1. Use SFTP to copy the file to the Zone Server /incoming folder.
  2. Log into the Zone Server TanOS console as the user tanadmin.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter M to display the Module Operations menu.
  5. Enter A and then follow the prompts to install the Trace Zone Proxy package.

Last updated: 2/5/2019 11:52 AM