Reference: User Administration menu

Use TanOS to manage user accounts on the Tanium appliance. Users with the tanadmin role can manage two types of user accounts:

• Use the TanOS User Management menu to manage TanOS system users. These user accounts can access the TanOS console, but not the Tanium™ Console. This includes the predefined TanOS users tanadmin, tancopy, and tanuser. TanOS system users are local to each appliance, users are not shared across appliances. For more information on the predefined TanOS user accounts, see Configure user access (physical appliance) or Configure user access (virtual appliance).
• Use the TanOS User Management menu to manage TanOS system users. These user accounts can access the TanOS console, but not the Tanium™ Console. This includes the predefined TanOS users tanadmin, tancopy, and tanuser. TanOS system users are local to each appliance, users are not shared across appliances. For more information on the predefined TanOS user accounts, see Configure user access.
• Use the Local Tanium User Management menu to manage Tanium users who can access the Tanium Console through a web browser. These user accounts cannot access the TanOS console. TanOS hosts a local authentication service that you can use for Tanium Console user authentication. In addition, you can use your enterprise LDAP server to manage Tanium Console authentication. For details on using LDAP, see the Tanium Core Platform User Guide.

Change TanOS user passwords

The TanOS special users tanadmin and tanuser can make password-authenticated SSH connections to the TanOS console.

Change the tanadmin password

Use these steps to reset the password for the current tanadmin user. To change the password for another tanadmin user, see Manage system users.

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter P and follow the prompts to change the password. View screen

   >>> TanAdmin -> Password Change <<< 
   
   
    The password policy requires meeting these rules:
     - Minimum of 10 characters long
     - At least 1 upper case character
     - At least 1 lower case character
     - At least 1 numeric character
     - At least 1 other character
     - Must not match any of recent 4 passwords
     - Must not be based on a dictionary word
     - Must not contain part of the username
   
   
    Do you want to continue with password change for user tanadmin? [Yes|No]: 

After the password changes, you are signed out.

Reset the tanuser password

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
                 >>> User Administration <<< 
   
   		U: TanOS User Management
   		I: Recent Login Information
   
   		L: Local Tanium User Management
   
   		H: Help
   		R: Return to previous menu
   
   ------------------------------------------------------

3. Enter U to go to the TanOS User Management menu. View screen

   >>> User Administration -> TanOS <<<
   
   #: User ID       Role       Locked  Name
   
   1: tanadmin     tanadmin   No (0)  Tanium Privileged User
   2: tancopy      tanuser    No (0)  Tanium Copy User
   3: tanuser      tanuser    No (0)  Tanium Restricted User
   
   A: Add System User
   
   R: Return to previous menu
   
   ------------------------------------------------------

4. Enter 3 to select the tanuser user. View screen

   >>> User Administration -> TanOS -> tanuser <<<
   
   Username:        tanuser
   Account Enabled: Yes
   Authentication:  SSH Key or Password
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: Change/Enable Password (Randomized)
   	N: Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

5. Enter C to Change/Enable Password, and follow the prompts to reset the password. View screen

   >>> User Administration -> System Users -> Reset Password  <<<A temporary password will be generate and the user is required to change
   their password upon login!
    
   The password policy requires meeting these rules:
   - Minimum of 10 characters long
   - At least 1 upper case character
   - At least 1 lower case character
   - At least 1 numeric character
   - At least 1 other character
   - Must not match any of recent 4 passwords
   - Must not be based on a dictionary word
   - Must not contain part of the username
   
   The temporary password for tanuser is: temporarypassword
   Successfully reset password for user tanuser.
   
   Resetting ssh lockout for user tanuser ...
   Successfully reset any lockout for user tanuser.
   
   Press enter to continue
   				

Manage SSH keys

The installation process generates a public/private SSH key pair for the tanadmin user. Use the SSH Key Management menu to perform the following functions:

• Regenerate the key pair.
• Generate keys for the other TanOS special users.
• Add authorized keys to support inbound user connections.
• View the public key so you can copy and paste it into other appliance configurations.

You can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.

Before you begin

• You must have an SSH client to sign into the TanOS console and an SFTP client such as WinSCP to copy files to and from the appliance.
• You must have an SSH key generator such as ssh-keygen to generate keys for the user.

Generate keys

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
                 >>> User Administration <<< 
   
   		U: TanOS User Management
   		I: Recent Login Information
   
   		L: Local Tanium User Management
   
   		H: Help
   		R: Return to previous menu
   
   ------------------------------------------------------

3. Enter U to go to the TanOS User Management menu.
4. Enter the line number of the user account that you want to manage. View screen

   >>> User Administration -> TanOS -> tanuser <<<
   
   Username:        tanuser
   Account Enabled: Yes
   Authentication:  SSH Key or Password
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: Change/Enable Password (Randomized)
   	N: Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

5. Enter P to go to the Manage SSH Key Pair menu. View screen

   >>> User Administration -> TanOS -> tanuser -> Key Pair <<< 
   
   Account: tanuser
   No SSH keys found for user tanuser. Please create key pair first
   
   	G: Generate ssh key pair
   
   	R: Return to previous menu
   
   ------------------------------------------------------

6. Enter G to generate a public/private key pair. View screen

   >>> User Administration -> Manage -> User -> SSH <<< 
   
   	Account: tanuser
   	Action:  Generate SSH Keys
   	No .ssh directory for user tanuser found - creating and securing it
   	keygen process finished successful
   	Finished generating keys for tanuser
   
   	Press enter to continue

Add authorized keys

1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
   • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
   • Specify a passphrase that is easy to remember.
   • Save the private key to a location that you can access when you set up your SFTP client.
2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

   In an SSH key exchange, the keys must match exactly.

3. Sign into the TanOS console as a user with the tanadmin role.
4. Enter C to go to the User Administration menu.
5. Enter U to go to the TanOS User Management menu.
6. Enter the line number for the tancopy user to go to the user administration menu for this user. View screen

   >>> User Administration -> TanOS -> tancopy <<< 
   
   Username:        tancopy
   Account Enabled: Yes
   Authentication:  SSH Key Only
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
     * This user account cannot have a password
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: [DISABLED] Change Password
   	N: [DISABLED] Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

7. Enter A to go to the Manage SSH Authorized Keys menu. View screen

   >>> User Administration -> TanOS -> tancopy -> Authorized Keys <<< 
   
   Username: tancopy
   Select an entry to view or delete.
   
   	1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY 
   	2: 2048 SHA256:8OV4S5V30aFu9pZKexRVaElF3BgJNEx+Y91fgbnzxIU
   			
          A: Add key
   
          R: Return to previous menu
   
   ------------------------------------------------------

8. Enter A and follow the prompts to add the contents of the public key generated in Step 1. View screen

   >>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<< 
   
   Account: tancopy
   Please paste the public key and press enter: 
   ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2zMDxW5TO5tm/U
   8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTqZ+KCgzbEhHLWUD44+If5RtG+
   U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBuemftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2m
   OJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvBoPeaCFaApQ== rsa-key-20200123
    Validating input
    Adding key to authorized keys after validation
    Finished adding authorized keys for tancopy
   
   
    Press enter to continue

View public keys

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter U to go to the TanOS User Management menu.
4. Enter the line number for the tancopy user to go to the user administration menu for this user. View screen

   >>> User Administration -> TanOS -> tancopy <<< 
   
   Username:        tancopy
   Account Enabled: Yes
   Authentication:  SSH Key Only
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
     * This user account cannot have a password
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: [DISABLED] Change Password
   	N: [DISABLED] Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

5. Enter P to go to the Manage SSH Key Pair menu to view the public key. View screen

   >>> User Administration -> TanOS -> tancopy -> Key Pair <<< 
   
   Account: tancopy
   SSH Public Key for user tancopy:
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZCvC+
   nF93Nqmv2lrlUJoDTrwCnpJkcm5Er5ywNFNem5MJZZd0esToJTpY43gb8XppB5JP7SdHVJk2M3Nm0DP+xapjAL35Cs/
   bdX48kwDc0R1m4Qc7/4aqQQkBcF/95Z3OrpD1EVW0bwF3KlsX9vEojQ3sO4PjNBQJxTepLI+iU1IQzu44OvUx4A7Jpk
   ZSZBL+t1KdyNl75vZ8vCfcG4KqdHqwVds1XIplaW77LcN8+G4kYUthlpWVrSLvWtKdZztGG+Kasj0y/VSqhlP7AHorU
   mDzuV4z4AOB7+UI8lcx8B5FPEverfNhPAXkemOrqnkd0oolLKeoEdiaakqANJHboI5gFJPJe1v1ZLDr47wXYqnGBccm
   1Tp/MQyMvtf98HKesBk4qXOgvBICLs44/pLVqXou/3c+sI+uCj1aNDlTjmpvG1TBLAuuCUiu3SkUi3zcZxlvqRD/YgVq/
   w9yGryG7pamAmBkYVXYqIx0JHfjxhO6er+pAZOpXPV8B4p3ie7lhzOJO+g7JRHwOEo+yLOyCU9yWwfvs6dsP7RqKS4EL
   asTLFnaKFT4D+sxZnEIxJPpy/gO8tQdfm69fz6RXh8GkWt/2CyyQ4DWVXt5AXLt6YbMFk0nNVbnOVih1/g6yHsTcxQKP
   zVDO/6fQ/tb33kbj5M5KhC1YI3pXxjMYZN1aQ
   
   	G: Generate ssh key pair
   
   	R: Return to previous menu
   
   ------------------------------------------------------

Configure TanOS system users

You can create TanOS users that have permissions equivalent to tanadmin or tanuser system users. The system users with the tanadmin role have access to all menus. System users with the tanuser role have access to status menus.

Add a system user

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu. View screen

   ------------------------------------------------------
   
                 >>> User Administration <<< 
   
   		U: TanOS User Management
   		I: Recent Login Information
   
   		L: Local Tanium User Management
   
   		H: Help
   		R: Return to previous menu
   
   ------------------------------------------------------

3. Enter U to go to the TanOS User Management menu. View screen

   >>> User Administration -> TanOS <<<
   
   #: User ID       Role       Locked  Name
   
   1: tanadmin     tanadmin   No (0)  Tanium Privileged User
   2: tancopy      tanuser    No (0)  Tanium Copy User
   3: tanuser      tanuser    No (0)  Tanium Restricted User
   
   A: Add System User
   
   R: Return to previous menu
   
   ------------------------------------------------------

4. Enter A and follow the prompts to add a system user. View screen

   >>> User Administration -> System Users -> Add System User <<< 
   
    Adding a system user requires first name, last name, user name and user role.
   
    Attention: 
    TanUser Role:  Monitor/Check the status of the appliance, no changes are allowed
    TanAdmin Role: Full administrative role to manage the appliance
   
    A temporary password will be generated and the new user is required to change 
    their password upon first login! 
   
    The password policy requires meeting these rules:
    - Minimum of 10 characters long
    - At least 1 upper case character
    - At least 1 lower case character
    - At least 1 numeric character
    - At least 1 other character
    - Must not match any of recent 4 passwords
    - Must not be based on a dictionary word
    - Must not contain part of the username
   
    Please enter first name: John
    Please enter last name: Doe
    Please enter desired user name (max 30 chars): john.doe
    Which role should be assigned to john.doe?
   
    1: TanUser (Monitoring)
    2: TanAdmin (Administrative)
   
    Please select: 2
   
    The temporary password for john.doe is: proudbrownwildfowl
   
    Adding local user john doe ...
    Successfully added user john doe (username: john.doe) with role tanadmin.
   
    Press enter to continue

Disable password access

You can disable password access for any user except the tanadmin special user. When you disable password access for a user, the user can only sign in through SSH using the configured SSH private key.

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter U to go to the TanOS User Management menu. View screen

   >>> User Administration -> TanOS <<<
   
   #: User ID       Role       Locked  Name
   
   1: tanadmin     tanadmin   No (0)  Tanium Privileged User
   2: tancopy      tanuser    No (0)  Tanium Copy User
   3: tanuser      tanuser    No (0)  Tanium Restricted User
   
   A: Add System User
   
   R: Return to previous menu
   
   ------------------------------------------------------

4. Enter the line item of the user that you want to manage to go to the User menu. View screen

   >>> User Administration -> TanOS -> tanuser <<<
   
   Username:        tanuser
   Account Enabled: Yes
   Authentication:  SSH Key or Password
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: Change/Enable Password (Randomized)
   	N: Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

5. Enter N and follow the prompts to disable password access for the user. View screen

    ------------------------------------------------------
   
   >>> User Administration -> TanOS -> john.doe <<< 
   
    Username:        john.doe 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
   
   			A: Manage SSH Authorized Keys
   			P: Manage SSH Key Pair
   			L: Reset SSH Lockout
   			C: Change/Enable Password (Randomized)
   			N: Disable Password Access
   
   			E: Enable Account
   			D: Disable Account
   			X: Delete User
   
   			F: Edit known hosts file
   
   			R: Return to previous menu
   
             ------------------------------------------------------
   
    TanOS Version:        1.6.4
    TanOS_Shell Version:  1.6.4
   
    Please select: N
   
    Disabling the password for an account means that
    1. The user can only log in via SSH (not a serial console or equivalent)
    2. The user can only log in using the configured SSH private key
    3. The user will not need to change their password periodically
   
    This operation can be reversed by setting a password again.
   
    Do you want to disable password access for john.doe? [Yes|No]: yes
    Successfully removed the password.
   
    Press enter to continue

Enable password access

Password access is enabled by default. If you disable password access for a user and want to re-enable password access, perform the following steps.

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter U to go to the TanOS User Management menu. View screen

   >>> User Administration -> TanOS <<<
   
   #: User ID       Role       Locked  Name
   
   1: tanadmin     tanadmin   No (0)  Tanium Privileged User
   2: tancopy      tanuser    No (0)  Tanium Copy User
   3: tanuser      tanuser    No (0)  Tanium Restricted User
   
   A: Add System User
   
   R: Return to previous menu
   
   ------------------------------------------------------

4. Enter the line item of the user that you want to manage to go to the User menu. View screen

   >>> User Administration -> TanOS -> tanuser <<<
   
   Username:        tanuser
   Account Enabled: Yes
   Authentication:  SSH Key or Password
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: Change/Enable Password (Randomized)
   	N: Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

5. Enter C to enable password access or reset the password for the selected user.
   • If you enable the password for the current user, enter a password.
   • If you enable password access for another user, TanOS generates a random password. View screen

     >>> User Administration -> System Users -> Reset Password  <<<A temporary password will be generate and the user is required to change
     their password upon login!
      
     The password policy requires meeting these rules:
     - Minimum of 10 characters long
     - At least 1 upper case character
     - At least 1 lower case character
     - At least 1 numeric character
     - At least 1 other character
     - Must not match any of recent 4 passwords
     - Must not be based on a dictionary word
     - Must not contain part of the username
     
     The temporary password for tanuser is: temporarypassword
     Successfully reset password for user tanuser.
     
     Resetting ssh lockout for user tanuser ...
     Successfully reset any lockout for user tanuser.
     
     Press enter to continue
     				

Manage system users

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter U to go to the TanOS User Management menu. View screen

   >>> User Administration -> TanOS <<<
   
   #: User ID       Role       Locked  Name
   
   1: tanadmin     tanadmin   No (0)  Tanium Privileged User
   2: tancopy      tanuser    No (0)  Tanium Copy User
   3: tanuser      tanuser    No (0)  Tanium Restricted User
   
   A: Add System User
   
   R: Return to previous menu
   
   ------------------------------------------------------

4. Enter the line number of the user that you want to manage to go to the User menu. View screen

   >>> User Administration -> TanOS -> tanuser <<<
   
   Username:        tanuser
   Account Enabled: Yes
   Authentication:  SSH Key or Password
   SSH Lockout:     No (0)
   
   Notes:
     * This user account cannot be deleted
   
   	A: Manage SSH Authorized Keys
   	P: Manage SSH Key Pair
   	L: Reset SSH Lockout
   	C: Change/Enable Password (Randomized)
   	N: Disable Password Access
   
   	E: Enable Account
   	D: Disable Account
   	X: [DISABLED] Delete User
   
   	F: Edit known hosts file
   
   	R: Return to previous menu
   
   ------------------------------------------------------

5. Use the menu to delete the user, reset or enable the password, manage SSH keys, disable password access, enable/disable the account, or delete entries from the known_hosts file for the user.

View history of sign-ins

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter I to go to the Recent Login Information menu. View screen

   ------------------------------------------------------
   
         >>> User Administration -> Recent Login Information <<< 
   
   System users can login to monitor the appliance
   or perform administrative tasks.
   
            A: View Last 20 Successful Logins
            B: View Last 20 Failed Logins
            C: View Login Statistics
   
            R: Return to previous menu
   
   ------------------------------------------------------

4. Use options A, B, and C to view the sign-in history.

Configure the local authentication service

You can use the local authentication service to set up Tanium Console user accounts for demo or testing purposes.

For best results, configure the Tanium Console to use an external LDAP server to authenticate Tanium users. For details, see the Tanium Core Platform User Guide. Additionally, if you plan to use the local authentication service with the Tanium LDAP Sync connector, you must use the following user filter in the LDAP Sync Connector configuration:

(&(objectClass=person)(uidNumber>=20000))

The Local Authentication Service menu is available only after you install the Tanium Server on the appliance.

Add a local user

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter L to go to the Local Tanium User Management menu. View screen

     ------------------------------------------------------
   
   >>> Appliance User Administration -> Local Tanium User Management <<< 
   
    Local Users can be used for Tanium application authentication.
   
             1: Add Local User
             2: Manage Local User(s)
   
             A: Enable/Disable Local Authentication Service
             B: Security Policy Local Authentication Service
   
             H: Help
             R: Return to previous menu
   
     ------------------------------------------------------

4. Enter 1 and follow the prompts to add a local user. View screen

   >>> Appliance User Administration -> Local Authentication -> Add Local User <<< 
   
    Adding a local user requires first name, last name and a user name.
   
    Attention: 
    Please assign the new user appropriate roles and rights in the Tanium application!
   
    Please enter first name: John
    Please enter last name: Doe
    Please enter desired user name (max 20 chars): john.doe
   
   
    The password policy requires meeting these rules:
     - Minimum 10 characters long
     - At least 1 upper case character
     - At least 1 lower case character
     - At least 1 numeric character
     - At least 1 other character
     - Must not be based on a dictionary word
     - Must not contain part of the username
   
    Please enter password (will not be displayed): 
    Password score: 50 out of 100 (strong)
    Please enter password again: 
   
    Successfully added user John Doe (username: john.doe) to the local authentication service.
    Press enter to continue

5. Sign into the Tanium Console as an administrator to create the user and assign roles to it. For details, see Tanium Console User Guide: Managing users.

Set a user password

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter L to go to the Local Tanium User Management menu. View screen

     ------------------------------------------------------
   
   >>> Appliance User Administration -> Local Tanium User Management <<< 
   
    Local Users can be used for Tanium application authentication.
   
             1: Add Local User
             2: Manage Local User(s)
   
             A: Enable/Disable Local Authentication Service
             B: Security Policy Local Authentication Service
   
             H: Help
             R: Return to previous menu
   
     ------------------------------------------------------

4. Enter 2 to go to the Manage Local Users menu. View screen

     ------------------------------------------------------
   
   >>> Appliance User Administration -> Tanium Users <<< 
   
   
      The following local users currently exist:
   
             #: User ID                Locked   Expired  User Name
   
             1: tanldap                NO       NO       tanldap tanldap 
             2: tanium                 NO       NO       tanium tanium 
   
             R: Return to previous menu
   
     ------------------------------------------------------

5. Enter the user line number to go to the User menu. View screen

    ------------------------------------------------------
   
   >>> User Administration -> Tanium Users -> tanldap <<< 
   
     UserID:         tanldap 
     Name:           tanldap tanldap 
     Lock Time:      n/a 
     Expiry Time:    n/a 
   
             1: Delete User
             2: Set Password
   
             R: Return to previous menu
   
    ------------------------------------------------------

6. Enter 2 and follow the prompts to set the user password. View screen

    ------------------------------------------------------
   
   >>> User Administration -> Tanium Users -> tanldap <<< 
   
     UserID:         tanldap 
     Name:           tanldap tanldap 
     Lock Time:      n/a 
     Expiry Time:    n/a 
   
             1: Delete User
             2: Set Password
   
             R: Return to previous menu
   
    ------------------------------------------------------
   
    TanOS Version:        1.6.4
    TanOS_Shell Version:  1.6.4
   
    Please select: 2
   
    Setting new password for tanldap
   
   
    The password policy requires meeting these rules:
     - Minimum 10 characters long
     - At least 1 upper case character
     - At least 1 lower case character
     - At least 1 numeric character
     - At least 1 other character
     - Must not be based on a dictionary word
     - Must not contain part of the username
   
    Please enter password (will not be displayed):

Delete a user

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter L to go to the Local Tanium User Management menu. View screen

     ------------------------------------------------------
   
   >>> Appliance User Administration -> Local Tanium User Management <<< 
   
    Local Users can be used for Tanium application authentication.
   
             1: Add Local User
             2: Manage Local User(s)
   
             A: Enable/Disable Local Authentication Service
             B: Security Policy Local Authentication Service
   
             H: Help
             R: Return to previous menu
   
     ------------------------------------------------------

4. Enter 2 to go to the Manage Local Users menu. View screen

     ------------------------------------------------------
   
   >>> Appliance User Administration -> Tanium Users <<< 
   
   
      The following local users currently exist:
   
             #: User ID                Locked   Expired  User Name
   
             1: tanldap                NO       NO       tanldap tanldap 
             2: tanium                 NO       NO       tanium tanium 
   
             R: Return to previous menu
   
     ------------------------------------------------------

5. Enter the user line number to go to the User menu. View screen

    ------------------------------------------------------
   
   >>> User Administration -> Tanium Users -> tanldap <<< 
   
     UserID:         tanldap 
     Name:           tanldap tanldap 
     Lock Time:      n/a 
     Expiry Time:    n/a 
   
             1: Delete User
             2: Set Password
   
             R: Return to previous menu
   
    ------------------------------------------------------

6. Enter 1 and follow the prompts to delete the user.

Disable the local authentication service

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter L to go to the Local Tanium User Management menu. View screen

     ------------------------------------------------------
   
   >>> Appliance User Administration -> Local Tanium User Management <<< 
   
    Local Users can be used for Tanium application authentication.
   
             1: Add Local User
             2: Manage Local User(s)
   
             A: Enable/Disable Local Authentication Service
             B: Security Policy Local Authentication Service
   
             H: Help
             R: Return to previous menu
   
     ------------------------------------------------------

4. Enter A and follow the prompts to enable or disable the local authentication service. View screen

   >>> User Administration -> Enable/Disable Local Authentication <<< 
   
    Current status of the Local Authentication Service:
    Enabled 
    Active 
   
    Warning: make sure that you have configured the Tanium application to use an 
    external authentication service prior to disabling the local authentication service!
   
    Would you like to disable the Local Authentication Service? [Yes|No]: yes
    
    Disabling Local Authentication Service
   
    Local Authentication Service has been disabled.
    Press enter to continue

Although the Tanium Console contains a soap_enable_local_auth global setting to disable local authentication, that setting is not supported for Tanium Appliance installations.

Modify the local authentication service security policy

The local authentication service security policy has the following default settings.

Setting	Factory Default	Description
Password Minimum Age (days)	1	The minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. Valid range is 0-20.
Password Maximum Age (days)	90	The age at which a current password expires. A value of 0 indicates the password does not expire. Valid range is 0-360.
Password Minimum Length	10	The minimum number of characters allowed in a password. Valid range is 0-30.
Password History	5	The number of most recent passwords that a user cannot reuse. A setting of 0 allows reuse of any previous passwords. Valid range is 0-10.
Password Lockout	True	True locks out a user with an expired password. False forces the user to change the password.
Password Maximum Failure	5	The number of failed attempts before a user is locked out. A setting of 0 allows unlimited failed attempts. Valid range is 0-10.

To modify the default settings:

1. Sign into the TanOS console as a user with the tanadmin role.
2. Enter C to go to the User Administration menu.
3. Enter L to go to the Local Tanium User Management menu. View screen

     ------------------------------------------------------
   
   >>> Appliance User Administration -> Local Tanium User Management <<< 
   
    Local Users can be used for Tanium application authentication.
   
             1: Add Local User
             2: Manage Local User(s)
   
             A: Enable/Disable Local Authentication Service
             B: Security Policy Local Authentication Service
   
             H: Help
             R: Return to previous menu
   
     ------------------------------------------------------

4. Enter B to go to the Security Policy Local Authentication Service menu. View screen

    ------------------------------------------------------
   >>> User Security Policy for Local Authentication Service <<< 
   
    Current Security Policy:
   
    Password Minimum Age (days):   1
    Password Maximum Age (days):   90
    Password Minimum Length:       10
    Password History:              5
    Password Lockout:              TRUE
    Password Maximum Failure:      5
   
    Would you like to change the security policy? [Yes|No]: 

5. Follow the prompts to modify the settings.