Contact Tanium Support to obtain a virtual Tanium Appliance image file and license.
Requirements
- License: Contact Tanium Support to obtain a valid license. Tanium Support must know the fully qualified domain name (FQDN) for each Tanium Server appliance in your deployment to generate your license file.
- Hypervisor: VMware ESXi, Microsoft Hyper-V, or KVM. For specifications, see Reference: Tanium Appliance specifications.
- Network: Be ready to specify the static IP address in CIDR format (such as 192.168.2.0/24), default gateway IP address, host name, domain name, primary DNS server, and an NTP server. (Optionally, you can also specify a secondary DNS server and secondary NTP server.)
Deploy the virtual image to the hypervisor
- Add the virtual image to vSphere or vCenter Server:
  - In vSphere, right-click the resource pool and select Deploy OVF Template.
  - In vCenter Server, right-click Virtual Machines and select Create/Register VM.
- Select the virtual image file and enter a unique name for the virtual machine.
- (Optional) Some environments might require changes to network adapter settings or other changes to the virtual image template settings. You might need to increase the settings from the default Cloud-based Tanium Appliance and virtual Tanium Appliance specifications. If necessary, make the changes before starting the virtual machine.
- Start the virtual machine.
- The boot prompt has an option to load the active or inactive partition. Load the active partition (selected by default).
(Optional) Change keyboard mapping for virtual console
If you want to change the keyboard mapping from the default (us) to a different layout, you can change this setting before you create a new password for the tanadmin user account and start initial configuration.
- Open the VM host console for the Tanium Appliance and then sign in as the tanadmin user with the default password Tanium1.
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
Keymap: us
IP Address:
Hostname: initial-tanos-347587.localdomain
FIPS 140-2: disabled
1: Set Virtual Console Keymap
M: Toggle FIPS 140-2 Mode
P: Set Password (INCOMPLETE)
Set the password to continue configuration
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.8.1
Please select:
- Enter 1 (Set Keymap).
- Enter 2 to go to a list of available keyboard mappings. Use the spacebar key to page through the list, and then enter the name of the desired mapping.
------------------------------------------------------
Current keymap: us
Displaying all available keymaps. Space to continue or Q to quit
(list of available keymap names omitted)
Current keymap: us
Enter the desired keymap:
To change the keyboard mapping at a later time, enter A-X-8 (Appliance Configuration > Advanced Configuration > Set Virtual Console Keymap).
(FIPS-compliant organizations) Enable FIPS 140-3 mode before initial setup
Enabling Federal Information Processing Standards (FIPS) mode causes the appliance to use a FIPS-validated cryptographic module for all cryptographic operations. It also ensures that services like SSH use only cryptographic algorithms that FIPS 140-3 allows.
If FIPS mode is required for your organization, you can enable it before you continue with initial setup so that the password and keys that you configure during setup are FIPS-compliant.
Enable FIPS mode only if you are required to do so for your organization.
- In Tanium Core Platform 7.4.5.1200 and later, enabling FIPS mode in TanOS also puts the Tanium Platform in FIPS mode.
- You can later disable FIPS mode if it is not required and it was inadvertently enabled during setup. See Enable FIPS 140-3 mode.
- Sign in to the TanOS console as the tanadmin user.
- Enter M and follow the prompt to enable FIPS 140-3 mode and reboot the appliance, and then continue initial setup.
Configuration options
Perform full initial configuration
You can perform initial configuration in the order that you prefer. As you finish configuring settings, their status in the checklist changes from incomplete to complete.
Before you begin
Configure the password for the tanadmin user account. This is required before you can connect to the network and start initial configuration.
Complete the initial configuration
- Open the VM host console for the Tanium Appliance and then sign in as the tanadmin user with the default password Tanium1.
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
Keymap: us
IP Address:
Hostname: initial-tanos-347587.localdomain
FIPS 140-2: disabled
1: Set Virtual Console Keymap
M: Toggle FIPS 140-2 Mode
P: Set Password (INCOMPLETE)
Set the password to continue configuration
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.8.1
Please select:
If the IP address was already configured, sign in with the password that was set in the data center, and then proceed with the rest of the initial configuration steps.
- Enter P, and then follow the prompts to change the password.
------------------------------------------------------
>>> Initial Config -> Set Password <<<
Preparing to change the password for tanadmin
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter password (will not be displayed):
Password score: 55 out of 100 (strong)
Please enter password again:
The password change was successful.
Press enter to continue
Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.
- Press the Enter key to return to the Initial Configuration menu.
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
Keymap: us
IP Address:
Hostname: initial-tanos-347587.localdomain
FIPS 140-2: disabled
1: Set Virtual Console Keymap
M: Toggle FIPS 140-2 Mode
P: Set Password (complete)
A: Set IP Address (INCOMPLETE)
N: Set FQDN (hostname) (INCOMPLETE)
D: Set DNS Nameservers (INCOMPLETE)
T: Set NTP (time) (INCOMPLETE)
E: View and Accept EULA (INCOMPLETE)
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.8.1
Please select:
- If necessary, enter A, and then follow the prompts to set the static IP address, IPv6 settings, and gateway.
>>> Network Configuration <<<
Note: any existing IP address listed below is NOT persistent/DHCP assigned.
Please provide a static IP address below regardless of the current
configuration. At the end of the initial configuration routine you will be
logged out. If the IP address is changed then you will need to modify your
connection settings to reach the TanOS menu.
Available interfaces:
#: Interface State Link MAC IP Location
1: ens160 UP UP 00:0c:29:35:f4:fa 10.10.10.60/24 virtual
Please select: 1
Current settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
Would you like to accept default IPv6 settings? [Yes|No]: yes
New settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
Manual IPv6: No
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Are these settings correct? [Yes|No]: yes
- After the initial configuration screen appears with the updated IP address configuration, enter N and then follow the prompts to configure the fully qualified domain name (FQDN).
>>> Initial Config -> Set FQDN <<<
Current hostname (FQDN):
New FQDN: fqdn.example.com
Setting new hostname (FQDN):
fqdn.example.com
Do you want to continue? [Yes|No]: Yes
- After the initial configuration screen appears with the updated FQDN configuration, enter D and then follow the prompts to set the DNS name servers.
>>> Initial Config -> Set Nameservers <<<
Currently configured nameserver(s):
Enter the first DNS server address: 10.10.10.10
Enter the second DNS server address:
Setting nameserver 1: 10.10.10.10
Setting nameserver 2:
Do you want to continue? [Yes|No]: Yes
- After the initial configuration screen appears with the updated DNS configuration, enter T and then follow the prompts to set the NTP servers.
>>> NTP Configuration <<<
Timezone will be automatically set to UTC.
Enter the NTP server information for up to two NTP servers. Each entry consist
of a server name or IP address.
Optionally each server may indicate authentication information using
colons as a separator: <server>:<key-id>:<SHA1|MD5>:key
1.2.3.4
pool.ntp.org
ntp.secret.corp:999:SHA1:0123456789abcdef0123456789abcdef01234567
Please provide the NTP server address: pool.ntp.org
Please provide the second NTP server address (enter blank value for none):
The following settings will be used:
NTP Server 1: pool.ntp.org
NTP Server 2:
Are these settings correct? [Yes|No]: Yes
- After the initial configuration screen appears with the updated NTP configuration, enter E and then use the spacebar to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept it.
The email address is stored locally only. It is not used externally for any reason.
- Enter F to finish initial configuration. The appliance reboots, and when you sign in again, the initial configuration menu is replaced by the tanadmin menu.
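The network steps above take a static IPv4 address with prefix, a gateway, an FQDN, DNS servers and NTP entries in the `<server>:<key-id>:<SHA1|MD5>:key` form, and a mistake typed at the console locks you out until you fix it from the VM console. The following Python script is an added example (not Tanium's code and not part of TanOS) that checks those values for consistency before you type them in; the sample values are constructed and mirror the page's screens.

```python
import ipaddress
import re

# Constructed sample of what the TanOS initial-configuration prompts ask for.
SAMPLE = {
    "ipv4": "10.10.10.60/24",
    "gateway": "10.10.10.2",
    "fqdn": "fqdn.example.com",
    "dns": ["10.10.10.10", ""],
    "ntp": ["pool.ntp.org",
            "ntp.secret.corp:999:SHA1:0123456789abcdef0123456789abcdef01234567"],
}

HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
KEY_HEX_LEN = {"SHA1": 40, "MD5": 32}   # hex digits in a 160-bit / 128-bit NTP key


def check_ipv4(addr_prefix, gateway):
    """Host address with prefix (not a network address) and a gateway inside that subnet."""
    errors = []
    try:
        iface = ipaddress.IPv4Interface(addr_prefix)
    except ValueError:
        return [f"bad IPv4 address/prefix: {addr_prefix!r}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return errors + [f"bad gateway address: {gateway!r}"]
    if gw not in net:
        errors.append(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        errors.append("gateway equals the appliance address")
    return errors


def check_fqdn(fqdn):
    labels = fqdn.split(".")
    if len(labels) < 2 or len(fqdn) > 253 or not all(HOSTNAME_LABEL.match(l) for l in labels):
        return [f"not a valid FQDN: {fqdn!r}"]
    return []


def check_dns(servers):
    errors = []
    for s in (x for x in servers if x):       # blank second server means "none"
        try:
            ipaddress.ip_address(s)
        except ValueError:
            errors.append(f"DNS server is not an IP address: {s!r}")
    return errors


def parse_ntp_entry(entry):
    """Split '<server>' or '<server>:<key-id>:<SHA1|MD5>:<key>' into parts, or raise ValueError.

    Caveat: the format uses ':' as separator, so an IPv6 literal cannot be told apart from
    an authenticated entry; this helper only accepts the one-part and four-part forms."""
    parts = entry.split(":")
    if len(parts) == 1:
        return {"server": parts[0], "auth": None}
    if len(parts) != 4:
        raise ValueError(f"expected server or server:key-id:SHA1|MD5:key, got {entry!r}")
    server, key_id, algo, key = parts
    if not key_id.isdigit():
        raise ValueError(f"key-id must be numeric: {key_id!r}")
    if algo not in KEY_HEX_LEN:
        raise ValueError(f"key type must be SHA1 or MD5: {algo!r}")
    if len(key) != KEY_HEX_LEN[algo] or not re.fullmatch(r"[0-9a-fA-F]+", key):
        raise ValueError(f"{algo} key must be {KEY_HEX_LEN[algo]} hex digits")
    return {"server": server, "auth": {"key_id": int(key_id), "algo": algo, "key": key.lower()}}


def check_ntp(entries):
    errors = []
    for e in (x for x in entries if x):
        try:
            server = parse_ntp_entry(e)["server"]
        except ValueError as exc:
            errors.append(str(exc))
            continue
        try:
            ipaddress.ip_address(server)
        except ValueError:
            errors.extend(check_fqdn(server))  # not an IP, so it must be a valid host name
    return errors


def preflight(cfg):
    """Return a list of problems; an empty list means the values are ready to type in."""
    return (check_ipv4(cfg["ipv4"], cfg["gateway"]) + check_fqdn(cfg["fqdn"])
            + check_dns(cfg["dns"]) + check_ntp(cfg["ntp"]))


if __name__ == "__main__":
    for line in preflight(SAMPLE) or ["all initial-configuration inputs look consistent"]:
        print(line)
```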
Configure IP address only
In some virtual infrastructure environments, only the VM administrator has access to the VM console to set up new VMs. If necessary, the VM administrator can use the tanadmin account to set up the IP address only so the VM host is accessible through SSH.
Before you begin
- You must be able to access the VM console.
- Configure the password for the tanadmin user account. This is required before you can connect to the network and start initial configuration.
Configure the IP address settings
- Open the VM host console for the Tanium Appliance and then sign in as the tanadmin user with the default password Tanium1.
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
Keymap: us
IP Address:
Hostname: initial-tanos-347587.localdomain
FIPS 140-2: disabled
1: Set Virtual Console Keymap
M: Toggle FIPS 140-2 Mode
P: Set Password (INCOMPLETE)
Set the password to continue configuration
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.8.1
Please select:
- Enter P, and then follow the prompts to change the password.
------------------------------------------------------
>>> Initial Config -> Set Password <<<
Preparing to change the password for tanadmin
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter password (will not be displayed):
Password score: 55 out of 100 (strong)
Please enter password again:
The password change was successful.
Press enter to continue
Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.
- Press the Enter key to return to the Initial Configuration menu.
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
Keymap: us
IP Address:
Hostname: initial-tanos-347587.localdomain
FIPS 140-2: disabled
M: Toggle FIPS 140-2 Mode
P: Set Password (complete)
A: Set IP Address (INCOMPLETE)
N: Set FQDN (hostname) (INCOMPLETE)
D: Set DNS Nameservers (INCOMPLETE)
T: Set NTP (time) (INCOMPLETE)
E: View and Accept EULA (INCOMPLETE)
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.8.1
Please select:
- Enter A, and then follow the prompts to specify the IPv4 address with prefix, and the default IPv4 gateway. You can also configure the IPv6 address with prefix, and the IPv6 gateway. The TanOS console confirms that the settings are applied.
>>> Network Configuration <<<
Note: any existing IP address listed below is NOT persistent/DHCP assigned.
Please provide a static IP address below regardless of the current
configuration. At the end of the initial configuration routine you will be
logged out. If the IP address is changed then you will need to modify your
connection settings to reach the TanOS menu.
Available interfaces:
#: Interface State Link MAC IP Location
1: ens160 UP UP 00:0c:29:35:f4:fa 10.10.10.60/24 virtual
Please select: 1
Current settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
Would you like to accept default IPv6 settings? [Yes|No]: yes
New settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
Manual IPv6: No
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Are these settings correct? [Yes|No]: yes
The IP address setting changes from incomplete to complete. You can sign out of the console and connect through SSH later to resume the initial configuration steps. See Perform full initial configuration.
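The Set Password screens in both procedures above list the policy the appliance enforces but not how each rule is evaluated. The following Python checker is an added example (not Tanium's code and not the algorithm TanOS runs) that applies the eight listed rules to a candidate password so you can test one before typing it into the console; the dictionary, the leet-speak normalisation and the "part of the username" interpretation are assumptions made for the example.

```python
import hashlib
import re

# Constructed stand-in for a word list; the appliance uses its own dictionary.
SMALL_DICTIONARY = {"password", "tanium", "welcome", "admin", "summer", "qwerty"}
# Undo common letter-for-symbol substitutions before the dictionary check (assumption).
LEET = str.maketrans("@$!10345", "asiloeas")


def password_digest(password):
    """SHA-256 of the password; the history is kept as digests, never as plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def username_fragments(username, min_len=3):
    """The whole username plus its dot/dash/underscore-separated tokens of 3+ chars, lowercased."""
    parts = {username} | set(re.split(r"[._-]", username))
    return {p.lower() for p in parts if len(p) >= min_len}


def check_password(password, username, history=()):
    """Return the policy rules the candidate violates (empty list means it passes).

    history: digests from password_digest() of earlier passwords, oldest first."""
    failures = []
    if len(password) < 10:
        failures.append("Minimum of 10 characters long")
    if not re.search(r"[A-Z]", password):
        failures.append("At least 1 upper case character")
    if not re.search(r"[a-z]", password):
        failures.append("At least 1 lower case character")
    if not re.search(r"[0-9]", password):
        failures.append("At least 1 numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("At least 1 other character")
    if password_digest(password) in list(history)[-4:]:
        failures.append("Must not match any of recent 4 passwords")
    lowered = password.lower()
    if any(word in lowered.translate(LEET) for word in SMALL_DICTIONARY):
        failures.append("Must not be based on a dictionary word")
    if any(fragment in lowered for fragment in username_fragments(username)):
        failures.append("Must not contain part of the username")
    return failures


if __name__ == "__main__":
    # The factory default from the page fails on length, missing symbol and dictionary word.
    for rule in check_password("Tanium1", "tanadmin"):
        print("violates:", rule)
```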
Access TanOS remotely
To access your Tanium Appliances remotely, note the following requirements.
- Your local management computer must be connected to a subnet that can reach the appliance IP address.
- Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
- You must have an SSH client such as PuTTY to sign in to the TanOS console. For PuTTY, use version 0.71 or later.
- You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
- You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.
Watch the tutorial about how to configure WinSCP for the Tanium Appliance.
Configure SSH keys
TanOS has built-in and customer-created user accounts to access the appliance operating system and perform tasks.
Before you install a Tanium Appliance role, you must add SSH keys to authenticate access for the tancopy built-in user. tancopy can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.
TanOS does not support self-service password reset methods. If you forget your password, you must ask a user with the tanadmin role to reset it for you. You can avoid this risk by setting up SSH key authentication.
Watch the tutorial about how to configure SSH key authentication for the Tanium Appliance.
Before you begin
- You must have an SSH client to sign in to the TanOS console, and an SFTP client to copy files to and from the appliance.
- You must have an SSH key generator to generate keys for the tancopy user.
Add SSH keys
You must set up an SSH key for the tancopy user. For the best results, set up SSH key authentication for TanOS user accounts.
Add SSH keys for the tancopy user
You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.
- Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note the following:
  - Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
  - Specify a passphrase that is easy to remember.
  - Save the private key to a location that you can access when you set up your SFTP client.
- Copy the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter C-U (User Administration > TanOS User Management).
- Enter the line number for the tancopy user to go to the user administration menu for this user.
>>> User Administration -> TanOS -> tancopy <<<
Username: tancopy
Account Enabled: Yes
Authentication: SSH Key Only
SSH Lockout: No (0)
Multi-Factor: Not configured
Notes:
* This user account cannot be deleted
* This user account cannot have a password
* This user account cannot use multi-factor
A: Manage SSH Authorized Keys
P: Manage SSH Key Pair
L: Reset SSH Lockout
C: [DISABLED] Change Password
N: [DISABLED] Disable Password Access
M: [DISABLED] Multi-Factor Authentication
E: Enable Account
D: Disable Account
X: [DISABLED] Delete User
F: Edit known hosts file
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter A (Authorized Keys).
- Enter A and follow the prompts to add the contents of the public key generated in Step 1.
>>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<<
Account: tancopy
Please paste the public key and press enter:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2z
MDxW5TO5tm/U8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTq
Z+KCgzbEhHLWUD44+If5RtG+U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBue
mftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2mOJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvB
oPeaCFaApQ== rsa-key-20200123
Validating input
Adding key to authorized keys after validation
Finished adding authorized keys for tancopy
Press enter to continue
- To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
- Specify tancopy for user name.
- Click Advanced.
- Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
- Save the configuration and click Login to initiate the connection.
You should be able to connect to the appliance and see the /incoming and /outgoing directories.
Add SSH keys for TanOS users
It is a best practice to also set up SSH key authentication for TanOS user accounts.
As an alternative to the following procedure, you can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.
- Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note the following:
  - Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
  - Specify a passphrase that is easy to remember.
  - Save the private key to a location that you can access when you set up your SSH client.
- Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter C-U (User Administration > TanOS User Management).
- Enter the line number of the user account that you want to manage.
>>> User Administration -> TanOS -> tanadmin <<<
Username: tanadmin
Account Enabled: Yes
Authentication: SSH Key or Password
SSH Lockout: No (0)
Notes:
* This user account must always have a password
* This user account cannot be deleted
* This user account cannot be disabled
A: Manage SSH Authorized Keys
P: Manage SSH Key Pair
L: Reset SSH Lockout
C: Change/Enable Password (Chosen)
N: [DISABLED] Disable Password Access
M: Multi-Factor Authentication
E: [DISABLED] Enable Account
D: [DISABLED] Disable Account
X: [DISABLED] Delete User
F: Edit known hosts file
R: Return to previous menu RR: Return to top
- Enter A (Authorized Keys).
- Enter A and follow the prompts to paste the public key generated in Step 1.
>>> User Administration -> TanOS -> tanadmin -> Authorized Keys -> Add <<<
Account: tanadmin
Please paste the public key and press enter:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqXUnoyrg4opYQp4DGZoasYy8ud5oJEar9BqRr2RVHMm/Sxcl4T1sthsN
WS0ECo0j32mCSM3ynYZn2AdJTU6HbKnFM30gtQL7+tpmGrgbkaVEJ9OXoA47JP0o5hbI16UUpuEKJrEBOYovIsrN2gtwKbz
YdOVCxVq5amzqg7/UrQyUO3rmt54qStiqNIiHI3UjzPWYJwUxz90vU7LWsXYz1CAWBTXnh51kg0lBPFgbRmUZJb0DwLb4Sw
lFZAe5P0RO4RwdmZVgTfsqy+MVuyzaBzGD1z4MlIZ83R6sW+nXtipbzqhFTLykLRLIXobuHjuf0Yy1H7/ZDJh/qlojce4TC
g/+5e2h1RQ8ZKgECZDJoCdrkAM6y9arHCoZwqEP9MXugQXCO6EMrP39vXajnV3YrDKKLYP1pxWZGOA4ylNqY5mG1+AofVdG
vAUBztjXfXgC3bgL0Qgp+d3E8JvLRHXfkmRijppvj+BCJUawXJfkMtBEgrxQP9PoDwHrqJj6ey80v8P7DgojQw83JumsG3S
+7l0e0Ia02q/05s2EpOv9jE9aJiLRGKbb4WkjvUSpK1VmDK54qfeSKj6yp3IIt13GBKmkVqKbbZS6gaZ3UTpzq3dj+53YeP
eOe8XMECuxl6aH4nLT4u3CqrCqxTfTa5y1Fi3/e9zI5/AKJlTXWF3ISCQ== [email protected]
Validating input
Adding key to authorized keys after validation
Finished adding authorized keys for tanadmin
Press enter to continue
- To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
- Specify the Tanium Server IP address, port 22, and SSH connection type.
- Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
- Open the SSH session and enter the tanadmin user name.
- You are prompted for the SSH key passphrase instead of the tanadmin password.
login as: tanadmin
######################## WARNING ########################
Unauthorized access is strictly prohibited.
#########################################################
Authenticating with public key "rsa-key-20200119"
Passphrase for key "rsa-key-20200119":
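Both key-adding procedures above (for tancopy and for TanOS users) require a 2048-bit RSA key and warn that the pasted public key must match the .pub file exactly, including line endings. The following Python script is an added example (not Tanium's code and not how TanOS validates input) that parses an OpenSSH public-key line, reports the modulus size and the SHA256 fingerprint (the same value `ssh-keygen -lf` prints, so you can compare the .pub file with what you pasted), and flags stray whitespace, line-ending characters or truncation. The sample key is constructed from a fixed modulus and is not a real key.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH mpint: big-endian magnitude with a leading 0x00 when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_line(n, e, comment):
    """Assemble an authorized_keys line; used here only to construct the sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: a 2048-bit odd number standing in for a real modulus (not a real key).
SAMPLE_N = (1 << 2047) | 1
SAMPLE_E = 65537
SAMPLE_LINE = build_rsa_public_line(SAMPLE_N, SAMPLE_E, "tancopy-example-key")


def _read_string(blob, pos):
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def inspect_public_key(line, expected_bits=2048):
    """Parse one OpenSSH public-key line; return (type, modulus bits, fingerprint, problems).

    Raises ValueError when the line cannot be decoded at all (bad base64, truncated blob)."""
    problems = []
    if line != line.strip() or "\r" in line or "\n" in line:
        problems.append("line has surrounding whitespace or line-ending characters")
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)   # strict: rejects altered characters
    except ValueError:
        raise ValueError("key material is not valid base64 (truncated or altered paste?)")
    inner_type, pos = _read_string(blob, 0)
    if inner_type.decode(errors="replace") != key_type:
        problems.append(f"type field {key_type!r} does not match encoded type {inner_type!r}")
    bits = None
    if inner_type != b"ssh-rsa":
        problems.append(f"expected an RSA key, got {inner_type.decode(errors='replace')}")
    else:
        _e_bytes, pos = _read_string(blob, pos)
        n_bytes, pos = _read_string(blob, pos)
        bits = int.from_bytes(n_bytes, "big").bit_length()
        if bits < expected_bits:
            problems.append(f"modulus is {bits} bits, expected at least {expected_bits}")
        if pos != len(blob):
            problems.append("trailing bytes after the key blob")
    # OpenSSH fingerprint: SHA-256 over the decoded blob, base64 without padding.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, bits, fingerprint, problems


def key_line_is_acceptable(line, expected_bits=2048):
    """True when the line decodes cleanly as an RSA key of at least expected_bits."""
    try:
        return not inspect_public_key(line, expected_bits)[3]
    except ValueError:
        return False


if __name__ == "__main__":
    key_type, bits, fp, problems = inspect_public_key(SAMPLE_LINE)
    print(key_type, bits, fp, problems or "no problems")
```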
Export the grub key
The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you need to provide the key.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A-X (Appliance Configuration > Advanced Configuration).
- Enter 6 and follow the prompts to export the grub key to the /outgoing folder.
>>> Appliance Configuration -> Advanced Menu -> Export Security Key <<<
Once the security key has been placed in the outgoing directory it
will remain until the nightly cleanup job is run. After this time it
will be deleted and must be exported again.
Please be sure to download it and save in a secure location.
Would you like to export the security key? [Yes|No]: yes
The security key has been placed in the sftp outgoing directory.
This location will be cleaned daily at 02:00am appliance time!
Press enter to continue
- Use SFTP to copy the file from the /outgoing directory to your local computer.
Add TanOS system users
Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles.
Create more than one privileged user with the tanadmin role in case you forget the password for the built-in tanadmin user.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter C-U (User Administration > TanOS User Management).
- Enter A and follow the prompts to add a system user.
>>> User Administration -> System Users -> Add System User <<<
Adding a system user requires first name, last name, user name and user role.
Attention:
TanUser Role: Monitor/Check the status of the appliance, no changes are allowed
TanAdmin Role: Full administrative role to manage the appliance
A temporary password will be generated and the new user is required to change
their password upon first login!
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter first name: John
Please enter last name: Doe
Please enter desired user name (max 30 chars): john.doe
Which role should be assigned to john.doe?
1: TanUser (Monitoring)
2: TanAdmin (Administrative)
Please select: 2
The temporary password for john.doe is: proudbrownwildfowl
Adding local user john doe ...
Successfully added user john doe (username: john.doe) with role tanadmin.
Press enter to continue
What to do next
- To save time, complete advanced network configuration before you install Tanium Core Platform servers. See Configuring Appliance connections.
- When these steps are completed, you can continue with the installation of an Appliance Array.