Completing the initial setup (virtual Tanium Appliance)

Contact Tanium Support to obtain a virtual Tanium Appliance image file and license.

Requirements

License	Contact Tanium Support to obtain a valid license. Tanium Support must know the fully qualified domain name (FQDN) for each Tanium Server appliance in your deployment to generate your license file.
Hypervisor	VMware ESXi, Microsoft Hyper-V, or KVM. For specifications, see Reference: Tanium Appliance specifications.
Network	Be ready to specify the static IP address in CIDR format (such as 192.168.2.0/24), default gateway IP address, host name, domain name, primary DNS server, and an NTP server. (Optionally, you can also specify a secondary DNS server and secondary NTP server.)

Deploy the virtual image to the hypervisor

Notes:

The following steps demonstrate a deployment of the virtual image through VMware ESXi. Perform the related steps for your hypervisor.
Virtual images must be deployed individually to ensure the serial numbers are unique; do not clone virtual images.
Hyper-V requires the following options when you set up the VM:
- Create the VM as a Generation 2 VM.
- Select the Enable Secure Boot option and the Microsoft UEFI Certificate Authority template.

Add the virtual image to vSphere or vCenter Server:
- In vSphere, right-click the resource pool and select Deploy OVF Template
- In vCenter Server, right-click Virtual Machines and select Create/Register VM.
Select the virtual image file and enter a unique name for the virtual machine.
(Optional) Some environments might require changes to network adapter settings or other changes to the virtual image template settings. You might need to increase the settings from the default Cloud-based Tanium Appliance and virtual Tanium Appliance specifications. If necessary, make the changes before starting the virtual machine.
Start the virtual machine.
The boot prompt has an option to load the active or inactive partition. Load the active partition (selected by default).

(Optional) Change keyboard mapping for virtual console

If you want to change the keyboard mapping from the default (us) to a different layout, you can change this setting before you create a new password for the tanadmin user account and start initial configuration.

Open the VM host console for the Tanium Appliance and then sign in as the tanadmin user with the default password Tanium1.

View screen

 ------------------------------------------------------

 >>> Initial Configuration <<<

 Initial configuration workflow for a new TanOS appliance.
 All items must be complete before the appliance can be used.

 Keymap:     us
 IP Address: 
 Hostname:   initial-tanos-347587.localdomain
 FIPS 140-2: disabled

          1: Set Virtual Console Keymap
          M: Toggle FIPS 140-2 Mode
                  
          P: Set Password                   (INCOMPLETE)
             Set the password to continue configuration
          F: [DISABLED] Finish Initial Configuration
          S: Shutdown

          Z: Log out

 ------------------------------------------------------

 TanOS Version:        1.8.1 

 Please select:

Enter 1 (Set Keymap).

Enter 2 to go to a list of available keyboard mappings. Use the spacebar key to page through the list, and then enter the name of the desired mapping.

View screen

 ------------------------------------------------------
Current keymap: us
Displaying all available keymaps. Space to continue or Q to quit

ANSI-dvorak                     al
al-plisi                        amiga-de
amiga-us                        applkey
at                              at-mac
at-nodeadkeys                   at-sundeadkeys
atari-de                        atari-se
atari-uk-falcon                 atari-us
az                              azerty
ba                              ba-alternatequotes
ba-unicode                      ba-unicodeus
ba-us                           backspace
bashkir                         be
be-iso-alternate                be-latin1
be-nodeadkeys                   be-oss
be-oss_latin9                   be-oss_sundeadkeys
be-sundeadkeys                  be-wang
bg-cp1251                       bg-cp855
bg_bds-cp1251                   bg_bds-utf8
bg_pho-cp1251                   bg_pho-utf8
br                              br-abnt
br-abnt2                        br-dvorak
br-latin1-abnt2                 br-latin1-us
br-nativo                       br-nativo-epo
br-nativo-us                    br-nodeadkeys
br-thinkpad                     by
by-cp1251                       by-latin
bywin-cp1251                    ca
ca-eng                          ca-fr-dvorak
ca-fr-legacy                    ca-multi
ca-multix                       cf
ch                              ch-de_mac
ch-de_nodeadkeys                ch-de_sundeadkeys
ch-fr                           ch-fr_mac
ch-fr_nodeadkeys                ch-fr_sundeadkeys
ch-legacy                       cm
cm-azerty                       cm-dvorak
cm-french                       cm-mmuock
cm-qwerty                       cn
cn-altgr-pinyin                 croat
ctrl                            cz
cz-bksl                         cz-cp1250
cz-dvorak-ucw                   cz-lat2
cz-lat2-prog                    cz-qwerty
cz-qwerty_bksl                  cz-rus
cz-us-qwertz                    de
de-T3                           de-deadacute
de-deadgraveacute               de-deadtilde
de-dsb                          de-dsb_qwertz
de-dvorak                       de-latin1
de-latin1-nodeadkeys            de-mac
de-mac_nodeadkeys               de-mobii
de-neo                          de-nodeadkeys
de-qwerty                       de-ro
de-ro_nodeadkeys                de-sundeadkeys
de-tr                           de_CH-latin1
de_alt_UTF-8                    defkeymap
defkeymap_V1.0                  dk
dk-dvorak                       dk-latin1
dk-mac                          dk-mac_nodeadkeys
dk-nodeadkeys                   dk-winkeys
dvorak                          dvorak-ca-fr
dvorak-es                       dvorak-fr
dvorak-l                        dvorak-r
dvorak-ru                       dvorak-sv-a1
dvorak-sv-a5                    dvorak-uk
dz                              ee
ee-dvorak                       ee-nodeadkeys
ee-us                           emacs
emacs2                          en-latin9
epo                             epo-legacy
es                              es-ast
es-cat                          es-cp850
es-deadtilde                    es-dvorak
es-mac                          es-nodeadkeys
es-olpc                         es-sundeadkeys
es-winkeys                      et
et-nodeadkeys                   euro
euro1                           euro2
fi                              fi-classic
fi-das                          fi-latin1
fi-latin9                       fi-mac
fi-nodeadkeys                   fi-old
fi-smi                          fi-winkeys
fo                              fo-nodeadkeys
fr                              fr-azerty
fr-bepo                         fr-bepo_latin9
fr-bre                          fr-dvorak
fr-latin0                       fr-latin1
fr-latin9                       fr-latin9_nodeadkeys
fr-latin9_sundeadkeys           fr-mac
fr-nodeadkeys                   fr-oci
fr-old                          fr-oss
fr-oss_latin9                   fr-oss_nodeadkeys
fr-oss_sundeadkeys              fr-pc
fr-sundeadkeys                  fr_CH
fr_CH-latin1                    gb
gb-colemak                      gb-dvorak
gb-dvorakukp                    gb-extd
gb-intl                         gb-mac
gb-mac_intl                     ge
ge-ergonomic                    ge-mess
ge-ru                           gh
gh-akan                         gh-avn
gh-ewe                          gh-fula
gh-ga                           gh-generic
gh-gillbt                       gh-hausa
gr                              gr-pc
hr                              hr-alternatequotes
hr-unicode                      hr-unicodeus
hr-us                           hu
hu-101_qwerty_comma_dead        hu-101_qwerty_comma_nodead
hu-101_qwerty_dot_dead          hu-101_qwerty_dot_nodead
hu-101_qwertz_comma_dead        hu-101_qwertz_comma_nodead
hu-101_qwertz_dot_dead          hu-101_qwertz_dot_nodead
hu-102_qwerty_comma_dead        hu-102_qwerty_comma_nodead
hu-102_qwerty_dot_dead          hu-102_qwerty_dot_nodead
hu-102_qwertz_comma_dead        hu-102_qwertz_comma_nodead
hu-102_qwertz_dot_dead          hu-102_qwertz_dot_nodead
hu-nodeadkeys                   hu-qwerty
hu-standard                     hu101
ie                              ie-CloGaelach
ie-UnicodeExpert                ie-ogam_is434
il                              il-heb
il-phonetic                     in-eng
iq-ku                           iq-ku_alt
iq-ku_ara                       iq-ku_f
ir-ku                           ir-ku_alt
ir-ku_ara                       ir-ku_f
is                              is-Sundeadkeys
is-dvorak                       is-latin1
is-latin1-us                    is-mac
is-mac_legacy                   is-nodeadkeys
it                              it-geo
it-ibm                          it-intl
it-mac                          it-nodeadkeys
it-scn                          it-us
it-winkeys                      it2
jp                              jp-OADG109A
jp-dvorak                       jp-kana86
jp106                           kazakh
ke                              ke-kik
keypad                          kr
kr-kr104                        ky_alt_sh-UTF-8
kyrgyz                          la-latin1
latam                           latam-deadtilde
latam-dvorak                    latam-nodeadkeys
latam-sundeadkeys               lk-us
lt                              lt-ibm
lt-lekp                         lt-lekpa
lt-std                          lt-us
lt.baltic                       lt.l4
lv                              lv-adapted
lv-apostrophe                   lv-ergonomic
lv-fkey                         lv-modern
lv-tilde                        ma-french
mac-be                          mac-de-latin1
mac-de-latin1-nodeadkeys        mac-de_CH
mac-dk-latin1                   mac-dvorak
mac-es                          mac-euro
mac-euro2                       mac-fi-latin1
mac-fr                          mac-fr_CH-latin1
mac-it                          mac-pl
mac-pt-latin1                   mac-se
mac-template                    mac-uk
mac-us                          md
md-gag                          me
me-latinalternatequotes         me-latinunicode
me-latinunicodeyz               me-latinyz
mk                              mk-cp1251
mk-utf                          mk0
ml                              ml-fr-oss
ml-us-intl                      ml-us-mac
mm                              mt
mt-us                           ng
ng-hausa                        ng-igbo
ng-yoruba                       nl
nl-mac                          nl-std
nl-sundeadkeys                  nl2
no                              no-colemak
no-dvorak                       no-latin1
no-mac                          no-mac_nodeadkeys
no-nodeadkeys                   no-smi
no-smi_nodeadkeys               no-winkeys
pc110                           ph
ph-capewell-dvorak              ph-capewell-qwerf2k6
ph-colemak                      ph-dvorak
pl                              pl-csb
pl-dvorak                       pl-dvorak_altquotes
pl-dvorak_quotes                pl-dvp
pl-legacy                       pl-qwertz
pl-szl                          pl1
pl2                             pl3
pl4                             pt
pt-latin1                       pt-latin9
pt-mac                          pt-mac_nodeadkeys
pt-mac_sundeadkeys              pt-nativo
pt-nativo-epo                   pt-nativo-us
pt-nodeadkeys                   pt-olpc
pt-sundeadkeys                  ro
ro-cedilla                      ro-std
ro-std_cedilla                  ro-winkeys
ro_std                          rs-latin
rs-latinalternatequotes         rs-latinunicode
rs-latinunicodeyz               rs-latinyz
ru                              ru-cp1251
ru-cv_latin                     ru-ms
ru-yawerty                      ru1
ru2                             ru3
ru4                             ru_win
ruwin_alt-CP1251                ruwin_alt-KOI8-R
ruwin_alt-UTF-8                 ruwin_alt_sh-UTF-8
ruwin_cplk-CP1251               ruwin_cplk-KOI8-R
ruwin_cplk-UTF-8                ruwin_ct_sh-CP1251
ruwin_ct_sh-KOI8-R              ruwin_ct_sh-UTF-8
ruwin_ctrl-CP1251               ruwin_ctrl-KOI8-R
ruwin_ctrl-UTF-8                se
se-dvorak                       se-fi-ir209
se-fi-lat6                      se-ir209
se-lat6                         se-latin1
se-mac                          se-nodeadkeys
se-smi                          se-svdvorak
se-us                           se-us_dvorak
sg                              sg-latin1
sg-latin1-lk450                 si
si-alternatequotes              si-us
sk                              sk-bksl
sk-prog-qwerty                  sk-prog-qwertz
sk-qwerty                       sk-qwerty_bksl
sk-qwertz                       slovene
sr-cy                           sun-pl
sun-pl-altgraph                 sundvorak
sunkeymap                       sunt4-es
sunt4-fi-latin1                 sunt4-no-latin1
sunt5-cz-us                     sunt5-de-latin1
sunt5-es                        sunt5-fi-latin1
sunt5-fr-latin1                 sunt5-ru
sunt5-uk                        sunt5-us-cz
sunt6-uk                        sv-latin1
sy-ku                           sy-ku_alt
sy-ku_f                         tj_alt-UTF8
tm                              tm-alt
tr                              tr-alt
tr-crh                          tr-crh_alt
tr-crh_f                        tr-f
tr-intl                         tr-ku
tr-ku_alt                       tr-ku_f
tr-sundeadkeys                  tr_f-latin5
tr_q-latin5                     tralt
trf                             trf-fgGIod
trq                             ttwin_alt-UTF-8
ttwin_cplk-UTF-8                ttwin_ct_sh-UTF-8
ttwin_ctrl-UTF-8                tw
tw-indigenous                   tw-saisiyat
ua                              ua-cp1251
ua-utf                          ua-utf-ws
ua-ws                           uk
unicode                         us
us-acentos                      us-alt-intl
us-altgr-intl                   us-colemak
us-dvorak                       us-dvorak-alt-intl
us-dvorak-classic               us-dvorak-intl
us-dvorak-l                     us-dvorak-r
us-dvp                          us-euro
us-hbs                          us-intl
us-mac                          us-olpc2
us-workman                      us-workman-intl
uz-latin                        wangbe
wangbe2                         windowkeys

 Current keymap: us
 Enter the desired keymap:

To change the keyboard mapping at a later time, enter A-X-8 (Appliance Configuration > Advanced Configuration > Set Virtual Console Keymap).

(FIPS-compliant organizations) Enable FIPS 140-3 mode before initial setup

Enabling Federal Information Processing Standards (FIPS) mode causes the appliance to use a FIPS-validated cryptographic module for all cryptographic operations. It also ensures that services like SSH use only cryptographic algorithms that FIPS 140-3 allows.

If FIPS mode is required for your organization, you can enable it before you continue with initial setup so that the password and keys that you configure during setup are FIPS-compliant.

Enable FIPS mode only if you are required to do so for your organization.

In Tanium Core Platform 7.4.5.1200 and later, enabling FIPS mode in TanOS also puts the Tanium Platform in FIPS mode.
You can later disable FIPS mode if it is not required and it was inadvertently enabled during setup. See Enable FIPS 140-3 mode.

Sign in to the TanOS console as the tanadmin user.
Enter M and follow the prompt to enable FIPS 140-3 mode and reboot the appliance, and then continue initial setup.

Configuration options

Perform full initial configuration if you want to complete all of the initial configuration steps at once from the console.
Configure IP address only if you want to complete the network configuration from the console and then later resume initial configuration elsewhere (for example, in a different location through an SSH connection).

Perform full initial configuration

You can perform initial configuration in the order that you prefer. As you finish configuring settings, their status in the checklist changes from incomplete to complete.

Before you begin

Configure the password for the tanadmin user account. This is required before you can connect to the network and start initial configuration.

Complete the initial configuration

Open the VM host console for the Tanium Appliance and then sign in as the tanadmin user with the default password Tanium1.

View screen

 ------------------------------------------------------

 >>> Initial Configuration <<<

 Initial configuration workflow for a new TanOS appliance.
 All items must be complete before the appliance can be used.

 Keymap:     us
 IP Address: 
 Hostname:   initial-tanos-347587.localdomain
 FIPS 140-2: disabled

          1: Set Virtual Console Keymap
          M: Toggle FIPS 140-2 Mode
                  
          P: Set Password                   (INCOMPLETE)
             Set the password to continue configuration
          F: [DISABLED] Finish Initial Configuration
          S: Shutdown

          Z: Log out

 ------------------------------------------------------

 TanOS Version:        1.8.1 

 Please select:

If the IP address was already configured, sign in with the password that was set in the data center, and then proceed with the rest of the initial configuration steps.

Enter P, and then follow the prompts to change the password.

View screen

 ------------------------------------------------------

 >>> Initial Config -> Set Password <<<

 Preparing to change the password for tanadmin

 The password policy requires meeting these rules:
  - Minimum of 10 characters long
  - At least 1 upper case character
  - At least 1 lower case character
  - At least 1 numeric character
  - At least 1 other character
  - Must not match any of recent 4 passwords
  - Must not be based on a dictionary word
  - Must not contain part of the username

 Please enter password (will not be displayed):
Password score: 55 out of 100 (strong)
 Please enter password again:

 The password change was successful.

 Press enter to continue

Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.

Press the Enter key to return to the Initial Configuration menu.

View screen

 ------------------------------------------------------

 >>> Initial Configuration <<<

 Initial configuration workflow for a new TanOS appliance.
 All items must be complete before the appliance can be used.

 Keymap:     us
 IP Address: 
 Hostname:   initial-tanos-347587.localdomain
 FIPS 140-2: disabled

          1: Set Virtual Console Keymap
          M: Toggle FIPS 140-2 Mode
          
          P: Set Password                   (complete)
          A: Set IP Address                 (INCOMPLETE)
          N: Set FQDN (hostname)            (INCOMPLETE)
          D: Set DNS Nameservers            (INCOMPLETE)
          T: Set NTP (time)                 (INCOMPLETE)
          E: View and Accept EULA           (INCOMPLETE)

          F: [DISABLED] Finish Initial Configuration
          S: Shutdown

          Z: Log out

 ------------------------------------------------------

 TanOS Version:        1.8.1 

 Please select:

If necessary, enter A, and then follow the prompts to set the static IP address, IPv6 settings, and gateway.

View screen

>>> Network Configuration <<< >

 Note: any existing IP address listed below is NOT persistent/DHCP assigned. 

 Please provide a static IP address below regardless of the current
 configuration. At the end of the initial configuration routine you will be
 logged out. If the IP address is changed then you will need to modify your
 connection settings to reach the TanOS menu.

 Available interfaces:

         #: Interface  State  Link    MAC                IP                  Location
         1: ens160     UP      UP     00:0c:29:35:f4:fa  10.10.10.60/24      virtual

 Please select: 1
 Current settings:
   Interface: ens160
   IPv4 Address: 10.10.10.60/24
   Default IPv4 Gateway: 10.10.10.2
   IPv6 Address: fe80::20c:29ff:fec3:4afa/64
   IPv6 Gateway:

 Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
 Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
 Would you like to accept default IPv6 settings? [Yes|No]: yes

 New settings:
   Interface: ens160
   IPv4 Address: 10.10.10.60/24
   Default IPv4 Gateway: 10.10.10.2
   Manual IPv6:  No
   IPv6 Address: fe80::20c:29ff:fec3:4afa/64
   IPv6 Gateway:

 Are these settings correct? [Yes|No]: yes

After the initial configuration screen appears with the updated IP address configuration, enter N and then follow the prompts to configure the fully qualified domain name (FQDN).

View screen

>>> Initial Config -> Set FQDN <<<

 Current hostname (FQDN):
 
 New FQDN: fqdn.example.com
 
 
 Setting new hostname (FQDN):
 fqdn.example.com

 Do you want to continue? [Yes|No]: Yes

After the initial configuration screen appears with the updated FQDN configuration, enter D and then follow the prompts to set the DNS name servers. View screen

>>> Initial Config -> Set Nameservers <<<

 Currently configured nameserver(s):


 Enter the first DNS server address: 10.10.10.10
 Enter the second DNS server address: 

 Setting nameserver 1: 10.10.10.10
 Setting nameserver 2: 

 Do you want to continue? [Yes|No]: Yes

After the initial configuration screen appears with the updated DNS configuration, enter T and then follow the prompts to set the NTP servers.

View screen

>>> NTP Configuration <<<

 Timezone will be automatically set to UTC.

 Enter the NTP server information for up to two NTP servers. Each entry consist
 of a server name or IP address.
 Optionally each server may indicate authentication information using
 colons as a separator: >server<:>key-id<:>SHA1|MD5<:key


 1.2.3.4
 pool.ntp.org
 ntp.secret.corp:999:SHA1:0123456789abcdef0123456789abcdef01234567


 Please provide the NTP server address: pool.ntp.org
 Please provide the second NTP server address (enter blank value for none):

 The following settings will be used:

     NTP Server 1: pool.ntp.org
     NTP Server 2:

 Are these settings correct? [Yes|No]: Yes

After the initial configuration screen appears with the updated NTP configuration, enter E and then use the spacebar to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept it.

The email address is stored locally only. It is not used externally for any reason.
Enter F to finish initial configuration. The appliance reboots, and when you sign in, the initial configuration menu is replaced the tanadmin menu.

Configure IP address only

In some virtual infrastructure environments, only the VM administrator has access to the VM console to set up new VMs. If necessary, the VM administrator can use the tanadmin account to set up the IP address only so the VM host is accessible through SSH.

Before you begin

You must be able to access the VM console.
Configure the password for the tanadmin user account. This is required before you can connect to the network and start initial configuration.

Configure the IP address settings

Open the VM host console for the Tanium Appliance and then sign in as the tanadmin user with the default password Tanium1.

View screen

 ------------------------------------------------------

 >>> Initial Configuration <<<

 Initial configuration workflow for a new TanOS appliance.
 All items must be complete before the appliance can be used.

 Keymap:     us
 IP Address: 
 Hostname:   initial-tanos-347587.localdomain
 FIPS 140-2: disabled

          1: Set Virtual Console Keymap
          M: Toggle FIPS 140-2 Mode
                  
          P: Set Password                   (INCOMPLETE)
             Set the password to continue configuration
          F: [DISABLED] Finish Initial Configuration
          S: Shutdown

          Z: Log out

 ------------------------------------------------------

 TanOS Version:        1.8.1 

 Please select:

Enter P, and then follow the prompts to change the password.

View screen

 ------------------------------------------------------

 >>> Initial Config -> Set Password <<<

 Preparing to change the password for tanadmin

 The password policy requires meeting these rules:
  - Minimum of 10 characters long
  - At least 1 upper case character
  - At least 1 lower case character
  - At least 1 numeric character
  - At least 1 other character
  - Must not match any of recent 4 passwords
  - Must not be based on a dictionary word
  - Must not contain part of the username

 Please enter password (will not be displayed):
Password score: 55 out of 100 (strong)
 Please enter password again:

 The password change was successful.

 Press enter to continue

Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.

Press the Enter key to return to the Initial Configuration menu.

View screen

 ------------------------------------------------------

 >>> Initial Configuration <<<

 Initial configuration workflow for a new TanOS appliance.
 All items must be complete before the appliance can be used.

 Keymap:     us
 IP Address: 
 Hostname:   initial-tanos-347587.localdomain
 FIPS 140-2: disabled

          M: Toggle FIPS 140-2 Mode
          
          P: Set Password                   (complete)
          A: Set IP Address                 (INCOMPLETE)
          N: Set FQDN (hostname)            (INCOMPLETE)
          D: Set DNS Nameservers            (INCOMPLETE)
          T: Set NTP (time)                 (INCOMPLETE)
          E: View and Accept EULA           (INCOMPLETE)

          F: [DISABLED] Finish Initial Configuration
          S: Shutdown

          Z: Log out

 ------------------------------------------------------

 TanOS Version:        1.8.1 

 Please select:

Enter A, and then follow the prompts to specify the IPv4 address with prefix, and the default IPv4 gateway. You can also configure the IPv6 address with prefix, and the IPv6 gateway. The TanOS console confirms that the settings are applied.

View screen

>>> Network Configuration <<< >

 Note: any existing IP address listed below is NOT persistent/DHCP assigned. 

 Please provide a static IP address below regardless of the current
 configuration. At the end of the initial configuration routine you will be
 logged out. If the IP address is changed then you will need to modify your
 connection settings to reach the TanOS menu.

 Available interfaces:

         #: Interface  State  Link    MAC                IP                  Location
         1: ens160     UP      UP     00:0c:29:35:f4:fa  10.10.10.60/24      virtual

 Please select: 1
 Current settings:
   Interface: ens160
   IPv4 Address: 10.10.10.60/24
   Default IPv4 Gateway: 10.10.10.2
   IPv6 Address: fe80::20c:29ff:fec3:4afa/64
   IPv6 Gateway:

 Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
 Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
 Would you like to accept default IPv6 settings? [Yes|No]: yes

 New settings:
   Interface: ens160
   IPv4 Address: 10.10.10.60/24
   Default IPv4 Gateway: 10.10.10.2
   Manual IPv6:  No
   IPv6 Address: fe80::20c:29ff:fec3:4afa/64
   IPv6 Gateway:

 Are these settings correct? [Yes|No]: yes

The IP address setting changes from incomplete to complete. You can sign out of the console and connect through SSH later to resume the initial configuration steps. See Perform full initial configuration.

Access TanOS remotely

To access your Tanium Appliances remotely, note the following requirements.

Your local management computer must be connected to a subnet that can reach the appliance IP address.
Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
You must have an SSH client such as PuTTY to sign in to the TanOS console. For PuTTY, use version 0.71 or later.
You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.

Watch the tutorial about how to configure WinSCP for the Tanium Appliance.

Configure SSH keys

TanOS has built-in and customer-created user accounts to access the appliance operating system and perform tasks.

Before you install a Tanium Appliance role, you must add SSH keys to authenticate access for the tancopy built-in user. tancopy can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

TanOS does not support self-service password reset methods. If you forget your password, you must ask a user with the tanadmin role to reset it for you. You can avoid this risk by setting up SSH key authentication.

Watch the tutorial about how to configure SSH key authentication for the Tanium Appliance.

Before you begin

You must have an SSH client to sign in to the TanOS console, and an SFTP client to copy files to and from the appliance.
You must have an SSH key generator to generate keys for the tancopy user.

Add SSH keys

You must set up an SSH key for the tancopy user. For the best results, set up SSH key authentication for TanOS user accounts.

Add SSH keys for the tancopy user

You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.

Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
- Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
- Specify a passphrase that is easy to remember.
- Save the private key to a location that you can access when you set up your SFTP client.
Copy the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
Sign in to the TanOS console as a user with the tanadmin role.
Enter C-U (User Administration > TanOS User Management).

Enter the line number for the tancopy user to go to the user administration menu for this user.

View screen

>>> User Administration -> TanOS -> tancopy <<< 

 Username:        tancopy 
 Account Enabled: Yes
 Authentication:  SSH Key Only
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured
 
 Notes:
   * This user account cannot be deleted
   * This user account cannot have a password
   * This user account cannot use multi-factor

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: [DISABLED] Change Password
          N: [DISABLED] Disable Password Access
          M: [DISABLED] Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter A (Authorized Keys).

Enter A and follow the prompts to add the contents of the public key generated in Step 1.

View screen

>>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<< 

Account: tancopy
Please paste the public key and press enter: 
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2z
MDxW5TO5tm/U8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTq
Z+KCgzbEhHLWUD44+If5RtG+U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBue
mftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2mOJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvB
oPeaCFaApQ== rsa-key-20200123
 Validating input
 Adding key to authorized keys after validation
 Finished adding authorized keys for tancopy


 Press enter to continue

To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
1. Specify tancopy for user name.
2. Click Advanced.
3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
4. Save the configuration and click Login to initiate the connection.

Add SSH keys for TanOS users

It is a best practice to also set up SSH key authentication for TanOS user accounts.

As an alternative to the following procedure, you can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.

Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
- Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
- Specify a passphrase that is easy to remember.
- Save the private key to a location that you can access when you set up your SFTP client.
Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
Sign in to the TanOS console as a user with the tanadmin role.
Enter C-U (User Administration > TanOS User Management).

Enter the line number of the user account that you want to manage.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)

 Notes:
   * This user account must always have a password
   * This user account cannot be deleted
   * This user account cannot be disabled

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Chosen)
          N: [DISABLED] Disable Password Access
          M: Multi-Factor Authentication

          E: [DISABLED] Enable Account
          D: [DISABLED] Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

Enter A (Authorized Keys).

Enter A and follow the prompts to paste the public key generated in Step 1.

View screen

>>> User Administration -> TanOS -> tanadmin -> Authorized Keys -> Add <<< 

 Account: tanadmin 
 Please paste the public key and press enter: 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqXUnoyrg4opYQp4DGZoasYy8ud5oJEar9BqRr2RVHMm/Sxcl4T1sthsN
WS0ECo0j32mCSM3ynYZn2AdJTU6HbKnFM30gtQL7+tpmGrgbkaVEJ9OXoA47JP0o5hbI16UUpuEKJrEBOYovIsrN2gtwKbz
YdOVCxVq5amzqg7/UrQyUO3rmt54qStiqNIiHI3UjzPWYJwUxz90vU7LWsXYz1CAWBTXnh51kg0lBPFgbRmUZJb0DwLb4Sw
lFZAe5P0RO4RwdmZVgTfsqy+MVuyzaBzGD1z4MlIZ83R6sW+nXtipbzqhFTLykLRLIXobuHjuf0Yy1H7/ZDJh/qlojce4TC
g/+5e2h1RQ8ZKgECZDJoCdrkAM6y9arHCoZwqEP9MXugQXCO6EMrP39vXajnV3YrDKKLYP1pxWZGOA4ylNqY5mG1+AofVdG
vAUBztjXfXgC3bgL0Qgp+d3E8JvLRHXfkmRijppvj+BCJUawXJfkMtBEgrxQP9PoDwHrqJj6ey80v8P7DgojQw83JumsG3S
+7l0e0Ia02q/05s2EpOv9jE9aJiLRGKbb4WkjvUSpK1VmDK54qfeSKj6yp3IIt13GBKmkVqKbbZS6gaZ3UTpzq3dj+53YeP
eOe8XMECuxl6aH4nLT4u3CqrCqxTfTa5y1Fi3/e9zI5/AKJlTXWF3ISCQ== [email protected]
 Validating input
 Adding key to authorized keys after validation
 Finished adding authorized keys for tanadmin


 Press enter to continue

To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
1. Specify the Tanium Server IP address, port 22, and SSH connection type.
2. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
3. Open the SSH session and enter the tanadmin user name.
4. You are prompted for the SSH key passphrase instead of the tanadmin password. View screen
```
login as: tanadmin

######################## WARNING ########################

       Unauthorized access is strictly prohibited.

#########################################################

Authenticating with public key "rsa-key-20200119"
Passphrase for key "rsa-key-20200119":
```

Export the grub key

The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you need to provide the key.

Sign in to the TanOS console as a user with the tanadmin role.
Enter A-X (Appliance Configuration > Advanced Configuration).

Enter 6 and follow the prompts to export the grub key to the /outgoing folder.

View screen

>>> Appliance Configuration -> Advanced Menu -> Export Security Key <<< 

Once the security key has been placed in the outgoing directory it
will remain until the nightly cleanup job is run. After this time it
will be deleted and must be exported again.
Please be sure to download it and save in a secure location.

Would you like to export the security key? [Yes|No]: yes

The security key has been placed in the sftp outgoing directory.
This location will be cleaned daily at 02:00am appliance time!

Press enter to continue

Use SFTP to copy the file from the /outgoing directory to your local computer.

Add TanOS system users

Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles.

Create more than one privileged user with the tanadmin role in case you forget the password for the built-in tanadmin user.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C-U (User Administration > TanOS User Management).

Enter A and follow the prompts to add a system user.

View screen

>>> User Administration -> System Users -> Add System User <<< 

 Adding a system user requires first name, last name, user name and user role.

 Attention: 
 TanUser Role:  Monitor/Check the status of the appliance, no changes are allowed
 TanAdmin Role: Full administrative role to manage the appliance

 A temporary password will be generated and the new user is required to change 
 their password upon first login! 

 The password policy requires meeting these rules:
 - Minimum of 10 characters long
 - At least 1 upper case character
 - At least 1 lower case character
 - At least 1 numeric character
 - At least 1 other character
 - Must not match any of recent 4 passwords
 - Must not be based on a dictionary word
 - Must not contain part of the username

 Please enter first name: John
 Please enter last name: Doe
 Please enter desired user name (max 30 chars): john.doe
 Which role should be assigned to john.doe?

 1: TanUser (Monitoring)
 2: TanAdmin (Administrative)

 Please select: 2

 The temporary password for john.doe is: proudbrownwildfowl

 Adding local user john doe ...
 Successfully added user john doe (username: john.doe) with role tanadmin.

 Press enter to continue

What to do next

To save time, complete advanced network configuration before you install Tanium Core Platform servers. See Configuring Appliance connections.
When these steps are completed, you can continue with the installation of an Appliance Array.