Completing the initial setup (Tanium Virtual Appliance)

Contact Tanium Support to obtain a virtual appliance image file and virtual appliance license from Tanium Support.

Requirements

License

Contact Tanium Support to obtain a valid license. Tanium Support must know the fully qualified domain name (FQDN) for each Tanium Server Appliance in your deployment to generate your license file.

Hypervisor VMware ESXi, Microsoft Hyper-V, or KVM. For specifications, see Reference: Tanium Appliance specifications.
Network Be ready to specify the static IP address in CIDR format (such as 192.168.2.0/24), default gateway IP address, host name, domain name, primary DNS server, and an NTP server. (Optionally, you can also specify a secondary DNS server and secondary NTP server.)

Deploy the virtual image to the hypervisor

Notes:
  • The following steps demonstrate a deployment of the virtual image through VMware ESXi. Perform the related steps for your hypervisor.
  • Virtual images must be deployed individually to ensure the serial numbers are unique; do not clone virtual images.
  • Hyper-V requires the following options when you set up the VM:

    • Create the VM as a Generation 2 VM.
    • Select the Enable Secure Boot option and the Microsoft UEFI Certificate Authority template.
  1. Add the virtual image to vSphere or vCenter Server:
    • In vSphere, right-click the resource pool and select Deploy OVF Template
    • In vCenter Server, right-click Virtual Machines and select Create/Register VM.
  2. Select the virtual image file and enter a unique name for the virtual machine.
  3. (Optional) Some environments might require changes to network adapter settings or other changes to the virtual image template settings. You might need to increase the settings from the default Virtual appliance specifications. If necessary, make the changes before starting the virtual machine.
  4. Start the virtual machine.
  5. The boot prompt has an option to load the active or inactive partition. Load the active partition (selected by default).

(Optional) Change keyboard mapping for virtual console

If you want to change the keyboard mapping from the default (us) to a different layout, you can change this setting before you create a new password for the tanadmin user account and start initial configuration.

  1. Open the VM host console for the Tanium appliance and then sign in as the tanadmin user with the default password Tanium1. ClosedView screen
  2. Enter 1 to go to the Set Keymap menu. ClosedView screen
  3. Enter 2 to go to a list of available keyboard mappings. Use the spacebar key to page through the list, and then enter the name of the desired mapping. ClosedView screen

Configuration options

  • Perform full initial configuration if you want to complete all of the initial configuration steps at once from the console.

  • Configure IP address only if you want to complete the network configuration from the console and then later resume initial configuration elsewhere (for example, in a different location through an SSH connection).

Perform full initial configuration

You can perform initial configuration in the order that you prefer. As you finish configuring settings, their status in the checklist changes from incomplete to complete.

Before you begin

Configure the password for the tanadmin user account. This is required before you can connect to the network and start initial configuration.

Complete the initial configuration

  1. Open the VM host console for the Tanium appliance and then sign in as the tanadmin user with the default password Tanium1. ClosedView screen

    If the IP address was already configured, sign in with the password that was set in the data center, and then proceed with the rest of the initial configuration steps.

  2. Enter P, and then follow the prompts to change the password. ClosedView screen

    Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.

  3. Press the Enter key to return to the Initial Configuration menu. ClosedView screen
  4. If necessary, enter A, and then follow the prompts to set the static IP address, IPv6 settings, and gateway. ClosedView screen
  5. After the initial configuration screen appears with the updated IP address configuration, enter N and then follow the prompts to configure the fully qualified domain name (FQDN). ClosedView screen
  6. After the initial configuration screen appears with the updated FQDN configuration, enter D and then follow the prompts to set the DNS name servers. ClosedView screen

  7. After the initial configuration screen appears with the updated DNS configuration, enter T and then follow the prompts to set the NTP servers. ClosedView screen
  8. After the initial configuration screen appears with the updated NTP configuration, enter E and then use the spacebar to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept it.

    The email address is stored locally only. It is not used externally for any reason.

  9. Enter F to finish initial configuration. The appliance reboots, and when you sign in, the initial configuration menu is replaced the tanadmin menu.

Configure IP address only

In some virtual infrastructure environments, only the VM administrator has access to the VM console to set up new VMs. If necessary, the VM administrator can use the tanadmin account to set up the IP address only so the VM host is accessible through SSH.

Before you begin

  • You must be able to access the VM console.
  • Configure the password for the tanadmin user account. This is required before you can connect to the network and start initial configuration.

Configure the IP address settings

  1. Open the VM host console for the Tanium appliance and then sign in as the tanadmin user with the default password Tanium1. ClosedView screen
  2. Enter P, and then follow the prompts to change the password. ClosedView screen

    Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.

  3. Press the Enter key to return to the Initial Configuration menu. ClosedView screen
  4. Enter A, and then follow the prompts to specify the IPv4 address with prefix, and the default IPv4 gateway. You can also configure the IPv6 address with prefix, and the IPv6 gateway. The TanOS console confirms that the settings are applied. ClosedView screen

    The IP address setting changes from incomplete to complete. You can sign out of the console and connect through SSH later to resume the initial configuration steps. See Perform full initial configuration.

Access TanOS remotely

To access your Tanium Appliances remotely, note the following requirements.

  • Your local management computer must be connected to a subnet that can reach the appliance IP address.
  • Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
  • You must have an SSH client such as PuTTY to sign in to the TanOS console. For PuTTY, use version 0.71 or later.
  • You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
  • You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.

Watch the tutorial about how to configure WinSCP for the Tanium Appliance.

Configure SSH keys

TanOS has built-in and customer-created user accounts to access the appliance operating system and perform tasks.

Before you install a Tanium Appliance role, you must add SSH keys to authenticate access for the tancopy built-in user. tancopy can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

TanOS does not support self-service password reset methods. If you forget your password, you must ask a user with the tanadmin role to reset it for you. You can avoid this risk by setting up SSH key authentication.

Watch the tutorial about how to configure SSH key authentication for the Tanium Appliance.

Before you begin

  • You must have an SSH client to sign in to the TanOS console, and an SFTP client to copy files to and from the appliance.
  • You must have an SSH key generator to generate keys for the tancopy user.

Add SSH keys

You must set up an SSH key for the tancopy user. For the best results, set up SSH key authentication for TanOS user accounts.

Add SSH keys for the tancopy user

You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.

  1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
    • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
    • Specify a passphrase that is easy to remember.
    • Save the private key to a location that you can access when you set up your SFTP client.
  2. Copy the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

    In an SSH key exchange, the keys must match exactly, including line endings.

  3. Sign in to the TanOS console as a user with the tanadmin role.
  4. Enter C to go to the User Administration menu.
  5. Enter U to manage TanOS users.
  6. Enter the line number for the tancopy user to go to the user administration menu for this user. ClosedView screen
  7. Enter A to go to the Authorized Keys menu. ClosedView screen
  8. Enter A and follow the prompts to add the contents of the public key generated in Step 1. ClosedView screen
  9. To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
    1. Specify tancopy for user name.
    2. Click Advanced.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
    4. Save the configuration and click Login to initiate the connection.
    5. You should be able to connect to the appliance and see the /incoming and /outgoing directories.

 

Add SSH keys for TanOS users

It is a best practice to also set up SSH key authentication for TanOS user accounts.

As an alternative to the following procedure, you can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.

  1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
    • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
    • Specify a passphrase that is easy to remember.
    • Save the private key to a location that you can access when you set up your SFTP client.
  2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

    In an SSH key exchange, the keys must match exactly, including line endings.

  3. Sign in to the TanOS console as a user with the tanadmin role.
  4. Enter C to go to the User Administration menu. ClosedView screen
  5. Enter U to manage TanOS users.
  6. Enter the line number of the user account that you want to manage. ClosedView screen
  7. Enter A to go to the Authorized Keys menu. ClosedView screen
  8. Enter A and follow the prompts to paste the public key generated in Step 1. ClosedView screen
  9. To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
    1. Specify the Tanium Server IP address, port 22, and SSH connection type.
    2. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
    3. Open the SSH session and enter the tanadmin user name.
    4. You are prompted for the SSH key passphrase instead of the tanadmin password. ClosedView screen

Export the grub key

The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you need to provide the key.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu. ClosedView screen
  3. Enter X to go to the Advanced Configuration menu. ClosedView screen
  4. Enter 6 and follow the prompts to export the grub key to the /outgoing folder. ClosedView screen
  5. Use SFTP to copy the file from the /outgoing directory to your local computer.

Add TanOS system users

Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles. It is useful to have more than one privileged user in case you forget the password for the initial tanadmin user.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu. ClosedView screen
  3. Enter U to manage TanOS users. ClosedView screen
  4. Enter A and follow the prompts to add a system user. ClosedView screen

What to do next

  • To save time, complete advanced network configuration before you install Tanium servers. See Reference: Appliance configuration.
  • When these steps are completed, you can continue with the installation of an Appliance Array.