Using Tanium Client-related Tanium content
The Tanium Core Platform includes Tanium content that facilitates Tanium Client administration.
Initial Content
The Tanium Server imports the Initial Content pack when you initially log into the Tanium Console. The pack contains a key set of saved questions, packages, and sensors that you use to get data from endpoints and take actions, including the saved questions and scheduled actions related to the deployment of the Tanium Client itself. To familiarize yourself with the Tanium Client-related Initial Content:
- Go to Actions > Scheduled Actions and review the actions that are scheduled to run against the action group named Default.
- Go to Content > Sensors and search for client-related sensors.
- Go to Content > Packages and search for client-related packages.
- Go to Content > Saved Questions and search for client-related questions.
Client Maintenance
The Client Maintenance content pack facilitates the cleanup of stale Tanium data on Tanium Client host computers. The Tanium Server imports the pack when you initially log into the Tanium Console. The purpose of the questions, packages, and scheduled actions in the pack is to keep the Tanium footprint light on client host computers. The Client Maintenance scheduled action is set to run every four hours.
| Content | Object name | Description |
|---|---|---|
| Saved questions | Clean Stale Tanium Client Data Scheduled Action | Returns the set of machines that have stale Tanium Client data. |
| Tanium Client Action Folder Sizes | Returns the combined size of all Action_XXXX subdirectories in the Tanium Client\Downloads directory. | |
| Packages | Clean Stale Tanium Client Data | File: clean-stale-tanium-client-data.vbs
Command: cmd /c cscript //T:1200 clean-stale-tanium-client-data.vbs /StaleDownloadsRestart:True /MaxClientRAMInMB:200 Timeout: 1200 |
| Clean Tanium Client Action Folders | File: clean-action-dirs.vbs
Command: cmd /c cscript.exe clean-action-dirs.vbs /FolderAgeThresholdInMinutes:120 Timeout: 900 |
|
| Sensors | Has Stale Tanium Client Data | Evaluates whether a machine has stale Tanium Client data. Data includes long running processes, old action status and log files, action folders, and sensor output.
Example answer: Yes |
| Tanium Client Action Folder Sizes | Returns the combined size of all Action_XXXX subdirectories in the Tanium Client\Downloads directory.
Example answer: 351 MB |
|
| Scheduled actions | Tanium - Clean Stale Tanium Client Data | Removes stale data from Tanium Client directory. Safely kills any stale sensor or action processes. Action processes are only terminated when they are run from the Downloads directory.
By default, runs every four hours and is not distributed over time. |
Using the default settings is a best practice, but the configuration is editable for testing and troubleshooting. If you need to edit the Client Maintenance scheduled action:
- Go to Actions > Scheduled Actions, select the Tanium - Clean Stale Tanium Client Data action, and click Edit.
- Review the package and action details. You can make changes to the Schedule Deployment settings and Action Group assignment.
Client Upgrade
The Client Upgrade content pack facilitates upgrading the Tanium Client on Windows endpoints. It is available in all deployments and is categorized as core content on the Tanium Solutions page. To import the the ClientUpgradeNonWindows content pack for upgrading the Tanium Client on non-Windows endpoints, consult your Technical Account Manager (TAM).
| Content | Object name | Description |
|---|---|---|
| Saved questions | Windows Clients Older Than <version> For Targeting | A targeting question designed to return Tanium Clients on Windows that have not been upgraded to the latest version. |
| Packages | Update Tanium Client <version> | Files:
SetupClient.exe,
set-service-permissions-back-to-default.vbs Command: cmd /c start /B "" cmd /c "cscript.exe set-service-permissions-back-to-default.vbs & net stop "Tanium Client" & net stop "TaniumClient" & taskkill /f /im taniumclient.exe & SetupClient.exe /S & net start "Tanium Client" & net start "TaniumClient"" Timeout: 900 |
| Sensors | Client Brand | Use to fine-tune a targeting question. |
| Scheduled actions | Update Any Tanium Client to <version> | By default, runs every hour and is distributed over 15 minutes. |
To upgrade Windows clients, see Upgrading Tanium Clients.
Client Service Hardening
The Client Service Hardening content pack includes saved questions, packages, and scheduled actions that you can use to restrict how the Tanium Client can be accessed from the local Windows system.
The Tanium Client installs as a normal application on Windows. While the protocols used to communicate with the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, it is still imperative that the Tanium Client itself be protected from an attacker or just a tinkering end user.
| Content | Object name | Description |
|---|---|---|
| Categories | Client Service Hardening | Contains dashboards related to this content. |
| Dashboards | Control Service State Permissions |
Controlling which accounts have permissions to start and stop services is often the first, and most effective, way you can protect the integrity of your Tanium Client deployment.
Many organizations have given some or all of their end users permissions to be a local administrator. For this reason, Tanium typically recommends you restrict service control to the local SYSTEM account instead. |
| Set Client Directory Permissions | Default permissions allow several user types to view or modify files in the Tanium Client directory. While this does not mean that an attacker could cause the agent to run sensors or packages that were not issued by the Tanium Server, because these actions are digitally signed, it could lead to performance issues or extra bandwidth consumption while the information is re-synchronized. Setting the file system permissions to SYSTEM is recommended. | |
| Hide From Add-Remove Programs | Controlling whether or not the Tanium Client is viewable in the Add/Remove Programs or simply Programs menu does not directly affect the security of the agent by itself. A user with permissions to uninstall an application would also be able to launch the uninstall manually. This is a useful layer that will help reduce accidental uninstallations and preempt the more inquisitive end users from trying to tamper with the agent. Hiding the client from Add/Remove Programs is considered a best practice and should be used alongside of regular audits of unmanaged assets to look for systems with missing or non-functioning agents. | |
| Saved questions | Tanium Client Service Control Permissions | Get Tanium Client Service Control Status containing "Service Control" from all machines with Tanium Client Service Control Status containing "Service Control" |
| Tanium Client Directory Permissions | Get Tanium Client Directory Permissions from all machines | |
| Tanium Client Visible in Add-Remove Programs | Get Tanium Client Uninstall Hidden containing "No" from all machines with Tanium Client Uninstall Hidden containing "No" | |
| Tanium Client Hidden From Add-Remove Programs | Get Tanium Client Uninstall Hidden containing "Yes" from all machines with Tanium Client Uninstall Hidden containing "Yes" | |
| Scheduled actions | Control Service State Permissions | Grant permission to start/stop Tanium Client service to only the local administrator or local system account. |
| Hide From Add-Remove Programs | Hide the Tanium Client from the Windows Add-Remove Programs list. | |
| Packages | Client Service Hardening - Allow Only Local Admins to Control Service | Files:
allow-only-admins-to-control-service.vbs Command: cmd /c cscript.exe allow-only-admins-to-control-service.vbs Timeout: 900 |
| Client Service Hardening - Allow Only Local SYSTEM to Control Service | Files:
allow-only-local-system-to-control-services.vbs Command: cmd /c cscript.exe allow-only-local-system-to-control-services.vbs Timeout: 600 |
|
| Client Service Hardening - Reset permissions on Tanium Client directory | Files:
reset_directory_permissions.vbs Command: cmd /c cscript //T:60 reset_directory_permissions.vbs Timeout: 600 |
|
| Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory | Files:
modify_directory_permissions.vbs Command: cmd /c cscript //T:60 modify_directory_permissions.vbs Timeout: 600 |
|
| Client Service Hardening - Set Service Permissions to Defaults | Files:
set-service-permissions-back-to-default.vbs Command: cmd /c cscript.exe set-service-permissions-back-to-default.vbs Timeout: 600 |
|
| Client Service Hardening - Hide Client from Add-Remove Programs | File: hide-client-from-add-remove.vbs Command: cmd /c cscript.exe hide-client-from-add-remove.vbs Timeout: 600 |
|
| Client Service Hardening - Show Client in Add-Remove Programs | Files:
show-client-in-add-remove-programs.vbs Command: cmd /c cscript.exe show-client-in-add-remove-programs.vbs Timeout: 600 |
|
| Sensors | Tanium Client Directory Permissions |
Returns the current status of the Tanium Client directories permissions and if they have been set as restricted to SYSTEM.
Example: Restricted - SYSTEM |
| Tanium Client Service Control Status |
Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service.
Example: Service Control Restricted to Administrators |
|
| Tanium Client Uninstall Hidden |
Returns whether the Tanium Client is hidden from the Add-Remove programs list.
Example: Yes |
The following workflow shows how to use the Client Service Hardening content pack to hide the Tanium Client from the Windows Add-Remove Programs list:
- Go to Tanium Solutions, scroll to the Tanium Content table, select the Client Service Hardening solution, and click Import Solution.
- Review the list of content objects and click Import.
- Go to Interact > Categories and browse to Client Service Hardening.
- Click a question to drill into the saved question page for it.
- Select the appropriate results row and click Deploy Action to display the configuration page.
- Verify the package and action details and then scroll down to preview the action.
- Click Deploy Action to initiate the action.
- Review the status to confirm expected results.
The page reloads to display the Action Summary.
Last updated: 8/20/2019 1:41 PM | Feedback