Using Tanium Client-related Tanium content

The Tanium Core Platform includes Tanium content that facilitates Tanium Client administration.

Initial Content

The Tanium Server imports the Initial Content packs when you initially log into the Tanium Console. The packs contain a key set of saved questions, packages, and sensors that you use to get data from endpoints and take actions, including the saved questions and scheduled actions related to the deployment of the Tanium Client itself. To familiarize yourself with the Tanium Client-related Initial Content:

  1. Go to Actions > Scheduled Actions and review the actions that are scheduled to run against the action group named Default.
  2. Go to Content > Sensors and search for client-related sensors.
  3. Go to Content > Packages and search for client-related packages.
  4. Go to Content > Saved Questions and search for client-related questions.

Client Upgrade

The Client Upgrade content pack facilitates upgrading the Tanium Client on Windows endpoints. It is available in all deployments and is categorized as core content on the Tanium Solutions page. To import the the ClientUpgradeNonWindows content pack for upgrading the Tanium Client on non-Windows endpoints, consult your Technical Account Manager (TAM).

Table 1:   Client Upgrade content pack for Windows endpoints
Content Object name Description
Saved questions Windows Clients Older Than <version> For Targeting A targeting question designed to return Tanium Clients on Windows that have not been upgraded to the latest version.
Packages Update Tanium Client <version> Files: SetupClient.exe, set-service-permissions-back-to-default.vbs

Command: cmd /c start /B "" cmd /c "cscript.exe set-service-permissions-back-to-default.vbs & net stop "Tanium Client" & net stop "TaniumClient" & taskkill /f /im taniumclient.exe & SetupClient.exe /S & net start "Tanium Client" & net start "TaniumClient""

Timeout: 900

Sensors Client Brand Use to fine-tune a targeting question.
Scheduled actions Update Any Tanium Client to <version> By default, runs every hour and is distributed over 15 minutes.

To upgrade Windows clients, see Upgrading Tanium Clients.

Client Service Hardening

The Client Service Hardening content pack includes saved questions, packages, and scheduled actions that you can use to restrict how the Tanium Client can be accessed from the local Windows system.

The Tanium Client installs as a normal application on Windows. While the protocols used to communicate with the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, it is still imperative that the Tanium Client itself be protected from an attacker or just a tinkering end user.

Table 2:   Client Service Hardening content pack
Content Object name Description
Categories Client Service Hardening Contains dashboards related to this content.
Dashboards Control Service State Permissions Controlling which accounts have permissions to start and stop services is often the first, and most effective, way you can protect the integrity of your Tanium Client deployment.

Many organizations have given some or all of their end users permissions to be a local administrator. For this reason, Tanium typically recommends you restrict service control to the local SYSTEM account instead.

Set Client Directory Permissions Default permissions allow several user types to view or modify files in the Tanium Client directory. While this does not mean that an attacker could cause the agent to run sensors or packages that were not issued by the Tanium Server, because these actions are digitally signed, it could lead to performance issues or extra bandwidth consumption while the information is re-synchronized. Setting the file system permissions to SYSTEM is recommended.
Hide From Add-Remove Programs Controlling whether or not the Tanium Client is viewable in the Add/Remove Programs or simply Programs menu does not directly affect the security of the agent by itself. A user with permissions to uninstall an application would also be able to launch the uninstall manually. This is a useful layer that will help reduce accidental uninstallations and preempt the more inquisitive end users from trying to tamper with the agent. Hiding the client from Add/Remove Programs is considered a best practice and should be used alongside of regular audits of unmanaged assets to look for systems with missing or non-functioning agents.
Saved questions Tanium Client Service Control Permissions Get Tanium Client Service Control Status containing "Service Control" from all machines with Tanium Client Service Control Status containing "Service Control"
Tanium Client Directory Permissions Get Tanium Client Directory Permissions from all machines
Tanium Client Visible in Add-Remove Programs Get Tanium Client Uninstall Hidden containing "No" from all machines with Tanium Client Uninstall Hidden containing "No"
Tanium Client Hidden From Add-Remove Programs Get Tanium Client Uninstall Hidden containing "Yes" from all machines with Tanium Client Uninstall Hidden containing "Yes"
Scheduled actions Control Service State Permissions Grant permission to start/stop Tanium Client service to only the local administrator or local system account.
Hide From Add-Remove Programs Hide the Tanium Client from the Windows Add-Remove Programs list.
Packages Client Service Hardening - Allow Only Local Admins to Control Service Files: allow-only-admins-to-control-service.vbs

Command: cmd /c cscript.exe allow-only-admins-to-control-service.vbs

Timeout: 900

Client Service Hardening - Allow Only Local SYSTEM to Control Service Files: allow-only-local-system-to-control-services.vbs

Command: cmd /c cscript.exe allow-only-local-system-to-control-services.vbs

Timeout: 600

Client Service Hardening - Reset permissions on Tanium Client directory Files: reset_directory_permissions.vbs

Command: cmd /c cscript //T:60 reset_directory_permissions.vbs

Timeout: 600

Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory Files: modify_directory_permissions.vbs

Command: cmd /c cscript //T:60 modify_directory_permissions.vbs

Timeout: 600

Client Service Hardening - Set Service Permissions to Defaults Files: set-service-permissions-back-to-default.vbs

Command: cmd /c cscript.exe set-service-permissions-back-to-default.vbs

Timeout: 600

Client Service Hardening - Hide Client from Add-Remove Programs File: hide-client-from-add-remove.vbs

Command: cmd /c cscript.exe hide-client-from-add-remove.vbs

Timeout: 600

Client Service Hardening - Show Client in Add-Remove Programs Files: show-client-in-add-remove-programs.vbs

Command: cmd /c cscript.exe show-client-in-add-remove-programs.vbs

Timeout: 600

Sensors Tanium Client Directory Permissions Returns the current status of the Tanium Client directories permissions and if they have been set as restricted to SYSTEM.

Example: Restricted - SYSTEM

Tanium Client Service Control Status Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service.

Example: Service Control Restricted to Administrators

Tanium Client Uninstall Hidden Returns whether the Tanium Client is hidden from the Add-Remove programs list.

Example: Yes

The following workflow shows how to use the Client Service Hardening content pack to hide the Tanium Client from the Windows Add-Remove Programs list:

  1. Go to Tanium Solutions, scroll to the Tanium Content table, select the Client Service Hardening solution, and click Import Solution.
  2. Review the list of content objects and click Import.
  3. Go to Interact > Categories and browse to Client Service Hardening.
  4. Click a question to drill into the saved question page for it.
  5. Select the appropriate results row and click Deploy Action to display the configuration page.
  6. Verify the package and action details and then scroll down to preview the action.
  7. Click Deploy Action to initiate the action.
  8. The page reloads to display the Action Summary.

  9. Review the status to confirm expected results.