Managing Tanium Clients

Use built-in saved questions, sensors, and packages

The Tanium Server imports the Tanium™ Default Content pack when you initially sign in to the Tanium Console. This content pack contains a key set of saved questions, sensors, and packages that you can use to collect information from endpoints and take actions. The content pack also includes saved questions and scheduled actions that relate to the deployment of the Tanium Client. To access Tanium Client-related content, access the following Tanium Console pages from the Main menu:

• Go to Administration > Actions > Scheduled Actions, select Default for the Action Group, and review the actions that are scheduled to run.
• Go to Administration > Content > Sensors and search for client-related sensors.
• Go to Administration > Content > Packages and search for client-related packages.
• Go to Administration > Content > Saved Questions and search for client-related questions.
  
  
  

Monitor the client health overview in Client Management

Review a summary of health information about deployed Tanium Clients in Client Management.

1. From the Main menu, go to Administration > Shared Services > Client Management.

2. From the Client Management menu, go to Client Health.

3. Click the tab that contains the information that you want to view.

   • Click the Deployment tab to view a summary of client deployment information, such as client versions, health check failures, operating systems, installed client extensions, and Python runtime versions.

   • Click the Settings tab to view a summary of client settings, such as log verbosity level, server name, server port, and various component information. This overview can help identify settings that have been changed from defaults.

4. (Optional) Select a Computer Group to filter the summary information.

5. (Optional) To further investigate a data set using the associated question results, click View question results in Interact . For more information about working with question results, see Tanium Interact User Guide: Managing question results.

Access detailed client health and troubleshooting information on an endpoint

You can directly connect to a Windows, Linux, or macOS endpoint from Client Management to view detailed client health information and to access and collect information that can be useful for troubleshooting.

For additional information about troubleshooting the Tanium Client, see Troubleshooting Tanium Clients and Client Management.

1. From the Main menu, go to Administration > Shared Services > Client Management.
2. From the Client Management menu, go to Client Health.

3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

   Matching results are displayed after the search completes.

4. From the search results, click the computer name to connect to the endpoint. 

5. Click a tab to view the detailed client health information for the endpoint.

   • Status: View status information about the connected endpoint, such as the computer ID, the first and last client installation time stamps, the installed client version, client and peer address information, and client extension information, including any health check failures.

   • Configuration: View information about client settings for the connected endpoint, such as log verbosity level, server name, server port, and various settings for client extensions.

   • Logs: View and download logs from the connected client. Select a log to view or download. For more information about reviewing logs for troubleshooting, see Review the Tanium Client installation log to troubleshoot installation on Windows and Review Tanium Client logs to troubleshoot connections and other client issues.

   • Actions: View and download action logs from the connected client. Select a previously run action for which you want to view or download the log. For more information about reviewing action logs for troubleshooting, see Review action logs and associated files to troubleshoot actions and packages.

   • Gather: Collect a bundle of logs and other artifacts from a connected endpoint to help resolve issues.

     1. To filter the available logs and artifacts, click a button in the Domain section. Click Gather from Endpoint.

        The selected logs and artifacts are gathered from the endpoint. The package appears in the Must Gathers section, named with its time stamp.

     2. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information.

6. When you finish reviewing client health information for the endpoint, click Disconnect to disconnect from the endpoint and return to the client health summary.

If the connection to the endpoint times out, click Reconnect to reestablish the connection.

The Tanium Client is installed as a service with a Startup Type set to Automatic on Windows endpoints. The default installation directory is C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows.

Manage the Tanium Client service on Windows

Use the Windows Services application to stop, start, or restart the Tanium Client service on Windows endpoints:

1. Click Start > Run. Type services.msc and click OK.

2. Select the Tanium Client service and then select an action in the Action > All Tasks menu.

(Optional) Harden the Tanium Client on Windows

The protocols that the client uses to communicate with Tanium Cloud the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, and digital signing prevents an attacker from causing the client to run sensors or packages that Tanium Cloudthe Tanium Server did not issue. However, the Tanium Client is a traditional Win32 application on Windows. By default, it appears in the Add/Remove Programs list, and users with local administrator rights can manage the service and access the Tanium Client installation directory. You can take additional measures to protect the Tanium Client itself from casual tampering by end users with local administrator rights.

Optional client hardening features are provided by the Client Service Hardening content pack and the StateProtectedFlag client setting. Use the saved question dashboards in the Client Service Hardening content pack to review restrictions on user access to the Tanium Client on Windows endpoints. Deploy actions with the packages that are associated with the saved questions to adjust those restrictions. For more information about deploying packages, see Tanium Console User Guide: Deploying actions.

Contact Tanium Support to import the Client Service Hardening content pack into Tanium Cloud.

Perform regular audits of unmanaged assets to look for systems with missing or non-functioning clients, regardless of whether you have hardened the Tanium Client on Windows. Regularly auditing and remediating disconnected clients reduces the need to take extra steps to harden the Tanium Client. For more information, see For information about regular maintenance to keep Tanium Clients connected and in good health, see Maintaining Tanium Clients.

Access the Client Service Hardening dashboards

The Client Service Hardening dashboards in Interact provide easy access to review and manage access restrictions for the Tanium Client.

1. From the Main menu, go to Modules > Interact.
2. In the Categories section, select Client Service Hardening.

Limit permission to start and stop Tanium Client services to the SYSTEM account

1. In the Dashboards section in Interact, click Control Service State Permissions to issue the dashboard question.

2. Select the Service Control is set to default permissions row and click Deploy Action.

3. For Deployment Package, select Client Service Hardening - Allow Only Local SYSTEM to Control Service.

4. Click Show Preview To Continue, review the list of targeted endpoints, and then click Deploy Action.

Limit permission to view or modify files in the Tanium Client directory to the SYSTEM account

1. In the Dashboards section in Interact, click Set Client Directory Permissions to issue the dashboard question..

2. Select the Not Restricted row and click Deploy Action.

3. For Deployment Package, select Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory.

4. Click Show Preview To Continue, review the list of targeted endpoints, and then click Deploy Action.

Hide the Tanium Client from the Windows Add/Remove Programs list

Hiding the Tanium Client from the Windows Add/Remove Programs list or the Programs menu does not affect the security of the client. A user with permissions to uninstall an application can still launch the uninstallation manually. Hiding the Tanium Client from the Add/Remove Programs list helps to reduce accidental uninstallations and casual tampering by end users.

1. In the Dashboards section in Interact, click Hide From Add-Remove Programs to issue the dashboard question..

2. In the section for the Tanium Client Visible in Add-Remove Programs saved question, select the No row and click Deploy Action.

3. For Deployment Package, leave Client Service Hardening - Hide Client from Add-Remove Programs selected.

4. Click Show Preview To Continue, review the list of targeted endpoints, and then click Deploy Action.

Encrypt the client state and sensor queries stored on the client

Use the StateProtectedFlag client setting to enable encryption of the client state and sensor queries stored on the client. This encryption is not required for the security of the Tanium Client, but it might be required for compliance with certain regulations. This setting does not require the Client Service Hardening content pack.

1. In Interact, ask a question to target the Windows endpoints on which you want to enable encryption:
   Get Tanium Client Explicit Setting[StateProtectedFlag] from all machines with Is Windows contains true

2. Select the endpoints from the results and click Deploy Action.

3. For Deployment Package, select Modify Tanium Client Setting and configure the following settings:

   • For RegType, select REG_DWORD.
   • For ValueName, enter StateProtectedFlag.
   • For ValueData, enter 1.

4. Click Show Preview To Continue, review the list of targeted endpoints, and then click Deploy Action.

The Tanium Client is installed as a system service on macOS endpoints. The client files are located in the /Library/Tanium/TaniumClient directory.

Manage macOS firewall rules

The Tanium Client service is signed to automatically allow communication through the default macOS firewall. The client installation process does not modify any host-based firewall that might be in use. A network security administrator must ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the portsport that the client uses for peer Tanium Client traffic (default 17472).

For details about port and firewall requirements for the Tanium Client, see Network connectivity, ports, and firewalls.

 Table 1: Firewall commands for macOS

Tasks	Commands
View port 17472 status	sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps | awk \ '/TaniumClient/ {getline; print $0}'
Add Tanium Client to firewall	sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add \ /Library/Tanium/TaniumClient/TaniumClient
Unblock Tanium Client in firewall	sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp \ /Library/Tanium/TaniumClient/TaniumClient
Remove Tanium Client from firewall	sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove \ /Library/Tanium/TaniumClient/TaniumClient
Block Tanium Client in firewall	sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp \ /Library/Tanium/TaniumClient/TaniumClient

Manage pop-ups for Tanium Client upgrades

When you upgrade the Tanium Client on endpoints that have a firewall enabled on macOS 10.14 (Mojave) or later, end users might see a pop-up prompting them to allow connections for the Tanium Client. To prevent the pop-up, either configure a firewall rule (best practice) or configure the System Preferences on the endpoints. You can perform this task for multiple endpoints by configuring a policy or profile through a User Approved Mobile Device Management (UAMDM) tool. Contact Tanium Support if you need help ensuring that an environment is ready before the Tanium Client upgrade.

For increased security, configuring a firewall rule to prevent the connections pop-up is preferable to configuring the System Preferences. However, only endpoints running macOS 10.14.4 or later support this method.

Configure an MDM policy or profile for multiple endpoints

When you configure a firewall rule or System Preferences through a policy or profile, the specific steps depend on your UAMDM. Contact Tanium Support for the procedure. The general steps are as follows:

1. Create the policy or profile.
2. Add a firewall or security setting to the policy or profile.
3. Add com.tanium.taniumclient.plist to the allowed connections.

Users cannot see that the Tanium Client is allowed in the firewall unless you provide those users access to the Tanium Client installation directory.

Configure a firewall rule on a single endpoint

You require read-only access to the /Library/Tanium/TaniumClient directory to perform this task.

1. Go to System Preferences > Security & Privacy.
2. Click Unlock , enter administrator credentials, and click Unlock.
3. Add a firewall rule: Click Firewall Options, click Add +, navigate to the /Library/Tanium/TaniumClient/ directory, select taniumclient, and click Add.
4. Click OK to apply the rule.

Configure the System Preferences on a single endpoint

All endpoints that run macOS 10.14.x or later support configuring System Preferences to prevent the connections pop-up.

1. Go to System Preferences > Security & Privacy.
2. Click Unlock , enter administrator credentials, and click Unlock.
3. Click Firewall Options, select Automatically allow downloaded signed software to receive incoming connections, and click OK.

Manage the Tanium Client service on macOS

On the macOS endpoint, open Terminal and use the listed launchctl commands to complete the following actions:

• Start the Tanium Client service:

  sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist

• Stop the Tanium Client service:

  sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

• Remove the Tanium Client from the launch list:

  sudo launchctl remove com.tanium.taniumclient

The Tanium Client is installed as a system service on Linux endpoints. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

Manage Linux firewall rules

The installation process does not modify any host-based firewall that might be in use. A network security administrator must ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the portsport that the client uses for peer Tanium Client traffic (default 17472).

For details about port and firewall requirements for the Tanium Client, see Network connectivity, ports, and firewalls.

The following subsections list example commands for managing Linux firewalls based on default distributions of Linux.

• Amazon Linux
• Debian
• CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Red Hat Linux
• OpenSUSE and SLES
• Ubuntu

Amazon Linux

By default, the iptables utility for managing the firewall is not configured on Amazon Linux AMI (2016.09, 2017.09, 2018.3) or Amazon Linux 2 LTS. To add, remove, deny, or view the status of ports that the Tanium Client uses, check your Amazon Web Services (AWS) security group instead.

Debian

By default, the iptables utility for managing the firewall is not configured on Debian 6.x, 7.x, 8.x, or 9.x. To add, remove, deny, or view the status of ports that the Tanium Client uses, check your Amazon Web Services (AWS) security group instead.

CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Red Hat Linux

Versions 5.x and 6.x

The following table lists the commands for managing firewall rules for versions 5.x and 6.x of CentOS, Oracle Linux, and Red Hat Linux.

The iptables command is for IPv4. For IPv6, use the ip6tables command. Tanium Cloud does not support IPv6.

 Table 2: Firewall commands for CentOS, Oracle Linux, Red Hat Linux 5.x and 6.x

Tasks	Commands
Check the firewall status	iptables -L -n --line-numbers | egrep -i "^Chain|REJECT *all" The firewall is enabled when a REJECT *all rule is present.
View rules for port 17472	sudo iptables -L -n | grep 17472
Add or allow port 17472	Check the firewall status. sudo iptables -L -n --line-numbers | egrep -i "^Chain|REJECT *all" For each <chain_name> with a REJECT all rule, run the following command, where <line> is the line number of the rule. sudo iptables -I <chain_name> <line> -p tcp -m state --state NEW \ --dport 17472 -j ACCEPT For example, if the chain is RH-Firewall-1-INPUT and the REJECT all rule is on line 10, run: sudo iptables -I RH-Firewall-1-INPUT 10 -p tcp -m state --state NEW \ --dport 17472 -j ACCEPT Save your changes and restart the iptables service. sudo service iptables save sudo service iptables restart
Remove or deny port 17472	List the chains. sudo iptables -L -n | egrep -i "^Chain|17472" For each <chain_name>, run: sudo iptables -D <chain_name> -p tcp -m state --state NEW --dport 17472 -j ACCEPT Save your changes and restart the iptables service. sudo service iptables save sudo service iptables restart

Version 7.x and 8.x

The following table lists the commands for managing firewall rules for versions 7.x and 8.x of CentOS, Oracle Linux, or Red Hat Linux, or version 8.x of AlmaLinux or Rocky Linux:

 Table 3: Firewall commands for CentOS, Oracle Linux, or Red Hat Linux 7.x or 8.x; AlmaLinux or Rocky Linux 8.x

Tasks	Commands
View rules for port 17472	sudo firewall-cmd --list-all-zones | grep 17472
Add or allow port 17472	List the zones. sudo firewall-cmd --list-all-zones For each relevant <zone_name> (such as default and where ssh is present), run: sudo firewall-cmd --permanent --zone=<zone_name> --add-port=17472/tcp Restart the firewall. sudo systemctl restart firewalld
Remove or deny port 17472	List the zones. sudo firewall-cmd --list-all-zones For each relevant <zone_name> where port 17472 is present, run: sudo firewall-cmd --permanent --zone=<zone_name> --remove-port=17472/tcp Restart the firewall. sudo systemctl restart firewalld

OpenSUSE and SLES

Version 15.x

The following table lists the commands for managing firewall rules for versions 15.x of OpenSUSE and SUSE Linux Enterprise Server (SLES):

 Table 4: Firewall commands for OpenSUSE and SLES 15.x

Tasks	Commands
View rules for port 17472	sudo firewall-cmd --list-all-zones | grep 17472
Add or allow port 17472	List the zones. sudo firewall-cmd --list-all-zones For each relevant <zone_name> (such as default and where ssh is present), run: sudo firewall-cmd --permanent --zone=<zone_name> --add-port=17472/tcp Restart the firewall. sudo systemctl restart firewalld
Remove or deny port 17472	List the zones. sudo firewall-cmd --list-all-zones For each relevant <zone_name> where port 17472 is present, run: sudo firewall-cmd --permanent --zone=<zone_name> --remove-port=17472/tcp Restart the firewall. sudo systemctl restart firewalld

Version 11.x and 12.X

The following table lists the commands for managing firewall rules for versions 11.x and 12.x of OpenSUSE and SUSE Linux Enterprise Server (SLES):

 Table 5: Firewall commands for OpenSUSE and SLES 11.x and 12.x

Tasks	Commands
View rules for port 17472	sudo grep "FW_SERVICES_EXT_TCP=" /etc/sysconfig/SuSEfirewall2 | egrep "[ \"]17472[ \"]"
Add or allow port 17472	Open the /etc/sysconfig/SuSEfirewall2 file for editing, add port 17472 to the line FW_SERVICES_EXT_TCP=, and save your changes. Restart the firewall. sudo SuSEfirewall2 start
Remove or deny port 17472	Open the /etc/sysconfig/SuSEfirewall2 file for editing, remove port 17472 from the line FW_SERVICES_EXT_TCP=, and save your changes. Restart the firewall. sudo SuSEfirewall2 start

Ubuntu

The following table lists the commands for managing firewall rules for Ubuntu 10.04, 14.04, 16.04, and 18.04 LTS:

 Table 6: Firewall commands for Ubuntu

Tasks	Commands
View port 17472 status	sudo ufw status | grep 17472 or sudo iptables -L -n | grep 17472
Allow port 17472	sudo ufw allow 17472/tcp
Remove port 17472	sudo ufw delete allow 17472/tcp
Deny port 17472	sudo ufw deny 17472/tcp

Manage the Tanium Client service on Linux

Linux service commands vary according to Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, review the documentation for the particular Linux operating system before you begin.

Linux distributions and versions	Typical commands
Versions that use the systemd daemon (all distributions) Amazon Linux (all supported versions) Debian (all supported versions) Oracle Linux (version 7 and later) Red Hat / CentOS (version 7 and later) AlmaLinux / Rocky Linux (all supported versions) SUSE / OpenSUSE (version 12 and later) Ubuntu (version 16 and later)	systemctl start taniumclient systemctl stop taniumclient systemctl status taniumclient
Versions that use the init daemon (Debian-based distributions) Ubuntu (version 14)	service taniumclient start service taniumclient stop service taniumclient status
Versions that use the init daemon (RPM-based distributions) Oracle Linux (versions 5, 6) Red Hat / CentOS (versions 5, 6) SUSE / OpenSUSE (versions 11.3, 11.4)	service TaniumClient start service TaniumClient stop service TaniumClient status

Move an existing installation of the Tanium Client on Linux

The Tanium Client must store data in the default installation directory. For this reason, in some environments, the size of the /opt/Tanium directory might exceed the space allowed within the /opt directory. If there is not enough space in the default directory, use a symbolic link to move the client and data to another directory.

1. Sign in to the endpoint using an account that has administrative privileges, or that is listed in the sudoers file to allow the account you are using to use sudo.

2. Stop the Tanium Client service. For more information, see Manage the Tanium Client service on Linux.

3. Move the Tanium Client to a new directory. For example, to move the Tanium Client from the default installation directory to the /appbin/Tanium directory, run the following command:

   mv /opt/Tanium /appbin

   The new directory must be located on a local fixed drive.

4. Create a symbolic link. For example, if you want to use the directory /appbin/Tanium, run the following command:

   ln -s /appbin/Tanium /opt/Tanium

5. Start the Tanium Client service. For more information, see Manage the Tanium Client service on Linux.

The Tanium Client is installed as a system service on Solaris endpoints. The Tanium Client files are installed by default in the /opt/Tanium/TaniumClient directory.

Manage the Tanium Client service on Solaris

To run svcadm commands, you must sign in to the endpoint as the root user or as a user who can use the sudo utility to run commands with root permissions.

Run the listed commands to complete the following actions:

• Start the Tanium Client service: svcadm enable taniumclient
• Stop the Tanium Client service: svcadm disable taniumclient
• Restart the Tanium Client service: svcadm restart taniumclient
• Display the status of the Tanium Client service: svcs taniumclient

Move an existing installation of the Tanium Client on Solaris

The Tanium Client must store data in the default installation directory. For this reason, in some environments, the size of the /opt/Tanium directory might exceed the space allowed within the /opt directory. If there is not enough space in the default directory, use a symbolic link to move the client and data to another directory.

1. Sign in to the endpoint using an account that has administrative privileges, or that is listed in the sudoers file to allow the account you are using to use sudo.

2. Use the following command to stop the Tanium Client service:

   svcadm disable taniumclient

3. Move the Tanium Client to a new directory. For example, to move the Tanium Client from the default installation directory to the /appbin/Tanium directory, run the following command:

   mv /opt/Tanium /appbin

   The new directory must be located on a local fixed drive.

4. Create a symbolic link, and set the PKG_NONABI_SYMLINKS environment variable to true. For example, if you want to use the directory /appbin/Tanium, run the following command:

   ln -s /appbin/Tanium /opt/Tanium
   PKG_NONABI_SYMLINKS=true
   export PKG_NONABI_SYMLINKS

5. Use the following command to start the Tanium Client service:

   svcadm enable taniumclient

The Tanium Client is installed as a system service on AIX endpoints. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

Manage the Tanium Client service on AIX

The Tanium Client on AIX uses the IBM AIX System Resource Controller (SRC) to manage the client service:

• Start the Tanium Client service: startsrc -s taniumclient
• Stop the Tanium Client service: stopsrc -s taniumclient
• Verify that the Tanium Client service is available: lssrc -s taniumclient

Move an existing installation of the Tanium Client on AIX

The Tanium Client must store data in the default installation directory. For this reason, in some environments, the size of the /opt/Tanium directory might exceed the space allowed within the /opt directory. If there is not enough space in the default directory, use a symbolic link to move the client and data to another directory.

1. Sign in to the endpoint using an account that has administrative privileges, or that is listed in the sudoers file to allow the account you are using to use sudo.

2. Use the following command to stop the Tanium Client service:

   stopsrc -s taniumclient

3. Move the Tanium Client to a new directory. For example, to move the Tanium Client from the default installation directory to the /appbin/Tanium directory, run the following command:

   mv /opt/Tanium /appbin

   The new directory must be located on a local fixed drive.

4. Create a symbolic link. For example, if you want to use the directory /appbin/Tanium, run the following command:

   ln -s /appbin/Tanium /opt/Tanium

5. Use the following command to start the Tanium Client service:

   startsrc -s taniumclient