Managing Tanium Clients

The following sections describe these activities for managing the Tanium Client:

  • Monitoring health information about deployed Tanium Clients in the Client Management service

  • Managing the Tanium Client service on each operating system

  • Managing certain operating system features related to the Tanium Client

For information about uninstalling the Tanium Client, see Uninstalling Tanium Clients.

Monitoring client health in the Client Management service

Review health information about deployed Tanium Clients in Client Management.

View a summary of client health information

  1. From the Client Management menu, go to Client Health.

  2. Click the tab that contains the information that you want to view.

    • Click the Deployment tab to view a summary of client deployment information, such as client versions, health check failures, operating systems, installed client extensions, and Python runtime versions.

    • Click the Settings tab to view a summary of client settings, such as log verbosity level, server name, server port, and various component information. This overview can help identify settings that have been changed from defaults.

  3. (Optional) Select a Computer Group to filter the summary information.

  4. (Optional) To further investigate a data set using the associated question results, click View question results in Interact. For more information about working with question results, see Tanium Interact User Guide: Managing question results.

View detailed client health information for an endpoint

You can directly connect to a Windows, Linux, or macOS endpoint to view more detailed client health information.

You can directly connect only to an endpoint that has an IPv4 address.

  1. From the Client Management menu, go to Client Health.
  2. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  3. From the search results, click the computer name to connect to the endpoint. 
  4. Click a tab to view the detailed client health information for the endpoint.

    • Status: View status information about the connected endpoint, such as the computer ID, the first and last client installation time stamps, the installed client version, client and peer address information, and client extension information, including any health check failures.

    • Configuration: View information about client settings for the connected endpoint, such as log verbosity level, server name, server port, and various settings for client extensions.

    • Logs: View and download logs from the connected client. Select a log to view or download. For more information about reviewing logs for troubleshooting, see Review the Tanium Client installation log to troubleshoot installation on Windows and Review Tanium Client logs to troubleshoot connections and other client issues.

    • Actions: View and download action logs from the connected client. Select a previously run action for which you want to view or download the log. For more information about reviewing action logs for troubleshooting, see Review action logs and associated files to troubleshoot actions and packages.

    • Gather: Collect a bundle of logs and other artifacts from a connected endpoint to help resolve issues.

      1. To filter the available logs and artifacts, click a button in the Domain section. Click Gather from Endpoint.

        The selected logs and artifacts are gathered from the endpoint. The package appears in the Must Gathers section, named with its time stamp.

      2. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information.

  5. When you finish reviewing client health information for the endpoint, click Disconnect to disconnect from the endpoint and return to the client health summary.

If the connection to the endpoint times out, click Reconnect to reestablish the connection.

Manage the Tanium Client on Windows

On Windows endpoints, the Tanium Client is installed as a service with a Startup Type set to Automatic. The default installation directory is C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows.

Manage the Tanium Client service on Windows

On Windows endpoints, you can stop, start, or restart the Tanium Client service through the Windows Services application:

  1. Click Start > Run. Type services.msc and click OK.

  2. Select the Tanium Client service and then select an action in the Action > All Tasks menu.

Figure 1: Tanium Client service

Manage the Tanium Client on macOS

This section describes how to manage the Tanium Client on macOS.

On macOS endpoints, the Tanium Client is installed as a system service. The client files are located in the /Library/Tanium/TaniumClient directory.

Manage macOS firewall rules

The Tanium Client service is signed to automatically allow communication through the default macOS firewall. The client installation process does not modify any host-based firewall that might be in use. A network security administrator must ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on the port that the client uses for Tanium traffic (default 17472).

For details about port and firewall requirements for the Tanium Client, see Network connectivity, ports, and firewalls.

Table 1: Firewall commands for OS X and macOS

View port 17472 status

    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps | awk '/TaniumClient/ {getline; print $0}'

Add Tanium Client to firewall

    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add \
    /Library/Tanium/TaniumClient/TaniumClient

Unblock Tanium Client in firewall

    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp \
    /Library/Tanium/TaniumClient/TaniumClient

Remove Tanium Client from firewall

    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove \
    /Library/Tanium/TaniumClient/TaniumClient

Block Tanium Client in firewall

    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp \
    /Library/Tanium/TaniumClient/TaniumClient

Manage pop-ups for Tanium Client upgrades

When you upgrade the Tanium Client on endpoints that have a firewall enabled on macOS 10.14 (Mojave) or later, end users might see a pop-up prompting them to allow connections for the Tanium Client. To prevent the pop-up, either configure a firewall rule (best practice) or configure the System Preferences on the endpoints. You can perform this task for multiple endpoints by configuring a policy or profile through a User Approved Mobile Device Management (UAMDM) tool. Contact Tanium Support if you need help ensuring that an environment is ready before the Tanium Client upgrade.

For increased security, configuring a firewall rule to prevent the connections pop-up is preferable to configuring the System Preferences. However, only endpoints running macOS 10.14.4 or later support this method.

Configure an MDM policy or profile for multiple endpoints

When you configure a firewall rule or System Preferences through a policy or profile, the specific steps depend on your UAMDM. Contact Tanium Support for the procedure. The general steps are as follows:

  1. Create the policy or profile.
  2. Add a firewall or security setting to the policy or profile.
  3. Add com.tanium.taniumclient.plist to the allowed connections.

Users cannot see that the Tanium Client is allowed in the firewall unless you provide those users access to the Tanium Client installation directory. To view and manage permissions for that directory, see Client Service Hardening.

Configure a firewall rule on a single endpoint

You require read-only access to the /Library/Tanium/TaniumClient directory to perform this task.

  1. Go to System Preferences > Security & Privacy.
  2. Click Unlock, enter administrator credentials, and click Unlock.
  3. Add a firewall rule: Click Firewall Options, click Add (+), navigate to the /Library/Tanium/TaniumClient/ directory, select taniumclient, and click Add.
  4. Click OK to apply the rule.

Configure the System Preferences on a single endpoint

All endpoints that run macOS 10.14.x or later support configuring System Preferences to prevent the connections pop-up.

  1. Go to System Preferences > Security & Privacy.
  2. Click Unlock, enter administrator credentials, and click Unlock.
  3. Click Firewall Options, select Automatically allow downloaded signed software to receive incoming connections, and click OK.

Manage the Tanium Client service on macOS

On the macOS endpoint, open Terminal and use the listed launchctl commands to complete the following actions:

  • Start the Tanium Client service:

    sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist

  • Stop the Tanium Client service:

    sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  • Remove the Tanium Client from the launch list:

    sudo launchctl remove com.tanium.taniumclient

Manage custom tags in the CustomTags.txt file

You can add a file that contains custom tags to the Tanium Client installation directory so that you can use the tags to identify the endpoint in Tanium workflows. For example, you could use the tag Lab to identify endpoints used in a testing lab. You could then ask a question that uses the Custom Tags sensor and specifies the Lab tag, or you could create a computer group that selects computers based on the tag.

Add tags to the CustomTags.txt file

  1. Create a file named CustomTags.txt in the /Library/Tanium/TaniumClient/Tools directory.

  2. Open the file in a text editor and add tags as strings. Enter one string per line, and do not use spaces.
  3. Save the file. A restart of the endpoint or Tanium Client service is not required.

    The following example shows a Tanium Client installation directory that includes a custom tag named Lab:

Example: Use custom tags to create a computer group

After you add custom tags, you can use them to create a computer group as follows.

  1. From the Main menu, go to Administration > Permissions > Computer Groups and click New Group.
  2. Enter a Name to identify the group.

    In the Filter Bar, use the Custom Tags sensor to define group membership, as shown in Figure 2.

    Figure 2: Using custom tags to select a computer group
  3. Save your changes.

You can use the Tanium packages named Custom Tagging - Add Tags and Custom Tagging - Add Tags (Non-Windows) to deploy tags at scale. The results are exactly the same as the manual procedure shown here. For more information, see the Tanium Support Knowledge Base article on custom tags (account required).

Manage the Tanium Client on Linux

This section describes how to manage the Tanium Client on Linux.

On Linux endpoints, the Tanium Client is installed as a system service. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

Manage Linux firewall rules

The installation process does not modify any host-based firewall that might be in use. A network security administrator must ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on the port that the client uses for Tanium traffic (default 17472).

For details about port and firewall requirements for the Tanium Client, see Network connectivity, ports, and firewalls.

The following subsections list example commands for managing Linux firewalls based on default distributions of Linux.

Amazon Linux

By default, the iptables utility for managing the firewall is not configured on Amazon Linux AMI (2016.09, 2017.09, 2018.3) or Amazon Linux 2 LTS. To add, remove, deny, or view the status of ports that the Tanium Client uses, check your Amazon Web Services (AWS) security group instead.

Debian

By default, the iptables utility for managing the firewall is not configured on Debian 6.x, 7.x, 8.x, or 9.x. To add, remove, deny, or view the status of ports that the Tanium Client uses, check your Amazon Web Services (AWS) security group instead.

CentOS, Oracle Linux, Red Hat Linux

Versions 5.x and 6.x

The following table lists the commands for managing firewall rules for versions 5.x and 6.x of CentOS, Oracle Linux, and Red Hat Linux.

The iptables command is for IPv4. For IPv6, use the ip6tables command. TaaS does not support IPv6.

Table 2: Firewall commands for CentOS, Oracle Linux, Red Hat Linux 5.x and 6.x

Check the firewall status

    iptables -L -n --line-numbers | egrep -i "^Chain|REJECT *all"

    The firewall is enabled when a REJECT *all rule is present.

View rules for port 17472

    sudo iptables -L -n | grep 17472

Add or allow port 17472

  1. Check the firewall status.

    sudo iptables -L -n --line-numbers | egrep -i "^Chain|REJECT *all"

  2. For each <chain_name> with a REJECT all rule, run the following command, where <line> is the line number of the rule.

    sudo iptables -I <chain_name> <line> -p tcp -m state --state NEW \
    --dport 17472 -j ACCEPT

    For example, if the chain is RH-Firewall-1-INPUT and the REJECT all rule is on line 10, run:

    sudo iptables -I RH-Firewall-1-INPUT 10 -p tcp -m state --state NEW \
    --dport 17472 -j ACCEPT

  3. Save your changes and restart the iptables service.

    sudo service iptables save

    sudo service iptables restart

Remove or deny port 17472

  1. List the chains.

    sudo iptables -L -n | egrep -i "^Chain|17472"

  2. For each <chain_name>, run:

    sudo iptables -D <chain_name> -p tcp -m state --state NEW --dport 17472 -j ACCEPT

  3. Save your changes and restart the iptables service.

    sudo service iptables save

    sudo service iptables restart
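
Step 2 of the "Add or allow port 17472" procedure can be scripted. The following is an added example, not Tanium code; the function names and the sample listing are constructed. It parses iptables -L -n --line-numbers output and prints, without running it, the insert command for each chain whose REJECT all rule is not already preceded by an ACCEPT rule for the port.

```shell
#!/bin/sh
# Added example: helper names and the sample listing are constructed.

# Constructed sample of `iptables -L -n --line-numbers` output.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

# Reads a listing on stdin; optional first argument is the port (default 17472).
# Prints one "iptables -I" command per chain that needs the rule. Dry run only.
plan_tanium_allow() {
    awk -v port="${1:-17472}" '
        /^Chain /        { chain = $2; next }
        $1 !~ /^[0-9]+$/ { next }    # skip column headers and blank lines
        $2 == "ACCEPT" && $3 == "tcp" && $0 ~ ("dpt:" port "([^0-9]|$)") {
            # An ACCEPT placed after the REJECT all rule is never reached.
            if (!(chain in rejected)) allowed[chain] = 1
        }
        $2 == "REJECT" && $3 == "all" && !(chain in rejected) {
            rejected[chain] = 1
            if (!(chain in allowed))
                printf "sudo iptables -I %s %s -p tcp -m state --state NEW --dport %s -j ACCEPT\n", chain, $1, port
        }
    '
}

# Usage on an endpoint: sudo iptables -L -n --line-numbers | plan_tanium_allow
```

Review the printed command before you run it, then save and restart the iptables service as in step 3.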

Versions 7.x and 8.x

The following table lists the commands for managing firewall rules for versions 7.x and 8.x of CentOS, Oracle Linux, or Red Hat Linux:

Table 3: Firewall commands for CentOS, Oracle Linux, Red Hat Linux 7.x and 8.x

View rules for port 17472

    sudo firewall-cmd --list-all-zones | grep 17472

Add or allow port 17472

  1. List the zones.

    sudo firewall-cmd --list-all-zones

  2. For each relevant <zone_name> (such as default and where ssh is present), run:

    sudo firewall-cmd --permanent --zone=<zone_name> --add-port=17472/tcp

  3. Restart the firewall.

    sudo systemctl restart firewalld

Remove or deny port 17472

  1. List the zones.

    sudo firewall-cmd --list-all-zones

  2. For each relevant <zone_name> where port 17472 is present, run:

    sudo firewall-cmd --permanent --zone=<zone_name> --remove-port=17472/tcp

  3. Restart the firewall.

    sudo systemctl restart firewalld

OpenSUSE and SLES

Version 15.x

The following table lists the commands for managing firewall rules for version 15.x of OpenSUSE and SUSE Linux Enterprise Server (SLES):

Table 4: Firewall commands for OpenSUSE and SLES 15.x

View rules for port 17472

    sudo firewall-cmd --list-all-zones | grep 17472

Add or allow port 17472

  1. List the zones.

    sudo firewall-cmd --list-all-zones

  2. For each relevant <zone_name> (such as default and where ssh is present), run:

    sudo firewall-cmd --permanent --zone=<zone_name> --add-port=17472/tcp

  3. Restart the firewall.

    sudo systemctl restart firewalld

Remove or deny port 17472

  1. List the zones.

    sudo firewall-cmd --list-all-zones

  2. For each relevant <zone_name> where port 17472 is present, run:

    sudo firewall-cmd --permanent --zone=<zone_name> --remove-port=17472/tcp

  3. Restart the firewall.

    sudo systemctl restart firewalld

Versions 11.x and 12.x

The following table lists the commands for managing firewall rules for versions 11.x and 12.x of OpenSUSE and SUSE Linux Enterprise Server (SLES):

Table 5: Firewall commands for OpenSUSE and SLES 11.x and 12.x

View rules for port 17472

    sudo grep "FW_SERVICES_EXT_TCP=" /etc/sysconfig/SuSEfirewall2 | egrep "[ \"]17472[ \"]"

Add or allow port 17472

  1. Open the /etc/sysconfig/SuSEfirewall2 file for editing, add port 17472 to the line FW_SERVICES_EXT_TCP=, and save your changes.
  2. Restart the firewall.

    sudo SuSEfirewall2 start

Remove or deny port 17472

  1. Open the /etc/sysconfig/SuSEfirewall2 file for editing, remove port 17472 from the line FW_SERVICES_EXT_TCP=, and save your changes.
  2. Restart the firewall.

    sudo SuSEfirewall2 start

Ubuntu

The following table lists the commands for managing firewall rules for Ubuntu 10.04, 14.04, 16.04, and 18.04 LTS:

Table 6: Firewall commands for Ubuntu

View port 17472 status

    sudo ufw status | grep 17472

    or

    sudo iptables -L -n | grep 17472

Allow port 17472

    sudo ufw allow 17472/tcp

Remove port 17472

    sudo ufw delete allow 17472/tcp

Deny port 17472

    sudo ufw deny 17472/tcp

Manage the Tanium Client service on Linux

Linux service commands vary according to Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, review the documentation for the particular Linux operating system before you begin.

Versions that use the systemd daemon

  • Amazon Linux (all supported versions)

  • Debian (all supported versions)

  • Oracle Linux (version 7 and later)

  • Red Hat / CentOS (version 7 and later)

  • SUSE / OpenSUSE (version 12 and later)

  • Ubuntu (version 16 and later)

  Typical commands:

    systemctl start taniumclient
    systemctl stop taniumclient
    systemctl status taniumclient

Versions that use the init daemon

  • Oracle Linux (versions 5, 6)

  • Red Hat / CentOS (versions 5, 6)

  • SUSE / OpenSUSE (versions 11.3, 11.4)

  • Ubuntu (version 14)

  Typical commands:

    service taniumclient start
    service taniumclient stop
    service taniumclient status

Move an existing installation of the Tanium Client on Linux

The Tanium Client must store data in the default installation directory. For this reason, in some environments, the size of the /opt/Tanium directory might exceed the space allowed within the /opt directory. If there is not enough space in the default directory, use a symbolic link to move the client and data to another directory.

  1. Sign in to the endpoint using an account that has administrative privileges or that is listed in the sudoers file and can therefore use sudo.
  2. Stop the Tanium Client service. For more information, see Manage the Tanium Client service on Linux.

  3. Move the Tanium Client to a new directory. For example, to move the Tanium Client from the default installation directory to the /appbin/Tanium directory, run the following command:

    mv /opt/Tanium /appbin

  4. Create a symbolic link. For example, if you want to use the directory /appbin/Tanium, run the following command:

    ln -s /appbin/Tanium /opt/Tanium

  5. Start the Tanium Client service. For more information, see Manage the Tanium Client service on Linux.

Manage custom tags in the CustomTags.txt file

You can add a file that contains custom tags to the Tanium Client installation directory so that you can use the tags to identify the endpoint in Tanium workflows. For example, you could use the tag Lab to identify endpoints used in a testing lab. You could then ask a question that uses the Custom Tags sensor and specifies the Lab tag, or you could create a computer group that selects computers based on the tag.

Add tags to the CustomTags.txt file

  1. Create a file named CustomTags.txt in the Tools subdirectory of the installation directory.

    When using the default installation directory, the path is /opt/Tanium/TaniumClient/Tools/CustomTags.txt.

  2. Open the file in a text editor and add tags as strings. Enter one string per line, and do not use spaces.
  3. Save the file. A restart of the endpoint or Tanium Client service is not required.

    The following example shows a Tanium Client installation directory that includes a custom tag named Lab:

Example: Use custom tags to create a computer group

After you add custom tags, you can use them to create a computer group as follows.

  1. From the Main menu, go to Administration > Permissions > Computer Groups and click New Group.
  2. Enter a Name to identify the group.

    In the Filter Bar, use the Custom Tags sensor to define group membership, as shown in Figure 3.

    Figure 3: Using custom tags to select a computer group
  3. Save your changes.

You can use the Tanium packages named Custom Tagging - Add Tags and Custom Tagging - Add Tags (Non-Windows) to deploy tags at scale. The results are exactly the same as the manual procedure shown here. For more information, see the Tanium Support Knowledge Base article on custom tags (account required).
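
The "Add tags to the CustomTags.txt file" procedures for macOS and Linux can be scripted as follows. This is an added example, not Tanium tooling; the function names are constructed, and refusing tabs and carriage returns in addition to spaces is an assumption that goes beyond the stated rule.

```shell
#!/bin/sh
# Added example: helper names are constructed; this is not Tanium tooling.

# Page rule: one string per line, no spaces. Tabs and carriage returns are
# refused as well (assumption: any whitespace inside a tag is a mistake).
tag_is_valid() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ]
}

# Append TAG to FILE unless an identical line is already present.
add_custom_tag() {
    file="$1"; tag="$2"
    if ! tag_is_valid "$tag"; then
        echo "rejected tag: [$tag]" >&2
        return 1
    fi
    # -F -x: literal, whole-line match, so Lab is not mistaken for Lab2.
    if [ -f "$file" ] && grep -Fxq -- "$tag" "$file"; then
        return 0
    fi
    # Keep one tag per line even if the file lacks a final newline.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$tag" >> "$file"
}

# Print each line (with its number) that contains whitespace.
# Succeeds only when the file exists and no line breaks the rule.
lint_custom_tags() {
    [ -f "$1" ] || return 1
    ! grep -n '[[:space:]]' "$1"
}

# Usage with the default Linux path from the procedure:
#   sudo sh -c '. ./tags.sh; add_custom_tag /opt/Tanium/TaniumClient/Tools/CustomTags.txt Lab'
```

On macOS, pass /Library/Tanium/TaniumClient/Tools/CustomTags.txt instead. The file name tags.sh in the usage comment is a placeholder.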

Manage the Tanium Client on Solaris

On Solaris endpoints, the Tanium Client is installed as a system service. The Tanium Client files are installed by default in the /opt/Tanium/TaniumClient directory.

Manage the Tanium Client service on Solaris

To run svcadm commands, you must sign in to the endpoint as the root user or as a user who can use the sudo utility to run commands with root permissions.

Run the listed commands to complete the following actions:

  • Start the Tanium Client service: svcadm enable taniumclient
  • Stop the Tanium Client service: svcadm disable taniumclient
  • Restart the Tanium Client service: svcadm restart taniumclient
  • Display the status of the Tanium Client service: svcs taniumclient

Move an existing installation of the Tanium Client on Solaris

The Tanium Client must store data in the default installation directory. For this reason, in some environments, the size of the /opt/Tanium directory might exceed the space allowed within the /opt directory. If there is not enough space in the default directory, use a symbolic link to move the client and data to another directory.

  1. Sign in to the endpoint using an account that has administrative privileges or that is listed in the sudoers file and can therefore use sudo.
  2. Use the following command to stop the Tanium Client service:

    svcadm disable taniumclient

  3. Move the Tanium Client to a new directory. For example, to move the Tanium Client from the default installation directory to the /appbin/Tanium directory, run the following command:

    mv /opt/Tanium /appbin

  4. Create a symbolic link, and set the PKG_NONABI_SYMLINKS environment variable to true. For example, if you want to use the directory /appbin/Tanium, run the following commands:

    ln -s /appbin/Tanium /opt/Tanium
    PKG_NONABI_SYMLINKS=true
    export PKG_NONABI_SYMLINKS

  5. Use the following command to start the Tanium Client service:

    svcadm enable taniumclient

Manage the Tanium Client on AIX

On AIX endpoints, the Tanium Client is installed as a system service. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient.

Manage the Tanium Client service on AIX

The Tanium Client on AIX uses the IBM AIX System Resource Controller (SRC) to manage the client service:

  • Start the Tanium Client service: startsrc -s taniumclient
  • Stop the Tanium Client service: stopsrc -s taniumclient
  • Verify that the Tanium Client service is available: lssrc -s taniumclient

Move an existing installation of the Tanium Client on AIX

The Tanium Client must store data in the default installation directory. For this reason, in some environments, the size of the /opt/Tanium directory might exceed the space allowed within the /opt directory. If there is not enough space in the default directory, use a symbolic link to move the client and data to another directory.

  1. Sign in to the endpoint using an account that has administrative privileges or that is listed in the sudoers file and can therefore use sudo.
  2. Use the following command to stop the Tanium Client service:

    stopsrc -s taniumclient

  3. Move the Tanium Client to a new directory. For example, to move the Tanium Client from the default installation directory to the /appbin/Tanium directory, run the following command:

    mv /opt/Tanium /appbin

  4. Create a symbolic link. For example, if you want to use the directory /appbin/Tanium, run the following command:

    ln -s /appbin/Tanium /opt/Tanium

  5. Use the following command to start the Tanium Client service:

    startsrc -s taniumclient
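
The move and symbolic link steps in the Linux, Solaris, and AIX procedures share the same two commands. The following added example (a hypothetical helper, not a Tanium tool) wraps them with checks that refuse a repeated run, an existing destination, or a world-writable target directory, and that roll back if the link cannot be created. Stopping and starting the service, and the Solaris PKG_NONABI_SYMLINKS step, stay as in the procedures.

```shell
#!/bin/sh
# Added example: relocate_with_symlink is a hypothetical helper name.
# Stop the client service before calling it and start the service afterwards.

# Usage: relocate_with_symlink /opt/Tanium /appbin
relocate_with_symlink() {
    src="${1%/}"            # directory to move, such as /opt/Tanium
    new_parent="${2%/}"     # directory that receives it, such as /appbin
    dest="$new_parent/$(basename "$src")"

    # After a successful move the source is a symbolic link, so a second
    # run stops here instead of nesting directories.
    if [ -L "$src" ] || [ ! -d "$src" ]; then
        echo "refusing: $src is not a real directory" >&2
        return 1
    fi
    if [ ! -d "$new_parent" ] || [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "refusing: $new_parent is missing or $dest already exists" >&2
        return 1
    fi
    # Files of a system service should not sit under a directory that
    # every local user can write to.
    if [ -n "$(find "$new_parent" -prune -perm -0002 -print)" ]; then
        echo "refusing: $new_parent is world-writable" >&2
        return 1
    fi

    mv "$src" "$new_parent/" || return 1
    if ! ln -s "$dest" "$src"; then
        # Roll back so the service still finds its files at the old path.
        mv "$dest" "$src"
        return 1
    fi
    # Confirm that the original path now resolves to the moved directory.
    [ "$(cd "$src" && pwd -P)" = "$(cd "$dest" && pwd -P)" ]
}
```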