Preparing the Tanium Client on OS images

You can install the Tanium Client on an operating system (OS) image that you use as a master when provisioning an OS for new computers or virtual desktop infrastructure (VDI) instances. The following sections describe best practices for preparing the Tanium Client on OS images.

Registration and ComputerID

When you start the OS image for the first time and the Tanium Client registers with the Tanium Server, the server assigns a unique ComputerID to the endpoint. The Tanium Server uses this ComputerID to track and monitor each endpoint even if other identifiers change, such as the computer name, IP address, MAC address, or OS GUID. The server detects and resolves duplicate IDs during registration to ensure each computer has a unique identifier, even if computers are cloned from an OS image that has a non-zero value for the ComputerID. However, to avoid the additional processing required to resolve duplicate IDs and the potential data infidelity during that processing, the best practice is to delete the Tanium Client ComputerID setting (non-Windows) or set it to 0 (Windows) in the OS image.

Windows OS

Refer to Microsoft documentation for complete details on Windows OS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploying the Tanium Client to Windows endpoints.
  2. Go to Windows Services, stop the Tanium Client service, and verify that its Startup Type is set to Automatic.
  3. Perform the following steps in the Tanium Client Windows Registry.
    • Set the ComputerID data value to 0. Do not simply delete the value or set it to a blank or null character.
    • Delete the registry values RegistrationCount and LastGoodServerName.
    • Verify that the ServerName, ServerNameList, and ServerPort values are correct. If you configured additional Tanium Client settings during installation, verify those also.

  4. Perform the following steps in the Tanium Client installation folder.
    • Delete the Strings, Logs, and Backup folders.
    • Delete all files in the Downloads, Tools\Scans, and Tools\Content Logs folders without deleting those actual folders.
    • (Tanium Client 7.4 or later) Delete pki.db.
    • Review the rest of the Tanium Client installation folder to ensure that no other stale Tanium Client data will be replicated. Contact Tanium Support for details.
  5. Confirm that the date and timestamp of the tanium-init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) in the Tanium Client installation folder match the date and timestamp of that file on the Tanium Server (top-level installation folder).

    Ensure that the client has the latest version of the tanium-init.dat or tanium.pub file. To download the latest file, see Tanium Client Management User Guide: Download and deploy the installer bundle.

  6. Save the image and shut down the computer.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Linux OS

The commands for creating a Linux OS reference image vary by Linux distribution:

  • Earlier distributions implement the BSD init system (/etc/init.d). These distributions use the service command to start, stop, or restart the service.
  • More recent distributions, such as CentOS 7.x, Oracle Enterprise Linux 7.x, RHEL 7.x, and Ubuntu 16.04, implement the newer systemd init system. The Tanium Client service is added to the services in /etc/systemd/system/multi-user.target.wants. These distributions use the systemctl command to start, stop, or restart a service.

Each supported platform distribution requires a specific Tanium Client installation package file: see Tanium Client package files for Linux.

Linux service commands vary by Linux distribution: see Manage the Tanium Client service on Linux. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, please review the documentation for the particular Linux operating system before you begin.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client. Be sure to use the Tanium Client installation package file for your particular Linux distribution, as listed under Tanium Client package files for Linux. To install the client, see the endpoint requirements and Deploying the Tanium Client to Linux endpoints.
  2. Stop the Tanium Client daemon by entering the service command for your Linux distribution. The following are example commands:

    service TaniumClient stop

    systemctl stop taniumclient

  3. Use the CLI to configure the following basic Tanium Client settings. See CLI on Non-Windows endpoints.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated with a comma.

    If the tanium-init.dat file for Tanium Client 7.4.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList. By default, the tanium-init.dat that you download through Client Management specifies ServerNameList, while the tanium-init.dat that you download through the Tanium Console does not. For Tanium Client 7.2, 7.4.1, or 7.4.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The following decimal values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following example commands are for a deployment with HA Tanium Servers:

    cd <Tanium Client>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

  4. Confirm that the Tanium Client daemon still exists in the system init folder. For example: /etc/init.d/TaniumClient or /etc/systemd/system/multi-user.target.wants/taniumclient.service. This ensures that the daemon is launched when the system is rebooted.
  5. Go to the Tanium Client installation folder and delete all files and subfolders except:
    • TaniumClient
    • tanium-init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)
    • Sensors folder
    • Tools folder
    • client.db
    • libssl.so.1.0.0
    • libpython2.7.so
    • libpython2.7.so.1.0
    • libcrypto.so.1.0.0
    • python27 folder
    • python38 folder
  6. Confirm that the date and timestamp of the tanium-init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) in the Tanium Client installation folder match the date and timestamp of that file on the Tanium Server (top-level installation folder).

    Ensure that the client has the latest version of the tanium-init.dat or tanium.pub file. To download the latest file, see Tanium Client Management User Guide: Download and deploy the installer bundle.

  7. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

macOS

Refer to Apple documentation for complete details on macOS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploying the Tanium Client to macOS endpoints.
  2. Use the launchctl command to stop the Tanium Client daemon (sudo permissions are required). For example:

    sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  3. Confirm that com.tanium.taniumclient.plist still exists in /Library/LaunchDaemons/. This ensures the daemon is launched when the system is rebooted.
  4. Use the CLI to configure the following basic Tanium Client settings. See CLI on Non-Windows endpoints.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers, configure ServerNameList with the FQDN or IP address of each server, separated with a comma.

    If the tanium-init.dat file for Tanium Client 7.4.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList. By default, the tanium-init.dat that you download through Client Management specifies ServerNameList, while the tanium-init.dat that you download through the Tanium Console does not. For Tanium Client 7.2, 7.4.1, or 7.4.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The following decimal values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following example commands are for a deployment with HA Tanium Servers:

    cd <Tanium Client>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

  5. Go to the Tanium Client installation folder and delete all files and subfolders except:
    • TaniumClient
    • tanium-init.dat (Tanium Client 7.4 or later)
    • tanium.pub (Tanium Client 7.2)
    • Sensors folder
    • Tools folder
    • client.db
    • libcrypto.1.0.0.dylib
    • libpython2.7.dylib
    • libssl.1.0.0.dylib
    • python27 folder
    • python38 folder
  6. Confirm that the date and timestamp of the tanium-init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) in the Tanium Client installation folder match the date and timestamp of that file on the Tanium Server (top-level installation folder).

    Ensure that the client has the latest version of the tanium-init.dat or tanium.pub file. To download the latest file, see Tanium Client Management User Guide: Download and deploy the installer bundle.

  7. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
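The Linux and macOS procedures above, collected into one script as an added example. This is not Tanium's own tooling: it takes the service and unit names (TaniumClient for init.d, taniumclient for systemd, com.tanium.taniumclient for launchd), the keep lists and the example servers ts1.example.com and ts2.example.com from this page, and assumes the client CLI is run from the installation folder as in the commands shown. Two things go beyond the page: the tanium-init.dat comparison uses a SHA-256 digest of the file rather than its date, so a copy whose content changed but whose timestamp was preserved is still caught, and the prune step refuses to run in a folder that has no TaniumClient binary, so a mistyped path cannot empty an unrelated directory.

```shell
#!/bin/sh
# Added example, not Tanium's own tooling: the Linux/macOS reference-image
# preparation steps as shell functions. Service/unit names, keep lists and the
# example server names come from the page; everything else is an assumption.
set -eu

# Keep lists from the page (Linux and macOS). Anything else in the install
# folder is per-endpoint state that must not be cloned into new machines.
LINUX_KEEP="TaniumClient tanium-init.dat tanium.pub Sensors Tools client.db libssl.so.1.0.0 libpython2.7.so libpython2.7.so.1.0 libcrypto.so.1.0.0 python27 python38"
MACOS_KEEP="TaniumClient tanium-init.dat tanium.pub Sensors Tools client.db libcrypto.1.0.0.dylib libpython2.7.dylib libssl.1.0.0.dylib python27 python38"

# Stop the daemon with whichever service manager is present.
# Set SUDO= when already running as root.
stop_tanium_client() {
    if [ "$(uname -s)" = Darwin ]; then
        ${SUDO-sudo} launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist
    elif command -v systemctl >/dev/null 2>&1; then
        ${SUDO-sudo} systemctl stop taniumclient
    else
        ${SUDO-sudo} service TaniumClient stop
    fi
}

# Basic settings through the client CLI, run from the install folder ($1).
configure_client() {
    ( cd "$1" &&
      ${SUDO-sudo} ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com &&
      ${SUDO-sudo} ./TaniumClient config set LogVerbosityLevel 1 )
}

# Confirm an autostart entry exists so the daemon launches on the next boot.
check_autostart() {
    for unit in /etc/systemd/system/multi-user.target.wants/taniumclient.service \
                /etc/init.d/TaniumClient \
                /Library/LaunchDaemons/com.tanium.taniumclient.plist; do
        [ -e "$unit" ] && { echo "autostart entry present: $unit"; return 0; }
    done
    echo "no Tanium Client autostart entry found" >&2
    return 1
}

# Delete everything in $1 except the names in $2 (space separated), hidden
# entries included. Refuses to touch a folder without a TaniumClient binary.
prune_install_dir() {
    dir=$1
    keep=$2
    [ -x "$dir/TaniumClient" ] || { echo "not a Tanium Client folder: $dir" >&2; return 1; }
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        kept=0
        for k in $keep; do
            [ "$name" = "$k" ] && kept=1 && break
        done
        [ "$kept" -eq 1 ] || rm -rf "$path"
    done
}

# SHA-256 of a file, with the shasum fallback for macOS (no sha256sum there).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# The page compares date and timestamp of tanium-init.dat (or tanium.pub) with
# the server copy; comparing content is stricter and does not depend on the
# copy preserving mtime. $1 = client copy, $2 = server copy.
verify_init_file() {
    [ "$(file_digest "$1")" = "$(file_digest "$2")" ]
}

# Usage: sh prep-image.sh run <Tanium Client folder> <server tanium-init.dat>
if [ "${1:-}" = run ]; then
    client_dir=$2
    server_init=$3
    case "$(uname -s)" in Darwin) keep=$MACOS_KEEP ;; *) keep=$LINUX_KEEP ;; esac
    stop_tanium_client
    configure_client "$client_dir"
    check_autostart
    prune_install_dir "$client_dir" "$keep"
    verify_init_file "$client_dir/tanium-init.dat" "$server_init" ||
        { echo "tanium-init.dat differs from the server copy; download the current bundle" >&2; exit 1; }
    echo "Image preparation complete. Save the image and shut down without rebooting."
fi
```

Run it once after the client is installed, as root or with sudo rights, and do not reboot the reference computer afterwards; if it is rebooted before the image is captured, the client registers and the steps must be repeated, as the page notes.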

VDI

Licensing for VDI instances varies by VDI model type:

  • Persistent desktop instances are instances that are not reset more than once every 30 days. Each persistent instance requires a single license.
  • Non-persistent desktop instances are instances that are reset over the course of 30 days. A non-persistent instance requires one license for each reset during a 30-day period.

Use the following matrix to calculate the number of licenses required to support your Tanium deployment.

  Device Description                                                                                  Estimated Count
  Physical devices and persistent VDI systems                                                         ________ +
  Reimage/resets within non-persistent VDI over a 30-day period                                       ________ +
  Physical or persistent VDI systems that are reimaged, reinstalled, or reset over a 30-day period    ________ +
  Total required licenses                                                                             ________ =

Create a VDI golden image by preparing a reference computer as follows:

  1. Prepare the Tanium Client based on the OS of the intended endpoints: see Windows OS, Linux OS, or macOS above.
  2. Verify that the default client configuration is applied. To confirm this:
    • Check the ComputerID value in the Windows Registry, TaniumClient.ini file, or client.db (CLI). At this point, a non-zero numeric value is expected.
    • Ensure the client executed all relevant scheduled actions. If you do not want to wait for the scheduled actions to run based on their default schedules, you can target the respective packages to the device hosting the golden image through one-time actions.
  3. Run the initial Tanium™ Index scan on the reference computer to index its file system.

    Running the scan before saving the golden image obviates the need to perform the scan for each VM when it is created from the image. Let the scan completely finish before finalizing the image.

    For more information about Index scans, see Tanium Incident Response User Guide: Indexing file systems.

    Perform the following steps to run the Index scan:

    1. Access the Tanium Console.
    2. Deploy Index tools to the reference computer if it does not already have them: see Tanium Incident Response User Guide: Deploy Index tools to endpoints.
    3. Issue the question Get Computer Name from all machines with Computer Name contains <name>, where <name> is the hostname of the reference computer.
    4. Select the reference computer in the Question Results and click Deploy Action.
    5. For the Deployment Package, enter Start Indexing.
    6. Specify an Action Group that contains the reference computer.
    7. Click Show Preview to Continue, verify that the reference computer is the target, and click Deploy Action.
    8. Return to the Tanium Home page and, after giving the scan enough time to complete, issue the question Get Index Status from all machines with Computer Name contains <reference_computer_hostname>.

      When the scan completes, the Question Results display the following:

      Index Status: Initial Index Scan Completed

      Index Status: Running

    Do not delete any files in the <Tanium Client>/Tools folder. These files are required for indexing.

  4. Stop the Tanium Client service: see Manage the Tanium Client service on Windows or Manage the Tanium Client service on Linux.
  5. Verify that the service has stopped and that it is configured to start automatically on the next reboot.
  6. Go to the Windows Registry, TaniumClient.ini file, or client.db (CLI) and add or update the following settings. The goal is to diffuse the concentration of resource utilization that otherwise might occur as a consequence of cloning and shared hardware.

    Client Setting                      Registry Value Type   Value   Guidelines
    ComputerID                          REG_DWORD             0       Explicitly set the value to 0 (zero). Do not simply delete the value or set it to a blank or null character.
    RandomSensorDelayInSeconds          REG_DWORD             20      Delays execution of all sensors randomly with 20-second delays to prevent any concurrent execution of sensors and packages.
    MaxAgeMultiplier                    REG_DWORD             2       The maximum age for each sensor is multiplied by this value to reduce impact on the VDI device.
    MinDistributeOverTimeInSeconds      REG_DWORD             60      Distribute an action over no less than 1 minute.
    LogVerbosityLevel                   REG_DWORD             0       Disable logging in VDI instances.
    Logs.extensions.LogVerbosityLevel   REG_DWORD             0       Disable Tanium™ Client Extensions logging in VDI instances.
    SaveClientStateIntervalInSeconds    REG_DWORD             1800    Write client state to disk every 30 minutes to reduce disk writes.

  7. Save the image and then turn off the reference computer or block network access to the Tanium Server so that the Tanium Client on the reference computer does not register with the Tanium Server.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
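The VDI settings table and the ComputerID check from step 2 of the VDI procedure, as an added example script for a Linux or macOS reference computer (the client.db/CLI path of the table). This is not Tanium's own tooling. It uses TaniumClient config set exactly as shown earlier on this page and assumes that TaniumClient config get NAME prints the stored value on stdout, which is how the read-back works; if your client version prints a different format, adjust the one line that trims that output. The read-back after writing is the practitioner's check the table itself does not include: the image is never captured with a partially applied tuning.

```shell
#!/bin/sh
# Added example, not Tanium's own tooling: apply and verify the VDI golden-image
# settings from the table on this page through the client CLI on a Linux or
# macOS reference computer. Assumption: "TaniumClient config get NAME" prints
# the stored value; "config set" is used exactly as on this page.
set -eu

# Setting/value pairs from the VDI table, one per line.
vdi_settings() {
    cat <<'EOF'
ComputerID 0
RandomSensorDelayInSeconds 20
MaxAgeMultiplier 2
MinDistributeOverTimeInSeconds 60
LogVerbosityLevel 0
Logs.extensions.LogVerbosityLevel 0
SaveClientStateIntervalInSeconds 1800
EOF
}

# Run the client CLI from the install folder $1. Set SUDO= when already root.
run_client() {
    dir=$1
    shift
    ( cd "$dir" && ${SUDO-sudo} ./TaniumClient "$@" )
}

# Step 2 of the VDI procedure expects a non-zero numeric ComputerID before the
# tuning is applied: it shows the client registered and received its default
# configuration. Fails for 0, empty, or non-numeric values.
is_registered_computer_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0)           return 1 ;;
        *)           return 0 ;;
    esac
}

# Write every setting from the table.
apply_vdi_settings() {
    vdi_settings | while read -r name value; do
        run_client "$1" config set "$name" "$value"
    done
}

# Read each setting back; report mismatches and return 1 if there are any,
# so the image is not captured with a half-applied tuning.
verify_vdi_settings() {
    bad=0
    for pair in $(vdi_settings | tr ' ' '='); do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(run_client "$1" config get "$name" | tr -d '[:space:]')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: want $want, got '$got'" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh vdi-settings.sh run <Tanium Client folder>
if [ "${1:-}" = run ]; then
    client_dir=$2
    current=$(run_client "$client_dir" config get ComputerID | tr -d '[:space:]')
    is_registered_computer_id "$current" ||
        { echo "ComputerID is '$current'; let the client register and pull its default configuration first" >&2; exit 1; }
    apply_vdi_settings "$client_dir"
    verify_vdi_settings "$client_dir"
    echo "VDI settings applied and verified. Save the image before the client can re-register."
fi
```

Run it after the client has been stopped (step 4) and before the image is saved (step 7); the ComputerID guard stops it from being applied to a client that never registered, which is the condition step 2 asks you to confirm.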