Preparing the Tanium Client on OS images

You can install the Taniumâ„¢ Client in an operating system (OS) image that you use as a master when you provision an OS for new computers or virtual desktop infrastructure (VDI) instances.

The recommended practice in preparing the Tanium Client on OS images is to set the Tanium Client ComputerID setting to 0 (Windows) or to delete the ComputerID setting (non-Windows) in the reference image. When the OS image is started for the first time, the Tanium Client initially attempts to register with this ID. The Tanium Server considers the registration as coming from a client that has never registered before, and it assigns the device a new unique identifier. The Tanium Server identifies and tracks each managed device based on this identifier so it can be accurately monitored despite changes in properties such as computer name, IP address, MAC address, or OS GUID.

This practice is not required. The Tanium Server is designed to detect duplicate IDs during registration, and it resolves potential conflicts before registration is completed. As a result, even if computers were being cloned from an OS reference image with the Tanium Client ComputerID set to a non-zero value, the registration process would detect duplicates and ensure a unique ID is assigned to each Tanium Client computer.

The following procedures are the recommended practice.

Windows OS

Windows links

Refer to Microsoft documentation for complete details on Windows OS imaging.

To prepare the Tanium Client:

  1. Install the Tanium Client.
  2. Go to Windows Services and stop the Tanium Client service.
  3. Confirm that the Tanium Client service is still set to start automatically when the computer reboots.
  4. Go to the Tanium Client Windows Registry key.
  5. Take the following actions:
    • Explicitly set the ComputerID data value to 0 (zero). Do not simply delete the value or set it to a blank or null character.
    • Delete the registry value RegistrationCount.
    • Verify ServerName and ServerPort are correct.
  6. Go to the Tanium Client installation folder.
  7. Take the following actions:
    • Delete the Strings folder.
    • Delete the log0.txt file.
    • Delete all files in the Downloads folder. (In other words, you should have an empty Downloads folder.)
    • Delete all files in the Tools\Scans and Tools\Content Logs folders.
    • Consult with your TAM to review the rest of the Tools folder to ensure no other stale client data will be replicated.
    • Confirm that the date and timestamp on the Tanium Client tanium.pub file matches the Tanium Server tanium.pub file.
  8. Save the image and shut down the computer.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Linux OS

Linux links

Commands for creating a Linux OS reference image vary according to Linux distribution.

Earlier distributions implement the BSD init system (/etc/init.d). These distributions use the service command to start, stop, or restart the service.

More recent distributions, such as CentOS 7.x, Oracle Enterprise Linux 7.x, RHEL 7.x, and Ubuntu 16.04 implement the newer systemd init system. The Tanium Client service is added to the services in /etc/systemd/system/multi-user.target.wants. These distributions use the systemctl command to start, stop, or restart a service.

There are specific Tanium Client installation package files for each supported platform distribution. For example, the package file for Amazon Linux 2016.09 is named TaniumClient-7.2.314.3211-1.amzn2016.09.x86_64.rpm and the package file for Debian 6.x (64-bit) is named taniumclient_7.2.314.3211-debian6_amd64.deb.

Linux service commands vary according to Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, please review the documentation for the particular Linux operating system before you begin.

To prepare the Tanium Client:

  1. Install the Tanium Client. Be sure to use the Tanium Client installation package file that was developed for the particular Linux distribution. See Deploying the Tanium Client to Linux endpoints.
  2. Stop the Tanium Client daemon.

    For example:

  3. service TaniumClient stop

    Or:

    systemctl stop taniumclient

  4. On the reference computer, complete basic Tanium Client settings:
    • For Tanium Client 6.0, go to /opt/Tanium/TaniumClient/ and edit the TaniumClient.ini file. Make changes so that it has only the following settings:
    • ServerName or ServerNameListTanium Server FQDN or IP address.
      LogVerbosityLevel
      • 0: Disable logging. Recommended for clients installed to sensitive endpoints or VDI endpoints.
      • 1: Recommended logging level during normal operation.
      • 41: Recommended logging during troubleshooting.
      • >= 91: Enable the most detailed log levels for short periods of time only.
      VersionTanium Client Version number

      The following is an example TaniumClient.ini file:

      Version=6.0.314.1579
      ServerNameList=ts1.example.com,ts2.example.com LogVerbosityLevel=1

      See Tanium Client settings for a description of common settings.


    • For Tanium Client 7.2, issue the following commands:
    • cmd-prompt>./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
      cmd-prompt>./TaniumClient config set LogVerbosityLevel 1
      

      For 7.2, you do not have to configure the version. See Non-Windows for information about using the CLI.

  5. Confirm that the Tanium Client daemon is still present in the system init directory. For example: (/etc/init.d/TaniumClient or /etc/systemd/system/multi-user.target.wants/taniumclient.service). This ensures the daemon is launched when the system is rebooted.
  6. Go to the Tanium Client installation folder.
  7. Delete all files and subfolders except:
    • TaniumClient
    • TaniumClient.ini (6.0)
    • client.db (7.2)
    • tanium.pub
    • Sensors folder
    • Tools folder

    The resulting directory should be similar to the following example.

  8. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

macOS

Mac links

Refer to Apple documentation for complete details on macOS imaging.

To prepare the Tanium Client:

  1. Install the Tanium Client.
  2. Use the launchctl command to stop the Tanium Client daemon (sudo privileges are required). For example:
  3. sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  4. Confirm that com.tanium.taniumclient.plist is still present in /Library/Launchdaemons/. This ensures the daemon is launched when the system is rebooted.
  5. On the reference computer, complete basic Tanium Client settings:
    • For Tanium Client 6.0, go to /Library/Tanium/TaniumClient/ and edit the TaniumClient.ini file. Make changes so that it has only the following settings:
    • ServerName or ServerNameListTanium Server FQDN or IP address.
      LogVerbosityLevel
      • 0: Disable logging. Recommended for clients installed to sensitive endpoints or VDI endpoints.
      • 1: Recommended logging level during normal operation.
      • 41: Recommended logging during troubleshooting.
      • >= 91: Enable the most detailed log levels for short periods of time only.
      VersionTanium Client Version number

      The following is an example TaniumClient.ini file:

      Version=6.0.314.1579
      ServerNameList=ts1.example.com,ts2.example.com LogVerbosityLevel=1

      See Tanium Client settings for a description of common settings.


    • For Tanium Client 7.2, issue the following commands:
    • cmd-prompt>sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
      cmd-prompt>sudo ./TaniumClient config set LogVerbosityLevel 1
      

      For 7.2, you do not have to configure the version. See Reference: Tanium Client CLI for information about using the CLI.

  6. Go to the Tanium Client installation folder.
  7. Delete all files and subfolders except:
    • TaniumClient
    • TaniumClient.ini (6.0)
    • client.db (7.2)
    • tanium.pub
    • Sensors folder
    • Tools folder

    The resulting directory should be similar to the following example.

  8. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

VDI

Licensing for VDI instances varies according to VDI model type:

  • Persistent desktop instances are instances that are not reset more than once every 30 days. Each persistent instance requires a single license.
  • Non-persistent desktop instances are instances that are reset over the course of 30 days. A non-persistent instance requires one license for each reset during a 30-day period.

Use the following matrix to calculate the number of licenses required to support your Tanium deployment configuration.

Device Description Estimated Count
Physical devices and persistent VDI systems +
Reimage/resets within non-persistent VDI over a 30-day period +
Physical or persistent VDI systems that are reimaged, reinstalled, or reset over a 30-day period +
Total required licenses =

To create a VDI golden image:

  1. Install the Tanium Client.
  2. Verify that the default client configuration has been applied. To confirm this:
    • Check the ComputerID value in the Windows Registry, TaniumClient.ini file, or client.db (CLI). At this point, the setting should have a non-zero numeric value.
    • Ensure the Client has executed all relevant scheduled actions. If you do not want to wait for the scheduled actions to run based on their default schedules, you can target the respective packages to the device hosting the golden image through one-time actions.
  3. Stop the Tanium Client service (Windows) or process (Linux).
  4. Verify that the service or process has stopped and that it is configured to start automatically on the next reboot.
  5. Go to the Windows Registry, TaniumClient.ini file, or client.db (CLI).
  6. Add or update the settings described in the following table. With these tunings, the goal is to diffuse the concentration of resource utilization that otherwise might occur as a consequence of cloning and shared hardware.
  7. Client Setting Registry Value Type Value Data Guidelines
    ComputerID REG_DWORD 0 Explicitly set the ComputerID value to 0 (zero). Do not simply delete the value or set it to a blank or null character.
    RandomSensorDelayInSeconds REG_DWORD 60 Delays execution of all sensors randomly with 60-second delays to prevent any concurrent execution of sensors and packages.
    MaxAgeMultiplier REG_DWORD 5 The max age for each sensor will be multiplied by this value to reduce impact on the VDI device.
    MinDistributeOverTimeInSeconds REG_DWORD 60 Distribute an action over no less than 1 minute.
    LogVerbosityLevel REG_DWORD 0 Disable logging in VDI instances.
    SaveClientStateIntervalInSeconds REG_DWORD 1800 Write client state to disk every 30 minutes to reduce disk writes.

  8. Once the image has been saved, turn off the reference computer or block network access to the Tanium Server so that the Tanium Client on the reference computer does not register with the Tanium Server.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Last updated: 7/31/2018 2:54 PM | Feedback