Preparing the Tanium Client on OS images

You can install the Tanium Client on an operating system (OS) image that you use as a template when provisioning an OS for new endpoints or virtual desktop infrastructure (VDI) instances. The following sections describe best practices for preparing the Tanium Client on OS images.

Registration and ComputerID

When you start the OS image for the first time and the Tanium Client registers with Tanium as a Service (TaaS) or the Tanium Server, the server assigns a unique computer ID to the endpoint. The server uses this computer ID to track and monitor each endpoint even if other identifiers change, such as the computer name, IP address, MAC address, or OS GUID. The server detects and resolves duplicate IDs during registration to ensure that each computer has a unique identifier, even if computers are cloned from an OS image that has a non-zero value for the computer ID.

To avoid the additional processing that is required to resolve duplicate IDs, and the potential data inconsistency while that processing takes place, delete the Tanium Client ComputerID setting in the OS image.

Preparing the Tanium Client on a Windows OS image

Refer to Microsoft documentation for complete details on Windows OS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploy the Tanium Client to Windows endpoints using the installer. Make sure that you configure the appropriate server settings during installation (see Configuring connections to the Tanium Core Platform), and leave the LogVerbosityLevel setting at the default of 1.
  2. Open the Windows Services program, stop the Tanium Client service, and verify that its Startup Type is set to Automatic.
  3. Use the CLI to delete the Tanium Client ComputerID, RegistrationCount, and LastGoodServerName settings:

    TaniumClient config remove ComputerID
    TaniumClient config remove RegistrationCount
    TaniumClient config remove LastGoodServerName

  4. Use the CLI to configure any necessary client settings that you did not configure during the initial installation: see CLI on Windows endpoints and Tanium Client settings.

  5. Perform the following steps in the Tanium Client installation directory.

    • Delete the Strings, Logs, and Backup directories.
    • Delete all files in the following directories without deleting the directories themselves:

      • Downloads
      • Tools\Content Logs
      • Tools\Scans
    • (Tanium Client 7.4 or later) Delete pki.db.
    • Review the rest of the Tanium Client installation directory to ensure that no other stale Tanium Client data will be replicated. Contact Tanium Support for details.
  6. Obtain the latest tanium-init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client, using one of the following methods.

    Using Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Home page, click Download Windows Package.
    3. Extract the tanium-init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Using Infrastructure Configuration Files:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, the ServerNameList specified in tanium-init.dat overwrites the ServerName or ServerNameList that are specified in the Windows registry for Tanium Client 7.4. For more information about managing client settings in Client Management, see Configure client settings. For more information about downloading installer bundles, see Download the installation bundle for alternative deployment.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  7. Save the image and shut down the computer.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Preparing the Tanium Client on a macOS image

Refer to Apple documentation for complete details on macOS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploy the Tanium Client to macOS endpoints using the installer. Make sure that you configure the appropriate server settings during installation (see Configuring connections to the Tanium Core Platform), and leave the LogVerbosityLevel setting at the default of 1.
  2. Open Terminal and use the launchctl command to stop the Tanium Client daemon (sudo permissions are required):

    sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  3. Confirm that com.tanium.taniumclient.plist still exists in /Library/LaunchDaemons/. This ensures that the daemon is launched when the system is rebooted.
  4. Use the CLI to delete the Tanium Client ComputerID setting:

    sudo ./TaniumClient config remove ComputerID

  5. Use the CLI to configure any necessary client settings that you did not configure during the initial installation: see CLI on non-Windows endpoints and Tanium Client settings.

  6. Go to the Tanium Client installation directory and delete all files and subdirectories except for the following:

    • TaniumClient
    • Sensors directory
    • Tools directory
    • client.db
    • libcrypto.1.0.0.dylib
    • libssl.1.0.0.dylib
  7. Obtain the latest tanium-init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client, using one of the following methods.

    Using Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Home page, click Download macOS Package.
    3. Extract the tanium-init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Using Infrastructure Configuration Files:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, you do not need to specify ServerName or ServerNameList for Tanium Client 7.4 using the CLI; any settings from the CLI are added to the ServerNameList specified in tanium-init.dat. For more information about managing client settings in Client Management, see Configure client settings. For more information about downloading installer bundles, see Download the installation bundle for alternative deployment.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  8. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Preparing the Tanium Client on a Linux OS image

Linux service commands vary by Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, review the documentation for the particular Linux operating system before starting.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client. Be sure to use the Tanium Client installation package file for your particular Linux distribution, as listed under Tanium Client package files for Linux. To install the client, see the endpoint requirements and Deploy the Tanium Client to Linux endpoints using package files. Make sure that you configure the appropriate server settings during installation (see Configuring connections to the Tanium Core Platform), and leave the LogVerbosityLevel setting at the default of 1.
  2. Stop the Tanium Client daemon by entering the service command for your Linux distribution: see Manage the Tanium Client service on Linux.
  3. Use the CLI to delete the Tanium Client ComputerID setting:

    sudo ./TaniumClient config remove ComputerID

  4. Confirm that the Tanium Client daemon still exists in the system init directory. For example: /etc/init.d/TaniumClient or /etc/systemd/system/multi-user.target.wants/taniumclient.service. This ensures that the daemon is launched when the system is rebooted.
  5. Use the CLI to configure any necessary client settings that you did not configure during the initial installation: see CLI on non-Windows endpoints and Tanium Client settings.

  6. Go to the Tanium Client installation directory and delete all files and subdirectories except for the following:

    • TaniumClient
    • Sensors directory
    • Tools directory
    • client.db
    • libssl.so.1.0.0
    • libssl.so.1.0.0.sig
    • libcrypto.so.1.0.0
    • libcrypto.so.1.0.0.sig
  7. Obtain the latest tanium-init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client, using one of the following methods.

    Using Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Home page, click Download Linux Package.
    3. Extract the tanium-init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Using Infrastructure Configuration Files:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, you do not need to specify ServerName or ServerNameList for Tanium Client 7.4 using the CLI; any settings from the CLI are added to the ServerNameList specified in tanium-init.dat. For more information about managing client settings in Client Management, see Configure client settings. For more information about downloading installer bundles, see Download the installation bundle for alternative deployment.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  8. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
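Step 6 of the macOS and Linux procedures above (delete everything in the installation directory except a short allowlist) is easy to get wrong by hand. The following POSIX shell script is an added example, not part of the Tanium documentation or product: it prunes a directory down to the page's allowlist for the chosen OS, with a dry-run mode so you can review what would be removed before anything is deleted. The function names and the /path/to/TaniumClient placeholder are this example's own.

```shell
#!/bin/sh
# Added example (not Tanium's code): allowlist-based cleanup of the Tanium Client
# installation directory for OS image preparation. The allowlists are the
# "keep" lists from step 6 of the macOS and Linux procedures.
KEEP_LINUX="TaniumClient Sensors Tools client.db libssl.so.1.0.0 libssl.so.1.0.0.sig libcrypto.so.1.0.0 libcrypto.so.1.0.0.sig"
KEEP_MACOS="TaniumClient Sensors Tools client.db libcrypto.1.0.0.dylib libssl.1.0.0.dylib"

# is_kept NAME LIST: succeed if NAME appears in the space-separated LIST.
is_kept() {
    for k in $2; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# prune_client_dir DIR OS [dry]
#   DIR  Tanium Client installation directory (e.g. /path/to/TaniumClient)
#   OS   linux or macos; selects the allowlist
#   dry  if given, only report; nothing is deleted
# Prints the name of every entry that is (or would be) removed, one per line.
prune_client_dir() {
    dir=$1 os=$2 mode=${3:-apply}
    case $os in
        linux) keep=$KEEP_LINUX ;;
        macos) keep=$KEEP_MACOS ;;
        *) echo "unknown OS: $os" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Include dotfiles; skip glob patterns that matched nothing.
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        is_kept "$name" "$keep" && continue
        printf '%s\n' "$name"
        [ "$mode" = dry ] || rm -rf -- "$path"
    done
}

# count_unexpected DIR OS: number of entries that are not on the allowlist
# (0 means the directory is already clean for that OS).
count_unexpected() {
    prune_client_dir "$1" "$2" dry | wc -l | tr -d ' '
}

# Dry run first, then apply:  prune_client_dir /path/to/TaniumClient linux dry
```

Run the dry mode and compare its output against the page's list before applying; stale state such as pki.db or the Logs directory should appear, while TaniumClient and client.db never should.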

Preparing the Tanium Client on a virtual desktop infrastructure (VDI) instance

Licensing for VDI instances varies by VDI model type:

  • Persistent desktop instances: Instances that are not reset more than once every 30 days. Each instance requires a single license.
  • Non-persistent desktop instances: Instances that are reset over the course of 30 days. An instance requires one license for each reset during a 30-day period.

Use the following formula to calculate the number of licenses required to support your Tanium deployment. Enter an estimated count for each line:

      Physical devices and persistent VDI systems
    + Reimages/resets within non-persistent VDI over a 30-day period
    + Physical or persistent VDI systems that are reimaged, reinstalled, or reset over a 30-day period
    = Total required licenses

Create a VDI golden image by preparing a reference endpoint:

  1. Prepare the Tanium Client based on the OS of the intended endpoints, as described in the preceding Windows, macOS, and Linux sections.

  2. Check the ComputerID, which should be a non-zero numeric value, to verify that the client has registered with TaaS, the Tanium Server, or a Tanium Zone Server. In the endpoint CLI, navigate to the Tanium Client installation directory, and run one of the following commands based on the OS:

    • Windows: TaniumClient config get ComputerID
    • macOS or Linux: sudo ./TaniumClient config get ComputerID
  3. Review the action history to ensure that the client runs any scheduled actions that affect the client configuration. For more information, see Tanium Console User Guide: Manage actions that are completed or in progress.

    To run actions immediately instead of waiting for them to run according to a schedule, use one-time actions to deploy the associated packages to the endpoint that hosts the golden image. For more information, see Tanium Console User Guide: Deploying actions.

  4. Deploy any endpoint tools that are required by the Tanium solutions that you plan to use with VDI instances. The tool deployment method varies for each solution.

    For example, if you are using Threat Response, create a profile that includes all components that you plan to use with VDI instances, and deploy that profile to the endpoint. The deployment includes any tools that the Threat Response profile requires, such as Tanium™ Index if you included an index configuration.

    For more information about how to deploy tools for a solution, go to https://docs.tanium.com/ and review the documentation for that solution.

  5. Allow any processes that endpoint tools initiate to complete on the endpoint. To determine whether these processes have completed, ask a question using a sensor that returns tool status for each solution.

    For example, if you are using a Threat Response profile with an index configuration, ask the question: Get Threat Response - Status from all machines with Computer Name contains <reference_computer_hostname>. In the results, for the component Index and the key Scan Phase, make sure that the value is Initial Index Scan Completed.

    If you are using Index tools with a solution (such as Threat Response, Reveal, Integrity Monitor, or Asset), the initial index scan might take significantly longer to complete than other processes. Make sure that the initial index scan completes before continuing.

    For more information about how to determine tool status for a solution, go to https://docs.tanium.com/ and review the documentation for that solution.

  6. Stop the Tanium Client service, using the method for the endpoint OS described in the preceding sections (the Windows Services program, launchctl on macOS, or the service command for your Linux distribution).

  7. Verify that the service has stopped and that it is configured to start automatically on the next reboot.
  8. Use the CLI to delete the Tanium Client ComputerID setting:

    • Windows: TaniumClient config remove ComputerID
    • macOS or Linux: sudo ./TaniumClient config remove ComputerID
  9. Add or update the following settings through the CLI. These settings help to avoid the concentration of resource usage that otherwise might occur as a consequence of cloning and shared hardware. The CLI syntax depends on the endpoint OS:

    • Windows: TaniumClient config set <setting>
    • macOS or Linux: sudo ./TaniumClient config set <setting>
    Client Setting                       Value   Guidelines
    RandomSensorDelayInSeconds           20      Randomly delays the execution of all sensors (20-second delay window) to prevent concurrent execution of sensors and packages.
    MaxAgeMultiplier                     2       The maximum age for each sensor is multiplied by this value to reduce the impact on the VDI endpoint.
    MinDistributeOverTimeInSeconds       60      Distribute an action over no less than 1 minute.
    LogVerbosityLevel                    0       Disable logging in VDI instances.
    Logs.extensions.LogVerbosityLevel    0       Disable Tanium™ Client Extensions logging in VDI instances.
    SaveClientStateIntervalInSeconds     1800    Write client state to disk every 30 minutes to reduce disk writes.
  10. Save the image and then shut down the reference machine, or block network access to TaaS or the Tanium Server, so that the Tanium Client on the reference machine does not register with the server.

The Tanium Client service is configured to start automatically when the OS is started. If the reference machine is restarted before the reference image is captured, you might need to repeat these steps.
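The VDI procedure checks ComputerID in step 2 and applies six settings in step 9. The following POSIX shell script is an added example (not Tanium's code) that automates both on macOS or Linux: it treats the client as registered only when ComputerID is a non-zero number, and after each setting is written it reads the value back to confirm that it took. It assumes the CLI accepts `config set <setting> <value>` and that `config get <setting>` prints the value; the default command path is a placeholder that you override through TANIUM_CLIENT_CMD, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Tanium's code): helpers for VDI golden-image preparation.
# TANIUM_CLIENT_CMD is how the client CLI is invoked; the default is a
# placeholder, so set it to the real invocation (e.g. "sudo ./TaniumClient"
# from the installation directory). Assumptions: "config set <setting> <value>"
# stores a value and "config get <setting>" prints it.
TANIUM_CLIENT_CMD=${TANIUM_CLIENT_CMD:-"sudo /path/to/TaniumClient"}

# Settings from step 9 of the VDI procedure, as setting=value pairs.
VDI_SETTINGS="RandomSensorDelayInSeconds=20 MaxAgeMultiplier=2
MinDistributeOverTimeInSeconds=60 LogVerbosityLevel=0
Logs.extensions.LogVerbosityLevel=0 SaveClientStateIntervalInSeconds=1800"

# client_get SETTING: print the stored value with surrounding whitespace removed.
client_get() {
    $TANIUM_CLIENT_CMD config get "$1" 2>/dev/null | tr -d '[:space:]'
}

# computerid_registered: succeed only if ComputerID is a non-zero number
# (step 2: the client has registered; step 8 removes the ID again before imaging).
computerid_registered() {
    id=$(client_get ComputerID | tr -dc '0-9')
    [ -n "$id" ] && [ "$id" -ne 0 ]
}

# apply_vdi_settings: set every VDI setting and read each one back.
# Returns the number of settings that failed to set or read back differently.
apply_vdi_settings() {
    failed=0
    for kv in $VDI_SETTINGS; do
        key=${kv%%=*} want=${kv#*=}
        if ! $TANIUM_CLIENT_CMD config set "$key" "$want"; then
            echo "config set failed: $key" >&2
            failed=$((failed + 1))
            continue
        fi
        got=$(client_get "$key")
        if [ "$got" != "$want" ]; then
            echo "readback mismatch: $key wanted $want, got '$got'" >&2
            failed=$((failed + 1))
        fi
    done
    return $failed
}
```

A non-zero return from apply_vdi_settings means the image is not ready; the mismatched setting names are on stderr.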