Preparing the Tanium Client on OS images

You can install the Tanium Client in an operating system (OS) image that you use as a master when you provision an OS for new computers or virtual desktop infrastructure (VDI) instances. When preparing the Tanium Client on OS images, the best practice is to delete the Tanium Client ComputerID setting (non-Windows) or set it to 0 (Windows) in the reference image. When the OS image is started for the first time, the Tanium Client initially attempts to register with this ID. The Tanium Server considers the registration as coming from a Tanium Client that never registered before, and it assigns the device a new unique identifier. The Tanium Server identifies and tracks each managed endpoint based on this identifier so it can be accurately monitored despite changes in properties such as computer name, IP address, MAC address, or OS GUID. This best practice is not mandatory. The Tanium Server is designed to detect duplicate IDs during registration, and it resolves potential conflicts before registration is completed. As a result, even if computers were being cloned from an OS reference image with the Tanium Client ComputerID set to a non-zero value, the registration process would detect duplicates and ensure a unique ID is assigned to each Tanium Client computer.

The following procedures are best practices.

Windows OS

Refer to Microsoft documentation for complete details on Windows OS imaging.

To prepare the Tanium Client:

  1. Install the Tanium Client: see Deploying the Tanium Client to Windows endpoints.
  2. Go to Windows Services and stop the Tanium Client service.
  3. Confirm that the Tanium Client service is still set to start automatically when the computer reboots.
  4. Perform the following steps in the Tanium Client Windows Registry key.
    • Set the ComputerID data value to 0 (zero). Do not simply delete the value or set it to a blank or null character.
    • Delete the registry value RegistrationCount.
    • Verify the ServerName and ServerPort values are correct.

  5. Perform the following steps in the Tanium Client installation folder.
    • Delete the Strings folder.
    • Delete the log0.txt file.
    • Delete all files in the Downloads folder. (In other words, you should have an empty Downloads folder.)
    • Delete all files in the Tools\Scans folder and in the Tools\Content Logs folder.
    • Consult your TAM to review the rest of the Tools folder to ensure no other stale Tanium Client data will be replicated.
    • Confirm that the date and timestamp on the Tanium Client tanium.pub file matches the Tanium Server tanium.pub file.
  6. Save the image and shut down the computer.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Linux OS

Commands for creating a Linux OS reference image vary according to Linux distribution. Earlier distributions implement the BSD init system (/etc/init.d). These distributions use the service command to start, stop, or restart the service. More recent distributions, such as CentOS 7.x, Oracle Enterprise Linux 7.x, RHEL 7.x, and Ubuntu 16.04, implement the newer systemd init system. The Tanium Client service is added to the services in /etc/systemd/system/multi-user.target.wants. These distributions use the systemctl command to start, stop, or restart a service.

Each supported platform distribution requires a specific Tanium Client installation package file. For example, the package file for Amazon Linux 2016.09 is named TaniumClient-7.2.314.3211-1.amzn2016.09.x86_64.rpm and the package file for Debian 6.x (64-bit) is named taniumclient_7.2.314.3211-debian6_amd64.deb.

Linux service commands vary according to Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, please review the documentation for the particular Linux operating system before you begin.

To prepare the Tanium Client:

  1. Install the Tanium Client. Be sure to use the Tanium Client installation package file that was developed for the particular Linux distribution. See Deploying the Tanium Client to Linux endpoints.
  2. Stop the Tanium Client daemon. For example:

     service TaniumClient stop

     Or:

     systemctl stop taniumclient

  3. On the reference computer, configure basic Tanium Client settings (for details, see Tanium Client settings).
    • ServerName or ServerNameList: Tanium Server FQDN or IP address.
    • LogVerbosityLevel: The following decimal values are best practices for specific use cases:
      • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
      • 1: This is the best practice value during normal operation.
      • 41: This is the best practice value during troubleshooting.
      • 91 or higher: Enable the most detailed log levels for short periods of time only.
    • Version: Tanium Client version number.

    The steps to configure the settings depend on the Tanium Client version:

    • Tanium Client 6.0: Edit the /opt/Tanium/TaniumClient/TaniumClient.ini file so that it has only the preceding settings. The following is an example of the file contents:

      Version=6.0.314.1579
      ServerNameList=ts1.example.com,ts2.example.com
      LogVerbosityLevel=1

    • Tanium Client 7.2: Issue the following CLI commands (for details, see Non-Windows). Version 7.2 does not require TaniumClient.ini or a version setting.

      cmd-prompt>./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
      cmd-prompt>./TaniumClient config set LogVerbosityLevel 1

  4. Confirm that the Tanium Client daemon still exists in the system init directory. For example: /etc/init.d/TaniumClient or /etc/systemd/system/multi-user.target.wants/taniumclient.service. This ensures the daemon is launched when the system is rebooted.
  5. Go to the Tanium Client installation folder and delete all files and subfolders except:
    • TaniumClient
    • tanium.pub
    • Sensors folder
    • Tools folder
    • TaniumClient.ini (Tanium Client 6.0)
    • client.db (Tanium Client 7.2)
    • libssl.so.1.0.0 (Tanium Client 7.2)
    • libpython2.7.so (Tanium Client 7.2)
    • libpython2.7.so.1.0 (Tanium Client 7.2)
    • libcrypto.so.1.0.0 (Tanium Client 7.2)
    • python27 folder (Tanium Client 7.2)
  6. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

macOS

Refer to Apple documentation for complete details on macOS imaging.

To prepare the Tanium Client:

  1. Install the Tanium Client: see Deploying the Tanium Client to macOS endpoints.
  2. Use the launchctl command to stop the Tanium Client daemon (sudo privileges are required). For example:

     sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  3. Confirm that com.tanium.taniumclient.plist still exists in /Library/LaunchDaemons/. This ensures the daemon is launched when the system is rebooted.
  4. On the reference computer, configure basic Tanium Client settings (for details, see Tanium Client settings).
    • ServerName or ServerNameList: Tanium Server FQDN or IP address.
    • LogVerbosityLevel: The following decimal values are best practices for specific use cases:
      • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
      • 1: This is the best practice value during normal operation.
      • 41: This is the best practice value during troubleshooting.
      • 91 or higher: Enable the most detailed log levels for short periods of time only.
    • Version: Tanium Client version number.

    The steps to configure the settings depend on the Tanium Client version:

    • Tanium Client 6.0: Edit the /Library/Tanium/TaniumClient/TaniumClient.ini file so that it has only the preceding settings. The following is an example of the file contents:

      Version=6.0.314.1579
      ServerNameList=ts1.example.com,ts2.example.com
      LogVerbosityLevel=1

    • Tanium Client 7.2: Issue the following CLI commands (for details, see Non-Windows). Version 7.2 does not require a version setting.

      cmd-prompt>sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
      cmd-prompt>sudo ./TaniumClient config set LogVerbosityLevel 1

  5. Go to the Tanium Client installation folder and delete all files and subfolders except:
    • TaniumClient
    • tanium.pub
    • Sensors folder
    • Tools folder
    • TaniumClient.ini (Tanium Client 6.0)
    • client.db (Tanium Client 7.2)
    • libcrypto.1.0.0.dylib (Tanium Client 7.2)
    • libpython2.7.dylib (Tanium Client 7.2)
    • libssl.1.0.0.dylib (Tanium Client 7.2)
    • python27 folder (Tanium Client 7.2)
  6. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
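The "delete all files and subfolders except" step in the Linux and macOS procedures above is where stale client state (old logs, downloaded packages, backups) most often survives into a golden image. The following script is an added example, not Tanium's own tooling: it prunes a stopped Tanium Client 7.2 install folder down to the allowlist each procedure gives (the Linux .so names or the macOS .dylib names, chosen by platform) and builds a constructed sample folder so the logic can be dry-run before it touches /opt/Tanium/TaniumClient or /Library/Tanium/TaniumClient. The --demo switch and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example (not Tanium's tooling): prune a stopped Tanium Client 7.2
# install folder to the allowlist in the Linux/macOS procedures above.
# For a 6.0 client, add TaniumClient.ini to the list and drop client.db.
set -eu

KEEP_LINUX="TaniumClient tanium.pub Sensors Tools client.db libssl.so.1.0.0 \
libpython2.7.so libpython2.7.so.1.0 libcrypto.so.1.0.0 python27"
KEEP_MACOS="TaniumClient tanium.pub Sensors Tools client.db libcrypto.1.0.0.dylib \
libpython2.7.dylib libssl.1.0.0.dylib python27"

keep_list() {          # keep_list -> allowlist for the platform this runs on
  case $(uname -s) in Darwin) echo "$KEEP_MACOS" ;; *) echo "$KEEP_LINUX" ;; esac
}

is_kept() {            # is_kept NAME LIST -> 0 if NAME is an allowlisted entry
  for k in $2; do [ "$1" = "$k" ] && return 0; done
  return 1
}

prune_client_dir() {   # prune_client_dir DIR [LIST] -> delete everything else in DIR
  dir=$1; list=${2:-$(keep_list)}
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue             # glob pattern matched nothing
    name=${entry##*/}
    if is_kept "$name" "$list"; then
      echo "keep   $name"
    else
      echo "delete $name"; rm -rf -- "$entry"
    fi
  done
}

# Constructed sample folder with the kind of stale state a used client leaves.
make_sample_install_dir() {
  d=$(mktemp -d)
  for f in TaniumClient tanium.pub client.db libssl.so.1.0.0 log0.txt log1.txt; do
    : > "$d/$f"
  done
  mkdir -p "$d/Sensors" "$d/Tools" "$d/Downloads" "$d/Backup" "$d/Logs"
  : > "$d/Downloads/stale-package.zip"
  echo "$d"
}

# Dry run on the sample; on a reference computer (daemon stopped) run e.g.
#   prune_client_dir /opt/Tanium/TaniumClient
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_install_dir); prune_client_dir "$sample"; rm -rf "$sample"
fi
```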

VDI

Licensing for VDI instances varies based on the VDI model type:

  • Persistent desktop instances are instances that are not reset more than once every 30 days. Each persistent instance requires a single license.
  • Non-persistent desktop instances are instances that are reset over the course of 30 days. A non-persistent instance requires one license for each reset during a 30-day period.

Use the following matrix to calculate the number of licenses required to support your Tanium deployment.

Device Description                                                                                 Estimated Count
Physical devices and persistent VDI systems                                                        ________ +
Reimage/resets within non-persistent VDI over a 30-day period                                      ________ +
Physical or persistent VDI systems that are reimaged, reinstalled, or reset over a 30-day period   ________ +
Total required licenses                                                                            ________ =

To create a VDI golden image:

  1. Install the Tanium Client.
  2. Verify that the default client configuration has been applied. To confirm this:
    • Check the ComputerID value in the Windows Registry, TaniumClient.ini file, or client.db (CLI). At this point, the setting should have a non-zero numeric value.
    • Ensure the client has executed all relevant scheduled actions. If you do not want to wait for the scheduled actions to run based on their default schedules, you can target the respective packages to the device hosting the golden image through one-time actions.
  3. Stop the Tanium Client service (Windows) or process (Linux).
  4. Verify that the service or process has stopped and that it is configured to start automatically on the next reboot.
  5. Go to the Windows Registry, TaniumClient.ini file, or client.db (CLI) and add or update the following settings. The goal is to diffuse the concentration of resource utilization that otherwise might occur as a consequence of cloning and shared hardware.

     Client Setting                      Registry Value Type   Value Data   Guidelines
     ComputerID                          REG_DWORD             0            Explicitly set the value to 0 (zero). Do not simply delete the value or set it to a blank or null character.
     RandomSensorDelayInSeconds          REG_DWORD             60           Delays execution of all sensors randomly with 60-second delays to prevent any concurrent execution of sensors and packages.
     MaxAgeMultiplier                    REG_DWORD             2            The maximum age for each sensor is multiplied by this value to reduce impact on the VDI device.
     MinDistributeOverTimeInSeconds      REG_DWORD             60           Distribute an action over no less than 1 minute.
     LogVerbosityLevel                   REG_DWORD             0            Disable logging in VDI instances.
     SaveClientStateIntervalInSeconds    REG_DWORD             1800         Write client state to disk every 30 minutes to reduce disk writes.

  6. After the image is saved, turn off the reference computer or block network access to the Tanium Server so that the Tanium Client on the reference computer does not register with the Tanium Server.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
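For a Linux or macOS VDI golden image, the settings in the table above go through the Tanium Client 7.2 config CLI rather than the registry. The following script is an added example, not Tanium's own tooling: it applies every row of the table with the page's `config set` command, refuses any value that is not a plain decimal (so a typo cannot reach client.db), and defaults to a dry run that only prints the commands. CLIENT_DIR and the DRY_RUN switch are assumptions; run it as root with the daemon stopped.

```shell
#!/bin/sh
# Added example (not Tanium's tooling): apply the VDI golden-image settings
# from the table above on a Linux/macOS Tanium Client 7.2 via its config CLI.
# Setting names and values are the page's; CLIENT_DIR and DRY_RUN are assumed.
set -eu

CLIENT_DIR=${CLIENT_DIR:-/opt/Tanium/TaniumClient}
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands, 0 = execute them

vdi_settings() {                 # NAME=VALUE per line, decimal values as in the table
  cat <<'EOF'
ComputerID=0
RandomSensorDelayInSeconds=60
MaxAgeMultiplier=2
MinDistributeOverTimeInSeconds=60
LogVerbosityLevel=0
SaveClientStateIntervalInSeconds=1800
EOF
}

is_decimal() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

apply_setting() {                # apply_setting NAME VALUE -> print or run one config set
  is_decimal "$2" || { echo "refusing non-decimal value for $1: '$2'" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then
    echo "$CLIENT_DIR/TaniumClient config set $1 $2"
  else
    "$CLIENT_DIR/TaniumClient" config set "$1" "$2"
  fi
}

apply_vdi_settings() {           # apply every row; stop at the first rejected value
  vdi_settings | while IFS='=' read -r name value; do
    apply_setting "$name" "$value" || exit 1
  done
}

# Dry run by default; DRY_RUN=0 sh this-script.sh applies the settings for real.
if [ "${1:-}" = "--apply" ]; then
  apply_vdi_settings
fi
```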

Last updated: 2/6/2019 8:53 AM