Preparing the Tanium Client on OS images

You can install the Tanium Client on an operating system (OS) image that you use as a template when provisioning an OS for new endpoints or virtual desktop infrastructure (VDI) instances. The following sections describe best practices for preparing the Tanium Client on OS images.

Registration and ComputerID

When you start the OS image for the first time and the Tanium Client registers with Tanium as a Service (TaaS) or the Tanium Server, the server assigns a unique computer ID to the endpoint. The server uses this computer ID to track and monitor each endpoint even if other identifiers change, such as the computer name, IP address, MAC address, or OS GUID. The server detects and resolves duplicate IDs during registration to ensure each computer has a unique identifier, even if computers are cloned from an OS image that has a non-zero value for the computer ID.

To avoid the additional processing that is required to resolve duplicate IDs and the potential data infidelity during that processing, delete the Tanium Client ComputerID setting (non-Windows) or set it to 0 (Windows) in the OS image.

Preparing the Tanium Client on a Windows OS image

Refer to Microsoft documentation for complete details on Windows OS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploy the Tanium Client to Windows endpoints using the installer.
  2. Open the Windows Services program, stop the Tanium Client service, and verify that its Startup Type is set to Automatic.
  3. Perform the following steps in the Tanium Client Windows registry key.

    • Set the ComputerID data value to 0. Do not delete the value or set it to a blank or null character.
    • Delete the registry values RegistrationCount and LastGoodServerName.
    • Verify that the ServerName, ServerNameList, and ServerPort values are correct. If you configured additional Tanium Client settings during installation, verify those also.

  4. Perform the following steps in the Tanium Client installation directory.

    • Delete the Strings, Logs, and Backup directories.
    • Delete all files in the following directories without deleting those actual directories:

      • Downloads
      • Tools\Content Logs
      • Tools\Scans
    • (Tanium Client 7.4 or later) Delete pki.db.
    • Review the rest of the Tanium Client installation directory to ensure that no other stale Tanium Client data will be replicated. Contact Tanium Support for details.
  5. Obtain the latest tanium‑init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client.

    If you are using Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Home page, click Download Windows Package.
    3. Extract the tanium‑init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Otherwise, download the file from the Tanium Server:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, the ServerNameList specified in tanium-init.dat overwrites the ServerName or ServerNameList that are specified in the Windows registry for Tanium Client 7.4. For more information about managing client settings in Client Management, see Configure client settings. For more information about downloading installer bundles, see Download the installation bundle for alternative deployment.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  6. Save the image and shut down the computer.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
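The warning above about keeping tanium-init.dat and tanium.pub out of source repositories applies to every OS section on this page. As an added example (not Tanium's own code), the following POSIX shell functions give a repository a mechanical check: one scans a checkout for the two bootstrap file names, the other reads a list of staged paths (as `git diff --cached --name-only` prints it) and rejects the commit if either file is among them. The function names and the hook wiring are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of Tanium's documentation or tooling.
# Guards against the files the page says must stay inside the deployment
# pipeline: tanium-init.dat (client 7.4+) and tanium.pub (client 7.2).

# Scan a checkout under $1 for bootstrap files, skipping the .git directory.
# Prints each offending path; returns 1 if any were found, 0 if clean.
find_bootstrap_files() {
    root=$1
    hits=$(find "$root" -path "$root/.git" -prune -o -type f \
        \( -name tanium-init.dat -o -name tanium.pub \) -print)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Read staged paths on stdin (one per line) and print those that are
# bootstrap files. Returns 1 if any were found, 0 if the list is clean.
# The basename must match exactly; a path like deploy/tanium-init.dat counts.
check_staged_list() {
    bad=$(grep -E '(^|/)(tanium-init\.dat|tanium\.pub)$' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Hook usage (assumed wiring), placed in .git/hooks/pre-commit:
#   git diff --cached --name-only | check_staged_list && exit 0
#   echo "refusing to commit Tanium client bootstrap files" >&2; exit 1
```

The staged-list check is the one to run in a pre-commit hook, because it sees the file before it enters history; the directory scan is for auditing repositories that already exist.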

Preparing the Tanium Client on a macOS image

Refer to Apple documentation for complete details on macOS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploy the Tanium Client to macOS endpoints using the installer.
  2. Open Terminal. The launchctl command in the next step stops the Tanium Client daemon and requires sudo permissions.
  3. Run the following command to stop the daemon:

     sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  4. Confirm that com.tanium.taniumclient.plist still exists in /Library/LaunchDaemons/. This ensures that the daemon is launched when the system is rebooted.
  5. Use the CLI to configure the following basic Tanium Client settings. See CLI on non-Windows endpoints.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the TaaS or Tanium Server FQDN or IP address. In a deployment with Tanium Zone Servers, multiple Tanium Servers, or multiple TaaS instances, configure ServerNameList with the FQDN or IP address of each server or instance, separated with a comma.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Tanium Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. You can use the TaniumClient pki show <path_to_tanium-init.dat> command on an endpoint where Tanium Client 7.4.5 or later is already installed to view the ServerNameList that the tanium-init.dat file specifies. For Tanium Client 7.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following example commands are for a deployment with multiple TaaS instances or Tanium Servers:

    cd <Tanium Client>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

    For a TaaS deployment, use the TaaS zone server names instead, for example taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com.
  6. Go to the Tanium Client installation directory and delete all files and subdirectories except for the following:

    • TaniumClient
    • Sensors directory
    • Tools directory
    • client.db
    • libcrypto.1.0.0.dylib
    • libssl.1.0.0.dylib
  7. Obtain the latest tanium‑init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client.

    If you are using Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Home page, click Download macOS Package.
    3. Extract the tanium‑init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Otherwise, download the file from the Tanium Server:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, you do not need to specify ServerName or ServerNameList for Tanium Client 7.4 using the CLI; any settings from the CLI are added to the ServerNameList specified in tanium-init.dat. For more information about managing client settings in Client Management, see Configure client settings. For more information about downloading installer bundles, see Download the installation bundle for alternative deployment.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  8. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Preparing the Tanium Client on a Linux OS image

Linux service commands vary by Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, review the documentation for the particular Linux operating system before starting.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client. Be sure to use the Tanium Client installation package file for your particular Linux distribution, as listed under Tanium Client package files for Linux. To install the client, see the endpoint requirements and Deploy the Tanium Client to Linux endpoints using package files.
  2. Stop the Tanium Client daemon by entering the service command for your Linux distribution: see Manage the Tanium Client service on Linux.
  3. Use the CLI to configure the following basic Tanium Client settings. See CLI on non-Windows endpoints.

    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set the ServerName to the TaaS or Tanium Server FQDN or IP address. In a deployment with Tanium Zone Servers, multiple Tanium Servers, or multiple TaaS instances, configure ServerNameList with the FQDN or IP address of each server or instance, separated with a comma.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Tanium Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. You can use the TaniumClient pki show <path_to_tanium-init.dat> command on an endpoint where Tanium Client 7.4.5 or later is already installed to view the ServerNameList that the tanium-init.dat file specifies. For Tanium Client 7.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Use this value to disable logging; use for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: Use this value during normal operation.
    • 41: Use this value during troubleshooting.
    • 91 or higher: Use this value for full logging, for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following example commands are for a deployment with multiple TaaS instances or Tanium Servers:

    cd <Tanium Client>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

    For a TaaS deployment, use the TaaS zone server names instead, for example taas-example1-zs.cloud.tanium.com,taas-example2-zs.cloud.tanium.com.

  4. Confirm that the Tanium Client daemon still exists in the system init directory. For example: /etc/init.d/TaniumClient or /etc/systemd/system/multi-user.target.wants/taniumclient.service. This ensures that the daemon is launched when the system is rebooted.
  5. Go to the Tanium Client installation directory and delete all files and subdirectories except for the following:

    • TaniumClient
    • Sensors directory
    • Tools directory
    • client.db
    • libssl.so.1.0.0
    • libssl.so.1.0.0.sig
    • libcrypto.so.1.0.0
    • libcrypto.so.1.0.0.sig
  6. Obtain the latest tanium‑init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client.

    If you are using Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Home page, click Download Linux Package.
    3. Extract the tanium‑init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Otherwise, download the file from the Tanium Server:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, you do not need to specify ServerName or ServerNameList for Tanium Client 7.4 using the CLI; any settings from the CLI are added to the ServerNameList specified in tanium-init.dat. For more information about managing client settings in Client Management, see Configure client settings. For more information about downloading installer bundles, see Download the installation bundle for alternative deployment.

    Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.

    Though these files do not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.

  7. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
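The macOS and Linux procedures above share two steps that are easy to get wrong by hand: pruning the installation directory down to the keep list, and confirming that the copied tanium-init.dat (or tanium.pub) really is the file you downloaded. As an added example (not Tanium's own code), the following POSIX shell functions implement both for either OS. The keep list merges the macOS and Linux lists from this page; names that do not exist on a given OS simply never match. `verify_init_file` compares the installed copy against the downloaded source file by content and modification time, which stands in for the page's timestamp comparison against the Tanium Server copy when you prepare the image offline. The function names are this example's assumptions, and the TaniumClient binary itself is not invoked.

```shell
#!/bin/sh
# Added example, not part of Tanium's documentation or tooling.
# Helpers for the cleanup and file-verification steps of the macOS and Linux
# image procedures. Run with sudo inside the Tanium Client installation directory.

# Entries that survive cleanup (macOS and Linux keep lists from the page, merged).
KEEP_LIST="TaniumClient Sensors Tools client.db \
libcrypto.1.0.0.dylib libssl.1.0.0.dylib \
libssl.so.1.0.0 libssl.so.1.0.0.sig libcrypto.so.1.0.0 libcrypto.so.1.0.0.sig"

is_kept() {
    for k in $KEEP_LIST; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Delete everything in the installation directory $1 except the keep list.
# Prints the number of entries removed (files and whole subdirectories).
prune_install_dir() {
    dir=$1
    removed=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob stays literal; skip it
        name=${entry##*/}
        if is_kept "$name"; then
            continue
        fi
        rm -rf -- "$entry"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Check that the installed copy $2 is identical to the downloaded file $1 and
# carries the same modification time (use cp -p when copying it in).
# Returns 0 when both match, 1 if a file is missing, 2 on a content
# mismatch, 3 when only the timestamps differ.
verify_init_file() {
    src=$1
    dst=$2
    [ -f "$src" ] && [ -f "$dst" ] || return 1
    cmp -s "$src" "$dst" || return 2
    [ ! "$src" -nt "$dst" ] && [ ! "$dst" -nt "$src" ] || return 3
    return 0
}

# Typical sequence on the reference computer (paths are placeholders):
#   prune_install_dir /opt/Tanium/TaniumClient
#   cp -p /path/to/downloaded/tanium-init.dat /opt/Tanium/TaniumClient/
#   verify_init_file /path/to/downloaded/tanium-init.dat /opt/Tanium/TaniumClient/tanium-init.dat
```

Because `prune_install_dir` removes everything it does not recognise, including pki.db, run it only after the daemon has been stopped and before the init file is copied in, which is the order the page gives.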

Preparing the Tanium Client on a virtual desktop infrastructure (VDI) instance

Licensing for VDI instances varies by VDI model type:

  • Persistent desktop instances: Instances that are not reset more than once every 30 days. Each instance requires a single license.
  • Non-persistent desktop instances: Instances that are reset over the course of 30 days. An instance requires one license for each reset during a 30-day period.

Use the following formula to calculate the number of licenses required to support your Tanium deployment.

    Devices and VDI instances                                                                           Estimated count
    Physical devices and persistent VDI systems                                                         +
    Reimage/resets within non-persistent VDI over a 30-day period                                       +
    Physical or persistent VDI systems that are reimaged, reinstalled, or reset over a 30-day period    +
    Total required licenses                                                                             =

Create a VDI golden image by preparing a reference endpoint:

  1. Prepare the Tanium Client based on the OS of the intended endpoints, as described in the Windows, macOS, or Linux section above.

  2. Check the ComputerID, which should be a non-zero numeric value, to verify that the client has registered with TaaS, the Tanium Server, or a Tanium Zone Server. In the endpoint CLI, navigate to the Tanium Client installation directory, and run one of the following commands based on the OS:

    • Windows: TaniumClient config get ComputerID
    • macOS or Linux: sudo ./TaniumClient config get ComputerID
  3. Review the action history to ensure that the client runs any scheduled actions that affect the client configuration. For more information, see Tanium Console User Guide: Manage actions that are completed or in progress.

    To run actions immediately instead of waiting for them to run according to a schedule, use one-time actions to deploy the associated packages to the endpoint that hosts the golden image. For more information, see Tanium Console User Guide: Deploying actions.

  4. Deploy any endpoint tools that are required by the Tanium solutions that you plan to use with VDI instances. The tool deployment method varies for each solution.

    For example, if you are using Threat Response, create a profile that includes all components that you plan to use with VDI instances, and deploy that profile to the endpoint. The deployment includes any tools that the Threat Response profile requires, such as Tanium™ Index if you included an index configuration.

    For more information about how to deploy tools for a solution, go to https://docs.tanium.com/ and review the documentation for that solution.

  5. Allow any processes that endpoint tools initiate to complete on the endpoint. To determine whether these processes have completed, ask a question using a sensor that returns tool status for each solution.

    For example, if you are using a Threat Response profile with an index configuration, ask the question: Get Threat Response - Status from all machines with Computer Name contains <reference_computer_hostname>. In the results, for the component Index and the key Scan Phase, make sure that the value is Initial Index Scan Completed.

    If you are using Index tools with a solution (such as Threat Response, Reveal, Integrity Monitor, or Asset), the initial index scan might take significantly longer to complete than other processes. Make sure that the initial index scan completes before continuing.

    For more information about how to determine tool status for a solution, go to https://docs.tanium.com/ and review the documentation for that solution.

  6. Stop the Tanium Client service using the method for the endpoint OS: the Windows Services program, the launchctl command on macOS, or the service command for your Linux distribution, as described in the OS-specific sections above.

  7. Verify that the service has stopped and that it is configured to start automatically on the next reboot.
  8. Add or update the following settings through the TaniumClient.ini file (macOS option) or endpoint CLI. These settings help to avoid the concentration of resource usage that otherwise might occur as a consequence of cloning and shared hardware. The CLI syntax depends on the endpoint OS:

    • Windows: TaniumClient config set <setting>
    • macOS or Linux: sudo ./TaniumClient config set <setting>
    Client Setting                        Value   Guidelines
    ComputerID                            0       Explicitly set the value to 0 (zero) instead of deleting it or setting it to a blank or null character.
    RandomSensorDelayInSeconds            20      Delays execution of all sensors randomly with 20-second delays to prevent any concurrent execution of sensors and packages.
    MaxAgeMultiplier                      2       The maximum age for each sensor is multiplied by this value to reduce the impact on the VDI endpoint.
    MinDistributeOverTimeInSeconds        60      Distribute an action over no less than 1 minute.
    LogVerbosityLevel                     0       Disable logging in VDI instances.
    Logs.extensions.LogVerbosityLevel     0       Disable Tanium™ Client Extensions logging in VDI instances.
    SaveClientStateIntervalInSeconds      1800    Write client state to disk every 30 minutes to reduce disk writes.
  9. Save the image and then shut down the reference machine or block network access to TaaS or the Tanium Server so that the Tanium Client on the reference machine does not register with the server.

The Tanium Client service is configured to start automatically when the OS is started. If the reference machine is restarted before the reference image is captured, you might need to repeat these steps.
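Step 8 of the VDI procedure lists seven settings that have to be set to exact values, and applying them one at a time invites a typo or a duplicated key. As an added example (not Tanium's own code), the following POSIX shell functions apply the table to a TaniumClient.ini file idempotently: an existing key is replaced in place and a missing key is appended, so running the script twice leaves the file unchanged. The functions assume the file holds one `Key=Value` per line, which is this example's assumption about the format (the page only names the file); on a live endpoint the equivalent is `TaniumClient config set <setting> <value>` as shown in the page's CLI syntax.

```shell
#!/bin/sh
# Added example, not part of Tanium's documentation or tooling.
# Applies the VDI golden-image settings table to a Key=Value file.

# Set or replace one key in file $1. Creates the file if it does not exist.
ini_set() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # Exact match on the key field, so LogVerbosityLevel and
    # Logs.extensions.LogVerbosityLevel are never confused with each other.
    if awk -F= -v k="$key" '$1 == k { f = 1 } END { exit f ? 0 : 1 }' "$file"; then
        awk -F= -v k="$key" -v v="$value" '$1 == k { $0 = k "=" v } { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Print the value of key $2 from file $1 (first match; values may contain '=').
ini_get() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# The values from the page's VDI settings table.
apply_vdi_settings() {
    f=$1
    ini_set "$f" ComputerID 0
    ini_set "$f" RandomSensorDelayInSeconds 20
    ini_set "$f" MaxAgeMultiplier 2
    ini_set "$f" MinDistributeOverTimeInSeconds 60
    ini_set "$f" LogVerbosityLevel 0
    ini_set "$f" Logs.extensions.LogVerbosityLevel 0
    ini_set "$f" SaveClientStateIntervalInSeconds 1800
}

# Usage on the reference machine (path is a placeholder for the installed file):
#   apply_vdi_settings /opt/Tanium/TaniumClient/TaniumClient.ini
```

Setting ComputerID to 0 here matches the table's instruction for the VDI image: the key stays present with the value 0 rather than being removed.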