Preparing the Tanium Client on OS images

You can install the Tanium Client on an operating system (OS) image that you use as a master when provisioning an OS for new computers or virtual desktop infrastructure (VDI) instances. When you start the OS image for the first time and the Tanium Client registers, the Tanium Server assigns a unique ComputerID to the endpoint. The Tanium Server uses this ComputerID to track and monitor each endpoint even if other identifiers change, such as the computer name, IP address, MAC address, or OS GUID. The Tanium Server detects and resolves duplicate IDs during registration to ensure each computer has a unique identifier, even if computers are cloned from an OS image that has a non-zero value for the ComputerID. However, to avoid the additional processing required to resolve duplicate IDs and the potential data infidelity during that processing, the best practice is to delete the Tanium Client ComputerID setting (non-Windows) or set it to 0 (Windows) in the OS image.

The following procedures are best practices for preparing the Tanium Client on OS images.

Windows OS

Refer to Microsoft documentation for complete details on Windows OS imaging.

Prepare the Tanium Client as follows:

  1. Install the Tanium Client: see Deploying the Tanium Client to Windows endpoints and supported Host system requirements.
  2. Go to Windows Services and stop the Tanium Client service.
  3. Confirm that the Tanium Client service is still set to start automatically when the computer reboots.
  4. Perform the following steps in the Tanium Client Windows Registry key.
    • Set the ComputerID data value to 0 (zero). Do not simply delete the value or set it to a blank or null character.
    • Delete the registry value RegistrationCount.
    • Verify the ServerName and ServerPort values are correct.

  5. Perform the following steps in the Tanium Client installation folder.
    • Delete the Strings folder.
    • Delete the log0.txt file.
    • Delete all files in the Downloads folder. (In other words, you should have an empty Downloads folder.)
    • Delete all files in the Tools\Scans folder and in the Tools\Content Logs folder.
    • Consult your TAM to review the rest of the Tools folder to ensure no other stale Tanium Client data will be replicated.
    • Confirm that the date and timestamp on the Tanium Client tanium.pub file matches the Tanium Server tanium.pub file.
  6. Save the image and shut down the computer.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Linux OS

The commands for creating a Linux OS reference image vary by Linux distribution:

  • Earlier distributions implement the BSD init system (/etc/init.d). These distributions use the service command to start, stop, or restart the service.
  • More recent distributions, such as CentOS 7.x, Oracle Enterprise Linux 7.x, RHEL 7.x, and Ubuntu 16.04, implement the newer systemd init system. The Tanium Client service is added to the services in /etc/systemd/system/multi-user.target.wants. These distributions use the systemctl command to start, stop, or restart a service.

Each supported platform distribution requires a specific Tanium Client installation package file: see Tanium Client package files for Linux.

Linux service commands vary by Linux distribution: see Manage the Tanium Client service on Linux. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, please review the documentation for the particular Linux operating system before you begin.

Prepare the Tanium Client as follows:

  1. Install the Tanium Client. Be sure to use the Tanium Client installation package file for your particular Linux distribution. See Deploying the Tanium Client to Linux endpoints and supported Host system requirements.
  2. Stop the Tanium Client daemon by entering the service command for your Linux distribution. The following are example commands:

    service TaniumClient stop

    systemctl stop taniumclient

  3. Configure basic Tanium Client settings on the reference computer (see Tanium Client settings).

    • ServerName or ServerNameList: Tanium Server FQDN or IP address.
    • LogVerbosityLevel: The following decimal values are best practices for specific use cases:
      • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
      • 1: This is the best practice value during normal operation.
      • 41: This is the best practice value during troubleshooting.
      • 91 or higher: Enable the most detailed log levels for short periods of time only.
    • Version: Tanium Client version number

    The steps to configure the settings depend on the Tanium Client version:

    • Tanium Client 6.0: Edit the /opt/Tanium/TaniumClient/TaniumClient.ini file so that it has only the preceding settings. The following is an example of the file contents:

      Version=6.0.314.1579
      ServerNameList=ts1.example.com,ts2.example.com
      LogVerbosityLevel=1

    • Tanium Client 7.2: Issue the following CLI commands to navigate to the Tanium Client installation folder (default is /opt/Tanium/TaniumClient) and configure the settings (for details, see Non-Windows). Version 7.2 does not require TaniumClient.ini or a version setting.

      cmd-prompt> cd <Tanium Client>
      cmd-prompt> sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
      cmd-prompt> sudo ./TaniumClient config set LogVerbosityLevel 1

  4. Confirm that the Tanium Client daemon still exists in the system init folder. For example: /etc/init.d/TaniumClient or /etc/systemd/system/multi-user.target.wants/taniumclient.service. This ensures the daemon is launched when the system is rebooted.
  5. Go to the Tanium Client installation folder and delete all files and subfolders except:
    • TaniumClient
    • tanium.pub
    • Sensors folder
    • Tools folder
    • TaniumClient.ini (Tanium Client 6.0 only)
    • client.db (Tanium Client 7.2 or later)
    • libssl.so.1.0.0 (Tanium Client 7.2 or later)
    • libpython2.7.so (Tanium Client 7.2 or later)
    • libpython2.7.so.1.0 (Tanium Client 7.2 or later)
    • libcrypto.so.1.0.0 (Tanium Client 7.2 or later)
    • python27 folder (Tanium Client 7.2 or later)
  6. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

macOS

Refer to Apple documentation for complete details on macOS imaging.

Prepare the Tanium Client as follows:

  1. Install the Tanium Client: see Deploying the Tanium Client to macOS endpoints and supported Host system requirements.
  2. Use the launchctl command to stop the Tanium Client daemon (sudo permissions are required). For example:

    sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  3. Confirm that com.tanium.taniumclient.plist still exists in /Library/LaunchDaemons/. This ensures the daemon is launched when the system is rebooted.
  4. On the reference computer, configure basic Tanium Client settings (for details, see Tanium Client settings).

    • ServerName or ServerNameList: Tanium Server FQDN or IP address.
    • LogVerbosityLevel: The following decimal values are best practices for specific use cases:
      • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
      • 1: This is the best practice value during normal operation.
      • 41: This is the best practice value during troubleshooting.
      • 91 or higher: Enable the most detailed log levels for short periods of time only.
    • Version: Tanium Client version number

    The steps to configure the settings depend on the Tanium Client version:

    • Tanium Client 6.0: Edit the /Library/Tanium/TaniumClient/TaniumClient.ini file so that it has only the preceding settings. The following is an example of the file contents:

      Version=6.0.314.1579
      ServerNameList=ts1.example.com,ts2.example.com
      LogVerbosityLevel=1

    • Tanium Client 7.2: Issue the following CLI commands to navigate to the Tanium Client installation folder (default is /Library/Tanium/TaniumClient) and configure the settings (for details, see Non-Windows). Version 7.2 does not require a version setting.

      cmd-prompt> cd <Tanium Client>
      cmd-prompt> sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
      cmd-prompt> sudo ./TaniumClient config set LogVerbosityLevel 1

  5. Go to the Tanium Client installation folder and delete all files and subfolders except:
    • TaniumClient
    • tanium.pub
    • Sensors folder
    • Tools folder
    • TaniumClient.ini (Tanium Client 6.0)
    • client.db (Tanium Client 7.2)
    • libcrypto.1.0.0.dylib (Tanium Client 7.2)
    • libpython2.7.dylib (Tanium Client 7.2)
    • libssl.1.0.0.dylib (Tanium Client 7.2)
    • python27 folder (Tanium Client 7.2)
  6. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
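
The last cleanup step of the Linux and macOS procedures above (delete everything in the installation folder except a fixed keep list) can be checked and applied with an allowlist instead of by hand. The following POSIX shell functions are an added example, not part of the original page or of Tanium tooling; the function names are hypothetical, the installation folder is passed as an argument, and the daemon is assumed to be stopped already.

```shell
#!/bin/sh
# Added example (not Tanium tooling). Keep lists are copied from the Linux and
# macOS procedures on this page; TaniumClient.ini applies to 6.0 only and the
# remaining version-specific entries to 7.2, so the list is the union of both.
KEEP_COMMON="TaniumClient tanium.pub Sensors Tools TaniumClient.ini client.db python27"
KEEP_LINUX="libssl.so.1.0.0 libcrypto.so.1.0.0 libpython2.7.so libpython2.7.so.1.0"
KEEP_MACOS="libssl.1.0.0.dylib libcrypto.1.0.0.dylib libpython2.7.dylib"

# keep_list PLATFORM: print the allowlist for "linux" or "macos".
keep_list() {
    case "$1" in
        linux) echo "$KEEP_COMMON $KEEP_LINUX" ;;
        macos) echo "$KEEP_COMMON $KEEP_MACOS" ;;
        *) echo "unknown platform: $1" >&2; return 2 ;;
    esac
}

# stale_entries PLATFORM DIR: print every top-level entry of DIR (dotfiles
# included) that is not on the allowlist, one name per line.
stale_entries() {
    keep=$(keep_list "$1") || return 2
    [ -d "$2" ] || { echo "not a directory: $2" >&2; return 2; }
    for path in "$2"/* "$2"/.[!.]* "$2"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # unmatched glob
        name=${path##*/}
        case "$name" in
            *[[:space:]]*) printf '%s\n' "$name"; continue ;;  # never allowlisted
        esac
        case " $keep " in
            *" $name "*) ;;                     # on the allowlist: keep
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# clean_image_dir PLATFORM DIR [--apply]: dry run by default; with --apply,
# delete the stale entries. rm removes a symlink itself, never its target.
clean_image_dir() {
    stale=$(stale_entries "$1" "$2") || return 2
    [ -n "$stale" ] || return 0
    printf '%s\n' "$stale" | while IFS= read -r name; do
        if [ "${3:-}" = "--apply" ]; then
            rm -rf -- "${2:?}/$name" && echo "deleted: $name"
        else
            echo "would delete: $name"
        fi
    done
}
```

Run `clean_image_dir linux /opt/Tanium/TaniumClient` (or `macos /Library/Tanium/TaniumClient`) first to review the dry-run listing, then repeat with `--apply` under sudo.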

VDI

Licensing for VDI instances varies by VDI model type:

  • Persistent desktop instances are instances that are not reset more than once every 30 days. Each persistent instance requires a single license.
  • Non-persistent desktop instances are instances that are reset over the course of 30 days. A non-persistent instance requires one license for each reset during a 30-day period.

Use the following matrix to calculate the number of licenses required to support your Tanium deployment.

    Device Description | Estimated Count
    Physical devices and persistent VDI systems | +
    Reimage/resets within non-persistent VDI over a 30-day period | +
    Physical or persistent VDI systems that are reimaged, reinstalled, or reset over a 30-day period | +
    Total required licenses | =

Create a VDI golden image as follows:

  1. Install the Tanium Client.
  2. Verify that the default client configuration is applied. To confirm this:
    • Check the ComputerID value in the Windows Registry, TaniumClient.ini file, or client.db (CLI). At this point, the setting should have a non-zero numeric value.
    • Ensure the client has executed all relevant scheduled actions. If you do not want to wait for the scheduled actions to run based on their default schedules, you can target the respective packages to the device hosting the golden image through one-time actions.
  3. Stop the Tanium Client service (Manage the Tanium Client service on Windows) or process (Manage the Tanium Client service on Linux).
  4. Verify that the service or process has stopped and that it is configured to start automatically on the next reboot.
  5. Go to the Windows Registry, TaniumClient.ini file, or client.db (CLI) and add or update the following settings. The goal is to diffuse the concentration of resource utilization that otherwise might occur as a consequence of cloning and shared hardware.

    Client Setting | Registry Value Type | Value Data | Guidelines
    ComputerID | REG_DWORD | 0 | Explicitly set the value to 0 (zero). Do not simply delete the value or set it to a blank or null character.
    RandomSensorDelayInSeconds | REG_DWORD | 30 | Delays execution of all sensors randomly with 30-second delays to prevent any concurrent execution of sensors and packages.
    MaxAgeMultiplier | REG_DWORD | 2 | The maximum age for each sensor is multiplied by this value to reduce impact on the VDI device.
    MinDistributeOverTimeInSeconds | REG_DWORD | 60 | Distribute an action over no less than 1 minute.
    LogVerbosityLevel | REG_DWORD | 0 | Disable logging in VDI instances.
    SaveClientStateIntervalInSeconds | REG_DWORD | 1800 | Write client state to disk every 30 minutes to reduce disk writes.

  6. Run the initial Tanium™ Index scan on the reference computer to index its file system.

    Running the scan before saving the golden image obviates the need to perform the scan for each VM when it is created from the image. Complete all other image preparations before starting the scan, and let the scan completely finish before finalizing the image.

    For more information about Index scans, see Tanium Incident Response User Guide: Indexing file systems.

    Perform the following steps to run the Index scan:

    1. Access the Tanium Console.
    2. Deploy Index tools to the reference computer if it does not already have them: see Tanium Incident Response User Guide: Deploy Index tools to endpoints.
    3. Issue the question Get Computer Name from all machines with Computer Name contains <name>, where <name> is the hostname of the reference computer.
    4. Select the reference computer in the Question Results and click Deploy Action.
    5. For the Deployment Package, enter Start Indexing.
    6. Specify an Action Group that contains the reference computer.
    7. Click Show Preview to Continue, verify that the reference computer is the target, and click Deploy Action.
    8. Return to the Tanium Console home page and, after giving the scan enough time to complete, issue the question Get Index Status from all machines with Computer Name contains <reference_computer_hostname>.

      When the scan completes, the Question Results display the following:

      Index Status: Initial Index Scan Completed

      Index Status: Running

  7. Save the image and then turn off the reference computer or block network access to the Tanium Server so that the Tanium Client on the reference computer does not register with the Tanium Server.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Last updated: 10/15/2019 2:24 PM