Preparing the Tanium Client on OS images

You can install the Tanium Client on an operating system (OS) image that you use as a master when provisioning an OS for new endpoints or virtual desktop infrastructure (VDI) instances. The following sections describe best practices for preparing the Tanium Client on OS images.

Registration and ComputerID

When you start the OS image for the first time and the Tanium Client registers with the Tanium Server (or with Tanium as a Service (TaaS)), the server assigns a unique ComputerID to the endpoint. The server uses this ComputerID to track and monitor each endpoint even if other identifiers change, such as the computer name, IP address, MAC address, or OS GUID. The server detects and resolves duplicate IDs during registration to ensure that each computer has a unique identifier, even if computers are cloned from an OS image that has a non-zero value for the ComputerID.

To avoid the additional processing that is required to resolve duplicate IDs and the potential data infidelity during that processing, the best practice is to delete the Tanium Client ComputerID setting (non-Windows) or set it to 0 (Windows) in the OS image.

Windows OS

Refer to Microsoft documentation for complete details on Windows OS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploying the Tanium Client to Windows endpoints.
  2. Open the Windows Services program, stop the Tanium Client service, and verify that its Startup Type is set to Automatic.
  3. Make the following changes in the Tanium Client Windows registry key:
    • Set the ComputerID data value to 0. Do not delete the value or set it to a blank or null character.
    • Delete the registry values RegistrationCount and LastGoodServerName.
    • Verify that the ServerName, ServerNameList, and ServerPort values are correct. If you configured additional Tanium Client settings during installation, verify those also.

  4. Make the following changes in the Tanium Client installation directory:
    • Delete the Strings, Logs, and Backup directories.
    • Delete all files in the Downloads, Tools\Scans, and Tools\Content Logs directories without deleting those actual directories.
    • (Tanium Client 7.4 or later) Delete pki.db.
    • Review the rest of the Tanium Client installation directory to ensure that no other stale Tanium Client data will be replicated. Contact Tanium Support for details.
  5. Obtain the latest tanium‑init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client.

    If you use Tanium Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Overview page, click Download Windows Package.
    3. Extract the tanium‑init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Otherwise, download the file from the Tanium Server:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, the ServerNameList specified in tanium-init.dat overwrites the ServerName or ServerNameList that are specified in the Windows registry for Tanium Client 7.4. For more information about managing client settings in Client Management, see Tanium Client Management User Guide: Configure client settings. For more information about downloading installer bundles, see Tanium Client Management User Guide: Download and deploy the installer bundle.

  6. Save the image and shut down the computer.

The Tanium Client service is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Linux OS

Linux service commands vary by Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, review the documentation for the particular Linux operating system before starting.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client. Be sure to use the Tanium Client installation package file for your particular Linux distribution, as listed under Tanium Client package files for Linux. To install the client, see the endpoint requirements and Deploying the Tanium Client to Linux endpoints.
  2. Stop the Tanium Client daemon by entering the service command for your Linux distribution: see Manage the Tanium Client service on Linux.
  3. Use the CLI to configure the following basic Tanium Client settings. See CLI on Non-Windows endpoints.
    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers (or multiple TaaS instances), configure ServerNameList with the FQDN or IP address of each server, separated with a comma.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Tanium Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. For Tanium Client 7.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following example commands are for a deployment with multiple Tanium Servers:

    cd <Tanium Client>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

  4. Confirm that the Tanium Client daemon still exists in the system init directory. For example: /etc/init.d/TaniumClient or /etc/systemd/system/multi-user.target.wants/taniumclient.service. This ensures that the daemon is launched when the system is rebooted.
  5. Go to the Tanium Client installation directory and delete all files and subdirectories except for the following:
    • TaniumClient
    • Sensors directory
    • Tools directory
    • client.db
    • libssl.so.1.0.0
    • libssl.so.1.0.0.sig
    • libcrypto.so.1.0.0
    • libcrypto.so.1.0.0.sig
  6. Obtain the latest tanium‑init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client.

    If you use Tanium Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Overview page, click Download Linux Package.
    3. Extract the tanium‑init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Otherwise, download the file from the Tanium Server:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, you do not need to specify ServerName or ServerNameList for Tanium Client 7.4 using the CLI; any settings from the CLI are added to the ServerNameList specified in tanium-init.dat. For more information about managing client settings in Client Management, see Tanium Client Management User Guide: Configure client settings. For more information about downloading installer bundles, see Tanium Client Management User Guide: Download and deploy the installer bundle.

  7. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.
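The cleanup in step 5 of the Linux procedure (keep only the listed entries, then make sure nothing stale remains before capturing the image) is easy to get wrong by hand. The following shell functions are an added example, not Tanium's own tooling: they prune a client directory to the keep list from step 5 and verify the result. The keep list is copied from the page, the directory path is a placeholder, and the client daemon is assumed to be stopped already.

```shell
#!/usr/bin/env bash
# Added example (not Tanium's script). Prunes a Linux Tanium Client directory
# to the entries the imaging procedure keeps, then verifies the result.
# Assumptions: KEEP_ENTRIES matches the page's Linux list; daemon already stopped.
set -eu

# Top-level entries the page says to keep in the Linux client directory.
KEEP_ENTRIES="TaniumClient Sensors Tools client.db libssl.so.1.0.0 libssl.so.1.0.0.sig libcrypto.so.1.0.0 libcrypto.so.1.0.0.sig"

# is_keep_entry NAME [EXTRA...]: succeeds when NAME is on the keep list or
# among the EXTRA names (used after step 6 adds tanium-init.dat / tanium.pub).
is_keep_entry() {
  local name="$1" k
  shift
  for k in $KEEP_ENTRIES ${*:-}; do
    [ "$k" = "$name" ] && return 0
  done
  return 1
}

# prune_client_dir DIR: removes every top-level entry in DIR (dotfiles too)
# that is not on the keep list and prints each removed name.
# Set DRY_RUN=1 to preview without deleting anything.
prune_client_dir() {
  local dir="$1" entry name
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue            # unmatched glob pattern
    name="${entry##*/}"
    if ! is_keep_entry "$name"; then
      echo "remove: $name"
      [ "${DRY_RUN:-0}" = "1" ] || rm -rf -- "$entry"
    fi
  done
}

# verify_client_dir DIR [EXTRA...]: succeeds only when TaniumClient and
# client.db are present and nothing outside the keep list (plus EXTRA names)
# remains, e.g. stale Logs, Downloads, pki.db or an old tanium-init.dat.
verify_client_dir() {
  local dir="$1" entry name
  shift
  [ -f "$dir/TaniumClient" ] && [ -f "$dir/client.db" ] || { echo "missing TaniumClient or client.db" >&2; return 1; }
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue
    name="${entry##*/}"
    is_keep_entry "$name" ${*:-} || { echo "stale entry: $name" >&2; return 1; }
  done
  return 0
}

# Usage (as root, after stopping the daemon; <Tanium Client> is the page's placeholder):
#   DRY_RUN=1 prune_client_dir "<Tanium Client>"     # preview what would go
#   prune_client_dir "<Tanium Client>" && verify_client_dir "<Tanium Client>"
#   verify_client_dir "<Tanium Client>" tanium-init.dat   # re-check after step 6
```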

macOS

Refer to Apple documentation for complete details on macOS imaging.

Prepare the Tanium Client on a reference computer:

  1. Install the Tanium Client: see the endpoint requirements and Deploying the Tanium Client to macOS endpoints.
  2. Open Terminal.
  3. Use the launchctl command to stop the Tanium Client daemon (sudo permissions are required):

     sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

  4. Confirm that com.tanium.taniumclient.plist still exists in /Library/LaunchDaemons/. This ensures that the daemon is launched when the system is rebooted.
  5. Use the CLI to configure the following basic Tanium Client settings. See CLI on Non-Windows endpoints.
    ServerName or ServerNameList

    In a deployment with a standalone Tanium Server, set ServerName to the server FQDN or IP address. In a deployment with Tanium Zone Servers or multiple Tanium Servers (or multiple TaaS instances), configure ServerNameList with the FQDN or IP address of each server, separated with a comma.

    If the tanium‑init.dat file for Tanium Client 7.4 specifies ServerNameList, you do not need to configure ServerName or ServerNameList; any setting that you specify here is added to the ServerNameList specified in tanium-init.dat. By default, the tanium‑init.dat that you download through the Tanium Client Management service specifies ServerNameList, while the tanium‑init.dat that you download through the Tanium Console does not. For Tanium Client 7.2, you must specify ServerName or ServerNameList.

    LogVerbosityLevel

    The level of logging on the endpoint. The following values are best practices for specific use cases:

    • 0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    • 1: This is the best practice value during normal operation.
    • 41: This is the best practice value during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.

    For details on additional settings that you can configure, see Tanium Client settings.

    The following example commands are for a deployment with multiple Tanium Servers:

    cd <Tanium Client>
    sudo ./TaniumClient config set ServerNameList ts1.example.com,ts2.example.com
    sudo ./TaniumClient config set LogVerbosityLevel 1

  6. Go to the Tanium Client installation directory and delete all files and subdirectories except for the following:
    • TaniumClient
    • Sensors directory
    • Tools directory
    • client.db
    • libcrypto.1.0.0.dylib
    • libssl.1.0.0.dylib
  7. Obtain the latest tanium‑init.dat file (version 7.4 or later) or tanium.pub file (version 7.2) and add it to the client.

    If you use Tanium Client Management:

    1. From the Main menu in the Tanium console, go to Administration > Shared Services > Client Management.
    2. From the Client Management Overview page, click Download macOS Package.
    3. Extract the tanium‑init.dat file from the downloaded bundle, and copy it into the Tanium Client installation directory.

    Otherwise, download the file from the Tanium Server:

    1. From the Main menu in the Tanium console, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
    2. Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
    3. Copy the downloaded file into the Tanium Client installation directory.

    Confirm that the date and time stamp of the file in the Tanium Client installation directory match the date and time stamp of that file on the Tanium Server (top-level installation directory).

    If you are using Client Management, you can also obtain a version of tanium-init.dat that includes ServerNameList from the installer bundle for the client settings that are associated with the image you are preparing. When you use this version, you do not need to specify ServerName or ServerNameList for Tanium Client 7.4 using the CLI; any settings from the CLI are added to the ServerNameList specified in tanium-init.dat. For more information about managing client settings in Client Management, see Tanium Client Management User Guide: Configure client settings. For more information about downloading installer bundles, see Tanium Client Management User Guide: Download and deploy the installer bundle.

  8. Save the image and shut down the computer.

The Tanium Client daemon is configured to start automatically when the OS is started. If the reference computer is restarted before the reference image is captured, you might need to repeat these steps.

Virtual desktop infrastructure (VDI)

Licensing for VDI instances varies by VDI model type:

  • Persistent desktop instances: Instances that are not reset more than once every 30 days. Each instance requires a single license.
  • Non-persistent desktop instances: Instances that are reset over the course of 30 days. An instance requires one license for each reset during a 30-day period.

Use the following matrix to calculate the number of licenses required to support your Tanium deployment.

  Device description                                                                            | Estimated count
  ----------------------------------------------------------------------------------------------|----------------
  Physical devices and persistent VDI systems                                                   | +
  Reimage/resets within non-persistent VDI over a 30-day period                                 | +
  Physical or persistent VDI systems that are reimaged, reinstalled, or reset over a 30-day period | +
  Total required licenses                                                                       | =

Create a VDI golden image by preparing a reference machine:

  1. Prepare the Tanium Client based on the OS of the intended endpoints, as described in the Windows OS, Linux OS, or macOS section above.
  2. Verify that the default client configuration is applied:
    1. Check the ComputerID value. Open the endpoint CLI, navigate to the Tanium Client installation directory, and run one of the following commands based on the OS:
      • Windows: TaniumClient config get ComputerID
      • macOS or Linux: sudo ./TaniumClient config get ComputerID

      At this point, a non-zero numeric value is expected. A later step in this procedure explains how to change the ComputerID value.

    2. Ensure that the client has executed all relevant scheduled actions. To run the actions immediately instead of waiting on their schedules, use one-time actions to deploy the associated packages to the machine that hosts the golden image. For the steps, see Tanium Console User Guide: Deploying actions.
  3. Run the initial Tanium™ Index scan on the reference machine to index its file system.

    Running the scan before saving the golden image avoids the need to perform the scan for each VM when it is created from the image. Let the scan completely finish before finalizing the image.

    For more information about Index scans, see Tanium Incident Response User Guide: Indexing file systems.

    Perform the following steps to run the Index scan:

    1. Access the Tanium Console.
    2. Deploy Index tools to the reference computer if it does not already have them: see Tanium Incident Response User Guide: Deploy Index tools to endpoints.
    3. Issue the question Get Computer Name from all machines with Computer Name contains <name>, where <name> is the hostname of the reference computer.
    4. Select the reference machine in the Question Results and click Deploy Action.
    5. For the Deployment Package, enter Start Indexing.
    6. Specify an Action Group that contains the reference computer.
    7. Click Show Preview to Continue, verify that the reference machine is the target, and click Deploy Action.
    8. Return to the Tanium Home page and, after giving the scan enough time to complete, issue the question Get Index Status from all machines with Computer Name contains <reference_computer_hostname>.

      When the scan completes, the Question Results display the following:

      Index Status: Initial Index Scan Completed

      Index Status: Running

    Do not delete any files in the <Tanium Client>/Tools directory. These files are required for indexing.

  4. Stop the Tanium Client service, using the method for the endpoint OS (the Windows Services program, the Linux service command, or launchctl on macOS).
  5. Verify that the service has stopped and that it is configured to start automatically on the next reboot.
  6. Add or update the following settings through the TaniumClient.ini file (macOS option) or endpoint CLI. These settings help to avoid the concentration of resource usage that otherwise might occur as a consequence of cloning and shared hardware. The CLI syntax depends on the endpoint OS:
    • Windows: TaniumClient config set <setting>
    • macOS or Linux: sudo ./TaniumClient config set <setting>

    Client setting                  | Value | Guidelines
    --------------------------------|-------|-----------
    ComputerID                      | 0     | Explicitly set the value to 0 (zero) instead of deleting it or setting it to a blank or null character.
    RandomSensorDelayInSeconds      | 20    | Delays execution of all sensors randomly with 20-second delays to prevent any concurrent execution of sensors and packages.
    MaxAgeMultiplier                | 2     | The maximum age for each sensor is multiplied by this value to reduce the impact on the VDI endpoint.
    MinDistributeOverTimeInSeconds  | 60    | Distribute an action over no less than 1 minute.
    LogVerbosityLevel               | 0     | Disable logging in VDI instances.
    Logs.extensions.LogVerbosityLevel | 0   | Disable Tanium™ Client Extensions logging in VDI instances.
    SaveClientStateIntervalInSeconds | 1800 | Write client state to disk every 30 minutes to reduce disk writes.

  7. Save the image and then shut down the reference machine or block network access to the Tanium Server (or TaaS) so that the Tanium Client on the reference machine does not register with the server.

The Tanium Client service is configured to start automatically when the OS is started. If the reference machine is restarted before the reference image is captured, you might need to repeat these steps.