Installing Tanium Containers
Perform the following steps to import the Containers solution on the Tanium™ Server, and to obtain, install, and configure the Tanium Client Container on endpoints that run container images.
If you use Tanium as a Service (TaaS), the Containers solution is already present: TaaS installs and upgrades it automatically. In that case you only need to install and configure the Tanium Client Container on endpoints with containers.
Contact Tanium Support to obtain a download link for the Tanium Client Container ZIP file.
After the download, and before you extract anything, verify that the SHA256 checksum of the ZIP file matches the SHA256 checksum listed on the Tanium download link.
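The checksum step is the only point at which a tampered or corrupted download can be caught, so it is worth doing with a tool that streams the file and compares the digest in constant time. The following script is an added example and is not part of Tanium's documentation or tooling; the file name and digest it works with are constructed placeholders, and in use you substitute the ZIP path and the digest shown on the download link.

```python
"""Verify the SHA256 checksum of a downloaded archive before unpacking it.

Added example, not Tanium code. The payload and digest used in demo() are
constructed stand-ins for the real ZIP file and the digest on the download link.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so a large archive never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, expected_sha256: str) -> bool:
    """Return True only if the file's digest equals the published one.

    The expected value is normalised to lowercase (download pages differ in
    case) and must be a full 64-hex-character digest, so a truncated copy-paste
    is rejected instead of silently matching nothing. hmac.compare_digest keeps
    the comparison constant-time.
    """
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected SHA256 must be exactly 64 hex characters")
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> tuple[bool, bool]:
    """Constructed demonstration: the intact archive passes, a tampered copy fails."""
    payload = b"constructed stand-in for tanium-client-container.zip\n"
    published_digest = hashlib.sha256(payload).hexdigest()  # what the download link would list
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "tanium-client-container.zip")
        bad = os.path.join(tmp, "tanium-client-container-tampered.zip")
        with open(good, "wb") as fh:
            fh.write(payload)
        with open(bad, "wb") as fh:
            fh.write(payload + b"x")  # one appended byte is enough to change the digest
        return verify_download(good, published_digest), verify_download(bad, published_digest)


if __name__ == "__main__":
    intact_ok, tampered_ok = demo()
    print("intact archive verified:", intact_ok)
    print("tampered archive verified:", tampered_ok)
```

Run it against the real file as `verify_download("tanium-client-container.zip", "<digest from the download link>")`; only proceed to extraction when it returns True.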
Perform the following steps to install the Containers solution on an on-premises Tanium Server.
If you have multiple Tanium Servers in an active-active configuration and run Tanium Core Platform 22.214.171.1244 or later, perform these steps on only one Tanium Server; otherwise, perform them on each Tanium Server.
- Sign in to the Tanium Console with an administrator account.
- From the Main menu, go to Administration > Configuration > Solutions.
- In the Content section, select the checkbox for Containers and click Install.
- Review the content to import and click Begin Install.
- If prompted, click Yes to confirm the action.
Use the following steps to set up and configure the Tanium Client Container on the nodes of your container environment. The steps are the same for nodes that already run the Tanium Client and for nodes that do not. The Tanium Client Container detects an existing Tanium Client on the host and selects the appropriate operating mode automatically. For more information, see Operating modes.
The commands provided in this section are examples. Make sure to adjust your own commands to match your environment.
The following examples use an Amazon Elastic Kubernetes Service (EKS) environment in region us-west-1 with the account 12345678 and the AWS username awsadmin. The concepts apply to any Kubernetes environment. Additionally, the examples use tanium/tcc as the name of the Tanium Client Container image and tcc for the name of the Kubernetes app. Adjust your own commands accordingly.
Move or copy the ZIP file into your preferred directory or folder, and then extract the contents of the file. Load the extracted image tarball into the local image store of the node or workstation you will push from. With Docker:
docker image load --input tanium-client-container-2.0.1-126.96.36.1994.tar
With containerd's ctr tool:
ctr image import "Tanium-client-container-2.0.1-188.8.131.524.tar"
Use the following steps to register the Tanium Client Container image with your private container registry.
- Authenticate your local Docker command with the EKS registry. For example:
$ aws ecr get-login-password --region us-west-1 | docker login --username awsadmin --password-stdin 12345678.dkr.ecr.us-west-1.amazonaws.com
- Tag the Tanium Client Container image in the registry. For example:
$ docker tag tanium/tcc:latest 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest
- Push the image to the registry. For example:
$ docker push 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest
Some registries, Amazon ECR included, require you to create the repository before the first push and reject pushes to a repository that does not exist yet.
Perform the following steps to configure your Kubernetes environment.
The Tanium Client Container requires two environment variables: CONTAINER_RUNTIME and CONTAINER_RUNTIME_ENDPOINT.
- The CONTAINER_RUNTIME variable must be docker, containerd, or crio, and must match the runtime your Kubernetes nodes actually use.
- The CONTAINER_RUNTIME_ENDPOINT variable must point to the CRI-compatible socket exposed by that runtime on the node, as a unix:// URI. Typical defaults are unix:///var/run/dockershim.sock for Docker through dockershim, unix:///run/containerd/containerd.sock for containerd, and unix:///var/run/crio/crio.sock for CRI-O; confirm the path on a node before you rely on it, since distributions and newer Kubernetes releases (which no longer ship dockershim) differ.
Create a configmap.yaml file such as the following example to declare the metadata and environment variables for the Tanium Client Container. You can also use the configuration file to apply ENV variables to the Tanium Client as well as the log level.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcc-config
  namespace: default
  labels:
    app: tcc
data:
  CONTAINER_RUNTIME: "docker"
  CONTAINER_RUNTIME_ENDPOINT: "unix:///var/run/dockershim.sock"
The Tanium Client Container requires the tanium-init.dat initialization file from the Tanium Server. The tanium-init.dat file allows Tanium Clients to register with the Tanium Server and use the Tanium Zone Server settings.
After you download the tanium-init.dat initialization file, use the following command to verify the Tanium Servers in the server name list in the file:
# TaniumClient pki show ./tanium-init.dat --verbose
To securely allow the Tanium Client Container access to the contents of the tanium-init.dat file, generate a Kubernetes secret. For example:
$ kubectl create secret generic tanium-init --from-file tanium-init.dat --output=yaml --dry-run=client > secret-tanium-init.yaml
Be careful not to allow the tanium-init.dat file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients and the Tanium Client Container.
Though the tanium-init.dat file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use the file to connect an unapproved client and use this unauthorized access to learn how your organization uses Tanium.
In Tanium Core Platform 7.4.1 or later, you can also retrieve the tanium-init.dat file from the Tanium Server through the REST API.
A Kubernetes DaemonSet ensures that one copy of a pod runs on every node in the cluster (or every node that matches its selector), including nodes that join later. DaemonSets are commonly used for metrics, logging, and security tooling.
The DaemonSet configuration declares how the Tanium Client Container runs and combines data from the ConfigMap and the Secret.
The Tanium Client Container must run in privileged mode, and the configuration below also shares the host PID and network namespaces and mounts the host root filesystem. A compromise of this container is therefore a compromise of the node: restrict who can create, modify, or exec into the DaemonSet (for example through RBAC on its namespace), and do not widen its privileges beyond what is shown.
Create a daemonset.yaml file that declares essential configurations and volume mounts to allow the Tanium Client Container to function properly. For example:
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tcc
  namespace: default
  labels:
    app: tcc
spec:
  selector:
    matchLabels:
      app: tcc
  template:
    metadata:
      labels:
        app: tcc
    spec:
      hostIPC: false
      hostPID: true
      hostNetwork: true
      restartPolicy: Always
      containers:
        - name: tcc
          image: 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest
          imagePullPolicy: Always
          volumeMounts:
            - name: tanium-init-volume
              mountPath: /opt/Tanium/init
              readOnly: true
            - name: host-var-run
              mountPath: /host/var/run
            - name: host-run
              mountPath: /host/run
            - name: host-root
              mountPath: /host/root
              readOnly: true
          env:
            - name: CONTAINER_RUNTIME
              valueFrom:
                configMapKeyRef:
                  name: tcc-config
                  key: CONTAINER_RUNTIME
            - name: CONTAINER_RUNTIME_ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: tcc-config
                  key: CONTAINER_RUNTIME_ENDPOINT
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            privileged: true
      volumes:
        - name: tanium-init-volume
          secret:
            secretName: tanium-init
            defaultMode: 0400
        - name: host-var-run
          hostPath:
            path: /var/run
            type: Directory
        - name: host-run
          hostPath:
            path: /run
            type: Directory
        - name: host-root
          hostPath:
            path: /
            type: Directory
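Because this DaemonSet runs privileged with the host root mounted, it pays to check the ConfigMap and DaemonSet against the shape the procedure above requires before running kubectl apply. The following audit is an added example, not part of Tanium's documentation or tooling. It takes the two manifests as Python dicts (what yaml.safe_load returns for configmap.yaml and daemonset.yaml), reports every deviation from the procedure (runtime value, socket URI, read-only 0400 secret mount, read-only host root, hostIPC left off, both environment variables wired up), and adds one hardening check the procedure does not mention: pinning the image by digest instead of a mutable tag. The socket file names and the sample manifests are constructed assumptions for the demonstration.

```python
"""Pre-deployment audit of the Tanium Client Container manifests.

Added example, not Tanium code. Input is the ConfigMap and DaemonSet as dicts
(e.g. from yaml.safe_load). The socket hints and sample manifests are assumed
values for the demonstration; adjust them to your nodes and registry.
"""
from typing import Any

ALLOWED_RUNTIMES = {"docker", "containerd", "crio"}
# Socket file name each runtime normally exposes (assumed defaults, adjust to your nodes).
SOCKET_HINT = {"docker": "dockershim.sock", "containerd": "containerd.sock", "crio": "crio.sock"}
SECRET_MODE = 0o400  # YAML "0400" is read as octal by Kubernetes and PyYAML, i.e. 256


def audit_configmap(cm: dict[str, Any]) -> list[str]:
    """Check the two environment variables the Tanium Client Container requires."""
    findings: list[str] = []
    data = cm.get("data", {})
    runtime = data.get("CONTAINER_RUNTIME")
    endpoint = data.get("CONTAINER_RUNTIME_ENDPOINT", "")
    if runtime not in ALLOWED_RUNTIMES:
        findings.append(f"CONTAINER_RUNTIME={runtime!r} must be one of {sorted(ALLOWED_RUNTIMES)}")
    if not endpoint.startswith("unix://"):
        findings.append(f"CONTAINER_RUNTIME_ENDPOINT={endpoint!r} is not a unix:// socket URI")
    elif runtime in SOCKET_HINT and SOCKET_HINT[runtime] not in endpoint:
        findings.append(f"endpoint {endpoint!r} does not look like a {runtime} CRI socket")
    return findings


def audit_daemonset(ds: dict[str, Any]) -> list[str]:
    """Check the pod template: the required privileges are present and nothing beyond them."""
    findings: list[str] = []
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    if pod.get("hostIPC"):
        findings.append("hostIPC is enabled; the procedure sets it to false")
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    for c in pod.get("containers", []):
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"image {image!r} is not pinned by digest; a mutable tag can resolve "
                            "to a different image on the next pull")
        if not c.get("securityContext", {}).get("privileged"):
            findings.append("container is not privileged; the Tanium Client Container requires it")
        env_names = {e.get("name") for e in c.get("env", [])}
        for key in ("CONTAINER_RUNTIME", "CONTAINER_RUNTIME_ENDPOINT"):
            if key not in env_names:
                findings.append(f"environment variable {key} is not set on the container")
        for vm in c.get("volumeMounts", []):
            vol = volumes.get(vm["name"])
            if vol is None:
                findings.append(f"volumeMount {vm['name']!r} has no matching volume")
            elif "secret" in vol:
                name = vol["secret"].get("secretName")
                if not vm.get("readOnly"):
                    findings.append(f"secret {name!r} is mounted writable")
                if vol["secret"].get("defaultMode") != SECRET_MODE:
                    findings.append(f"secret {name!r} defaultMode is not 0400")
            elif vol.get("hostPath", {}).get("path") == "/" and not vm.get("readOnly"):
                findings.append("host root filesystem is mounted writable")
    return findings


def audit(cm: dict[str, Any], ds: dict[str, Any]) -> list[str]:
    """All findings for the pair of manifests; an empty list means they match the procedure."""
    return audit_configmap(cm) + audit_daemonset(ds)


# Constructed sample manifests following the procedure above, for a containerd node.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "tcc-config", "namespace": "default", "labels": {"app": "tcc"}},
    "data": {"CONTAINER_RUNTIME": "containerd",
             "CONTAINER_RUNTIME_ENDPOINT": "unix:///run/containerd/containerd.sock"},
}


def sample_daemonset(hardened: bool) -> dict[str, Any]:
    """Build the DaemonSet; hardened=False reproduces three mistakes worth catching."""
    registry = "12345678.dkr.ecr.us-west-1.amazonaws.com/tcc"
    image = registry + "@sha256:" + "0" * 64 if hardened else registry + ":latest"  # placeholder digest
    env = [{"name": k, "valueFrom": {"configMapKeyRef": {"name": "tcc-config", "key": k}}}
           for k in ("CONTAINER_RUNTIME", "CONTAINER_RUNTIME_ENDPOINT")]
    mounts = [{"name": "tanium-init-volume", "mountPath": "/opt/Tanium/init", "readOnly": hardened},
              {"name": "host-run", "mountPath": "/host/run"},
              {"name": "host-root", "mountPath": "/host/root", "readOnly": True}]
    volumes = [{"name": "tanium-init-volume",
                "secret": {"secretName": "tanium-init", "defaultMode": 0o400 if hardened else 0o644}},
               {"name": "host-run", "hostPath": {"path": "/run", "type": "Directory"}},
               {"name": "host-root", "hostPath": {"path": "/", "type": "Directory"}}]
    return {"apiVersion": "apps/v1", "kind": "DaemonSet",
            "metadata": {"name": "tcc", "namespace": "default", "labels": {"app": "tcc"}},
            "spec": {"selector": {"matchLabels": {"app": "tcc"}},
                     "template": {"metadata": {"labels": {"app": "tcc"}},
                                  "spec": {"hostIPC": False, "hostPID": True, "hostNetwork": True,
                                           "containers": [{"name": "tcc", "image": image, "env": env,
                                                           "volumeMounts": mounts,
                                                           "securityContext": {"privileged": True,
                                                                               "runAsUser": 0}}],
                                           "volumes": volumes}}}}


if __name__ == "__main__":
    for label, ds in (("weak", sample_daemonset(False)), ("hardened", sample_daemonset(True))):
        print(f"{label}:", audit(SAMPLE_CONFIGMAP, ds) or ["no findings"])
```

In practice, load your real files with yaml.safe_load and refuse to apply while audit() returns any findings. The digest-pinning check is stricter than the procedure (which uses :latest with imagePullPolicy Always); the point is that with a mutable tag the image a node runs is whatever the registry serves at pull time, and a digest removes that ambiguity.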
Deploy the Tanium Client Container
With the kubectl command configured for your cluster environment, apply each of the YAML files. For example:
$ kubectl apply --filename="secret-tanium-init.yaml"
$ kubectl apply --filename="configmap.yaml"
$ kubectl apply --filename="daemonset.yaml" --selector="app=tcc"
When this completes, every existing node runs a pod with the Tanium Client Container, and every node added later starts one as part of its creation. You can verify the DaemonSet of the Tanium Client Container with the following command:
$ kubectl get --selector="app=tcc" daemonsets
After you install the Containers solution on the Tanium Server (or, in TaaS, after the solution is available) and install the Tanium Client Container on at least one container host, use the Is Managed Container Host sensor to verify that the Tanium Server retrieves results from the Tanium Client Container.
- Sign in to TaaS or the Tanium Server as a user with the Administrator reserved role (named Admin in TaaS), or a user with the Ask Dynamic Questions permission.
- On the Tanium Home page, enter the following question in the Explore Data field:
Get Is Managed Container Host
- Click Search.
The Question Results page opens to show answers from endpoints.
- Endpoints that are container hosts with the Tanium Client Container respond with True.
- Endpoints that are not container hosts with the Tanium Client Container do not respond and appear as [no results].
Verify that there are one or more True responses to confirm that the Tanium Client Container responds.
Import the Containers board in Trends to provide you with charts on container usage in the environment. The Tanium Client Container ZIP file includes the tanium-trends-boards-containers.json file for the Containers board. For information on how to import a board from a JSON file in Trends, see Tanium Trends User Guide: Import boards, sections, and panels.
To view the Containers board in Trends, you must have the following permissions:
- Trends show permission
- Trends API Board read for the Trends content set
- Trends Data read for the Trends content set
- In Trends, click Boards > Containers to monitor metrics.
See Reference: Tanium Containers sensors for a list of sensors in the Containers solution.
Last updated: 7/27/2021 7:59 AM