Installing Tanium Containers

Perform the following steps to import the Containers solution on the Tanium™ Server (on-premises deployments only), and to obtain, install, and configure the Tanium Client Container on endpoints that run container images.

Before you begin

If you use Tanium as a Service (TaaS), TaaS installs and upgrades the Containers solution for you, and you only need to install and configure the Tanium Client Container on endpoints that host containers. If you run the Tanium Server on premises, import the Containers solution on the Tanium Server first, as described below.

Obtain the Tanium Client Container

Contact Tanium Support to obtain a download link for the Tanium Client Container ZIP file.

After the download, compute the SHA256 checksum of the ZIP file and compare it with the SHA256 checksum listed with the Tanium download link. Do not extract or load the image if the checksums differ; obtain a fresh copy from Tanium Support instead.
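The page says to verify the checksum but does not show a fail-closed way to do it. The following shell function is an added example, not Tanium's own tooling: it compares the computed digest with the value copied from the download page, tolerates case and stray whitespace in the pasted value, and refuses to report success when the file is missing or the expected value is not a 64-character hex string. The file name and checksum in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not Tanium's code: fail-closed SHA256 verification of the
# downloaded ZIP. Returns non-zero on mismatch, on a missing file, and on a
# malformed expected value, so a typo in the checksum cannot pass as "verified".

# sha256_of <file> -> lowercase hex digest on stdout
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then   # macOS
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 <file> <expected-hex> -> 0 on match, 1 otherwise
verify_sha256() {
    file=$1
    # Normalise what was copied from the download page: case and whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    if [ ! -f "$file" ]; then
        echo "verify_sha256: no such file: $file" >&2
        return 1
    fi
    case "$expected" in
        *[!0-9a-f]*|'')
            echo "verify_sha256: expected value is not hex: '$2'" >&2
            return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify_sha256: expected value has ${#expected} hex chars, SHA256 has 64" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Example use (placeholders: substitute the real file name and the checksum
# shown next to the download link), stopping the installation on failure:
#   verify_sha256 tanium-client-container.zip "<checksum from the download page>" || exit 1
```

Run it before unzipping; a mismatch is a reason to re-download, not to proceed.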

Import the Containers solution on the Tanium Server

Perform the following steps to install the Containers solution on the Tanium Server.

If you have multiple Tanium Servers in an active-active configuration, you only need to perform these steps on one Tanium Server if you have Tanium Core Platform 7.4.3.1204 or later. Otherwise, perform these steps on each Tanium Server.

  1. Sign in to the Tanium Console with an administrator account.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. In the Content section, select the checkbox for Containers and click Install.
  4. Review the content to import and click Begin Install.
  5. If prompted, click Yes to confirm the action.

Install and configure the Tanium Client Container

Use the following steps to set up and configure the Tanium Client Container on your container environment nodes. The steps are the same for nodes that already run a Tanium Client and for nodes that do not. The Tanium Client Container detects an existing Tanium Client on the host and selects the appropriate operating mode. For more information, see Operating modes.

The commands provided in this section are examples. Make sure to adjust your own commands to match your environment.

The following examples use an Amazon Elastic Kubernetes Service (EKS) environment in region us-west-1 with the account 12345678 and the AWS username awsadmin. The concepts apply to any Kubernetes environment. Additionally, the examples use tanium/tcc as the name of the Tanium Client Container image and tcc for the name of the Kubernetes app. Adjust your own commands accordingly.

Unzip the Tanium Client Container ZIP file

Move or copy the ZIP file into your preferred directory or folder, extract its contents, and load the image tarball into your local image store. Use the file name that matches the version you downloaded; the examples use the 2.0.1 build.

Docker example:

docker image load --input tanium-client-container-2.0.1-7.4.5.1204.tar

CTR example:

ctr image import tanium-client-container-2.0.1-7.4.5.1204.tar

If you import with ctr directly on a Kubernetes node rather than on a workstation, add --namespace k8s.io so that the kubelet can see the image; images in the default ctr namespace are invisible to Kubernetes.

Push the Tanium Client Container to the image registry

Use the following steps to register the Tanium Client Container image with your private container registry.

  1. Authenticate your local Docker command with the Amazon ECR registry. For example:

    $ aws ecr get-login-password --region us-west-1 | docker login --username awsadmin --password-stdin 12345678.dkr.ecr.us-west-1.amazonaws.com

  2. Tag the Tanium Client Container image in the registry. For example:

    $ docker tag tanium/tcc:latest 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest

  3. Push the image to the registry. For example:

    $ docker push 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest

    Some registries, Amazon ECR included, require the repository to exist before the first push and reject pushes to repositories that have not been created (for ECR: aws ecr create-repository --repository-name tcc --region us-west-1). Push a version-specific tag alongside latest as well (for example, 2.0.1-7.4.5.1204, taken from the tarball name) so that you can pin the DaemonSet to a known build and roll back to it later.

Configure the Tanium Client Container

Perform the following steps to configure your Kubernetes environment.

ConfigMap

The Tanium Client Container requires two environment variables: CONTAINER_RUNTIME and CONTAINER_RUNTIME_ENDPOINT.

  • The CONTAINER_RUNTIME variable must be docker, containerd, or crio, and must match the runtime your Kubernetes nodes actually use. kubectl get nodes -o wide reports it in the CONTAINER-RUNTIME column.
  • The CONTAINER_RUNTIME_ENDPOINT variable must point to the CRI-compatible socket of that runtime. The default locations are unix:///run/containerd/containerd.sock for containerd and unix:///var/run/crio/crio.sock for CRI-O. The unix:///var/run/dockershim.sock socket in the example below exists only on nodes running Kubernetes 1.23 or earlier; Kubernetes 1.24 removed dockershim, and nodes that still use Docker run cri-dockerd, which listens on unix:///var/run/cri-dockerd.sock by default.

Create a configmap.yaml file such as the following example to declare the metadata and environment variables for the Tanium Client Container. You can also use the ConfigMap to pass additional environment variables to the Tanium Client, such as its log level.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcc-config
  namespace: default
  labels:
    app: tcc
data:
  CONTAINER_RUNTIME: "docker"
  CONTAINER_RUNTIME_ENDPOINT: "unix:///var/run/dockershim.sock"
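The runtime and socket must match what the kubelet actually uses, and a cluster with mixed node pools can have more than one answer. The following shell script is an added example, not Tanium's tooling: it maps the containerRuntimeVersion and kubeletVersion that kubectl reports for each node to the CONTAINER_RUNTIME / CONTAINER_RUNTIME_ENDPOINT pair and renders the ConfigMap, refusing to produce one when the nodes disagree. The socket paths are the runtimes' default locations (an assumption; check on a node if yours are customised), and the 1.24 cut-off between dockershim and cri-dockerd assumes stock upstream kubelets.

```shell
#!/bin/sh
# Added example, not Tanium's code. Derives CONTAINER_RUNTIME and
# CONTAINER_RUNTIME_ENDPOINT from what the kubelet reports per node and renders
# the ConfigMap. Socket paths are the runtimes' defaults (assumption).

# runtime_settings <containerRuntimeVersion> <kubeletVersion>
# Prints "<runtime> <endpoint>"; returns 1 for an unknown runtime.
runtime_settings() {
    case "$1" in
        containerd://*) echo "containerd unix:///run/containerd/containerd.sock" ;;
        cri-o://*)      echo "crio unix:///var/run/crio/crio.sock" ;;
        docker://*)
            # Kubernetes 1.24 removed the in-tree dockershim; newer nodes reach
            # Docker through cri-dockerd, which listens on a different socket.
            minor=$(printf '%s' "$2" | sed 's/^v\{0,1\}[0-9]*\.\([0-9]*\).*/\1/')
            case "$minor" in
                ''|*[!0-9]*)
                    echo "runtime_settings: cannot parse kubelet version '$2'" >&2
                    return 1 ;;
            esac
            if [ "$minor" -lt 24 ]; then
                echo "docker unix:///var/run/dockershim.sock"
            else
                echo "docker unix:///var/run/cri-dockerd.sock"
            fi ;;
        *)
            echo "runtime_settings: unsupported runtime '$1'" >&2
            return 1 ;;
    esac
}

# cluster_settings: reads "<containerRuntimeVersion> <kubeletVersion>" lines
# (one per node) on stdin; succeeds only if every node maps to the same pair.
cluster_settings() {
    result=""
    while read -r rt kv; do
        [ -n "$rt" ] || continue
        pair=$(runtime_settings "$rt" "$kv") || return 1
        if [ -z "$result" ]; then
            result=$pair
        elif [ "$result" != "$pair" ]; then
            echo "cluster_settings: nodes disagree: '$result' vs '$pair'" >&2
            return 1
        fi
    done
    [ -n "$result" ] || { echo "cluster_settings: no node lines on stdin" >&2; return 1; }
    echo "$result"
}

# render_configmap <namespace> <runtime> <endpoint> -> ConfigMap YAML on stdout
render_configmap() {
    cat <<EOF
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcc-config
  namespace: $1
  labels:
    app: tcc
data:
  CONTAINER_RUNTIME: "$2"
  CONTAINER_RUNTIME_ENDPOINT: "$3"
EOF
}

# Live use (assumes kubectl is pointed at the target cluster):
#   kubectl get nodes -o jsonpath='{range .items[*]}{.status.nodeInfo.containerRuntimeVersion} {.status.nodeInfo.kubeletVersion}{"\n"}{end}' \
#     | cluster_settings | { read -r rt ep; render_configmap default "$rt" "$ep"; } > configmap.yaml
```

If cluster_settings reports that nodes disagree, you need one DaemonSet and ConfigMap per node pool (selected with a nodeSelector) rather than a single cluster-wide value.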

Secret

The Tanium Client Container requires the tanium-init.dat initialization file from the Tanium Server. The tanium-init.dat file allows Tanium Clients to register with the Tanium Server and use the Tanium Zone Server settings. For instructions on how to download the tanium-init.dat initialization file from TaaS, see Tanium Client Management User Guide: Download installation packages for the Tanium Client. For instructions on how to download the tanium-init.dat initialization file from the Tanium Server, see Tanium Client Management User Guide: Configure client settings.

After you download the tanium-init.dat initialization file, verify the Tanium Servers in its server name list before you wrap it in a Secret. Run the following command on a host that has the Tanium Client installed:

# TaniumClient pki show ./tanium-init.dat --verbose

To give the Tanium Client Container access to the contents of the tanium-init.dat file without baking the file into the image, generate a Kubernetes Secret. For example:

$ kubectl create secret generic tanium-init --from-file tanium-init.dat --output=yaml --dry-run=client > secret-tanium-init.yaml

The generated secret-tanium-init.yaml contains the file base64-encoded, which is an encoding, not encryption: the manifest is exactly as sensitive as tanium-init.dat itself. Keep it out of source control and out of CI logs, or avoid writing it to disk at all by piping the manifest straight into kubectl apply --filename=- on the cluster. Also restrict who can read Secrets in the namespace; anyone with get access to the Secret can recover the file.

Be careful not to allow the tanium-init.dat file, or any manifest that embeds it, to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients and the Tanium Client Container.

Though the tanium-init.dat file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use the file to connect an unapproved client and use this unauthorized access to learn how your organization uses Tanium.

In Tanium Core Platform 7.4.1 or later, you can also retrieve the tanium-init.dat file from the Tanium Server through the REST API.

DaemonSet

A Kubernetes DaemonSet runs one copy of a pod on every node (or on every node that its selector matches), including nodes added to the cluster later. DaemonSets are commonly used for metrics, logging, and security tooling.

The DaemonSet configuration declares how the Tanium Client Container runs and combines data from the ConfigMap and the Secret.

The Tanium Client Container must run in privileged mode with hostPID and hostNetwork enabled and with the node's root filesystem mounted. Together these give the pod the equivalent of root on the node, so a compromise of the pod is a compromise of the node. Limit who can create, modify, or exec into this workload through RBAC, prefer a dedicated namespace over default, and pin the image reference rather than relying on latest.

Create a daemonset.yaml file that declares essential configurations and volume mounts to allow the Tanium Client Container to function properly. For example:

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tcc
  namespace: default
  labels:
    app: tcc
spec:
  selector:
    matchLabels:
      app: tcc
  template:
    metadata:
      labels:
        app: tcc
    spec:
      hostIPC: false
      hostPID: true
      hostNetwork: true
      restartPolicy: Always
      containers:
        - name: tcc
          image: 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest
          imagePullPolicy: Always
          volumeMounts:
            - name: tanium-init-volume
              mountPath: /opt/Tanium/init
              readOnly: true
            - name: host-var-run
              mountPath: /host/var/run
            - name: host-run
              mountPath: /host/run
            - name: host-root
              mountPath: /host/root
              readOnly: true
          env:
            - name: CONTAINER_RUNTIME
              valueFrom:
                configMapKeyRef:
                  name: tcc-config
                  key: CONTAINER_RUNTIME
            - name: CONTAINER_RUNTIME_ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: tcc-config
                  key: CONTAINER_RUNTIME_ENDPOINT
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            privileged: true
      volumes:
        - name: tanium-init-volume
          secret:
            secretName: tanium-init
            defaultMode: 0400
        - name: host-var-run
          hostPath:
            path: /var/run
            type: Directory
        - name: host-run
          hostPath:
            path: /run
            type: Directory
        - name: host-root
          hostPath:
            path: /
            type: Directory
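The manifest above is the minimum the container needs. The following variant is an added example, not Tanium's manifest: it keeps the same mounts, environment and privileges and adds the Kubernetes-side controls a privileged DaemonSet should have. It assumes a dedicated tanium namespace, labelled for Pod Security Admission so that only that namespace admits privileged pods while the rest of the cluster can stay at baseline or restricted; a dedicated service account with API token automount disabled (an assumption based on the page showing the container using only the runtime socket and the host filesystem, not the Kubernetes API; re-enable it if your Tanium documentation says otherwise); and an image pinned by digest, where <digest> is a placeholder you fill from docker image inspect --format '{{index .RepoDigests 0}}' on the pushed image. If you use this namespace, create the ConfigMap and Secret with --namespace tanium as well.

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: tanium    # assumption: dedicated namespace instead of default
  labels:
    # Pod Security Admission: only this namespace may run privileged pods.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tcc
  namespace: tanium
# No RoleBindings reference this account, and no token is mounted, so a
# compromised pod holds no Kubernetes API credential (assumption: not needed).
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tcc
  namespace: tanium
  labels:
    app: tcc
spec:
  selector:
    matchLabels:
      app: tcc
  template:
    metadata:
      labels:
        app: tcc
    spec:
      serviceAccountName: tcc
      automountServiceAccountToken: false
      nodeSelector:
        kubernetes.io/os: linux
      hostIPC: false
      hostPID: true
      hostNetwork: true
      restartPolicy: Always
      containers:
        - name: tcc
          # Pinned by digest: every node runs exactly the image you verified
          # and pushed, not whatever ":latest" points at on the next pull.
          image: 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc@sha256:<digest>
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            privileged: true
          env:
            - name: CONTAINER_RUNTIME
              valueFrom:
                configMapKeyRef:
                  name: tcc-config
                  key: CONTAINER_RUNTIME
            - name: CONTAINER_RUNTIME_ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: tcc-config
                  key: CONTAINER_RUNTIME_ENDPOINT
          volumeMounts:
            - name: tanium-init-volume
              mountPath: /opt/Tanium/init
              readOnly: true
            - name: host-var-run
              mountPath: /host/var/run
            - name: host-run
              mountPath: /host/run
            - name: host-root
              mountPath: /host/root
              readOnly: true
      volumes:
        - name: tanium-init-volume
          secret:
            secretName: tanium-init
            defaultMode: 0400
        - name: host-var-run
          hostPath:
            path: /var/run
            type: Directory
        - name: host-run
          hostPath:
            path: /run
            type: Directory
        - name: host-root
          hostPath:
            path: /
            type: Directory
```

Pair this with RBAC that grants create, update, patch, and pods/exec in the tanium namespace only to the identity that deploys the DaemonSet; with hostPID and a root mount, exec into this pod is root on the node.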

Deploy the Tanium Client Container

With the kubectl command configured for your cluster environment, apply each of the YAML files. For example:

$ kubectl apply --filename="secret-tanium-init.yaml"

$ kubectl apply --filename="configmap.yaml"

$ kubectl apply --filename="daemonset.yaml" --selector="app=tcc"

When the apply completes, each existing node runs a pod from the Tanium Client Container image, and each node added later starts one as part of its join. Verify that the DaemonSet reports as many ready pods as it desires:

$ kubectl get --selector="app=tcc" daemonsets

The DESIRED, READY, and AVAILABLE columns should all equal the number of nodes the DaemonSet targets; kubectl rollout status daemonset/tcc blocks until they do, and kubectl get pods --selector="app=tcc" shows any pod that is stuck pulling the image or crash-looping.

Verify Tanium Containers

After the Containers solution is installed (imported on the Tanium Server, or provided automatically by TaaS) and the Tanium Client Container is running on at least one container host, use the Is Managed Container Host sensor to verify that the Tanium Server or TaaS receives results from the Tanium Client Container.

  1. Sign in to TaaS or the Tanium Server as a user with the Administrator reserved role (Admin in TaaS), or as a user with the Ask Dynamic Questions permission.
  2. On the Tanium Home page, enter the following question in the Explore Data field:

    Get Is Managed Container Host

  3. Click Search.

The Question Results page opens to show answers from endpoints.

  • Endpoints that are container hosts with the Tanium Client Container respond with True.
  • Endpoints that are not container hosts with the Tanium Client Container do not respond and appear as [no results].

Verify that there are one or more True responses to confirm that the Tanium Client Container responds.

Import the Containers board in Trends

Import the Containers board in Trends to provide you with charts on container usage in the environment. The Tanium Client Container ZIP file includes the tanium-trends-boards-containers.json file for the Containers board. For information on how to import a board from a JSON file in Trends, see Tanium Trends User Guide: Import boards, sections, and panels.

To view the Containers board in Trends, you must have the following permissions:

  • Trends show permission
  • Trends API Board read for the Trends content set
  • Trends Data read for the Trends content set

What to do next