Installing Tanium Containers

Perform the following steps to import the Containers solution on the Tanium™ Server (not required on Tanium Cloud, which installs it automatically), and to obtain, install, and configure the Tanium Client Container on endpoints with container images.

Before you begin

Tanium Containers requires the Containers solution to be in Tanium Cloud. Tanium Cloud automatically handles installations and upgrades for the Containers solution. You only need to install and configure the Tanium Client Container on endpoints with containers.

Obtain the Tanium Client Container

The Tanium Client Container ZIP file is included in the Linux installer bundle (linux-client-bundle.zip) that you download through Tanium Client Management 1.8 or later. For instructions, see Tanium Client Management User Guide: Download installation packages for the Tanium Client.

If you have an older version of Tanium Client Management, contact Tanium Support to obtain a download link for the Tanium Client Container ZIP file.

Import the Containers solution on the Tanium Server

Perform the following steps to install the Containers solution on the Tanium Server.

If you have multiple Tanium Servers in an active-active configuration, you only need to perform these steps on one Tanium Server if you have Tanium Core Platform 7.4.3.1204 or later. Otherwise, perform these steps on each Tanium Server.

  1. Sign in to the Tanium Console with an administrator account.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. In the Content section, select the checkbox for Containers and click Install.
  4. Review the content to import and click Begin Install.
  5. If prompted, click Yes to confirm the action.

Install and configure the Tanium Client Container

Use the following steps to set up and configure the Tanium Client Container on your container environment nodes. The steps are the same for both nodes that contain the Tanium Client and nodes that do not have an existing Tanium Client. The Tanium Client Container automatically detects an existing Tanium Client on the host and selects the appropriate operating mode. For more information, see Operating modes.

The commands provided in this section are examples. Make sure to adjust your own commands to match your environment.

The following examples use an Amazon Elastic Kubernetes Service (EKS) environment in region us-west-1 with the account 12345678 and the AWS username awsadmin. The concepts apply to any Kubernetes environment. Additionally, the examples use tanium/tcc as the name of the Tanium Client Container image and tcc for the name of the Kubernetes app. Adjust your own commands accordingly.

Unzip the Tanium Client Container ZIP file

Move or copy the ZIP file into your preferred directory or folder, and then extract the contents of the file.

Docker example:

docker image load --input tanium-client-container-2.0.1-7.4.5.1204.tar

CTR example:

ctr image import tanium-client-container-2.0.1-7.4.5.1204.tar

Validate the Tanium Client Container import

Validate the Tanium Client Container image before registering it with your private container registry.

  1. View the labels for the Tanium Client Container image. For example:

    docker images --filter 'label=org.opencontainers.image.vendor'

  2. Confirm that the Tanium Client Container version number in the zip and the tcc tag match. For example, with tanium-client-container-2.0.2-7.4.7.1094.zip, the tag should be 2.0.2-7.4.7.1094.
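The version check in step 2 is easy to automate. The following POSIX shell script is an added example, not Tanium's own tooling: it derives the expected tag from the ZIP file name and compares it with the tag Docker reports for the loaded image. It assumes the image was loaded under the name tanium/tcc, as in the examples on this page; the hypothetical script name check-tcc-version.sh is only used in the usage comment.

```shell
#!/bin/sh
# Added example (not from the Tanium documentation): confirm that the loaded
# Tanium Client Container image tag matches the version in the ZIP file name.

# expected_tag_from_zip ZIPNAME
# Strips the directory, the "tanium-client-container-" prefix and the ".zip"
# suffix, leaving the "<tcc version>-<client version>" string used as the tag.
expected_tag_from_zip() {
    name=${1##*/}                           # drop any directory part
    name=${name#tanium-client-container-}   # drop the fixed prefix
    name=${name%.zip}                       # drop the extension
    case "$name" in
        [0-9]*.*.*-[0-9]*) printf '%s\n' "$name" ;;
        *) echo "unexpected ZIP name: $1" >&2; return 1 ;;
    esac
}

# image_tag_matches_zip ZIPNAME TAG
# Returns 0 when TAG is the tag the ZIP name implies, 1 otherwise.
image_tag_matches_zip() {
    expected=$(expected_tag_from_zip "$1") || return 1
    [ "$expected" = "$2" ]
}

# Real use on a host where the image has been loaded (hypothetical script name):
#   sh check-tcc-version.sh tanium-client-container-2.0.2-7.4.7.1094.zip
# With no argument the script only defines the functions above.
if [ -n "${1:-}" ]; then
    # "docker images REPOSITORY --format '{{.Tag}}'" prints the tags of the named image.
    loaded_tag=$(docker images --format '{{.Tag}}' tanium/tcc | head -n 1)
    if image_tag_matches_zip "$1" "$loaded_tag"; then
        echo "OK: loaded image tag $loaded_tag matches $1"
    else
        echo "MISMATCH: loaded image tag '$loaded_tag' does not match $1" >&2
        exit 1
    fi
fi
```

A mismatch usually means an older image is still loaded under the same name; inspect the tags with `docker images tanium/tcc` before pushing to the registry.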

Push the Tanium Client Container to the image registry

Use the following steps to register the Tanium Client Container image with your private container registry.

  1. Authenticate your local Docker command with the EKS registry. For example:

    $ aws ecr get-login-password --region us-west-1 | docker login --username awsadmin --password-stdin 12345678.dkr.ecr.us-west-1.amazonaws.com

  2. Tag the Tanium Client Container image in the registry. For example:

    $ docker tag tanium/tcc:latest 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest

  3. Push the image to the registry. For example:

    $ docker push 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest

    Some registries require you to create the repository beforehand and do not allow you to push images that are not configured.

Configure the Tanium Client Container

Perform the following steps to configure your Kubernetes environment.

ConfigMap

The Tanium Client Container requires two environment variables: CONTAINER_RUNTIME and CONTAINER_RUNTIME_ENDPOINT.

  • The CONTAINER_RUNTIME variable must be docker, containerd, or crio. The value must match your Kubernetes environment.
  • The CONTAINER_RUNTIME_ENDPOINT variable must point to the CRI-compatible container socket that is used by your container runtime.

One way to determine these values for your environment is to examine the output of the following command:

tr \\0 ' ' < /proc/"$(pgrep kubelet)"/cmdline

For more information, see Kubernetes documentation: Find out what container runtime endpoint you use.
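The following added example (not from the Tanium documentation) turns that manual inspection into two shell functions: one extracts the value of the kubelet --container-runtime-endpoint flag from a NUL-separated /proc/<pid>/cmdline, the other maps the socket name to the CONTAINER_RUNTIME value the Tanium Client Container expects. The mapping from socket file name to runtime (containerd.sock, crio.sock, dockershim.sock or docker.sock) is an assumption based on the default socket names those runtimes use; check it against your cluster. The sample kubelet command line is constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example (not from the Tanium documentation): derive CONTAINER_RUNTIME
# and CONTAINER_RUNTIME_ENDPOINT from the kubelet command line.

# endpoint_from_cmdline
# Reads a NUL-separated kubelet command line (the format of /proc/<pid>/cmdline)
# on stdin and prints the value of --container-runtime-endpoint. Both the
# "--flag=value" and the "--flag value" forms are handled.
endpoint_from_cmdline() {
    tr '\0' '\n' | awk '
        $0 ~ /^--container-runtime-endpoint=/ {
            sub(/^--container-runtime-endpoint=/, ""); print; exit
        }
        $0 == "--container-runtime-endpoint" { getline; print; exit }
    '
}

# runtime_from_endpoint ENDPOINT
# Maps a CRI socket path to docker, containerd, or crio. The socket names are
# the defaults used by those runtimes (assumption; verify for your cluster).
runtime_from_endpoint() {
    case "$1" in
        *containerd.sock)              echo containerd ;;
        *crio.sock)                    echo crio ;;
        *dockershim.sock|*docker.sock) echo docker ;;
        *) echo "unrecognised runtime socket: $1" >&2; return 1 ;;
    esac
}

# Constructed sample kubelet command line (NUL-separated, as in /proc/<pid>/cmdline).
SAMPLE_CMDLINE='/usr/bin/kubelet\0--config=/var/lib/kubelet/config.yaml\0--container-runtime-endpoint=unix:///run/containerd/containerd.sock\0--node-ip=10.0.0.5\0'

# sample_runtime: run both steps over the constructed sample.
sample_runtime() {
    runtime_from_endpoint "$(printf "$SAMPLE_CMDLINE" | endpoint_from_cmdline)"
}

# On a real node, as a user allowed to read the kubelet process entry:
#   endpoint=$(endpoint_from_cmdline < /proc/"$(pgrep -o kubelet)"/cmdline)
#   runtime=$(runtime_from_endpoint "$endpoint")
# Put the two values into configmap.yaml as CONTAINER_RUNTIME and
# CONTAINER_RUNTIME_ENDPOINT.
```

If the endpoint flag is absent from the command line, the kubelet is taking it from its config file (the --config path in the example), and the value must be read from there instead.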

Create a configmap.yaml file such as the following example to declare the metadata and environment variables for the Tanium Client Container. You can also use the configuration file to apply ENV variables to the Tanium Client as well as the log level.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcc-config
  namespace: default
  labels:
    app: tcc
data:
  CONTAINER_RUNTIME: "docker"
  CONTAINER_RUNTIME_ENDPOINT: "unix:///var/run/dockershim.sock"

Secret

The Tanium Client Container requires the tanium-init.dat initialization file from the Tanium Server. The tanium-init.dat file allows Tanium Clients to register with the Tanium Server and use the Tanium Zone Server settings. For instructions on how to download the tanium-init.dat initialization file from Tanium Cloud, see Tanium Client Management User Guide: Download installation packages for the Tanium Client. For instructions on how to download the tanium-init.dat initialization file from the Tanium Server, see Tanium Client Management User Guide: Configure client settings.

After you download the tanium-init.dat initialization file, use the following command to verify the Tanium Servers in the server name list in the file:

# TaniumClient pki show ./tanium-init.dat --verbose

You can override the values in the tanium-init.dat file, if necessary. See Override tanium-init.dat configuration.

To securely allow the Tanium Client Container access to the contents of the tanium-init.dat file, generate a Kubernetes secret. For example:

$ kubectl create secret generic tanium-init --from-file tanium-init.dat --output=yaml --dry-run=client > secret-tanium-init.yaml

Be careful not to allow the tanium-init.dat file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients and the Tanium Client Container.

Though the tanium-init.dat file does not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use the file to connect an unapproved client and use this unauthorized access to learn how your organization uses Tanium.

In Tanium Core Platform 7.4.1 or later, you can also retrieve the tanium-init.dat file from the Tanium Server through the REST API.

DaemonSet

A Kubernetes DaemonSet ensures that a copy of a pod runs on every node, including nodes that join the cluster later. DaemonSets are commonly used for metrics, logging, and security tooling.

The DaemonSet configuration declares how the Tanium Client Container runs and combines data from the configmap and secret.

The Tanium Client Container must run in privileged mode; be sure to limit access to the Tanium Client Container.

Create a daemonset.yaml file that declares essential configurations and volume mounts to allow the Tanium Client Container to function properly. For example:

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tcc
  namespace: default
  labels:
    app: tcc
spec:
  selector:
     matchLabels:
       app: tcc
  template:
    metadata:
      labels:
        app: tcc
    spec:
      hostIPC: false
      hostPID: true
      hostNetwork: true
      restartPolicy: Always
      containers:
        - name: tcc
          image: 12345678.dkr.ecr.us-west-1.amazonaws.com/tcc:latest
          imagePullPolicy: Always
          volumeMounts:
            - name: tanium-init-volume
              mountPath: /opt/Tanium/init
              readOnly: true
            - name: host-var-run
              mountPath: /host/var/run
            - name: host-run
              mountPath: /host/run
            - name: host-root
              mountPath: /host/root
              readOnly: true
          env:
              - name: CONTAINER_RUNTIME
                valueFrom:
                  configMapKeyRef:
                    name: tcc-config
                    key: CONTAINER_RUNTIME
              - name: CONTAINER_RUNTIME_ENDPOINT
                valueFrom:
                  configMapKeyRef:
                    name: tcc-config
                    key: CONTAINER_RUNTIME_ENDPOINT
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            privileged: true
      volumes:
        - name: tanium-init-volume
          secret:
            secretName: tanium-init
            defaultMode: 0400
        - name: host-var-run
          hostPath:
            path: /var/run
            type: Directory
        - name: host-run
          hostPath:
            path: /run
            type: Directory
        - name: host-root
          hostPath:
            path: /
            type: Directory

Override tanium-init.dat configuration

If the Tanium Client Container is in an environment with a different Tanium Server configuration than what is included in the tanium-init.dat file, you can override the tanium-init.dat configuration by adding environment variables in the daemonset.yaml or configmap.yaml files. You can use the following environment variables:

  • TANIUM_CLIENT_LISTEN_PORT
  • TANIUM_CLIENT_LOG_LEVEL
  • TANIUM_SERVER_LIST
  • TANIUM_SERVER_PORT
  • TANIUM_PROXY_SERVERS

For example:

# Kubernetes requires container env values to be strings, so quote numeric values.
- name: TANIUM_CLIENT_LOG_LEVEL
  value: "11"

Deploy the Tanium Client Container

With the kubectl command configured for your cluster environment, apply each of the YAML files. For example:

$ kubectl apply --filename="secret-tanium-init.yaml"

$ kubectl apply --filename="configmap.yaml"

$ kubectl apply --filename="daemonset.yaml" --selector="app=tcc"

When the commands complete, the DaemonSet is applied to your Kubernetes environment: each existing node starts a Tanium Client Container, and each new node runs one as part of its creation. You can verify the DaemonSet of the Tanium Client Container with the following command:

$ kubectl get --selector="app=tcc" daemonsets

Verify Tanium Containers

After you install the Containers solution (on the Tanium Server; Tanium Cloud installs it automatically) and install the Tanium Client Container on at least one container host, use the Is Managed Container Host sensor to verify that the Tanium Server or Tanium Cloud retrieves results from the Tanium Client Container.

  1. Sign in to Tanium Cloud or the Tanium Server as a user with the Admin (Tanium Cloud) or Administrator (Tanium Server) reserved role, or a user with the Ask Dynamic Questions permission.
  2. On the Tanium Home page, enter the following question in the Explore Data field:

    Get Is Managed Container Host

  3. Click Search.

The Question Results page opens to show answers from endpoints.

  • Endpoints that are container hosts with the Tanium Client Container respond with True.
  • Endpoints that are not container hosts with the Tanium Client Container do not respond and appear as [no results].

Verify that there are one or more True responses to confirm that the Tanium Client Container responds.

What to do next