Running centralized scans

This feature is not available in on-premises deployments.

Use centralized scans to scan from the Tanium Module server on unmanaged environments, such as Amazon EC2 or an unmanaged subnet.

Scan unmanaged subnets with a centralized Nmap scan

Use centralized Nmap scans to find interfaces in unmanaged subnets. The Network Mapper (Nmap) utility finds information about network interfaces by running host discovery and OS fingerprinting from the Module Server on a target network.

The Nmap scan combines Internet Control Message Protocol (ICMP) pings with port probes on ports 80 and 443 for host discovery.

To perform OS fingerprinting on external networks, any of the 1000 ports being scanned must be open between the Tanium Module Server and the target network. For the list of ports, see Top 1,000 TCP and UDP ports (nmap default).

OS fingerprinting scans 1000 commonly used TCP ports on each endpoint. In the profile settings, you can configure a preferred source port from which the scan runs on endpoints, and the target endpoint ports. The value of the OS Generation field is a “best guess” from Nmap, and is not displayed for managed interfaces.

A centralized Nmap scan with the default 1000-port scan generates approximately 122000 bytes of data per IP address found.

The accuracy of OS fingerprinting and host name resolution depends on how remote the network is that you choose to scan. The more network hops away you search, the harder it is for Nmap to identify the operating system.

Remote network scans do not return a MAC address. If an interface does not have a MAC address, the IP address is used as the unique identifier.

The Nmap utility is installed on the Module Server after you create a centralized Nmap profile. If you remove all of the centralized Nmap profiles, the Nmap utility is removed as well.

Configure profile for centralized Nmap scan

Before you set up the profile, you must have the target network information: a comma-separated list of CIDR addresses that together cover no more than 4096 IP addresses.

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Choose Centralized (scan from Module Server).
  3. For the Discovery Method, choose Nmap Scan with Host Discovery and OS Fingerprinting.
  4. When you define scan inclusions, indicate the set of CIDR addresses for the Tanium Module Server to target with the scan. Add exclusions if specific parts of the target network are VPN networks that might include personal devices, zone servers, or devices with fragile networking.
  5. Click Create.
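The prerequisite above caps a profile at 4096 target addresses, and the scan produces roughly 122000 bytes per IP found, so it is worth checking an inclusion and exclusion list before you click Create. The following Python is an added example, not Tanium code: it parses the comma-separated CIDR lists the profile expects, subtracts the exclusions, and reports whether the remaining address count is within the limit together with the worst-case import size if every address answers. It assumes exclusions are written as CIDR blocks like the inclusions, which is an assumption, not something the page states.

```python
import ipaddress

# Values taken from this page's profile prerequisites and sizing note.
MAX_TARGET_ADDRESSES = 4096      # upper bound on addresses across all inclusion CIDRs
BYTES_PER_IP_FOUND = 122_000     # approximate output of the default 1000-port scan per IP found


def parse_cidr_list(text):
    """Parse a comma-separated CIDR list (as entered in the profile) into network objects.

    Host bits are rejected rather than silently widened, so a typo such as
    '10.1.0.5/24' fails here instead of scanning a larger block than intended.
    """
    networks = []
    for item in text.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=True))
    return networks


def apply_exclusions(inclusions, exclusions):
    """Subtract exclusion blocks from inclusion blocks and return the remaining networks."""
    remaining = list(inclusions)
    for excluded in exclusions:
        next_remaining = []
        for net in remaining:
            if net.version != excluded.version or not net.overlaps(excluded):
                next_remaining.append(net)                  # untouched by this exclusion
            elif net.subnet_of(excluded):
                continue                                    # entirely excluded (covers equality)
            else:
                # excluded is a proper subnet of net: keep the pieces around it
                next_remaining.extend(net.address_exclude(excluded))
        remaining = next_remaining
    return sorted(remaining, key=lambda n: (n.version, int(n.network_address)))


def check_scan_targets(inclusions_text, exclusions_text=""):
    """Validate a profile's inclusion/exclusion lists against the address limit
    and estimate the worst-case data volume if every target address is found."""
    targets = apply_exclusions(parse_cidr_list(inclusions_text),
                               parse_cidr_list(exclusions_text))
    count = sum(net.num_addresses for net in targets)
    return {
        "networks": [str(net) for net in targets],
        "address_count": count,
        "within_limit": count <= MAX_TARGET_ADDRESSES,
        "worst_case_bytes": count * BYTES_PER_IP_FOUND,
    }


if __name__ == "__main__":
    # Constructed sample input: two private subnets, with one /24 carved out
    # because it hosts devices with fragile networking that should not be probed.
    print(check_scan_targets("10.1.0.0/22, 192.168.5.0/24", "10.1.3.0/24"))
```

Run it with your own lists before creating the profile; an inclusion list that fails the limit is cheaper to split into two profiles than to discover after the first scheduled run.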

Discovery process

  1. On the first run of a centralized Nmap profile, the Nmap utility is installed on the Module Server. The scan then runs at the scheduled interval.
  2. The scan performs ARP broadcast and OS fingerprinting on the targeted network, as defined in the profile settings.
  3. Results are imported into Discover at the Import Frequency that you defined.

Scan Amazon EC2 environments

Discover unmanaged interfaces in an Amazon EC2 environment from the Tanium Module Server.

Before you begin

In your security, proxy, or other network tools, configure clear access from the Tanium Module Server to ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com on port 443.

Configure API user

To access the EC2 environment, you must have a user that has API access and the required permissions.

  1. Create a user in Amazon Web Services (AWS) with programmatic access. This user must have an access key ID and secret access key. For more information, see AWS docs: Creating an IAM user in your AWS account.
  2. Attach the following policy to the user you created in AWS. This policy limits the access of the user to the minimum requirements for Discover. For more information, see AWS docs: Create and Attach Your First Customer Managed Policy.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ssm:DescribeInstanceInformation"
                ],
                "Resource": "*"
            }
        ]
    }

Configure profile for Amazon EC2 centralized scan

Configure a profile for the centralized scan by defining the credentials for AWS and a scan schedule.

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Choose Centralized (Scan from Module Server).
  3. For the Discovery Method, choose Amazon Web Services EC2 Cloud API.
  4. Enter details for the discovery method to connect the Tanium Module Server to the Amazon EC2 environment.

    The secret access key persists after you save the profile. You do not need to enter the key if you edit the profile later.

  5. Test the connection to AWS. Click Test Credentials. The credentials are tested against all selected regions. Edit the Regions setting to include only regions to which the ID and key have access.
  6. Configure the scan schedule, which defines how often to query AWS.
  7. Click Create.

Discovery process

After you save an Amazon EC2 centralized scanning profile, the following actions occur:

  1. On the scheduled interval, the Tanium Module Server uses the AWS API to query your EC2 environment.
  2. All information comes from the AWS API; the discovery method does not contact the individual EC2 instances.
  3. Results are imported into Discover at the Import Frequency that you defined.

The unique identifier for AWS instances is instanceID. An EC2 instance with multiple NICs results in multiple interfaces, one for each NIC.
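Two things in this section are easy to get wrong in practice: a tightened or rewritten IAM policy that no longer grants one of the three actions, and the expectation that one instance means one interface. The following Python is an added example, not Tanium code. It checks a policy document for the actions Discover needs, matching the way IAM does (case-insensitive, with * and ? wildcards), and flattens a DescribeInstances response into one record per NIC with the instance ID as the unique identifier. The sample API response is constructed: its field names follow the EC2 DescribeInstances API, but every instance, ENI, subnet and address value is made up.

```python
import fnmatch

# The policy from the step above, as a Python dict (verbatim from this page).
DISCOVER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ssm:DescribeInstanceInformation",
            ],
            "Resource": "*",
        }
    ],
}

# The three actions that policy grants are what Discover needs from AWS.
REQUIRED_ACTIONS = frozenset(DISCOVER_POLICY["Statement"][0]["Action"])


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement in `policy` grants.

    IAM compares action names case-insensitively and accepts '*' and '?' wildcards,
    which fnmatch reproduces once both sides are lower-cased. Deny statements are
    not evaluated here, so an empty result means "not missing", not "proven allowed".
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):          # "Action" may be a string or a list
            patterns = [patterns]
        for pattern in patterns:
            for action in required:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return set(required) - granted


# Constructed sample DescribeInstances response: two instances, one with two ENIs.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {
            "InstanceId": "i-0example00000001",
            "ImageId": "ami-0example0000001",
            "NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-0example0000aa", "MacAddress": "0a:11:22:33:44:01",
                 "PrivateIpAddress": "10.20.1.10", "SubnetId": "subnet-0example001"},
                {"NetworkInterfaceId": "eni-0example0000ab", "MacAddress": "0a:11:22:33:44:02",
                 "PrivateIpAddress": "10.20.2.10", "SubnetId": "subnet-0example002"},
            ],
        },
        {
            "InstanceId": "i-0example00000002",
            "ImageId": "ami-0example0000001",
            "NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-0example0000ac", "MacAddress": "0a:11:22:33:44:03",
                 "PrivateIpAddress": "10.20.1.11", "SubnetId": "subnet-0example001"},
            ],
        },
    ]}]
}


def interfaces_from_response(response):
    """Flatten a DescribeInstances response into one record per NIC.

    The instance ID is the unique identifier, so an instance with N NICs yields
    N records sharing one unique_id, which is how the page says Discover models it.
    """
    records = []
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            for nic in instance.get("NetworkInterfaces", []):
                records.append({
                    "unique_id": instance["InstanceId"],
                    "interface_id": nic["NetworkInterfaceId"],
                    "ip": nic.get("PrivateIpAddress"),
                    "mac": nic.get("MacAddress"),
                    "subnet": nic.get("SubnetId"),
                    "image_id": instance.get("ImageId"),
                })
    return records


if __name__ == "__main__":
    print("missing actions:", missing_actions(DISCOVER_POLICY) or "none")
    for rec in interfaces_from_response(SAMPLE_DESCRIBE_INSTANCES):
        print(rec["unique_id"], rec["interface_id"], rec["ip"], rec["mac"])
```

Because the mapping reads only what DescribeInstances returns, it also shows why the MAC address is available for EC2 interfaces even though no instance is contacted: the API reports it per ENI.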

Centralized scan results

Scan results

After you discover interfaces, the Interfaces pages list the interfaces with an icon for each of the following categories:

  • Managed: interfaces that have Tanium Client installed.
  • Unmanaged: interfaces that do not have Tanium Client installed, but might be candidates for a Tanium Client installation.
  • Unmanageable: interfaces on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, as defined by the Unmanageable OS Platforms predefined automatic label. Unmanageable interfaces are not included in the managed and unmanaged interface statistics.

The profile type and discovery method that were used to find the interface return varying columns on the Interfaces pages. For more information, see Reference: Data returned by profile type.

What to do next