Running centralized scans

This feature is not available in TaaS deployments.

Use centralized scans to scan from the Tanium Module server to unmanaged environments, such as Amazon EC2 or an unmanaged subnet.

Scan unmanaged subnets with a centralized Nmap scan

Use centralized Nmap scans to find interfaces in unmanaged subnets. The Network Mapper (Nmap) utility finds information about network interfaces by running host discovery and OS fingerprinting from the Module Server on a target network.

The centralized Nmap scan is equivalent to a level 4 distributed scan.

To perform OS fingerprinting on external networks, any of the 1,000 ports being scanned must be reachable from the Tanium Module Server, so outbound traffic on those ports must be open on the Module Server. For the list of ports, see Top 1,000 TCP and UDP ports (nmap default).

OS fingerprinting scans 1000 commonly used TCP ports on each endpoint. In the profile settings, you can configure a preferred source port from which the scan runs on endpoints, and the target endpoint ports. The value of the OS Generation field is a “best guess” from Nmap, and is not displayed for managed interfaces.

Centralized Nmap with the default 1,000 port scan generates approximately 122,000 bytes of data per IP found.

The accuracy of OS fingerprinting and host name resolution depends on how remote the network is that you choose to scan. The more network hops away you search, the harder it is for Nmap to identify the operating system.

Remote network scans do not return a MAC address. If an interface does not have a MAC address, the IP address is used as the unique identifier.

The Nmap utility is installed on the Module Server after you create a centralized Nmap profile. If you remove all of the centralized Nmap profiles, the Nmap utility gets removed.

Configure profile for centralized Nmap scan

Before you set up the profile, you must have the target network information: a comma-separated list of CIDR addresses covering a total of 4096 IP addresses or fewer (the equivalent of a /20 network).

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Choose Centralized (scan from Module Server).
  3. For the Discovery Method, choose Nmap Scan with Host Discovery and OS Fingerprinting.
  4. When you define scan inclusions, indicate the set of CIDR addresses for the Tanium Module Server to target with the scan. Add exclusions (such as individual IP addresses or subnets) to limit the scan within the specified inclusion range. For example, if you specify the Target Network is 192.168.0.0/20, you might specify to exclude 192.168.1.0/24 and 192.168.0.1.
  5. Configure the scan schedule and scan window.

    1. Schedule: The schedule defines how often to run the scan and how long to take to distribute the scan tools to endpoints.
      Recommended scanning frequency is once an hour in most environments. If you are using level 2 discovery, set the Reissue every interval to an hour or more to ensure that the next scan does not begin before the current scan completes.
    2. Scan Window (Windows, Mac, and Linux endpoints only): Configure specific times to run the discovery process on your endpoints. If a scan is scheduled to run outside the scan window, nothing is run as a part of the scan.
      The time can either be the local endpoint time of the Tanium Client, or the local time of the Tanium user that is configuring the profile. For example, you can choose Local Endpoint Time and create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. If some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours or days.
      The Duration of the scan window must be greater than or equal to the Reissue every plus Distribute over settings in the schedule section. If the value is set to less than the sum of these values, some endpoints never scan.

  6. Click Create.
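The inclusion and exclusion settings from step 4, worked through as an added example (not part of the Tanium documentation): expand the comma-separated inclusion CIDRs, subtract the exclusions, and enforce the documented 4096-address limit before the scan is created. The function name `expand_targets` and the 192.168.0.0/20 sample are assumptions chosen to match the text.

```python
import ipaddress

# Documented limit for a centralized Nmap profile: 4096 addresses, i.e. one /20.
MAX_TARGET_ADDRESSES = 4096


def expand_targets(inclusions, exclusions=()):
    """Return the set of IPv4 addresses (as strings) the profile would actually scan.

    inclusions: comma-separated CIDR string, as typed into the profile's Target Network.
    exclusions: iterable of CIDR or single-IP strings, as typed into the profile's exclusions.
    Raises ValueError when the inclusions exceed the documented 4096-address limit.
    """
    included = [ipaddress.ip_network(c.strip()) for c in inclusions.split(",") if c.strip()]
    total = sum(net.num_addresses for net in included)
    if total > MAX_TARGET_ADDRESSES:
        raise ValueError(f"inclusions cover {total} addresses; limit is {MAX_TARGET_ADDRESSES}")

    # strict=False lets a host address such as 192.168.0.1 be given without a /32 suffix.
    excluded = [ipaddress.ip_network(e.strip(), strict=False) for e in exclusions if e.strip()]

    targets = set()
    for net in included:
        for addr in net:
            # An address is scanned only if no exclusion (subnet or single IP) covers it.
            if not any(addr in ex for ex in excluded):
                targets.add(str(addr))
    return targets


if __name__ == "__main__":
    # The example from step 4: a /20 inclusion minus one /24 subnet and one single IP.
    scanned = expand_targets("192.168.0.0/20", ["192.168.1.0/24", "192.168.0.1"])
    print(f"{len(scanned)} addresses will be scanned")
```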

Discovery process

  1. On the first run of a centralized Nmap profile, Discover installs the Nmap utility on the Module Server. The scan runs at the scheduled interval.
  2. Discover performs an Nmap scan on the targeted network, as defined in the profile settings.
  3. Results are imported into Discover at the Reissue every interval that you defined.

If you have enabled Endpoint Configuration approval, configuration changes must be approved in Endpoint Configuration before they deploy to endpoints.

Scan Amazon EC2 environments

Discover unmanaged interfaces in an Amazon EC2 environment from the Tanium Module Server.

Before you begin

Configure your network to allow access from the Tanium Module Server to ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com on port 443.

Configure API user

To access the EC2 environment, you must have a user that has API access and the required permissions.

  1. Create a user in Amazon Web Services (AWS) with programmatic access. This user must have an access key ID and secret access key. For more information, see AWS docs: Creating an IAM user in your AWS account.
  2. Attach the following policy to the user you created in AWS. This policy limits the access of the user to the minimum requirements for Discover. For more information, see AWS docs: Create and Attach Your First Customer Managed Policy.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ssm:DescribeInstanceInformation"
          ],
          "Resource": "*"
        }
      ]
    }
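A least-privilege check for the policy attached in step 2, as an added example rather than anything Tanium or AWS ships: it parses a policy document and reports any action that goes beyond the three Describe actions the page lists, including wildcards such as `ec2:*`. The policy strings are constructed here; `REQUIRED_ACTIONS` and `check_discover_policy` are names chosen for this example.

```python
import json

# The minimum actions the page lists for the Discover EC2 Cloud API method.
REQUIRED_ACTIONS = {
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ssm:DescribeInstanceInformation",
}


def allowed_actions(policy_doc):
    """Collect every action granted by Allow statements; Action may be a string or a list."""
    actions = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def check_discover_policy(policy_json):
    """Return a list of findings; an empty list means the policy grants exactly the documented minimum.

    Resource "*" is not flagged: the Describe actions listed above do not support
    resource-level restrictions, so "*" is the expected value in this policy.
    """
    granted = allowed_actions(json.loads(policy_json))
    findings = []
    for action in sorted(granted):
        if "*" in action:
            findings.append(f"wildcard action {action!r} grants more than Discover needs")
        elif action not in REQUIRED_ACTIONS:
            findings.append(f"action {action!r} is not required by Discover")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing required actions: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample policies: the documented minimum, and an over-broad variant an
# administrator might attach by mistake.
DOCUMENTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]})
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:*", "ssm:DescribeInstanceInformation"], "Resource": "*"}]})

if __name__ == "__main__":
    for name, policy in (("documented", DOCUMENTED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, check_discover_policy(policy) or "OK: least privilege")
```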

Configure profile for Amazon EC2 centralized scan

Configure a profile for the centralized scan by defining the credentials for AWS and a scan schedule.

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Choose Centralized (Scan from Module Server).
  3. For the Discovery Method, choose Amazon Web Services EC2 Cloud API.
  4. Enter details for the discovery method to connect the Tanium Module Server to the Amazon EC2 environment.

    The secret access key persists after you save the profile. You do not need to enter the key if you edit the profile later.

  5. Test the connection to AWS. Click Test Credentials. The credentials are tested against all selected regions. Edit the Regions setting to include only regions to which the ID and key have access.
  6. Configure the scan schedule, which defines how often to query AWS.
  7. Click Create.

Discovery process

After you save an Amazon EC2 centralized scanning profile, the following actions occur:

  1. On the scheduled interval, the Tanium Module Server uses the AWS API to query your EC2 environment.
  2. All of the information comes from the AWS API; the discovery method does not contact the individual EC2 instances.
  3. Results are imported into Discover at the Reissue every interval that you defined.

An EC2 instance with multiple NICs results in multiple interfaces in Discover, one for each NIC.

If you have enabled Endpoint Configuration approval, configuration changes must be approved in Endpoint Configuration before they deploy to endpoints.
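The EC2 discovery process above, shown as an added example that is not Tanium code: a constructed DescribeInstances-style response (the shape boto3 returns) is flattened into one interface record per NIC, which is what the page says Discover produces for a multi-NIC instance. No API call is made, matching the point that instances themselves are never contacted; `interfaces_from_describe_instances` is a name chosen for this example.

```python
# Constructed sample in the shape of an EC2 DescribeInstances response: one instance
# with two network interfaces, one of which also has a public IP association.
SAMPLE_RESPONSE = {
    "Reservations": [{
        "Instances": [{
            "InstanceId": "i-0123456789abcdef0",
            "ImageId": "ami-0abcdef1234567890",
            "NetworkInterfaces": [
                {"MacAddress": "0a:1b:2c:3d:4e:5f", "PrivateIpAddress": "10.0.1.25",
                 "Association": {"PublicIp": "203.0.113.10"}},
                {"MacAddress": "0a:1b:2c:3d:4e:60", "PrivateIpAddress": "10.0.2.25"},
            ],
        }],
    }],
}


def interfaces_from_describe_instances(response):
    """Flatten a DescribeInstances response into one record per NIC.

    The records are keyed the way Discover identifies interfaces: by MAC address,
    which every EC2 network interface carries. Nothing here touches the instance.
    """
    records = []
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            for nic in instance.get("NetworkInterfaces", []):
                records.append({
                    "mac": nic["MacAddress"].lower(),
                    "ip": nic["PrivateIpAddress"],
                    # Public IPs live under Association and are absent for private-only NICs.
                    "public_ip": nic.get("Association", {}).get("PublicIp"),
                    "instance_id": instance["InstanceId"],
                    "image_id": instance.get("ImageId"),
                })
    return records


if __name__ == "__main__":
    for rec in interfaces_from_describe_instances(SAMPLE_RESPONSE):
        print(rec)
```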

Centralized scan results

Scan results

After you discover interfaces, the Interfaces pages list the interfaces with an icon that marks each of the following types:

  • Managed: interfaces that have the Tanium Client installed.
  • Unmanaged: interfaces that do not have the Tanium Client installed, but might be candidates for a Tanium Client installation.
  • Unmanageable: interfaces on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, as defined by the Unmanageable OS Platforms predefined automatic label. Unmanageable interfaces are not included in the managed and unmanaged interface statistics.

The profile type and discovery method that were used to find the interface return varying columns on the Interfaces pages. For more information, see Reference: Data returned by profile type.

What to do next