Managing packages

Packages overview

A package configuration includes settings, a command, a script, and any other files needed to orchestrate an action on a managed endpoint. You deploy packages through the action deployment workflow, which you initiate from the Interact Question Results page (see Deploying actions) or from the Packages page (see Deploy actions from the Packages page).

The Tanium Client service runs with the permissions of the LocalSystem account (Windows) or root account (non-Windows), so it can perform almost any command line instruction available to an Administrator user who is signed in to the endpoint. Consequently, even if signed-in users do not have administrative rights, a Tanium Console user can deploy actions to the endpoint that install, update, or remove client applications as long as those applications meet the following conditions:

  • The applications are installed from a command line using the permissions of the LocalSystem account or root.
  • The applications are configured to suppress any interaction with an end user who is signed in to a target endpoint at installation time.
  • The applications can be dynamically customized at installation if necessary through options, switches, or input files passed to the application installer.

If the required executables, scripts, and configuration files do not natively have these characteristics, you might be able to use a commercial software packaging tool such as InstallShield or an open-sourced application like Nullsoft Scriptable Install System to create a new version of the installer.

You can use the Tanium Core Platform to track the count of installed applications, as well as whether those applications are being used. Therefore, before installing new software or upgrading versions of existing software, verify that your organization owns the required number of licenses or meets the Acceptable-Use criteria to centrally distribute and install the commercial or open-sourced software to endpoints within your organization.

Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you disable any of these features on Windows endpoints, Tanium functionality is limited.

For the role permissions that are required to manage package configurations, see Manage packages.

Tanium might deliver package files from third-party providers. For more information on each package, see the README.txt file that is referenced with the package.

To troubleshoot issues relating to package downloads, see Troubleshoot actions.

View package details

  1. From the Main menu, go to Administration > Content > Packages.

    The Packages grid displays most of the attributes that are described in Table 1.

  2. (Optional) To display attributes that the grid hides by default, click Customize Columns Customize columns and select the attributes.
  3. (Optional) Use the filters to find specific packages:
    • Filter by text: To filter the grid by package Name, Display Name, or Command, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the ExpandFilters section, click AddAdd, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. To see all the attributes of a particular package, click the package Display Name. Table 1 describes the package attributes.

Edit a package

As a best practice, do not edit predefined packages that are provided through Tanium content-only solutions. For details, see Tip 4: Limit customizations to Tanium content. Contact Tanium Support if editing the Tanium-provided packages is necessary. Alternatively, you can clone Tanium-provided packages (see Clone a package) and edit the copies. You can also edit custom packages that you created from scratch.

To change the content set assignment for multiple packages that must belong to the same set, see Move packages between content sets.

  1. From the Main menu, go to Administration > Content > Packages.
  2. (Optional) Use the search and column sorting features to find the package you want to edit.
  3. Click the package Display Name.
  4. Click Edit Mode, configure the settings described in Table 1, and click Save.

Move packages between content sets

You can move packages between content sets as necessary to accommodate changes to the role-based access control (RBAC) configuration of your Tanium deployment. For example, you might want to move certain packages to a content set that only highly privileged users can access.

  1. From the Main menu, go to Administration > Content > Packages.
  2. Select the package and click Move to Content Set.
  3. Select a content set and click Confirm.

Re-download package files

Tanium™ Cloud The Tanium Server stores package files in its cache. If updated file versions are available, or re-downloading the current file versions is necessary for troubleshooting, you can manually re-download to Tanium™ Cloudthe server so that it deploys the correct files to endpoints. Note that Tanium™ Cloudthe server automatically retries downloading every few minutes if the initial download failed for a package.

To download the files of a package associated with an action, go to Administration > Actions > Scheduled Actions, select the action, and click Show Status.

  1. From the Main menu, go to Administration > Content > Packages and select the package for which you want to download files.
  2. Click Status.

    A pop-up displays the status.

  3. Click Re-Download for each file that you want to re-download, or click Re-Download All to re-download all the files.

Tip: If you want Tanium Cloudthe Tanium Server to automatically check for, and download, updated versions of remote package files, set a Check for update interval in the package configuration (see Files).

Clone a package

Cloning is useful when you need to:

  • Create a modified version of a predefined package from a Tanium content-only solution such as Default Content.

    Do not modify the original Tanium package.

  • Create a new package with settings that differ only slightly from an existing package; this is often easier than creating a new package from scratch.

Perform the following steps to clone a package:

  1. From the Main menu, go to Administration > Content > Packages.
  2. Use the search and column sorting features to find the package that you want to clone.
  3. Select the package and click Clone.
  4. Configure the settings as described in Table 1 and click Save.

Create a package

  1. From the Main menu, go to Administration > Content > Packages.
  2. Click New Package, configure the following settings, and click Save.
 Table 1: Package configuration guidelines
Settings Guidelines
Package Name Specify a configuration name to identify the package. For sensor-sourced packages, you have the option to use a sensor variable in the package name. See Package settings.
Display Name (Optional) Specify a name to display for the package in the Packages page and Action Deployment page. If you do not enter a value, the Package Name is the default Display Name.
Content Set Assign the package to a content set. The list displays all content sets for which you have Write Package permission. If you do not select a content set, the Default set is assigned.
Command Specify the command to run on the endpoint.

For details about the commands and scripts for parameterized packages, see Example: Parameterized packages.

For details about the commands and scripts for sensor-sourced packages, see Example: Sensor-sourced packages.
Command Timeout and Download Timeout These timeouts affect the state (Completed, Expired, or Failed) of an action that uses the package. The Download Timeout is the amount of time available to download packages files. The Command Timeout is the amount of time available for the command to run. For details on all the settings that determine action states, see View action status.
Ignore action lock Enable endpoints to execute actions that include this package regardless of whether action locks are on for those endpoints. Use this option in packages that are critical for the health and security of a network. For details, see Managing action locks.
Launch this package in a process group Run the package command within a process group. When the command completes or times out, the process group and any remaining descendant processes are killed.

By default, you cannot change this setting and its default state depends on how the package was added:

  • You created the package through the Tanium Console: The check box is selected by default.

  • You manually imported the package or the Tanium ServerTanium Cloud automatically imported the package: When you view the configurations of Tanium-defined packages, the check box is selected for most packages but deselected for those that must run processes outside of a process group. When you manually import a package file, the check box is deselected unless you set the <process_group_flag> to 1 in the file before importing.

For most packages that you create or manually import, running processes within a process group is the best practice. Some exceptions are:

  • Packages that initiate an installation process that must be able to run beyond the command completion or timeout.

  • A process that must run constantly. For example, some Tanium modules have predefined packages that initiate long-running indexing processes.

To change the Launch this package in a process group setting after you import a package, or while you are creating or editing the package, first make the setting editable as follows:

  1. From the Main menu, go to Administration > Configuration > Settings > Platform Settings.

  2. Set Run Commands in Process Group to ON and click Save All.
Files To select files for the package, select an option in the Add dropdown list:
  • Local Files: Upload one or more files from your local host computer by drag-and-dropping them or by clicking Browse for Files. When you upload it, a SHA-256 hash is generated.
  • Remote File: Enter the File Address, enter the file Name, select a Check for update option, and optionally enter a SHA-256 hash.

Each package can have a maximum of 100 files.

To view or edit file settings for an existing package, select the file name in the list. You can filter the list by entering a search string in the Filter by File Name field.

All the files related to packages are stored in a sub-directory of the Tanium Server installation directory.
Parameter Inputs (Parameterized packages only) Expand Expand the Parameters section and, for each parameter, perform the following steps. For details on the parameter types and their settings, see Parameter input settings.
  1. Select Add Parameter > <Type>.
  2. Select a time format for any date- or time-based parameter:
    • Local Time (default) is local to the system that you use to access the Tanium Console
    • Coordinated Universal Time (UTC)

    This setting applies only to date-time parameters that you see while configuring the package. The setting is not saved with the package configuration.

  3. Configure the settings for the selected input type.
Verification Query Configure a preview question that indicates whether an action that used the package produced the expected results on endpoints. When you run the action, the Action Status page shows the verification states and the Client Status Details section shows the endpoints for which the action is verified (see Action states). You require the Read Sensor permission on the Reserved content set to issue the Verification Query.
  1. Click Add, use the Filter Bar, Filter Builder, or Manual Group tab to build the filter part of the question, and then click Confirm.
  2. Specify a verification failure timeout. The clock begins when the action finishes. If the action is not verified within the timeout period, the Tanium Client reports the action state is Failed.

Export or import packages

The following procedures describe how to export and import specific packages or all packages.

Develop and test custom content in your lab environment before importing that content into your production environment.

Export packages

Export packages as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the packages with the same attributes (columns) as the Packages page displays.

  • JSON: If you are assigned a role with the Export Content permission, you can export package configurations as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission. The export file contains only the configuration settings, not associated files.

Perform the following steps to export packages:

  1. From the Main menu, go to Administration > Content > Packages.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific packages. If you want to export all packages, skip this step.
  4. Click Export Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All packages in the grid or just the Selected packages.

  7. Select the file Format:

    • List of Packages - CSV

    • Package Definitions - JSON (Administrator reserved role only)

  8. Click Export.

    Tanium CloudThe Tanium Server exports the file to the downloads folder on the system that you use to access the Tanium Console.

Import packages

Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or sensor configurations) that are in JSON format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
    You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

    If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

    Perform the next step only for imported packages that reference other files. You must manually download these files on the Tanium Server because the file that you imported contains only the package configurations, not associated files.

  7. For each package that you imported, select the package, click Status, and click Re-Download All to download the referenced files.

    If the Tanium Server cannot access a file location, move the file to an accessible location, change the File Address in the package configuration (see Edit a package), and repeat this step.

Copy package configuration details

Copy information from the Packages page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Packages.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.

Deploy actions from the Packages page

You can configure an action to deploy any package from the Packages page except for sensor-sourced packages (see Example: Sensor-sourced packages). You can deploy actions for sensor-sourced packages only from the Question Results page (see Deploying actions).

You require a role with Action write and Sensor read permissions to deploy actions.

  1. From the Main menu, go to Administration > Content > Packages.

  2. Select a package, click Deploy Action, and complete the action deployment workflow as described in Deploying actions (skip the first step in the workflow).