Performing quarterly maintenance

Review and update backups and the disaster recovery plan

Verify that a backup of your Tanium deployment is stored in a safe location. Create the backup if it does not exist:
- Tanium Appliance Deployment Guide: Reference: TanOS backup and recovery
- Tanium Core Platform Deployment Guide for Windows: Back up the servers and database
Review the disaster recovery plan for all your Tanium Core Platform servers. Update the plan if necessary to accommodate changes to the deployment:
- Tanium Appliance Deployment Guide: Reference: Define a disaster recovery plan
- Tanium Core Platform Deployment Guide for Windows: Back up Tanium Core Platform servers and databases
Generate support bundles for all the Tanium solutions in your Tanium license every 90 days and store each set of bundles for 180 days. For the steps to generate a support bundle for a solution, see the corresponding user guide:

Test disaster recovery during annual maintenance.

Verify the grub key backup (physical or virtual Appliance only)

You can use the grub key during the boot sequence to diagnose and recover from failure conditions. During recovery, you must provide the key to Tanium Support for a technician to extract the grub password.

Verify that a backup of the latest key resides in a safe location off the Appliance.

A new backup is required whenever the key password is regenerated. See Tanium Appliance Deployment Guide: Change the grub key password.
Export the key and save it in a safe location if no backup exists or if the current backup is not the latest. See Tanium Appliance Deployment Guide: Export the grub key.

Review and update Console user accounts

Review user settings, and update them if necessary, to ensure that account configurations reflect personnel changes as users leave, join, or change roles in your organization:

From the Main menu, go to Administration > Permissions > Users.
Review the following settings:
- Name: If the Users grid is missing accounts, see Tanium Console User Guide: Create a user. If the grid lists accounts for users who are no longer active, see Tanium Console User Guide: Delete, un-delete, or lock out a user.the steps to add them depend on the type of identity store:
  - Remote: Work with your identity store administrator to verify that the accounts exist on the Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server and add the accounts if necessary. If the accounts already exist, verify that the LDAP/AD server connection and synchronization settings are correct. See Tanium Console User Guide: Configure an LDAP server.
  - Local (Tanium Server): See Tanium Console User Guide: Create a user.
  If the Users grid lists accounts for users who are no longer active, see Tanium Console User Guide: Delete, un-delete, or lock out a user.
- Locked Out: If the Users grid indicates that certain accounts are locked out, see Tanium Console User Guide: Locked-out users.
- Last Sign In: If the Users grid indicates that certain users have not signed in for a long time, verify that their accounts are still required. For example, a user administrator might have created accounts only for temporary testing, or users might have left your organization. If any accounts are no longer required, see Tanium Console User Guide: Delete, un-delete, or lock out a user.
- RBAC assignments and authentication: Verify that the appropriate computer groups, user groups, personas, and roles are assigned to user accounts and that they use the appropriate authentication services. See Review and update RBAC permissions and authentication settings.

For details about user accounts, see Tanium Console User Guide: Managing users.

Review and update RBAC permissions and authentication settings

RBAC permissions control what individual Tanium Console and Tanium™ API users can see and do with the Tanium Core Platform, and which endpoints they can monitor and manage. The permissions derive from personas, roles, user groups, and computer groups that are assigned to user accounts. To ensure that users can access all the Tanium features they need but without access to sensitive information they do not need, review and, if necessary, update their permissions. Also review how users are configured to authenticate for Tanium Console and API access.

If it is not feasible to review the RBAC permissions of every user on a quarterly basis, review a sample that is representative of the different types of users in your environment.

For each user, open the Preview User page and review the assigned permissions. See Tanium Console User Guide: View effective role permissions for a user.
The page lists all the permissions that are directly assigned to the user account through roles or that are inherited from user groups. The page also lists the personas and computer groups that are assigned to the account.
Create, edit, reassign, or delete RBAC configurations if necessary to update user permissions. For the steps, see the following sections in the Tanium Console User Guide:
Verify whether any users can access the Tanium Console through local authentication if your organization allows that.

For details and related tasks, see the following sections in the Tanium Console User Guide:
- User authentication
- Disable or enable local user access
If you use an external service for authentication, maintain at least one user account that relies on local authentication and assign the Administrator reserved role to that account.

Review and update TanOS user accounts (Appliance only)

On each appliance, review the TanOS system users to ensure that they can access the Appliance operating system and that they have the appropriate authentication settings. For example, users who authenticate through passwords must comply with the password policy of your organization. See Tanium Appliance Deployment Guide: Modify the local authentication service security policy.

The predefined roles for TanOS system users include:
- tanadmin: Users with this role can access all TanOS console menus. It is useful to have more than one tanadmin user in case you forget the password for the initial tanadmin user that is created during Appliance setup.
- tancopy: Users with this role can copy files to and from the /incoming and /outgoing directories on the Appliance.
- tanuser: Users with this role can access only status menus in the TanOS console.
For details and procedures, see Tanium Appliance Deployment Guide: Reference: User Administration menu.
Verify that the predefined tanremote user account is present if you configured an Integrated Dell Remote Access Controller (iDRAC) interface on the physical Appliance. The account provides remote access to the iDRAC virtual console. This is useful for diagnosing hardware and network interface issues if the TanOS system becomes unavailable. For details and procedures, see Tanium Appliance Deployment Guide: Manage the iDRAC interface.

Review and update site bandwidth throttles

Site bandwidth throttles are subnet-specific throttles that are more restrictive than the global throttles that apply to the rest of your network. Review the site throttles and, if necessary, update them. Disruptions to Tanium CloudTanium Core Platform functions might occur if they consume too much bandwidth or do not have enough bandwidth to perform operations at a reasonable speed.

For details about site throttles, see Tanium Console User Guide: Site throttles.

Check the delays for site throttles to evaluate the current risk of disruptions to Tanium functions. See Tanium Console User Guide: Verify throttle delays.
Update the site throttles if necessary. See Tanium Console User Guide: Configure site throttles.

Delete unnecessary computer groups

Users might create computer management groups and filter groups for time-limited activities that are no longer relevant. For example, a user might create a group for initial testing of a new feature after a Tanium solution update and then never use the group after testing finishes. In a Tanium deployment with numerous obsolete computer groups, users might struggle to identify the groups that are still relevant for ongoing activities, such as filtering questions and deploying actions.

For details about computer groups, see Tanium Console User Guide: Computer groups overview.

Review the existing computer groups and delete any that are no longer useful or that have memberships that duplicate other groups:

Review computer groups. See Tanium Console User Guide: View computer group details.
Delete computer groups. See Tanium Console User Guide: Delete computer groups.

Review and update scheduled actions

You can reduce resource use on Tanium Cloudthe Tanium Server and Tanium Clients by deleting actions that are no longer useful or that duplicate other actions.

Do not delete actions unless you understand the full impact.

For details about scheduled actions, see Tanium Console User Guide: Managing scheduled actions and action history.

From the Main menu, go to Administration > Actions > Scheduled Actions.

Expand the

Filters section and configure a filter based on an attribute that helps you determine whether actions are still useful. The following filters are examples:

Attribute	Operator	Value	Explanation
Status	is equal to	Disabled	Assess whether actions that are currently disabled might be enabled for future use. If a user disabled an action because it will never be useful, delete it.
Issuer	is equal to	<user name>	Knowing the action issuer (owner) can help you assess whether an action is still needed. The issuer can be: taniumconsoleAdministrator (Windows) or tanium (Appliance): This is the account that Tanium solution services use to issue actions. For example, when you save a scan profile in Discover, the module automatically creates a corresponding scheduled action with taniumconsoleAdministrator as the issuer. Scheduled actions that Tanium Cloudthe Tanium Server automatically imports through content-only solutions (such as Core Content) also have taniumconsoleAdministrator or tanium as the issuer. Tanium solution: Tanium modules and shared services have solution-specific content that might include scheduled actions that the solution runs. For example, Tanium Endpoint Configuration is the issuer for the Endpoint Configuration - Manifest actions. To understand the purpose of these actions and the consequences of deleting them, see the user guides for the associated solutions. Tanium user: Users might create scheduled actions for activities that are no longer relevant. For example, a user might create an action for initial testing of a new feature after a Tanium solution update and then never use the action again after testing finishes.

Attribute

Operator

Value

Explanation

Status

is equal to

Disabled

Assess whether actions that are currently disabled might be enabled for future use. If a user disabled an action because it will never be useful, delete it.

Issuer

is equal to

Knowing the action issuer (owner) can help you assess whether an action is still needed. The issuer can be:

taniumconsoleAdministrator (Windows) or tanium (Appliance): This is the account that Tanium solution services use to issue actions. For example, when you save a scan profile in Discover, the module automatically creates a corresponding scheduled action with taniumconsoleAdministrator as the issuer.
Scheduled actions that Tanium Cloudthe Tanium Server automatically imports through content-only solutions (such as Core Content) also have taniumconsoleAdministrator or tanium as the issuer.
Tanium solution: Tanium modules and shared services have solution-specific content that might include scheduled actions that the solution runs. For example, Tanium Endpoint Configuration is the issuer for the Endpoint Configuration - Manifest actions. To understand the purpose of these actions and the consequences of deleting them, see the user guides for the associated solutions.
Tanium user: Users might create scheduled actions for activities that are no longer relevant. For example, a user might create an action for initial testing of a new feature after a Tanium solution update and then never use the action again after testing finishes.

To disable actions that you want to stop deploying now but that you might deploy again in the future, select the actions and select More > Disable Action(s).
To delete actions that are no longer useful, select the actions and select More > Delete.
To troubleshoot actions, see Tanium Console User Guide: Monitor actions.

Review and update Comply assessments

Go to Modules > Comply > Assessments and review the Status of assessments for errors or warnings. See Tanium Comply User Guide: Status definitions.
Investigate the error for each assessment.

To issue a question that returns details about all the endpoints associated with scan errors, click the Scan Errors value above the grid.

In the assessment row, click Additional Data , scroll to Endpoint Statistics, and click the Scan Errors value.
Click the Endpoints value to issue a question that returns details about the affected endpoints. You can then review the results and, optionally, issue a drill-down question to investigate the errors. See Tanium Console User Guide: Managing question results.

Troubleshoot assessments if necessary to resolve issues related to endpoint compliance distribution. See Tanium Comply User Guide: Troubleshooting.
Edit assessments if necessary to resolve issues. See Tanium Comply User Guide: Edit an assessment.
Delete outdated assessments and create new assessments if updated versions of configuration compliance standards are released. See Tanium Comply User Guide: Creating compliance assessments.

Assessments that you delete on the Assessments page are removed from Tanium Cloudthe Tanium Server but not from endpoints. Delete stale assessments from endpoints whenever you delete them from Tanium Cloudthe server if retaining the associated data is no longer necessary. Otherwise, delete assessments from endpoints at intervals that preserve the data for a useful period without allowing the assessments to use too much disk space on endpoints. Base the intervals on how often users delete assessments from Tanium Cloudthe server. See Tanium Comply User Guide: Delete stale assessments from endpoints.

Review and update custom action groups for Deploy

If you install Deploy with default settings, it includes the Tanium Deploy action group, to which the All Computers computer group is assigned. If you changed computer group assignments for the Tanium Deploy action group, or if you created custom action groups for Deploy, review those action groups and, if necessary, update them. For example, if you discover that the Deploy tools are not installed on all the necessary endpoints, you might have to change the computer group assignments in the Tanium Deploy action group.

From the Main menu, go to Administration > Actions > Action Groups.
Use the filters to list only the groups that are for Deploy operations. See Tanium Console User Guide: View action groups.
For example, if the custom action groups all have the string "Deploy" in their names, enter Deploy in the Filter items field.
Edit, create, or delete action groups if necessary to ensure Deploy targets the correct computer groups. See Tanium Console User Guide: Managing action groups.

Review and update custom action groups for Patch

If you install Patch with default settings, it includes the Patch action group, to which the Patch Supported Systems computer group is assigned. If you changed computer group assignments for the Patch action group, or if you created custom action groups for Patch, review those action groups and, if necessary, update them. For example, if you discover that the Patch process is not starting on all the necessary endpoints, you might have to change the computer group assignments in the action group that is specified for Patch - Start Patch Process actions.

From the Main menu, go to Administration > Actions > Action Groups.
Use the filters to list only the groups that are for Patch operations. See Tanium Console User Guide: View action groups.
For example, if the custom action groups all have the string "Patch" in their names, enter Patch in the Filter items field.
Edit, create, or delete action groups if necessary to ensure Patch targets the correct computer groups. See Tanium Console User Guide: Managing action groups.