Configuring Map

If you did not install Map with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Map action group to target the No Computers filter group by enabling restricted targeting before adding Map to your Tanium licenseimporting Map. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Map action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Map with automatic configuration, the following default setting is configured:

The following default setting is configured: 

Setting Default value
Action group
  • Restricted targeting disabled (default): All Windows Servers and All Linux computer groups
  • Restricted targeting enabled: No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Map, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Prepare endpoints

Windows systems

Install the Tanium Event Recorder Driver on Windows servers. If you want to extend the scope of your Map deployment to include other Windows devices, make sure that the Tanium Event Recorder Driver is installed on the additional devices.

  1. From the Tanium Home page, ask the question: Get Tanium Driver Status from all machines with Windows OS Type contains Windows Server and click Search.
  2. Select Install Recommended.
  3. From the Deploy Action page, select Install Tanium Driver.
  4. Validate successful installations by checking the validation query that runs at the end of the package installation.
  5. Collect the action logs from any endpoints that fail the validation query using Live Response.
  6. Run the action Remove Tanium Driver on any endpoints that return anything other than SERVICE_RUNNING for the Tanium Event Recorder Driver service status.

Linux systems

Install and enable the audit daemon and disable raw logging on Linux systems.

  1. Verify that the recent stable version of the audit daemon and audispd-plugins are installed. From the Tanium Home page, ask the question: Get Running Processes contains auditd from all machines with Is Linux contains true. For more information, see Identify Linux endpoints that are missing auditd .
  2. Verify that raw logging is disabled.
    1. Ask the question: Get Client Extensions - Status from all machines with Is Linux contains true. If raw logging is enabled, a health_check status is returned.

      If you do not have the Client Extensions - Status sensor, you can get the Tanium CX content by installing Tanium Client Management. See Tanium Client Management User Guide.

    2. Deploy the Recorder - Disable Raw Logging [Linux] package to Linux endpoints to disable raw logging. This package edits the auditd.conf file with the appropriate settings.
  3. Check if any other tools outside of Tanium are used to modify the audit daemon.

Configure Map

Configure Map action group

Importing the Map module automatically creates an action group to target specific endpoints in the All Windows Servers and All Linux computer groups. If you did not use automatic configuration or you enabled restricted targeting when you imported Map, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Map, configuring the Map action group is optional.

If you update the action group from the default, verify that the Tanium Event Recorder Driver is installed on the endpoints in the computer group. See Prepare endpoints.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. In the list of action groups, select Tanium Map.
  3. Click Edit, select computer groups to include in the action group, and click Save.

After deploying the tools for the first time, endpoints can take up to 20 minutes to return results that can be seen in application discovery or endpoint maps.

Set up Map users

You can use the following set of predefined user roles to set up Map users.

To review specific permissions for each role, see User role requirements.

On installation, Map creates a Map user to automatically manage the Map service account. Do not edit or delete the Map user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Map Administrator

Assign the Map Administrator role to users who manage the configuration and deployment of Map functionality to endpoints.
This role can perform the following tasks:

  • Configure Map settings
  • Read and write map application definitions

Map Operator

Assign the Map Operator role to users who manage the configuration and deployment of Map functionality to endpoints.
This role can perform the following tasks:

  • Configure Map operator settings
  • Read and write map application definitions

Map Read Only User

Assign the Map Read Only User role to users who only view maps.
This role can perform the following tasks:

  • Read map application definitions
  • Read Map operator settings

Map Endpoint Configuration Approver

Assign the Map Endpoint Configuration Approver role to a user who approves or rejects Map configuration items in Tanium Endpoint Configuration.
This role can perform the following tasks: approve, reject, or dismiss changes that target endpoints where Map is installed.

Do not assign the Map Service Account role to users. This role is for internal purposes only.