Tanium™ Patch 2.3 User Guide

PDF 2.3
PDF 2.2
  • All Files
Documentation Home > Tanium Patch User Guide

Configuring TDownloader for Linux endpoints

To use Patch on Red Hat Linux endpoints, you must configure Tanium Downloader (TDownloader) to use certificate authentication for downloads to the Red Hat Satellite server. For more information about TDownloader, see Tanium Core Platform Installation Guide: TDownloader.

The available scanning techniques include Repo Scan and Tanium Scan. For the Repo Scan technique, you can use all repositories from which an endpoint can pull. For the Tanium Scan technique, you must use Red Hat Content Delivery Network, Red Hat Satellite 6 or later, or custom repositories.

Before you begin

Ensure that you meet the following prerequesites:

  • Tanium Platform 7.2.314.3235 or later.
  • Tanium Client 6.0.314.1554 or later.
  • Patch 2.3.5 or later.
  • YUM version 3.2.29-17.el6 or later.
  • Enable the RedHat/CentOS Linux option in the Operating Systems tab of the Patch Settings .
  • In the Configuration Settings tab of the Patch Settings , set the Patch List Applicability Bin Count value to 10. For more information about how to fine-tune this setting, consult your TAM.
  • (Optional) Add any custom YUM repositories in the YUM Repositories tab of the Patch Settings .
  • Obtain a valid SSL client certificate and private key and the SSL certificate authority (CA) certificate of the satellite server from the Red Hat, Inc. website. For more information, see Creating a Red Hat certificate for Tanium downloads (login required) and Reference: TDownloader (login required).

Configure TDownloader on Tanium™ Appliance

  1. Upload the SSL client private key and client certificate to your Tanium Appliance. Use SFTP with the tancopy account and copy the files to the /incoming folder.
  2. Using the TanOS menu, verify that the Tanium Server can reach cdn.redhat.com or the Red Hat Satellite server by name:
    1. Enter 3 to go to the Tanium Support menu.
    2. Enter 4 to go to the Run Network Diagnostics menu.
    3. Enter 1 to select the Ping Remote System option.
  3. On each Tanium Server, add the CA root certificate for the Red Hat Satellite or content delivery network (CDN) server:
    1. Enter 2 to go to the Tanium Operations menu.
    2. Enter 2 to go to the Tanium Configuration Settings menu.
    3. Enter 12 to go to the Control RedHat CA Cert menu.
    4. Enter 2 to select the Install redhat-uep.pem option.
  4. On each Tanium Server, add the Red Hat Entitlement client certificate and key:
    1. Enter 2 to go to the Tanium Operations menu.
    2. Enter 2 to go to the Tanium Configuration Settings menu.
    3. Enter 4 to select the Add Tanium Server TDL Auth Cert option.
    4. Enter the URL (https://cdn.redhat.com or the Red Hat Satellite server), client certificate file name, and the SSL client private key file name at each prompt.
    5. At the #Line Content display, enter R to return to the previous menu.

For more information, see Tanium Appliance Deployment Guide: Manage authentication certificates for Tanium Patch connections with Red Hat.

Configure TDownloader on Windows

  1. Copy the SSL client private key, client certificate, and satellite server certificate to your Tanium Server.
  2. Ensure that the Tanium Server can reach cdn.redhat.com or the Red Hat Satellite server by name.
    Example:
    ping cdn.redhat.com
  3. On each Tanium Server, configure TDownloader to use certificate authentication for downloads to the Red Hat Satellite server.
    Example:
    cmd-prompt>TDownloader.exe add-auth-cert --url https://cdn.redhat.com --cert C:\client-certificate.pem --key C:\client-key.pem
    where:
    • https://cdn.redhat.com is the URL prefix for the satellite server download URLs
    • C:\client-certficate.pem is the client certificate
    • C:\client-key.pem is the client certificate private key
  4. Check the TDownloader config to see that your certificate has been configured.
    cmd-prompt>TDownloader.exe config list
Keys:
  - Auth:
        - Auth.0:
          - Auth.0.Certificate: -----BEGIN CERTIFICATE-----
MIIFPTCCBCWgAwIBAgIIbY/mIdQbgMowDQYJKoZIhvcNAQEFBQAwgYwxCzAJBgNV
BAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwHUmFsZWln
aDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9yZ1VuaXQxKjAoBgNV
BAMMIXJoZWxwYXRjaHNhdGVsbGl0ZTAxLnByb2RxYS5sb2NhbDAeFw0xODA0MjAw
NDAwMDBaFw0xOTA0MjAwMzU5NTlaMEYxGTAXBgNVBAoMEHRhbml1bV9wYXRjaF9k
ZXYxKTAnBgNVBAMTIDBjYjk4NjcyZjBhNTQ0MDJhNzIzYmNjOGI5ODFjYTg3MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXPySC20fPzMreenmX+4mUhS
s/cdArQZOeeKliCdXI7Q/ZW0ZrhsgmMZTL+BNbZKUp72e0L3GF3yj0wx/8LWRLVC
S9AaZdbXmJRK7B5mwpQaLtfuE93bJIkmBbzKA49jiwFdDE0J6v+wj0NgBZ3hr0NH
V2O1hAwar2xkzz9fCTwyAR6d2I9Dpcfua8nH0ybO5kR8v1Epp70vw9/uMmGM3PCe
YFX81ll3wxStbHj/DznUzQ/vFE0SZxLXh9LyWy9Nq+obLaFeDxJ0DT7iXotwVqWs
Qow/upQ60vuYpAT57JM5tkrP+rKcct+TVVJNS/QmJC3yOwZWf8rIISRH4cb+GQID
AQABo4IB5jCCAeIwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIEsDCBwQYD
VR0jBIG5MIG2gBRNdbtnITo9NxbcUdarkRIJv464dqGBkqSBjzCBjDELMAkGA1UE
BhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdo
MRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEqMCgGA1UE
AwwhcmhlbHBhdGNoc2F0ZWxsaXRlMDEucHJvZHFhLmxvY2FsggkAx2ndp2OhmcYw
HQYDVR0OBBYEFHX7IDsUYNAZdI5dBxckm5a8y60aMBMGA1UdJQQMMAoGCCsGAQUF
BwMCMBIGCSsGAQQBkggJBgQFDAMzLjMwFAYJKwYBBAGSCAkIBAcMBUJhc2ljMIGd
BgkrBgEEAZIICQcEgY8EgYx42i2MMQrDMBAE9zFukyYgfyJdHmDO8oIEis7cXYz9
e8ck1UwxjNM2GsbXj1bYsFQP6BpVuzRk7cEeSP8kYYRL3EK1OZ51NrED6f5ASK+f
97RK5DIt3KAO7mHiGIyN4rwGw/wVsVxwAp4aKvUSzZXb1epTaC96MJ25BX5rmucc
vyYlbSe9CpomkcWhADANBgkqhkiG9w0BAQUFAAOCAQEAubxqAqH/IQqIODQwaX9x
NrIuJp3qWIUFjxZ1Vby4lEg2xmwfBtvNKminJBWNwOMZjq40xrEz0C2sxqkr/npv
cbI4MMdQX1rdxMwsntgUZK8ApRR/pPwyxqAoa8IjahVBHNdFoA4+BBjcLcvzA1PB
PReiXo0GS2gQQAb8U7d/jBTG1gm3ZpJFBxv7NBM9tEey3DwzP5LWPnZZmstRrlfx
7sb5J/2zLvWuMG+dMJ5jkgUKTuNdccdBP9PEVrAKiDuoLCl4UqnP0YzMJd+e9Ktx
FC1QCICFUQLhZ/QVAhh8hIw0jSxIcGN+KVJF52BGdzUxvoidfqtMsjc/8NSTRk+T
/g==
-----END CERTIFICATE-----
     
  - Auth.0.PrivateKey: (protected)
  - Auth.0.URL: https://rhelpatchsatellite01.prodqa.local
 - LogVerbosityLevel: 41
 - ProxyPassword:
 - ProxyPort:
 - ProxyServer:
 - ProxyType: NONE
 - ProxyUserid:
 - TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
 - TrustedHostList: localhost,tanium.local,win-2012-r2
  5. To configure TDownloader to work with the Red Hat CDN, append the PEM-encoded certificate for cdn.redhat.com to the end of the certificate file (C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt) that is configured in TDownloader for the TrustedCertPath value, as shown in the previous step, using a plain text editor.

Last updated: 2/5/2019 4:40 PM | Feedback