Reference: Appliance configuration

You are prompted to configure basic host and network settings when you complete the initial configuration. Use the Appliance Configuration menu to modify the configuration.

Changes to the network configuration do not go into effect until you restart network services. If you connect over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection terminates.

Modify the host name and DNS configuration

Host, domain, DNS server, and /etc/hosts settings are configured during the initial setup. If necessary, you can use the Hostname/DNS Configuration menu to make changes.

Modify the host name

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 1 to go to the Hostname/DNS Configuration menu.
  4. Enter 1 and follow the prompts to change the host name and domain name.

Modify the DNS server

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 1 to go to the Hostname/DNS Configuration menu.
  4. Enter 2 and follow the prompts to modify the DNS server configuration.

Modify the hosts file

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 1 to go to the Hostname/DNS Configuration menu.
  4. Enter 3 and use the hosts menu to update the /etc/hosts file.

Modify the network interface configuration

Contact Tanium Support before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations. For information on how to contact Tanium Support, see Contact Tanium Support.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 2 to go to the Networking menu.
  4. Enter 1 to go to the Network Interfaces menu.
  5. Enter the line number of the interface that you want to configure to go to the selected Network Interface menu.
  6. Use the menu to change the IP address, MTU size, or up/down status.

Set up an IPsec tunnel

Use IPsec to ensure end-to-end security between two Tanium Server appliances. An IPsec tunnel is automatically configured when you install an Appliance Array.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Tanium Server appliance
    • Second Tanium Server appliance
  2. Sign into each of the Tanium Server appliances as a user with the tanadmin role and go to the IPsec menu:
    1. Enter A to go to the Appliance Configuration menu.
    2. Enter 2 to go to the Networking Configuration menu.
    3. Enter 2 to go to the IPSEC menu.
  3. On the second appliance, copy the IPsec host key to the clipboard:
    1. From the IPSEC menu (A-2-2), enter 1 to view the local IPsec host key.
    2. Copy the key to the clipboard.
  4. On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance.
  5. On the first appliance, copy the IPsec host key to the clipboard:
    1. From the IPSEC menu, enter 1 to view the local IPsec host key.
    2. Copy the key to the clipboard.
  6. Go to the second appliance and complete the IPsec configuration:
    1. From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
    2. Enter 6 to test the connection from the second appliance.
  7. Go back to the first appliance and enter 6 to test the connection.

Modify the routing configuration

You can add a static route, if necessary.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 2 to go to the Networking menu.
  4. Enter 3 to go to the Routing menu.
  5. Use the menu to manage the routing table.

Configure the iDRAC interface

Before you begin

Use the tanremote user account to sign into the iDRAC virtual console when the TanOS system has become unavailable and you want to diagnose hardware and network interface issues.

You must use a cable to connect the iDRAC interface to your network and use TanOS to configure the iDRAC interface IP address before you enable the tanremote user.

Configure the iDRAC interface

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 2 to go to the Networking menu.
  4. Enter I to go to the Configure iDrac menu.
  5. Follow the prompts to configure the iDRAC interface.

Next steps

Enable the tanremote user. See Enable tanremote user.

Configure NIC teaming

Tanium™ Appliance supports active/passive network interface controller (NIC) teaming. Active/passive NIC teaming allows multiple interfaces to be placed in a group to support NIC failover. When you configure the NIC team, you must select interfaces of the same type.

Create NIC team

To create a NIC team, there must be two NICs available for teaming. If you have a hardware appliance, make sure to enable the tanremote user and configure the iDRAC interface first.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 2 to go to the Networking menu.
  4. Enter T to go to the NIC Teaming menu.
  5. Enter A and follow the prompts to create the NIC team configuration.

Manage NIC team

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 2 to go to the Networking menu.
  4. Enter T to go to the NIC Teaming menu.
  5. Enter the line number of the NIC team that you want to manage.
  6. Use the NIC Team menu to change the IP address, delete the NIC team, or view the status.

Modify the NTP configuration

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 3 and follow the prompts to change the NTP configuration.

Configuring syslog

You can forward appliance logs to a remote syslog server.

Figure 1: A syslog reader

The Appliance Configuration syslog configuration is separate from the Alerting syslog configuration in the Appliance Maintenance menu. This configuration sends all logs to a syslog destination. The Alerting syslog configuration sends alerts only for events that match the specified alert threshold severity.
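The difference between the two feeds is the syslog severity carried in each message's priority header. The following reader is an added example, not code from the Tanium documentation or TanOS itself: it decodes the `<PRI>` field of RFC 3164-style lines into facility and severity, and applies a severity threshold the way an alert-only feed would. The sample lines are constructed for the example and do not reproduce real TanOS log output.

```python
import re
from typing import Dict, List, Optional

# RFC 3164 facility codes (subset that covers the constructed sample lines).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              10: "authpriv", 16: "local0", 17: "local1"}
# Severity 0 is most severe, 7 least severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host rest-of-message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Decode one RFC 3164-style line into facility, severity, host and message.
    Returns None for lines without a valid <PRI> header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 times 8 plus severity 0-7
        return None
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": pri & 7,
        "severity_name": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("rest"),
    }


def at_or_above(lines: List[str], threshold: int) -> List[Dict[str, object]]:
    """Keep events at least as severe as `threshold` (numerically lower or equal).
    A full log feed would keep everything; an alert feed keeps only these."""
    events = []
    for line in lines:
        event = parse_syslog(line)
        if event is not None and event["severity"] <= threshold:
            events.append(event)
    return events


# Constructed sample lines (not real TanOS output).
SAMPLE_LINES = [
    "<14>Jan 12 10:00:01 tanos1 tanos: user tanadmin signed in to the TanOS console",
    "<10>Jan 12 10:00:05 tanos1 sshd: authentication failure for user from 198.51.100.7",
    "<131>Jan 12 10:01:10 tanos1 ipsec: tunnel to peer appliance is down",
    "garbage without a priority header",
]

if __name__ == "__main__":
    for event in at_or_above(SAMPLE_LINES, 3):  # err and worse
        print(event["severity_name"], event["facility"], event["message"])
```

Running the block prints only the `crit` and `err` lines; the `info` sign-in line is dropped by the threshold and the malformed line is ignored. Point the script at what the remote collector actually received to confirm the forwarding configuration.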

Check syslog status

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 4 to go to the Syslog Configuration menu.
  4. Enter 1 to view the last 5 logs and current syslog status.

Import a syslog server trust certificate

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 4 to go to the Syslog Configuration menu.
  4. Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.

Enable syslog forwarding

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 4 to go to the Syslog Configuration menu.
  4. Enter 5 and follow the prompts to specify the IP address, port, and protocol for the remote syslog server.

Configuring SNMP

SNMP is disabled by default. You can configure SNMPv3 credentials for the user tanuser. This user can make a remote SNMP connection to the appliance to walk the MIB from a remote host or SNMP manager.

Figure 2: SNMP walk

To configure SNMPv3 access:

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 5 and follow the prompts to change the SNMPv3 credentials for tanuser.

Configure solution module file share mounts

Tanium™ Connect, Tanium™ Detect, and Tanium™ Trends write consumable files to disk. You can configure the Tanium™ Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share.

Watch the tutorial on configuring remote mounts on the Tanium Appliance on the Tanium Community website.

Add a file share mount

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 6 to go to the Share Configuration menu.
  4. Enter the line number of the mount you want to create and complete the configuration to add a file share mount.

List a file share mount

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 6 to go to the Share Configuration menu.
  4. Enter A to go to the List Mounts menu.

Test a file share mount

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 6 to go to the Share Configuration menu.
  4. Enter B to test file share mounts.

Change from a static IP address to DHCP (VM-only)

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter 7 and follow the prompts to use DHCP.

Configure additional security

Use the Security menu to enable or disable factory reset and to manage the SSH trusted host list configuration.

Enable/disable factory reset

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter 1 and follow the prompts to disable the tanfactory account that is used to perform a factory reset.

Manage inbound SSH access rules

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter 2 to go to the Manage SSH menu.
  5. From this menu, you can add or delete rules that restrict SSH access to hosts from specified subnets only.
    • Enter A and follow the prompts to add a new rule.
    • Enter the line number of an existing rule and follow the prompts to delete the rule.

Configure SSH banner text

You can add custom SSH banner text to TanOS.

  1. Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter A to go to the Appliance Configuration menu.
  4. Enter A to go to the Security menu.
  5. Enter 3 to add the banner file.

View SSH fingerprints

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter 4 to view the SSH fingerprints.
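The value shown by this menu is what an administrator should compare against the fingerprint their SSH client reports before trusting a new appliance host key. The script below is an added example, not part of the Tanium documentation or TanOS: it takes a host key line in the format `ssh-keyscan` prints (host, key type, base64 blob), recomputes the OpenSSH `SHA256:` fingerprint from the blob, and compares it with the string read from the console. The host name and the all-zero ed25519 key are constructed placeholders, not a real appliance key.

```python
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256 over the raw key blob, '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_from_keyscan_line(line: str) -> Tuple[str, str, str]:
    """Parse one 'host keytype base64blob [comment]' line and return
    (host, keytype, fingerprint). Raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: host keytype base64-blob")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob's own leading type string must agree with the text field.
    inner_len = struct.unpack(">I", blob[:4])[0]
    inner_type = blob[4:4 + inner_len].decode("ascii")
    if inner_type != keytype:
        raise ValueError(f"key type mismatch: {keytype} vs {inner_type}")
    return host, keytype, sha256_fingerprint(blob)


def matches_console(client_fingerprint: str, console_value: str) -> bool:
    """True when the client-side fingerprint equals the value shown in the Security menu."""
    return client_fingerprint.strip() == console_value.strip()


# Constructed sample: ed25519 blob with an all-zero public key (placeholder, not a real key).
_SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_KEYSCAN_LINE = (
    "tanos1.example.internal ssh-ed25519 "
    + base64.b64encode(_SAMPLE_BLOB).decode("ascii")
)

if __name__ == "__main__":
    host, keytype, fp = fingerprint_from_keyscan_line(SAMPLE_KEYSCAN_LINE)
    print(host, keytype, fp)
    # Replace the placeholder with the value read from the TanOS Security menu.
    print("matches console:", matches_console(fp, "SHA256:<value-from-menu>"))
```

In practice, feed the output of `ssh-keyscan -t ed25519 <appliance>` into `fingerprint_from_keyscan_line` and pass the string from menu A-A-4 as `console_value`; a mismatch means the key the client sees is not the key the appliance reports, and the connection should not be trusted until that is explained.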

Configure LDAPS

If you have requirements to use the LDAPS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root CA certificate and then enable the LDAPS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.
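Whether you paste the certificate text or import a file, the contents must be one or more PEM `CERTIFICATE` blocks and nothing else. The checker below is an added example, not code from Tanium or TanOS, for inspecting a bundle on the management workstation before it is pasted or copied to /incoming: it counts well-formed certificate blocks, verifies that each body is valid base64 decoding to a DER SEQUENCE, and flags private-key blocks or unterminated blocks. The sample bundle is constructed from a minimal DER placeholder, not a real certificate.

```python
import base64
import re
from typing import Dict, List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]*?)\s*-----END CERTIFICATE-----"
)
BEGIN_MARKER = "-----BEGIN CERTIFICATE-----"


def certificates_in_bundle(pem_text: str) -> List[bytes]:
    """Return the DER bytes of each well-formed CERTIFICATE block.
    Raises ValueError for a block that is not valid base64 or not a DER SEQUENCE."""
    ders = []
    for index, m in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate {index}: invalid base64 ({exc})") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate {index}: does not start with a DER SEQUENCE")
        ders.append(der)
    return ders


def bundle_report(pem_text: str) -> Dict[str, object]:
    """Summarise a bundle: certificate count plus any problems that would make it unsuitable
    as a root CA paste/import (private key material, unterminated blocks, bad encoding)."""
    problems = []
    if "PRIVATE KEY-----" in pem_text:
        problems.append("bundle contains a PRIVATE KEY block; only CA certificates belong here")
    try:
        count = len(certificates_in_bundle(pem_text))
    except ValueError as exc:
        problems.append(str(exc))
        count = 0
    if pem_text.count(BEGIN_MARKER) != count and not any("invalid" in p or "SEQUENCE" in p for p in problems):
        problems.append("a BEGIN CERTIFICATE line has no matching END CERTIFICATE line")
    return {"certificates": count, "problems": problems}


def _placeholder_block() -> str:
    """Constructed stand-in: base64 of a minimal DER SEQUENCE, not a real certificate."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode("ascii")
    return f"{BEGIN_MARKER}\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle with two root certificates concatenated, as the procedure requires.
SAMPLE_BUNDLE = _placeholder_block() + _placeholder_block()

if __name__ == "__main__":
    print(bundle_report(SAMPLE_BUNDLE))
```

A report with `problems` empty and `certificates` equal to the number of roots you intended to combine is the condition to check before pasting the file into the menu; the placeholder bodies here would of course not be accepted by a real TLS stack as certificates.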

Paste the LDAP server root CA contents

To add multiple CA certificate files, put all certificates in one file and paste them in together.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter A to go to the LDAP CA Certificate Management menu.
  5. Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file.
  6. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Import the LDAP server root CA certificate files

To add multiple CA certificate files, put all certificates in one file and use the Add Certificate option to paste them in together. See Paste the LDAP server root CA contents.

  1. Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter A to go to the Appliance Configuration menu.
  4. Enter A to go to the Security menu.
  5. Enter A to go to the LDAP CA Certificate Management menu.
  6. Enter 2 and follow the prompts to import the LDAP server root CA certificate file.
    • For the file ID, enter a short, unique string that you can use to reference the certificate.
  7. Restart the Tanium Server service. See Start, stop, and restart Tanium services.

Enable/Disable the LDAPS configuration

You can toggle the LDAPS configuration on and off. When disabled, the connection is unencrypted LDAP.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter A to go to the LDAP CA Certificate Management menu.
  5. Enter 3 to enable or disable the LDAPS configuration.

Enable/Disable TLS certificate validation

If necessary during troubleshooting, you can disable TLS certificate validation to help you determine if there is a problem with the certificate.

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter A to go to the LDAP CA Certificate Management menu.
  5. Enter 4 to disable TLS certificate validation for connections with the LDAP server.

Manage LDAPS certificates

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter A to go to the LDAP CA Certificate Management menu.
  5. Enter 5 to list and manage the LDAPS certificates that have been imported.

Manage CA certificates for the Tanium database server

The Tanium database server uses self-signed certificates for SSL connections. The Tanium PostgreSQL database is an application database. Users do not have direct access to the database. However, if you have requirements to use a CA-issued certificate for the database SSL connections, you can use TanOS menus to import the CA certificates. You can also import a root certificate revocation list (CRL) certificate file. The files you copy to the /incoming folder must be named root.crt, root.crl.pem, server.crt, and server.key.

Import a server certificate

  1. Use SFTP to copy the database server certificate and key files to the /incoming folder.
  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter A to go to the Appliance Configuration menu.
  4. Enter A to go to the Security menu.
  5. Enter B to go to the Database Certificate Management menu.
  6. Enter 1 and follow the prompts to import the certificate.

Export a server certificate

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter B to go to the Database Certificate Management menu.
  5. Enter 2 and follow the prompts to export the certificate to the /outgoing folder.
  6. Use SFTP to copy the certificate from the /outgoing folder to your management computer.

Import a client certificate

  1. Use SFTP to copy the database server certificate file to the /incoming folder.
  2. Sign into the TanOS console as a user with the tanadmin role.
  3. Enter A to go to the Appliance Configuration menu.
  4. Enter A to go to the Security menu.
  5. Enter B to go to the Database Certificate Management menu.
  6. Enter 3 and follow the prompts to import the certificate.

View database certificates

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter B to go to the Database Certificate Management menu.
  5. Enter L to go to the List Certificate menu.
  6. Use the menu to view the certificates that have been imported.

Configure security policy rules

The TanOS user access security policy has the following factory settings.

Each setting is listed with its factory default and a description.

Password Lifetime
  Factory default: Minimum 0 days; Maximum 90 days
  The minimum sets the minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. The maximum sets the age at which a current password expires.

Password History
  Factory default: 4 most recent
  The number of most recent passwords to disallow reuse. A setting of 0 allows reuse of any previous password. This setting does not apply to the tanadmin account.

Password Minimum Length
  Factory default: 10 characters
  The minimum number of characters allowed in a password. Valid range is 6-10 characters.

Password Minimum Characters Changed
  Factory default: 0 (disabled)
  The minimum number of characters in the new password that must not be present in the previous password. 5 is a common practice. STIG requires a minimum of 8. A setting of 0 allows reuse of any character. This setting does not apply to the tanadmin account.

Login Failure Delay
  Factory default: 0 seconds
  The time, in seconds, between a failed sign-in and the next time the user is prompted for the password.

Expired Passwords Effect
  Factory default: Force Password Change
  Determines the effect on a user account when a password expires. Two options:
    • Disable the user account
    • Force password change on next sign-in

Account Lockout Time
  Factory default: 900 seconds after 3 failures
  The number of seconds to lock an account after three consecutive unsuccessful sign-in attempts. Valid range is 0-604800 seconds.

Maximum Concurrent Logins
  Factory default: 10
  The number of concurrent sign-ins for a user account. A setting of 0 disables remote access.

To modify security policy settings:

  1. Sign into the TanOS console as a user with the tanadmin role.
  2. Enter A to go to the Appliance Configuration menu.
  3. Enter A to go to the Security menu.
  4. Enter P to go to the Appliance Configuration Security Policy menu.
  5. Use the menu to view and edit password, sign-in, and lockout rules.

After you modify password policy settings, the password prompts in TanOS menus are expected to show users the updated requirements.
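To make the password rules in the table concrete, the following checker is an added example, not code from Tanium or TanOS, that evaluates a proposed password against a policy object seeded with the factory defaults (minimum length 10, history 4, minimum characters changed 0). It models the stated exemption of the tanadmin account from the history and characters-changed rules. How TanOS counts "characters not present in the previous password" is not specified on the page; this example assumes the count is the number of characters in the new password that occur nowhere in the previous one, and the account names and passwords are constructed test data.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PasswordPolicy:
    # Defaults mirror the factory settings in the TanOS security policy table.
    min_length: int = 10
    history: int = 4            # most recent passwords that may not be reused
    min_chars_changed: int = 0  # 0 disables the check (STIG guidance on the page: 8)
    # Accounts to which the history and characters-changed rules do not apply.
    exempt_accounts: Tuple[str, ...] = ("tanadmin",)


def chars_not_in_previous(new: str, previous: str) -> int:
    """Assumed interpretation: number of characters of `new` that do not occur
    anywhere in `previous`, counted per position."""
    previous_chars = set(previous)
    return sum(1 for c in new if c not in previous_chars)


def check_password(account: str, new: str, previous: List[str],
                   policy: PasswordPolicy) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means accepted.
    `previous` is ordered newest first, so previous[0] is the current password."""
    problems = []
    if len(new) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if account in policy.exempt_accounts:
        return problems  # history and characters-changed rules are skipped
    if policy.history and new in previous[:policy.history]:
        problems.append(f"matches one of the last {policy.history} passwords")
    if policy.min_chars_changed and previous:
        changed = chars_not_in_previous(new, previous[0])
        if changed < policy.min_chars_changed:
            problems.append(
                f"only {changed} characters absent from the previous password; "
                f"policy requires {policy.min_chars_changed}"
            )
    return problems


# Constructed history for a non-exempt account, newest first.
SAMPLE_HISTORY = ["Winter2024!!", "Autumn2024!!", "Summer2024!!", "Spring2024!!", "Older2023!!!"]

if __name__ == "__main__":
    factory = PasswordPolicy()
    stig = PasswordPolicy(min_chars_changed=8)
    for account, candidate, policy in [
        ("analyst", "Sh0rt", factory),
        ("analyst", "Spring2024!!", factory),
        ("analyst", "Winter2025!!", stig),
        ("analyst", "Qz7#mLp9vK@x", stig),
        ("tanadmin", "Winter2024!!", factory),
    ]:
        print(account, candidate, check_password(account, candidate, SAMPLE_HISTORY, policy) or "accepted")
```

Note how the fifth-oldest password is accepted again under the factory history of 4, and how a seasonal increment such as `Winter2024!!` to `Winter2025!!` changes only one character, which is exactly what a non-zero characters-changed setting is meant to reject.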