Command-line interface

Tanium Cloud does not support a command-line interface.

You can use the command-line interface (CLI) on the Tanium Appliance or on Windows to configure platform settings.

You can also change many platform settings through the Tanium Console. For more information, see Tanium Console User Guide: Managing Tanium Core Platform settings.

Contact Tanium Support for guidance before you create, edit, or delete platform settings.

Appliance: CLI

For Tanium Appliance deployments, you can use the TanOS menu to read and write the configuration, as described under Manage server settings. In rare cases, you might be granted shell access to troubleshoot an issue through the TanOS CLI. The following table lists the locations where the CLI programs reside. Click the links in the table to see descriptions of the settings that you can edit.

For details about the TanOS CLI, see Tanium Appliance Deployment Guide: TanOS command line interface.

Table 1: CLI directories for Appliance deployment
Component | CLI program location
Tanium Server | /opt/Tanium/TaniumServer/TaniumServer
Tanium Module Server | /opt/Tanium/TaniumModuleServer/TaniumModuleServer
Tanium Zone Server | /opt/Tanium/TaniumZoneServer/ZoneServer
TDownloader: Tanium Server | /opt/Tanium/TaniumServer/TaniumTDownloader
TDownloader: Module Server | /opt/Tanium/TaniumModuleServer/TaniumTDownloader

Windows: CLI

To access the CLI for a Tanium Core Platform component, open the Command Prompt and navigate to the directory where the component CLI program resides. The following table lists the directories. Click the links in the table to see descriptions of the settings that you can edit.

To use the Command Prompt for commands that require administrator permissions, select the Run as administrator option to elevate permissions.

Table 2: CLI directories for Windows deployment
Component | CLI program location
Tanium Server | Program Files\Tanium\TaniumReceiver.exe
Tanium Module Server | Program Files\Tanium\TaniumModuleServer.exe
Tanium Zone Server or Tanium Zone Server Hub | Program Files (x86)\Tanium\Tanium Zone Server\TaniumZoneServer.exe
TDownloader | Program Files\Tanium\Tanium Server\TDownloader.exe; Program Files\Tanium\Tanium Module Server\TDownloader.exe

CLI examples

The following examples show how to use the CLI.

Display help

TaniumReceiver --help
Usage: TaniumReceiver [options] <command> [<args>]

General Options:
  -h [ --help ]         Print this help message
  -v [ --version ]      Print the version
  --verbose             Verbose output

Service Options:
  -i                    Install the service
  -u                    Uninstall the service
  -s                    Start the service
  -e                    Stop the service

Internal Tanium Options - DO NOT USE:
  -d                    Run without daemonizing

  config                Manage configuration
  clean-downloads       Clean the downloads catalog
  database              Manages a database
  global-settings       Manages global settings
  license               Manages Deployment License
  pki                   Manages PKI
  python-auth-plugin    Run a python authentication plugin - DO NOT USE
  server-registrations  Manages server registration requests
  test-hsm              Test an HSM configuration
  trust-module-certs    Add trusted Module Server certificates

For help on a specific command run `TaniumReceiver COMMAND -h`

Display config help

cmd-prompt>TaniumReceiver config --help
Usage: TaniumReceiver config <action> [<key>] [<value>]

  config list                         List all keys and non-protected values
  config list-protected               List all keys and values
  config get <key>                    Print non-protected config value
  config get-protected <key>          Print config value
  config set <key> <value>            Set config value and try to guess type
  config set-string <key> <value>     Set string value
  config set-protected <key> <value>  Set protected string value
  config set-number <key> <value>     Set numeric value (in decimal or hex notation)
  config remove <key>                 Remove config value

Example: List configuration settings

When you list the current settings, the CLI output displays (protected) instead of the actual value for any setting that is designated as protected, which means that the value is security sensitive.

cmd-prompt>TaniumReceiver config list
  - AddressMask: 16777215
  - ConsoleSettingsJSON: C:\Program Files\Tanium\Tanium Server\http\config\console.json
  - DBUserDomain: tam.local
  - DBUserName: taniumsvc
  - LogPath: C:\Program Files\Tanium\Tanium Server\Logs
  - LogVerbosityLevel: 1
  - Logs:
    - Logs.MiniDumpMessages:
      - Logs.MiniDumpMessages.FilterRegex: .*Begin MiniDumper.*
      - Logs.MiniDumpMessages.LogVerbosityLevel: 1
  - ModuleServer: tms1.tam.local,TMS1.tam.local:17477
  - ModuleServerPort: 17477
  - PGDLLPath: C:\Program Files\Tanium\Tanium Server\postgres\bin
  - PKIDatabasePassword: (protected)
  - PGRoot: C:\Program Files\Tanium\Tanium Server\postgres
  - Path: C:\Program Files\Tanium\Tanium Server
  - ProxyPassword: (protected)
  - ProxyPort: 
  - ProxyServer: 
  - ProxyType: NONE
  - ProxyUserid: 
  - SQLConnectionString: postgres:[email protected]=postgres port=5432
  - ServerName:
  - ServerPort: 17472
  - ServerSOAPPort: 443
  - TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
  - TrustedModuleServerCertsPath: C:\Program Files\Tanium\Tanium Server\trusted-module-servers.crt
  - Version:
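
A drift check over saved `config list` captures, as an added example (not Tanium code): it parses the layout shown above, diffs a baseline against a later capture, and flags a capture in which a protected key carries a value other than `(protected)`, as `config list-protected` output would. The sample captures, the proxy host, and `ExampleAddedKey` are constructed for illustration.

```python
import re

PROTECTED = "(protected)"
LINE = re.compile(r"^(\s*)- ([\w.]+):\s?(.*)$")
# Constructed capture in the `config list` layout shown above (not real output).
BASELINE = """\
  - Logs:
    - Logs.MiniDumpMessages:
      - Logs.MiniDumpMessages.LogVerbosityLevel: 1
  - ModuleServer: tms1.tam.local,TMS1.tam.local:17477
  - Path: C:\\Program Files\\Tanium\\Tanium Server
  - ProxyPassword: (protected)
  - ProxyServer:
  - ServerPort: 17472
"""
# Constructed drift: a proxy appears, a port changes, a made-up key is added.
CURRENT = (BASELINE.replace("ProxyServer:", "ProxyServer: proxy.example.test:8080")
           .replace("ServerPort: 17472", "ServerPort: 17473")
           + "  - ExampleAddedKey: 1\n")


def parse_config_list(text):
    """Return {key: value}; section headers such as `Logs:` are dropped."""
    rows = [m.groups() for m in map(LINE.match, text.splitlines()) if m]
    settings = {}
    for i, (indent, key, value) in enumerate(rows):
        nested = i + 1 < len(rows) and len(rows[i + 1][0]) > len(indent)
        if value or not nested:  # keep real settings, including empty ones
            settings[key] = value.strip()
    return settings


def diff_settings(baseline, current):
    """Drift between two captures as sorted (kind, key, old, new) tuples."""
    changes = []
    for key in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            changes.append((kind, key, old, new))
    return changes


def unmasked_protected(settings, keys=("PKIDatabasePassword", "ProxyPassword")):
    """Protected keys whose real value is present, as `list-protected` would print."""
    return [k for k in keys if settings.get(k, "") not in ("", PROTECTED)]
```

Because both captures show `(protected)` for masked keys, a changed protected value does not appear in this diff.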

Example: Set configuration values

cmd-prompt>TaniumReceiver config set BypassProxyHostList,
cmd-prompt>TaniumReceiver config get BypassProxyHostList,

Example: Set configuration values

cmd-prompt>TDownloader config set ProxyServer
cmd-prompt>TDownloader config get ProxyServer

Example: Register the Module Server with the Tanium Server

On the Module Server host computer, use the CLI to register with a Tanium Server. Specify a Tanium Console administrator user name and password.

Registration involves copying files between the Module Server and the Tanium Server. Both servers must be reachable when you issue the registration command or the command fails.

After registering the Module Server, you must restart the services for the Tanium Module Server and all Tanium modules and shared services. On the Module Server, open the Windows Services application and, for each service, right-click the service name and select Restart.

cmd-prompt>TaniumModuleServer register -h
Usage: TaniumModuleServer register <server> [opts]

  --server arg                    Tanium Server hostname (optionally including
  --address arg (=TMS1.tam.local) DNS name or IP that the Tanium Server should
                                  use to connect to this Module Server
  --timeout arg (=120)            Registration timeout in seconds
  --user arg                      Administrator username
  --pass arg                      Administrator password (leave blank for
                                  interactive prompt)
  --pass-file arg                 Administrator password protected file
  --trusted-fingerprint arg       Trust the given server certificate
  --json-out arg                  JSON file to output results to

cmd-prompt>TaniumModuleServer register ts2.tam.local
Enter administrator username: TaniumAdmin

Enter password for user 'TaniumAdmin':
Successfully completed registration.

If the Tanium Console has been configured to use a non-standard port, you must specify the port number, as shown in the following example.

cmd-prompt>TaniumModuleServer register ts2.tam.local:8443
Enter administrator username: TaniumAdmin

Enter password for user 'TaniumAdmin':
Successfully completed registration.


If the Tanium Console is not listening on port 443 and you do not specify the port in the registration command, registration fails with the following message:

Failed to register module server. Failed to authenticate for registration. SSLClientConnection has failed to complete request.

Example: Configure global settings

cmd-prompt>TaniumReceiver global-settings -h
Usage: TaniumReceiver global-settings list|list-all|get|set|set-string|set-numbe

  -c [ --command ] arg  Command to run:
                            get <setting>
                            set <setting> <value>
                            set-string <setting> <value>
                            set-number <setting> <value>
                            set-flags <setting> [public|hidden|read-only|server...]
                            unset-flags <setting> [public|hidden|read-only|server ...]
                            remove <setting>

cmd-prompt>TaniumReceiver global-settings set ReportingTLSMode 0

Example: Add an administrator user

cmd-prompt>TaniumReceiver database -h
Usage: TaniumReceiver database create|upgrade|create-admin-user

  -c [ --command ] arg  Command to run:
                            create-admin-user [username] [domain]
                            sqlserver2postgre outputfile

cmd-prompt>TaniumReceiver database create-admin-user admin-recover tam.local