Tanium™ Core Platform Deployment Reference Guide

PDF
Documentation Home > Tanium Core Platform Deployment Reference Guide

Settings

Most Tanium Core Platform server component host system settings are configured during installation. When troubleshooting an issue, your Tanium Technical Account Manger (TAM) or Tanium Support might ask you to review or confirm these settings, but would rarely ask you to change them.

Settings specified during installation are saved in the configuration database. You can use TanOS menus to add, delete, or modify settings as directed by your TAM.

Component DB location
Tanium Server /opt/Tanium/TaniumServer/server.db
Module Server /opt/Tanium/TaniumModuleServer/server.db
Zone Server /opt/Tanium/TaniumZoneServer/zoneserver.db
TDownloader /opt/Tanium/TaniumServer/tdownloader.db
/opt/Tanium/TaniumModuleServer/tdownloader.db

Edit server settings

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Use the menu to view and edit Tanium component server settings.

Tanium Server

Settings Guidelines
AddressMask Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain.

Do not change this setting unless instructed to do so by your TAM.
AllowedHubs Comma-separated list of Zone Server Hubs allowed to connect to this Tanium Server. Typically, the Zone Server Hub is collocated on the Tanium Server appliance and this setting has a value 127.0.0.1.
AuthPluginTimeoutSeconds The default is 60.
AuthenticationPlugin String that specifies the pluggable authentication module (PAM).
ConsoleSettingsJSON Path to the console settings file.
LogPath The default is /opt/Tanium/TaniumServer/Logs.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ModuleServer Module Server IP address.
ModuleServerPort Module Server port. The default is 17477.
ReportingTLSCertPath Setting for inbound connections. Path to the TLS certificate that was created upon installation. This certificate is used in TLS connections initiated by the Tanium Client, the Tanium Zone Server Hub, or the Tanium Zone Server.
ReportingTLSKeyPath Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ReportingTLSMode Configures TLS for outgoing connections that the server initiates. On a Tanium Server, configure this option if you want to enable TLS for the Tanium Server to Zone Server Hub segment, if the Zone Server Hub is not collocated on the Tanium Server. Otherwise, this setting does not apply to a Tanium Server appliance role, which uses IPSEC instead of TLS to secure the Tanium Server Active-Active cluster communication.
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)
RequireIncomingEncryption Setting for inbound connections. Implicitly set to 0 by default. To set a different value, you must add the setting.
  • 0 (TLS not required)
  • 1 (TLS required)

Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration. Do not set this to 1 if your deployment has Tanium Client 6.0, which does not support TLS.
ServerPort Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change Tanium Port menu.
ServerSOAPPort Tanium Console and SOAP API port. The default is 8443. Port 443 redirects to this 8443.
SQLConnectionString Database server connection information. 

Example:

postgres:[email protected]=postgres password= dbname=tanium ssl mode=required port=5432
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder The default is 1.
TrustedCertPath Path to the certificate file used for secure connections to the Tanium Console port.
Version Tanium Server version number.

Tanium Server TDownloader

Settings Guidelines
BypassCRLCheckHostList Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:

7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.

7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.

7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer IP address of the proxy server.

Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort Proxy server listening port.
ProxyType The options are Basic, NTLM, or None.
ProxyUserid For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword The corresponding password.
TrustedCertPath Path to the TLS CA bundle of trusted certificates.
TrustedHostList Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server. Traffic from 127.0.0.1 and localhost is trusted automatically.

Tanium core platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

Tanium Module Server

Settings Guidelines
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ServerPort Module Server port. The default is 17477.
Version Tanium Module Server version number.

Module Server TDownloader

Settings Guidelines
BypassCRLCheckHostList Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:

7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.

7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.

7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer IP address of the proxy server.

Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort Proxy server listening port.
ProxyType The options are Basic, NTLM, or None.
ProxyUserid For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword The corresponding password.
TrustedCertPath Path to the TLS CA bundle of trusted certificates.
TrustedHostList Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server. Traffic from 127.0.0.1 and localhost is trusted automatically.

Tanium core platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

Tanium Zone Server

Settings Guidelines
AllowedHubs A comma-separated list of IP addresses of Zone Server Hub(s) that are authorized to communicate with this Zone Server.
EnforceAllowedHubs Set the value to 1.
LogVerbosityLevel Log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ReportingTLSCertPath Setting for inbound connections. Path to the TLS certificate. This certificate is used in TLS connections initiated by the Tanium Client.
ReportingTLSKeyPath Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ReportingTLSMode Configures TLS for outgoing connections that the server initiates. On a Zone Server hub, you configure this option to enable TLS for the Zone Server Hub to Zone Server segment. Automatically set to 2 when you complete the Zone Server TLS setup.
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)
RequireIncomingEncryption Setting for inbound connections. Automatically set to 0 when you complete the Zone Server TLS setup.
  • 0 (TLS not required)
  • 1 (TLS required)

Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration. Do not set this to 1 if your deployment has Tanium Client 6.0, which does not support TLS.
ServerName Tanium Server fully qualified domain name.
ServerPort Tanium Server Port. The default is 17472.
Version Tanium Zone Server version number.
ZoneHubFlag 0 if not the hub; 1 if the hub.

Settings specified during Installation are saved in the Windows Registry.

Component Windows Registry location
Tanium Server HKLM\Software\Wow6432Node\Tanium\Tanium Server
Module Server HKLM\Software\Wow6432Node\Tanium\Tanium Module Server
Zone Server HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
TDownloader HKLM\Software\Wow6432Node\Tanium\Downloader

Tanium Server

Name Windows Registry Type Data
AddressMask REG_DWORD Hexadecimal value of a subnet CIDR that delineates the IPv4 clients that belong to a linear chain. Do not change this registry value unless your TAM instructs you to do so.
AddressPrefixIPv6 REG_DWORD IPv6 prefix represented as a decimal number between 0 and 128 inclusive that delineates the clients belonging to a linear chain. The default 0 specifies no peering. Consult your TAM to determine the optimum value for peering in IPv6 networks. Tanium Core Platform 7.3 and later.
AllowedHubs REG_SZ A comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). The default value is 127.0.0.1 (localhost). Note that you can configure the AllowLocalHubs key as an exception to the AllowedHubs list.
AllowLocalHubs REG_DWORD By default, this key is not present in the registry but has a value of 1, which enables any local Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting. Add this registry key manually if you need it, but only with guidance from your TAM. Setting the value to 0 allows local Zone Server Hubs to communicate with the Tanium Server only if they are listed in AllowedHubs.
BypassCRLCheckHostList REG_SZ Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList REG_SZ Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.

A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail.

Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]. In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example:

ts1.example.com, ts2.example.com,localhost,127.0.0.1, [::1],10.10.10.11,10.10.10.15

Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
ConsoleSettingsJSON REG_SZ Path to the console settings file.
DBUserDomain REG_SZ FQDN of the domain for the service account that connects to the database server. Specified when you completed the installation wizard.
DBUserName REG_SZ Username for the service account that connects to the database server. Specified when you completed the installation wizard.
EnforceAllowedHubs REG_DWORD The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting.
LogPath REG_SZ Path to Tanium Server logs.
LogVerbosityLevel REG_DWORD Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
ModuleServer REG_SZ FQDN of the Module Server.
ModuleServerPort REG_DWORD Module Server Port. The default is 17477.
Path REG_SZ Installation path.
PGDLLPath REG_SZ Path to the PostgreSQL Server libraries.
PGRoot REG_SZ Path to the Postgres installation directory.
ProxyPassword REG_SZ For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry.

This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

ProxyPort REG_SZ Proxy server listening port.
ProxyType REG_SZ Basic or NTLM.
ProxyServer REG_SZ IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1.
ProxyUserid REG_SZ For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry.

This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

PythonPath REG_SZ Deprecated setting that is no longer used.
ServerName REG_SZ The network adapter binding that the Tanium Server uses to listen for IPv4 client registrations. The default value 0.0.0.0 indicates binding to all network adapters. Do not change this registry value unless your TAM instructs you to do so.
ServerNameIPv6 REG_SZ Add this registry key manually if you need it, but only with guidance from your TAM. By default, the key is hidden and has a value of [::], which indicates that the Tanium Server binds to all network adapters to listen for IPv6 client registrations. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).
ServerPort REG_DWORD Tanium Server Port. The server listens for Tanium Clients on this port. Specified when you completed the installation wizard. The default is 17472.
ServerSOAPPort REG_DWORD Tanium Console and SOAP API port. Specified when you complete the installation wizard. The default is 443.
SQLConnectionString REG_SZ Database server connection information.

Example SQL Server:

SQL1\[email protected]

Example PostgreSQL Server:

postgres:[email protected]=postgres port=5432
TrustedCertPath REG_SZ Path to the certificate file used for secure connections to the Tanium Console port. The certificate is selected when you completed the installation wizard.
TrustedHostList REG_SZ The trusted servers that the Tanium Server can download files from even if those servers do not have valid SSL certificates. In an active-active cluster, specify both Tanium Servers. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
Version REG_SZ Tanium Server version number.

Tanium Module Server

Name Type Data
LogVerbosityLevel REG_DWORD Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
Path REG_SZ Installation path.
PythonPath REG_SZ Deprecated setting that is no longer used.
ServerName REG_SZ The network adapter binding that the Tanium Module Server uses to listen for IPv4 connections. The default value 0.0.0.0 indicates binding to all network adapters.
ServerNameIPv6 REG_SZ Tanium Core Platform 7.3 and later. You must add this registry key manually if you need it, but only with guidance from your TAM. By default, the key is hidden and has a value of [::], which indicates that the Tanium Module Server binds to all network adapters to listen for IPv6 connections. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).
ServerPort REG_DWORD Tanium Module Server port. The default is 17477.
Version REG_SZ Tanium Module Server version number.

The Module Server host computer has a registry entry for the Tanium Server: 

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

The settings in this registry entry are for the proxy server configuration.

Name Type Data
BypassCRLCheckHostList REG_SZ Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList REG_SZ Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.

A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail.

Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]. In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example:

ts1.example.com, ts2.example.com,localhost,127.0.0.1, [::1],10.10.10.11,10.10.10.15

Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
ProxyPassword REG_SZ

For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry.

This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

ProxyPort REG_SZ Proxy server listening port.
ProxyType REG_SZ Basic or NTLM.
ProxyServer REG_SZ IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1.
ProxyUserid REG_SZ For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry.

This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

TrustedHostList REG_SZ The trusted servers that the Tanium Server can download files from even if those servers do not have valid SSL certificates. In an active-active cluster, specify both Tanium Servers. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

TDownloader

The Tanium Downloader (TDownloader) entry is used for log verbosity level and IPv6 support.

Name Type Data
LogVerbosityLevel REG_DWORD Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
ForceIPV6 REG_DWORD Tanium Core Platform 7.3 and later. Add this registry key manually if you need it, but only with guidance from your TAM. In deployments where traffic between Tanium core platform servers and the Internet goes through a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the key and set its value to 1.

Zone Server

Name Type Data
AllowedHubs REG_SZ A comma-separated list of Zone Server Hubs that are authorized to communicate with this Zone Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
EnforceAllowedHubs REG_DWORD The default value 1 specifies that the Zone Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Zone Server. The value 0 enables any Zone Server Hub to communicate with the Zone Server regardless of the AllowedHubs setting.
LogPath REG_SZ Path to Tanium Zone Server logs.
LogVerbosityLevel REG_DWORD Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
Path REG_SZ Installation path.
ServerName REG_SZ Tanium Server fully qualified domain name.
ServerPort REG_DWORD Tanium Server Port. Specified when you completed the installation wizard. The default is 17472.
ServiceUserDomain REG_SZ The Zone Server Windows service runs in the context of a service account. This entry contains the domain specified during installation.
ServiceUserName REG_SZ The Zone Server Windows service runs in the context of a service account. This entry contains the username specified during installation.
Version REG_SZ Tanium Zone Server version number.
ZoneHubFlag REG_DWORD The value indicates whether this Zone Server instance is (1) or is not (0) a Zone Server Hub.

Last updated: 12/4/2019 4:10 PM | Feedback