Tanium Core Platform settings
To configure platform settings for your Tanium Cloud deployment, see Tanium Console User Guide: Managing Tanium Core Platform settings.
You configure the host system settings of most Tanium Core Platform servers during installation. When troubleshooting an issue, Tanium Support might ask you to review or confirm these settings, but rarely asks you to change them. If Support does ask you to change settings, you can change many of them through the Tanium Console in Tanium Core Platform 7.4 or later (see Tanium Console User Guide: Managing Tanium Core Platform settings). The following sections describe how to configure server settings through means other than the Console.
You can contact Tanium Support at [email protected].
Tanium Appliance
The following table lists the configuration database locations for settings that you configure when installing Tanium Core Platform servers. You can use TanOS menus to add, delete, or modify settings with guidance from Tanium Support ([email protected]). Click a link in the table to see the settings for a Tanium component.
Component | DB location |
---|---|
Tanium Server | /opt/Tanium/TaniumServer/server.db |
Tanium Module Server | /opt/Tanium/TaniumModuleServer/server.db |
Tanium Zone Server | /opt/Tanium/TaniumZoneServer/zoneserver.db |
TDownloader: Tanium Server | /opt/Tanium/TaniumServer/tdownloader.db |
TDownloader: Module Server | /opt/Tanium/TaniumModuleServer/tdownloader.db |
Manage server settings
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter 2 to go to the Tanium Operations menu.
- Enter 2 to go to the Configuration Settings menu.
- Use the menu to view and edit settings for Tanium Core Platform servers.
Tanium Server
Settings | Guidelines |
---|---|
AddressMask | Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain. Do not change this setting unless Tanium Support instructs you to do so. |
AllowedHubs | The Zone Server Hub that is allowed to connect to this Tanium Server. The Zone Server Hub is colocated on the Tanium Server appliance, so this setting has the value 127.0.0.1. |
AuthPluginTimeoutSeconds | The default is 60. |
AuthenticationPlugin | String that specifies the Pluggable Authentication Module (PAM). |
ConsoleSettingsJSON | Path to the Tanium Console settings file. |
LogPath | The location for Tanium Server logs. The default is /opt/Tanium/TaniumServer/Logs. |
LogVerbosityLevel | Specify one of the following decimal values for the log verbosity level: |
ModuleServer | Module Server IP address. |
ModuleServerPort | Module Server port. The default is 17477. |
PKIDatabasePassword | You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys. |
ReportingTLSCertPath | Setting for inbound connections. Path to the TLS certificate that was created during installation. This certificate is used in TLS connections initiated by the Tanium Client, the Tanium Zone Server Hub, or the Tanium Zone Server. |
ReportingTLSKeyPath | Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS. |
ReportingTLSMode | Configures TLS for outgoing connections that the Tanium Server initiates. The possible values are: Note: Tanium Server appliances use an IPsec tunnel instead of TLS to secure Tanium database and appliance LDAP synchronization traffic. The servers use TLS to secure all other communication between them. |
RequireIncomingEncryption | Setting for inbound connections. Implicitly set to 0 by default; to set a different value, you must add the setting. Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled can register and be managed. Do not set this to 1 until you are sure that all deployed Tanium Clients are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and that you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration. |
ServerPort | Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change Tanium Port menu. |
ServerSOAPPort | Tanium Console and SOAP API port. The default is 8443. Requests to port 443 are redirected to 8443. |
SQLConnectionString | Database server connection information, such as postgres:<TanOS_IP_Address>@user=postgres dbname=tanium. See the PostgreSQL documentation for the supported keywords, such as dbname, port, and user. If you change this setting, you must restart the Tanium Server. |
SSLCipherSuite | OpenSSL-format cipher list. The default is ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK |
SSLHonorCipherOrder | The default is 1, which makes the server's SSLCipherSuite order take precedence over the client's cipher preference. |
TrustedCertPath | Path to the certificate file used for secure connections to the Tanium Console port. |
Version | Tanium Server version number. |
TDownloader: Tanium Server
Settings | Guidelines |
---|---|
BypassCRLCheckHostList | Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). |
BypassProxyHostList | Enter a comma-separated list of FQDNs or IP addresses for the hosts that do not go through the proxy server. You do not have to enter 127.0.0.1, localhost, or the Tanium Module Server, but enter active-active Tanium Servers if necessary. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Literal values are accepted; all supported Tanium Core Platform versions also allow wildcards. |
LogVerbosityLevel | Specify one of the following decimal values for the log verbosity level: |
ProxyServer | IP address of the proxy server. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and set the TDownloader setting ForceIPV6 to 1. |
ProxyPort | Proxy server listening port. |
ProxyType | The options are Basic, NTLM, or None. |
ProxyUserid | For a proxy server that requires authentication, enter the user ID used to establish the connection with the proxy server. |
ProxyPassword | For a proxy server that requires authentication, enter the password of the ProxyUserid user used to establish the connection with the proxy server. |
TrustedCertPath | Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates. |
TrustedHostList | By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. You do not have to enter 127.0.0.1, localhost, the Tanium Module Server, or Tanium Servers (standalone or active-active). All supported Tanium Core Platform versions allow wildcards. Contact Tanium Support before modifying this setting. |
ForceIPV6 | Add this setting manually if you need it, but only with guidance from Tanium Support ([email protected]). In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1. |
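BypassProxyHostList, TrustedHostList and BypassCRLCheckHostList share one entry format (comma-separated FQDNs or IP addresses, IPv6 literals in square brackets, wildcards permitted), and a typo in the last two silently widens the set of download sources whose certificates are never checked. The following validator is an added example, not Tanium code: it applies the format rules stated in the table above and warns on wildcard entries in the two validation-bypass lists. The glob-style wildcard syntax (`*`, `*.example.com`), the sample entries and the warning wording are assumptions of this example, not documented Tanium behaviour.

```python
"""Validate the host-list settings TDownloader reads before you enter them.

Added example, not Tanium code. Encodes the rules on this page: comma-separated
FQDNs or IP addresses, IPv6 literals in square brackets, wildcards allowed.
Glob-style wildcards and the warning thresholds are this example's assumptions.
"""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# RFC 1123-style labels, optional leading "*." wildcard label, optional trailing dot.
HOSTNAME_RE = re.compile(r"^(\*\.)?([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}\.?$")

# Entries in these lists switch certificate or CRL checking off for matching hosts.
VALIDATION_BYPASS_LISTS = {"TrustedHostList", "BypassCRLCheckHostList"}


@dataclass
class HostListReport:
    setting: str
    entries: List[str] = field(default_factory=list)   # accepted, normalised
    errors: List[str] = field(default_factory=list)    # rejected: violate the format
    warnings: List[str] = field(default_factory=list)  # accepted but risky


def _normalise_entry(token: str) -> str:
    """Canonical form: bracketed, compressed IPv6; lower-cased names. Raises ValueError."""
    if token.startswith("[") and token.endswith("]"):
        return "[" + ipaddress.IPv6Address(token[1:-1]).compressed + "]"
    return token.lower()


def parse_host_list(raw: str, setting: str) -> HostListReport:
    """Split a comma-separated host list and classify every entry."""
    report = HostListReport(setting)
    for token in (t.strip() for t in raw.split(",")):
        if not token:
            continue
        if token.startswith("[") and token.endswith("]"):
            try:
                report.entries.append(_normalise_entry(token))
            except ValueError:
                report.errors.append(f"{token}: not a valid IPv6 address inside brackets")
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            addr = None
        if addr is not None:
            if addr.version == 6:
                # The page is explicit: bare IPv6 literals are not accepted.
                report.errors.append(f"{token}: IPv6 must be bracketed, e.g. [{addr.compressed}]")
            else:
                report.entries.append(str(addr))
            continue
        if token == "*" or HOSTNAME_RE.match(token):
            report.entries.append(_normalise_entry(token))
            if "*" in token and setting in VALIDATION_BYPASS_LISTS:
                report.warnings.append(
                    f"{token}: wildcard in {setting} disables checking for every matching host")
            continue
        report.errors.append(f"{token}: not an FQDN, IPv4 address or bracketed IPv6 address")
    return report


def host_in_list(report: HostListReport, host: str) -> bool:
    """True if host (name, IPv4, or IPv6 with or without brackets) matches an accepted entry."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
        needle = f"[{addr.compressed}]" if addr.version == 6 else str(addr)
    except ValueError:
        needle = host.lower()
    for entry in report.entries:
        # fnmatch treats "[...]" as a character class, so only glob entries go through it.
        if "*" in entry:
            if fnmatch.fnmatchcase(needle, entry):
                return True
        elif needle == entry:
            return True
    return False


if __name__ == "__main__":
    # Constructed input: one valid list and one with the three common mistakes.
    for raw in ("proxy.corp.example, [2001:db8::1], 10.0.0.5", "2001:db8::1, [nope], bad_host"):
        rep = parse_host_list(raw, "BypassProxyHostList")
        print(rep.entries, rep.errors)
```

Run the report for each list before committing it through the TanOS menu or the registry: any entry in `errors` is one the server cannot match as intended, and a non-empty `warnings` list on TrustedHostList or BypassCRLCheckHostList means a single glob is turning off certificate or CRL checks for a whole domain.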
Tanium Module Server
TDownloader: Module Server
Settings | Guidelines |
---|---|
BypassCRLCheckHostList | Use this setting to list servers that the Module Server can trust without checking a certificate revocation list (CRL). The Module Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). |
BypassProxyHostList | Enter a comma-separated list of FQDNs or IP addresses for the hosts that do not go through the proxy server. You do not have to enter 127.0.0.1, localhost, or the Tanium Module Server, but enter active-active Tanium Servers if necessary. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Literal values are accepted; all supported Tanium Core Platform versions also allow wildcards. |
LogVerbosityLevel | Specify one of the following decimal values for the log verbosity level: |
ProxyServer | IP address of the proxy server. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and set the TDownloader setting ForceIPV6 to 1. |
ProxyPort | Proxy server listening port. |
ProxyType | The options are Basic, NTLM, or None. |
ProxyUserid | For a proxy server that requires authentication, enter the user ID used to establish the connection with the proxy server. |
ProxyPassword | For a proxy server that requires authentication, enter the password of the ProxyUserid user used to establish the connection with the proxy server. |
TrustedCertPath | Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates. |
TrustedHostList | By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading module software updates). To bypass certificate validation for specific servers, enter their FQDN or IP address. You do not have to enter 127.0.0.1, localhost, the Tanium Module Server, or Tanium Servers (standalone or active-active). All supported Tanium Core Platform versions allow wildcards. Contact Tanium Support before modifying this setting. |
ForceIPV6 | Add this setting manually if you need it, but only with guidance from Tanium Support ([email protected]). In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1. |
Tanium Zone Server
Windows
The following table lists the Windows Registry locations for settings that you configure when installing Tanium Core Platform servers. To view or edit the settings through the CLI, see Windows: CLI. Click a link in the table to see the settings for a Tanium component.
Component | Windows Registry location |
---|---|
Tanium Server | HKLM\Software\Wow6432Node\Tanium\Tanium Server |
Tanium Module Server | HKLM\Software\Wow6432Node\Tanium\Tanium Module Server |
Tanium Zone Server and Zone Server Hub | HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer |
TDownloader | HKLM\Software\Wow6432Node\Tanium\Downloader |
Tanium Server
Name | Windows Registry Type | Data |
---|---|---|
AddressMask | REG_DWORD | Hexadecimal value of a subnet CIDR that delineates the IPv4 clients that belong to a linear chain. Do not change this registry value unless Tanium Support instructs you to do so. |
AddressPrefixIPv6 | REG_DWORD | IPv6 prefix, represented as a decimal number between 0 and 128 inclusive, that delineates the clients belonging to a linear chain. The default 0 specifies no peering. Contact Tanium Support at [email protected] to determine the optimum value for peering in IPv6 networks. Tanium Core Platform 7.3 and later. |
AllowedHubs | REG_SZ | Comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). The AllowLocalHubs key acts as an exception to this list. |
AllowLocalHubs | REG_DWORD | By default, this key is not present in the registry and the effective value is 1, which allows any Zone Server Hub on the local host to communicate with the Tanium Server regardless of the AllowedHubs setting. Add this registry key manually if you need it, but only with guidance from Tanium Support. Setting the value to 0 allows local Zone Server Hubs to communicate with the Tanium Server only if they are listed in AllowedHubs. |
BypassCRLCheckHostList | REG_SZ | Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). |
BypassProxyHostList | REG_SZ | A comma-separated list of FQDNs or IP addresses for the hosts that do not go through the proxy server. You do not have to enter 127.0.0.1, localhost, or the Tanium Module Server, but enter active-active Tanium Servers if necessary. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Literal values are accepted; all supported Tanium Core Platform versions also allow wildcards. |
ConsoleSettingsJSON | REG_SZ | Path to the Tanium Console settings file. |
DBUserDomain | REG_SZ | The domain for the service account that connects to the database server. Specified when you complete the installation wizard. |
DBUserName | REG_SZ | User name for the service account that connects to the database server. Specified when you complete the installation wizard. |
EnforceAllowedHubs | REG_DWORD | The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 allows any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting. |
LogPath | REG_SZ | Path to Tanium Server logs. |
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the logging level: |
ModuleServer | REG_SZ | FQDN of the Module Server. |
ModuleServerPort | REG_DWORD | Module Server port. The default is 17477. |
Path | REG_SZ | Installation path. |
PGDLLPath | REG_SZ | Path to the PostgreSQL Server libraries. |
PGRoot | REG_SZ | Path to the PostgreSQL installation directory. |
PKIDatabasePassword | REG_SZ | You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys. |
ProxyPassword | REG_SZ | For a Basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service. |
ProxyPort | REG_SZ | Proxy server listening port. |
ProxyType | REG_SZ | Basic or NTLM. |
ProxyServer | REG_SZ | IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, add a ForceIPV6 key with the value 1 to the Tanium Downloader registry location. |
ProxyUserid | REG_SZ | For a Basic proxy server that requires authentication, this setting is the account user name used when establishing a connection with the proxy server. The user name is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service. |
PythonPath | REG_SZ | Deprecated setting that is no longer used. |
ServerName | REG_SZ | The network adapter binding that the Tanium Server uses to listen for IPv4 client registrations. The default value 0.0.0.0 indicates binding to all network adapters. Do not change this registry value unless Tanium Support instructs you to do so. |
ServerNameIPv6 | REG_SZ | Add this registry key manually if you need it, but only with guidance from Tanium Support. By default, the key is not present and the effective value is [::], which means the Tanium Server binds to all network adapters to listen for IPv6 client registrations. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]). |
ServerPort | REG_DWORD | Tanium Server port. The server listens for Tanium Clients on this port. Specified when you complete the installation wizard. The default is 17472. |
ServerSOAPPort | REG_DWORD | Tanium Console and SOAP API port. Specified when you complete the installation wizard. The default is 443. |
SQLConnectionString | REG_SZ | Database server connection information. The following are examples: For PostgreSQL, see the PostgreSQL documentation for the supported keywords, such as dbname, port, and user. If you change this setting, you must restart the Tanium Server: see Tanium Console User Guide: Manage the Tanium Server service. |
TrustedCertPath | REG_SZ | Path to the certificate file used for secure connections to the Tanium Console port. The certificate is selected when you complete the installation wizard. |
TrustedHostList | REG_SZ | By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. You do not have to enter 127.0.0.1, localhost, the Tanium Module Server, or Tanium Servers (standalone or active-active). All supported Tanium Core Platform versions allow wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Contact Tanium Support before modifying this setting. |
Version | REG_SZ | Tanium Server version number. |
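Several rows in the Tanium Server tables above (the Appliance table's RequireIncomingEncryption, PKIDatabasePassword, TrustedHostList and SSLCipherSuite, and this Windows table's EnforceAllowedHubs, AllowLocalHubs and the clear-text ProxyPassword) describe a setting whose absence or default is the weaker state, so a support-driven review is easier with a checklist that runs over an export of the values. The audit below is an added example, not Tanium tooling: it takes a flat name-to-value mapping such as you would transcribe from the TanOS Configuration Settings menu or from the Tanium Server registry key and reports the conditions the tables call out. The sample settings are constructed, the severity labels are this example's own convention, and the CBC-suite heuristic is an assumption about cipher names, not a Tanium rule.

```python
"""Audit exported Tanium Server settings against the guidance in the tables above.

Added example, not Tanium tooling. Input is a flat name->value dict assembled from
the TanOS Configuration Settings menu or from
HKLM\\Software\\Wow6432Node\\Tanium\\Tanium Server. SAMPLE_SETTINGS is constructed;
severity labels (info/medium/high/critical) are this example's convention.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, setting name, message)

# Constructed sample: page defaults plus a Basic-auth proxy. The PKIDatabasePassword
# value is a placeholder standing in for a real protected value.
SAMPLE_SETTINGS: Dict[str, str] = {
    "ServerPort": "17472",
    "ServerSOAPPort": "443",
    "ServerName": "0.0.0.0",
    "AllowedHubs": "zshub.corp.example",
    "EnforceAllowedHubs": "1",
    "PKIDatabasePassword": "<protected>",
    "TrustedHostList": "",
    "BypassCRLCheckHostList": "",
    "ProxyType": "Basic",
    "ProxyUserid": "svc-proxy",
    "ProxyPassword": "constructed-sample-secret",
    "SSLHonorCipherOrder": "1",
    "SSLCipherSuite": (
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
        "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
    ),
}


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Return findings for settings that leave the server in a weaker-than-possible state."""
    def get(name: str) -> str:
        return settings.get(name, "").strip()

    findings: List[Finding] = []

    # Absent means the implicit default 0: non-TLS client connections are accepted.
    if get("RequireIncomingEncryption") != "1":
        findings.append(("medium", "RequireIncomingEncryption",
                         "not 1: non-TLS Tanium Client connections are accepted; "
                         "set to 1 only after every deployed client uses TLS"))

    # pki.db (root, message-signing and TLS keys) stays unencrypted until this exists.
    if not get("PKIDatabasePassword"):
        findings.append(("high", "PKIDatabasePassword",
                         "missing: pki.db and its /backups copy are not encrypted"))

    # Zone Server Hub admission control.
    if get("EnforceAllowedHubs") == "0":
        findings.append(("high", "EnforceAllowedHubs",
                         "0: any Zone Server Hub may connect regardless of AllowedHubs"))
    if get("AllowLocalHubs") != "0":
        findings.append(("info", "AllowLocalHubs",
                         "absent or 1 (default): a hub on this host bypasses AllowedHubs"))

    # Outbound certificate checks that have been switched off per host.
    for name, severity, what in (("TrustedHostList", "high", "TLS certificate validation"),
                                 ("BypassCRLCheckHostList", "medium", "CRL checking")):
        value = get(name)
        if value:
            if "*" in value:
                severity = "critical"  # a wildcard can cover every download source
            findings.append((severity, name, f"{what} bypassed for: {value}"))

    # Basic proxy auth keeps the password in clear text (REG_SZ) in the registry.
    if get("ProxyType").lower() == "basic" and get("ProxyPassword"):
        findings.append(("medium", "ProxyPassword",
                         "Basic proxy password is stored in clear text in the registry; "
                         "NTLM proxies use the service account credentials instead"))

    # Server-side cipher preference: absent means the documented default 1.
    if get("SSLHonorCipherOrder") not in ("", "1"):
        findings.append(("medium", "SSLHonorCipherOrder",
                         "not 1: the client's cipher preference overrides SSLCipherSuite order"))

    # OpenSSL cipher string: '!' tokens are exclusions; enabled suites whose names carry
    # neither GCM nor CHACHA20 are CBC-mode suites (assumption based on suite naming).
    tokens = [t for t in get("SSLCipherSuite").split(":") if t]
    if tokens:
        for required in ("!aNULL", "!eNULL", "!EXPORT", "!RC4", "!MD5"):
            if required not in tokens:
                findings.append(("high", "SSLCipherSuite", f"missing exclusion {required}"))
        enabled = [t for t in tokens if not t.startswith("!")]
        cbc = [t for t in enabled if "GCM" not in t and "CHACHA20" not in t]
        if cbc:
            findings.append(("info", "SSLCipherSuite",
                             "CBC-mode suites still enabled: " + ", ".join(cbc)))
        if enabled and enabled[0] in cbc:
            findings.append(("medium", "SSLCipherSuite", "a CBC-mode suite is preferred first"))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE_SETTINGS):
        print(f"{severity:8} {name:26} {message}")
```

On the constructed sample the audit reports the implicit RequireIncomingEncryption default, the clear-text Basic proxy password, the default AllowLocalHubs behaviour and the two CBC suites that the default SSLCipherSuite still enables behind the GCM suites; it stays silent on PKIDatabasePassword and TrustedHostList because the sample has the password set and the bypass list empty. Treat any high or critical finding as something to raise with Tanium Support before changing, since the page asks for their guidance on most of these settings.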
Tanium Module Server
The Module Server host computer has a registry entry for the Tanium Server:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server
The settings in this registry entry are for the proxy server configuration.
Name | Type | Data |
---|---|---|
BypassCRLCheckHostList | REG_SZ | Servers that the Module Server trusts without checking a certificate revocation list (CRL). The Module Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). |
BypassProxyHostList | REG_SZ | A comma-separated list of FQDNs or IP addresses for the hosts that do not go through the proxy server. You do not have to enter 127.0.0.1, localhost, or the Tanium Module Server, but enter active-active Tanium Servers if necessary. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Literal values are accepted; all supported Tanium Core Platform versions also allow wildcards. |
ProxyPassword | REG_SZ | For a Basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Module Server service. |
ProxyPort | REG_SZ | Proxy server listening port. |
ProxyType | REG_SZ | Basic or NTLM. |
ProxyServer | REG_SZ | IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, add a ForceIPV6 key with the value 1 to the Tanium Downloader registry location. |
ProxyUserid | REG_SZ | For a Basic proxy server that requires authentication, this setting is the account user name used when establishing a connection with the proxy server. The user name is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Module Server service. |
TrustedHostList | REG_SZ | By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading module software updates). To bypass certificate validation for specific servers, enter their FQDN or IP address. You do not have to enter 127.0.0.1, localhost, the Tanium Module Server, or Tanium Servers. All supported Tanium Core Platform versions allow wildcards. Contact Tanium Support before modifying this setting. |
TDownloader
The Tanium Downloader (TDownloader) entry is used for the log verbosity level and IPv6 support.
Tanium Zone Server
Last updated: 5/17/2022 2:54 PM