Authenticating content files

Tanium as a Service (TaaS) automatically imports required content. You cannot import custom content in a TaaS deployment.

Overview of content imports, exports, and authentication

The Tanium Console supports exporting and importing content, which is useful when you want to copy the content between Tanium Servers. The best practice is to develop and test custom content in your lab environment before distributing the content to the production servers in your Tanium deployment. You can export and import the content files in JSON or XML format. The best practice is to export in JSON format, but you can import JSON files only in Tanium Core Platform 7.4 or later.

In Tanium deployments with a production license, content that you import requires a digital signature by default. Signature validation helps to protect your deployment from imports of unauthorized files. A private key is used to create the signature. The Tanium Server uses the associated public key to validate the signature during the import process. You maintain the public keys of trusted signers on the Tanium Server. If none of the public keys in the Tanium Server key store can validate the signature, the server does not import the content, and the Tanium Console displays failure messages.

Figure 1: Signature validation errors

In Tanium deployments with a lab license, the Tanium Console notifies you if the file you selected to import is unsigned and lets you choose whether to proceed. However, the best practice is to not import unsigned files in any deployment.

You do not have to generate keys or signatures for content that you import as a component of Tanium solutions or Tanium content packs (see Managing Tanium solutions). Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process. For all other content, you must manually generate a public-private key pair to sign and validate the content files that you import.

Users who have the Administrator reserved role can export and import all content types. Users who have a micro admin role with the Import Signed Content permission enabled can import all content types only if the content file is signed. For other users, the ability to export and import varies by content type and role assignments. For details, see Content management permissions.

As one-time tasks before importing content, you must generate the public-private key pair and copy the public key to the Tanium Server key store. You must then use the private key to sign each new content file that you import. For the steps to import signed content files and to export content, see the task for the content type:

Create the key pair for authenticating content files

Use the KeyUtility command-line program to generate a cryptographic key pair for signing and validating content files. The Tanium Server installation process automatically adds the program and associated files to the top-level installation directory (such as D:\Program Files\Tanium\Tanium Server). You can run the program from the installation directory or copy the following files to a working directory:

  • KeyUtility.exe
  • libeay32.dll
  • ssleay32.dll

To generate the key pair, run the following command from the directory where the program files reside. The <file name> argument defines the key-file names, but you do not have to specify the suffix, which is always .pub for the public key and .pvk for the private key.

> KeyUtility.exe makekeys <file name>

The following is an example of the command and the resulting contents of a working directory:

D:\Tanium\Working>KeyUtility.exe makekeys TaniumLab

Directory of D:\Tanium\Working
09/05/2018  08:05 PM    <DIR>          .
09/05/2018  08:05 PM    <DIR>          ..
08/17/2018  03:04 AM         4,254,704 KeyUtility.exe
03/27/2018  07:03 PM         2,632,192 libeay32.dll
03/27/2018  07:03 PM           457,728 ssleay32.dll
09/05/2018  08:05 PM               158
09/05/2018  08:05 PM               241 TaniumLab.pvk
5 File(s)      7,345,023 bytes
2 Dir(s)  41,049,174,016 bytes free

Sign content files

After you create a public-private key pair for authenticating content files, use the following command to sign a file using the private key:

> KeyUtility.exe signcontent <private_key> <content_file>

The following is an example of the command:

> KeyUtility.exe signcontent TaniumLab.pvk "Example Multicolumn Sensor Windows Registry.json"

At the bottom of the content file, the KeyUtility program appends a signature that resembles the following:

<!--hash=2a8bc7529c9fcdad037982bcbfc12306aa88ac8b9d95d02248ec369008188b7c0e356ad1811609c754eb01dc97c09b9f2acb10331e2d9dbf77d309124c61950a;signature=01AF3D547A97CCBD62A022F398586DEAD4E29A30C29406283DA2E8F1E9FCF176194D66D4D9602538102F8F2FBBCFBC7AF370DB44E839C047253A246447E9A146706F00E94CD26D2CF29D8916E6EE0F21C77F0E13A6769905E5DDC09458912A94BB74C1311C9B26301DB8D8C73AC043EBC6A5A836FB6815011F1ACB37E0248A30F100B631-->
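The following Go program is an added example, not Tanium code and not what KeyUtility.exe actually runs; it models the validation flow this page describes (hash the file, check the appended trailer, try every trusted public key, reject when none validates) so that you can see what the Tanium Server is checking on import. Everything about the cryptography is an assumption: the hash is treated as SHA-512 because the sample trailer above carries 128 hex digits, Ed25519 stands in for whatever signature scheme KeyUtility uses, the signature is taken over the digest, and an in-memory map stands in for the content_public_keys\content folder. The three verdicts mirror the page: unsigned (a production license rejects, a lab license prompts), invalid (rejected in every deployment), and valid with the name of the trusted key that matched.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Verdict models the three import outcomes the page describes.
type Verdict int

const (
	Unsigned Verdict = iota // no trailer at all: lab prompts, production rejects
	Invalid                 // trailer present but hash or signature does not check out
	Valid                   // signature validated by a key in the key store
)

func (v Verdict) String() string { return [...]string{"unsigned", "invalid", "valid"}[v] }

// trailerRE matches the comment KeyUtility appends at the bottom of a content
// file: <!--hash=<hex>;signature=<hex>-->. Group 1 is the signed region.
var trailerRE = regexp.MustCompile(`(?s)^(.*?)<!--hash=([0-9A-Fa-f]+);signature=([0-9A-Fa-f]+)-->\s*$`)

// KeyStore maps a signer name (the public-key file name in the key store
// folder) to its public key. Assumed in-memory stand-in for the folder.
type KeyStore map[string]ed25519.PublicKey

// Sign is a hypothetical stand-in for "KeyUtility.exe signcontent": it hashes
// the content (plus a separating newline) with SHA-512, signs the digest with
// the private key, and appends the trailer in the documented format.
func Sign(priv ed25519.PrivateKey, content []byte) []byte {
	signed := append(append([]byte{}, content...), '\n')
	digest := sha512.Sum512(signed)
	sig := ed25519.Sign(priv, digest[:])
	trailer := fmt.Sprintf("<!--hash=%s;signature=%s-->",
		hex.EncodeToString(digest[:]), hex.EncodeToString(sig))
	return append(signed, trailer...)
}

// Verify models the server-side check: parse the trailer, recompute the hash
// over everything before it, then try each trusted public key in turn.
func Verify(store KeyStore, file []byte) (Verdict, string, error) {
	m := trailerRE.FindSubmatch(file)
	if m == nil {
		return Unsigned, "", nil
	}
	signed, hashHex, sigHex := m[1], m[2], m[3]
	wantHash, err := hex.DecodeString(string(hashHex))
	if err != nil {
		return Invalid, "", fmt.Errorf("malformed hash in trailer: %w", err)
	}
	sig, err := hex.DecodeString(string(sigHex))
	if err != nil {
		return Invalid, "", fmt.Errorf("malformed signature in trailer: %w", err)
	}
	digest := sha512.Sum512(signed)
	if !bytes.Equal(digest[:], wantHash) {
		return Invalid, "", errors.New("hash in trailer does not match file content (modified after signing?)")
	}
	for name, pub := range store {
		if ed25519.Verify(pub, digest[:], sig) {
			return Valid, name, nil
		}
	}
	return Invalid, "", errors.New("no public key in the key store validates the signature")
}

func main() {
	// Stand-in for "KeyUtility.exe makekeys TaniumLab".
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	store := KeyStore{"TaniumLab.pub": pub}
	// Constructed sample content; not a real Tanium export.
	content := []byte(`{"object_list":{"sensors":[{"name":"Example Sensor"}]}}`)
	signed := Sign(priv, content)
	for label, f := range map[string][]byte{"signed": signed, "unsigned": content} {
		v, name, err := Verify(store, f)
		fmt.Printf("%-8s -> verdict=%s signer=%q err=%v\n", label, v, name, err)
	}
}
```

Run it and the signed file reports the matching key name while the unsigned copy reports "unsigned"; editing a single byte of the signed file, or validating against a key store that does not hold the signer's public key, reports "invalid" with the reason, which is the situation behind the failure messages in Figure 1.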

Copy the public key to the key store

Before you import a content file, the Tanium Server keys folder (such as D:\Tanium\Tanium Server\content_public_keys\content) must have a copy of the public key that the server uses to validate the signature in the file. Copy the public key from the folder where you ran the key-generation command.

For information on adding the content signing key to the Tanium Server on a Tanium Appliance, see Tanium Appliance Installation Guide: Enable import of user-created content.