Managing and creating packages

Overview

A package configuration includes settings, a command, a script, and any other files needed to orchestrate an action on a managed endpoint. You can deploy a package from the Interact Question Results grid by initiating the Deploy Action workflow.

The Tanium Client service runs with the permissions of the LocalSystem or root account, so it can perform almost any command line instruction available to an Administrator logged into the endpoint. Consequently, even if logged in users do not have administrative rights, a Tanium Console user can deploy actions to the endpoint that install, update, or remove client applications as long as those applications can be:

  • Installed from a command line using the permissions of the LocalSystem account (Windows) or root (non-Windows).
  • Configured to suppress any interaction with an end-user logged into a target endpoint at installation time.
  • Dynamically customized at installation, if needed, through options, switches, or input files passed to the application installer.

If the required executables, scripts, and configuration files do not natively have these characteristics, you might be able to use a commercial software packaging tool such as InstallShield or an open-sourced application like Nullsoft Scriptable Install System to create a new version of the installer.

You can use the Tanium Core Platform to track the count of installed applications, as well as whether those applications are being used. Therefore, before installing new software or upgrading versions of existing software, verify that your organization owns the required number of licenses or meets the Acceptable-Use criteria to centrally distribute and install the commercial or open-sourced software to endpoints within your organization.

User role requirements

To create, modify, or delete package configurations, your user account requires a role with the Write Package permission. Users with the Administrator or Content Administrator reserved roles have this permission.

Edit a package

As a best practice, do not edit predefined packages that are provided through content packs imported from Tanium (for details, see Tip 4: Limit customizations to Tanium content). Consult your Technical Account Manager (TAM) if editing the Tanium-provided packages is necessary. Alternatively, you can clone Tanium-provided packages (see Clone a package) and edit the copies. You can also edit custom packages that you created from scratch. To edit a package:

  1. Go to Content > Packages.
  2. Use the search and column sorting features to find the package you want to edit.
  3. Select the package row, click Edit, and complete the configuration as described in Table 1.
  4. Save your changes.

Re-download package files

  1. Go to Content > Packages.
  2. Use the search and column sorting features to find the package you want to edit.
  3. Select the package row and click Status.

    A pop-up displays the status.

  4. Review the status and, if applicable, click re-download.

Tip: You can also re-download package files from the Action Status page, which you can open from the Actions > Action History page.

Clone a package

Cloning is useful when you need to:

  • Create a modified version of a predefined package from a Tanium content pack. As a best practice, do not modify the original Tanium package.
  • Create a new package with settings that differ only slightly from an existing package; this is often easier than creating a new package from scratch.

To clone a package:

  1. Go to Content > Packages.
  2. Use the search and column sorting features to find the package that you want to clone.
  3. Select the package row, click Clone, and configure the settings as described in Table 1.
  4. Save your changes.

Create a package

  1. Go to Content > Package.
  2. Click New Package and complete the configuration as described in Table 1.
  3. Save the configuration.
Table 1:   Package configuration guidelines
Settings Guidelines
Package Name Configuration name to identify the package.
Display Name This name appears in the Packages page, the Deploy Action page, and the Browse Packages dialog box (opened from the Deploy Actions page).
Content Set Assign to a content set. The list is populated with all content sets for which you have Write Package permission.
Command Specify the command to run on the endpoint.

Optionally, use the Add sensor variable link to insert a reference to a sensor. When the command runs, the value that the sensor returns is substituted for the variable. One example where a sensor-sourced command is useful is when you want to kill a process currently running on an endpoint. The Running Processes sensor returns a list of all the processes running on each endpoint. You can deploy a package directly from a question that uses the Running Processes sensor to then kill one of the identified processes.

Command Timeout / Download Timeout The formula for estimating an action timeout is Command Timeout + Download Timeout. If the action does not finish by the timeout, it must be reissued.
Ignore action lock Enable endpoints to execute actions that include this package regardless of whether the action lock is on for those endpoints. Use this option in packages that promote hygiene. For details, see Using action lock content.
Launch this package in a process group (Requires Tanium Core Platform servers and Tanium Clients to run version 7.2 or later.) Run the package command in a process group. When the command completes or times out, the process group and any remaining descendant processes are killed.

By default, you cannot configure this setting. To make it configurable, go to Administration > Global Settings and set allow_process_group_flag_edit to 1. When you create a new package through the Tanium Console, the setting is enabled by default. However, to enable the setting in an imported package, you must set the <process_group_flag> to 1 in the XML before importing, or configure allow_process_group_flag_edit in the Tanium Console after importing.

Files Select files for the package using the following controls to upload or download the files:
  • Local File

    Browse and select a file from your local host computer. When you upload it, a SHA-256 hash is generated.

  • Remote File

    Specify the URL, its SHA-256 hash (optional), and a Check for update option.

All the files related to packaging are stored in a subdirectory of the Tanium Server directory.

Parameter Inputs (Parameterized packages only) Click + and Add Parameter to configure a parameter. Options include:
  • Checkbox—User enables a setting by checking a box. 0 or 1 is entered into the variable. Returns 1 if checked and 0 if not checked.
  • Date, Date Time, Date Time Range—User selects a date and time or a range. The date time format is epoch with milliseconds. For a range, the user specifies two date times separated by a pipe.
  • Drop Down List—User selects only one option from a list.
  • List—User selects one or more values. Multiple values are separated by a pipe.
  • Numeric—User enters a number. The input can be controlled with minimum and maximums. You can specify a Step Size to require that the input be divisible by the specified value. Snap Interval is the amount that a number is increased or decreased by pressing the up or down button respectively. The value for Step Size should be a multiple of the value for Snap Interval unless Snap Interval is 0. The user-selected number is entered into the variable.
  • Numeric Interval—User selects a number and an item from a list. The list item has a numeric value. The value entered into the variable is the result of the multiplication. For example, if a user selects 2 and selects High (with high having a value of 3), the value is 6 in the variable.
  • Plugin—Not intended for use by most users. Contact your TAM for additional information about its use.
  • Separator—A separator is a graphical way to separate sections in the user input form.
  • Text Area—User enters a large amount of text. The text is entered into the variable.
  • Text Input—User enters text input. Allowed entries can be controlled with regular expressions. The user input is entered into the variable.
  • Time—User selects a time from a drop-down list. The input can be subject to restrictions.
Verification Query
  1. Click Add.
  2. Use the Filter Bar or Filter Builder to build the filter part of a question that will return machines that have successfully performed the action.
  3. Specify a verification failure timeout. The clock begins with the start of the action. If the action is not verified within the timeout period, the Tanium Client reports the action status as failed.

After you configure a Verification Query and run the action, the Action Status page shows an additional progress bar and Client Status Details show the machines for which the action is verified.

The Verification Query configuration uses a preview question. You must have the Read Sensor permission on the Reserved content set to ask the question, and therefore you also require that permission to add a Verification Query.


Import/export a package configuration

As a best practice, develop and test content in your lab environment before distributing it to your production servers. The console import/export XML feature supports this practice.

User role requirements

Users can export specific packages for which they have Write Package permission. Users with the Administrator or Content Administrator reserved role can export and import the complete packages configuration.

Export specific packages

  1. Go to Content > Packages.
  2. Select one or more packages and click Export in the toolbar above the table header.
  3. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Export the complete packages configuration

  1. Go to Content > Packages and click Export All in the table header.

    Alternatively, or if you want to export other configuration objects in addition to packages, go to any Content or Permissions page, click Export to XML in the top right of the Tanium Console, select Packages and any other object types, and click Export.

  2. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Import a packages configuration

  1. Use KeyUtility.exe to sign the XML configuration file before you import it. As a one-time action, you must also copy the associated public key to the correct folder. For the procedures, see Signing content XML files.
  2. From any Content or Permissions page, click Import from XML at the top right of the Tanium Console.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices or consult your TAM.
  6. Click Import again, and click Close when the import finishes.

Last updated: 3/15/2019 3:19 PM | Feedback