The Tanium Solutions page has two sections: Tanium Modules and Tanium Content.
You must be assigned the Administrator reserved role to import a Tanium™ solution module or content pack.
Tanium modules include content and workbenches that facilitate many operational and security use cases.
Go to the Tanium Solutions page to import or upgrade modules. The tile for each module shows the currently Installed version, if any, and an action button that varies by module status.
|Import||You have purchased this module, but have not yet installed it. The Import button displays the latest version you can import.|
|Reimport||The latest version of the module is installed, but you can reimport it if necessary.|
|Upgrade to <version>||A new version of the module is available, and you can upgrade.|
|Available for Purchase||Contact your Tanium technical account manager (TAM) to purchase this module.|
When you click Import, Reimport, or Upgrade to <version>, the Tanium Console prompts you to resolve any conflicts before proceeding. For details, see Resolve conflicts when importing updates or configurations. After you import a module, the Tanium Console displays it in the Main menu.
When you install a solution module, the solution workbench configuration is written to files that reside on the host computer. In a high availability (HA) deployment, you must import the solution on all Tanium Servers in the HA cluster for the solution workbench to be available in all Tanium Console instances. However, solution content, such as saved questions and packages, is written to the shared database, so it is available to all Tanium Console instances after you import the content on one Tanium Server.
Tanium content is a set of configuration objects that Tanium develops and distributes for a particular purpose. For example, Tanium Initial Content includes the key configuration objects found on the Categories, Dashboards, Saved Questions, Sensors, Packages, and Scheduled Actions pages. Tanium publishes two classes of content:
The essential set of configuration objects you use to query endpoints and take actions.
An experimental set of configuration objects that, as a best practice, you test and qualify for your deployment in a lab environment before importing it into production.
The Tanium Console downloads a manifest of available Tanium Content packs from content.tanium.com. This manifest populates the Supported Solutions table on the Tanium Solutions page. If a lab license was specified during installation, an additional Labs table lists labs content.
The content packs named Initial Content
To import Tanium Content:
- Go to Tanium Solutions.
- Scroll down past the Tanium Modules section to the Tanium Content section.
- Select the row for the content you want to import.
- Click Import Solution.
The Tanium Console prompts you to resolve any conflicts before proceeding. For details, see Resolve conflicts when importing updates or configurations.
Tanium might provide periodic updates to the console UI module. The Tanium Console checks content.tanium.com for updates and, if one is available, displays a message under the console header that indicates Upgrade Available: Common UI Components. The message also indicates the currently Installed UI version. Click the adjacent Upgrade button, which displays the update version, to install the update. You do not need to restart the Tanium Server or your browser session to initialize updates. As a best practice, always accept the updates.
When you import updates to Tanium solution modules and content packs, or import an XML file that contains content, conflicts might occur with existing content. To display and resolve the conflicts:
- Start the import, reimport, or upgrade workflow for one of the following:
- Module: See Import Tanium modules.
- Content pack: See Import Tanium content packs.
- XML configuration file: First, use KeyUtility.exe to sign the XML file before you import it, and copy the associated public key to the correct folder (see Signing content XML files). Then go to any Content or Permissions page and click Import from XML in the top right of the Tanium Console.
A dialog box itemizes any conflicts.
- Select an Import Option to resolve each conflict:
- Overwrite: Replaces existing content with the imported content.
- Skip: Skips the import for that item.
- (Categories only) Merge: Unites objects included in the categories. As a best practice, select Merge and then go to categories to review the resulting configuration.
- (Saved actions only) Overwrite and Disable Action: This option is useful if you want the new action disabled by default. You can go to the Actions > Scheduled Actions page, review the action, and enable it when you are prepared to test it.
The solution or content XML file might include content set definitions. When you first establish your Tanium Core Platform 7.1 content sets, selecting Include content set overwrite is a best practice to ensure that content is assigned to the content sets that the content pack designer developed. After you implement your own role-based access control (RBAC) plan and move content to the content sets that you plan to use, do not select this option; otherwise, the assignments defined in the imported XML file will overwrite your content set assignment.
- Click Import to proceed after selecting all the conflict resolution options.
- Click Close when the dialog box indicates the Import completed successfully.
The following tips can inform your decisions regarding conflicts when you import content.
Tip 1: Read the release notes
Always read the release notes for every version that was release since your last update. The release notes alert your to the scope of changes and may include notes that can help you avoid issues.
Release notes also indicate the release date, which is important if you plan to import multiple content packs. Different content packs might include updates to the same basic sensors or packages. In this case, it is best to install the older content packs before the newer ones.
Tip 2: Confirm you have good restore points
Before you update a Tanium solution module or content pack, confirm you have a recent restore points you can use in case something goes wrong.
The configuration objects for content are stored in the tanium database. You should schedule regular database backups.
The Tanium Server and Tanium Module Server installation directories include important files, such as encryption keys, a license file, string files, and other data files. You should schedule regular file system backups.
Before you import content, make sure you have backups you can use.
Tip 3: Update your lab deployment first
Always update your lab servers first and evaluate the impact changes might have on endpoints before updating your production servers.
During your lab phase:
- Assess the impact on network utilization when the content gets distributed to endpoints. Depending on the type of content, an update can result in additional network traffic. In most cases, this is negligible.
- Test the functionality. If the content update includes sensors, saved questions, dashboards, or categories, test by issuing questions and reviewing results. If it includes packages, deploy them. If it includes saved actions, be sure to edit the configuration to assign them to a proper action group.
After you have qualified the update, import the updates on the production server and spot-test the behavior of new or changed content.
When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, overwriting is preferable to maintaining the current configuration because the updates include important changes that optimize performance, avoid issues, and make the tools more useful.
Limit customizations to Tanium content so that updates are minimally disruptive. Maintain notes of any changes you make. For example, keep a log of any changes to a sensor Max Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects that you clone as a source for your custom objects
Tip 5: Re-create saved questions and scheduled actions that are based on parameterized objects
When an import overwrites a parameterized sensor or parameterized package, it does not affect previously created saved questions or scheduled actions that reference them.
When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temp sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.
Likewise, when a scheduled action is based on a parameterized package, the package definition, including the substituted values, is saved in an object called a temp package. On the endpoint, the Tanium Client runs the temp package when it has a directive to run the scheduled action that calls it. A scheduled action continues to use the temp package even if the package from which it was based is updated. Therefore, if a package is updated, and you want the scheduled action to use the updated code, you must re-create the scheduled action.
Tip 6: Do not do bulk overwrites to Tanium content
Do not simply export the current configuration and then re-import it after the content upgrade is finished. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content pack includes a scheduled action to distribute patch tools when the patch tools version, reported by the Has Patch Tools sensor, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than expected by the Has Patch Tools sensor, the patch tools will continuously be distributed until the Has Patch Tools sensor is using the correct version.
Last updated: 4/23/2019 11:23 AM | Feedback