The Tanium Solutions page has two sections: Tanium Modules and Tanium Content.
You must be assigned the Administrator reserved role to import a Tanium™ solution module or content pack.
Tanium modules include content and workbenches that facilitate many operational and security use cases.
The following figure shows the Tanium Modules section.
The box for each module shows the current version installed along with its status.
|Import||You have purchased this module; you need to install it.|
|Reimport||Module is installed, but you can reimport it if necessary.|
|Upgrade to x.x.x.x||A new version of this module is available, and you can upgrade.|
|Available for Purchase||Contact your Tanium technical account manager (TAM) to purchase this module.|
After you import a module, the Tanium Console displays it in the Main menu. The following figure shows Tanium™ Connect added to the Main menu.
When you install a solution module, the solution workbench configuration is written to files that reside on the host computer. In an HA deployment, you must import the solution on both nodes for the solution workbench to be available in both Tanium Console instances. Solution content, such as saved questions and packages, however, is written to the shared database, so it is available to both instances at once.
In Tanium, content is a set of configuration objects that have been developed and distributed for a particular purpose. For example, Tanium Initial Content includes the key configuration objects found on the Categories, Dashboards, Saved Questions, Sensors, Packages, and Scheduled Actions pages.
Tanium Content is authored by Tanium. Tanium publishes two classes of content:
The essential set of configuration objects you use to query endpoints and take actions.
An experimental set of configuration objects that you should test and qualify for your deployment in a lab environment before importing it into production.
The Tanium Console downloads a manifest of available Tanium Content packs from content.tanium.com. This manifest populates the Tanium Content table on the Tanium Solutions page. If a lab license was specified during installation, an additional table appears, listing Labs Content.
The content packs named Initial Content
To import Tanium Content:
- Go to Tanium Solutions.
- Scroll down past the Tanium Modules section to the Tanium Content section.
- Select the row for the content you want to import.
- Click Import Solution.
Tanium might provide periodic updates to the console UI module. The Tanium Console checks content.tanium.com for updates and prompts you to install them. It is not necessary to restart the Tanium Server or your browser session to initialize updates. As a best practice, always accept the updates.
When you import updates to Tanium solution modules or content packs, or import an XML file that contains content, the Tanium Console shows any conflicts. In general, select Overwrite. You can select Skip if you have made customizations you want to preserve.
The solution or content XML file might include content set definitions. When you first set up your 7.1 content sets, selecting the Include content set overwrite option is a best practice to ensure that content is assigned to the content sets that the content pack designer developed. After you implement your own RBAC plan and move content to the content sets that you plan to use, do not select this option; otherwise, the assignments defined in the imported XML file will overwrite your content set assignment.
For categories only, the dialog box includes a Merge option. The result is the union of objects included in the categories. We recommend that you select Merge and then go to categories to review the resulting configuration.
For saved actions only, the dialog box includes an Overwrite and Disable Action option. This option is useful if you want the new action disabled by default. You can go to the Scheduled Action page, review the action, and enable it when you are prepared to test it.
The following tips can inform your decisions regarding conflicts when you import content.
Tip 1: Read the release notes
Always read the release notes for every version that was release since your last update. The release notes alert your to the scope of changes and may include notes that can help you avoid issues.
Release notes also indicate the release date, which is important if you plan to import multiple content packs. Different content packs might include updates to the same basic sensors or packages. In this case, it is best to install the older content packs before the newer ones.
Tip 2: Confirm you have good restore points
Before you update a Tanium solution module or content pack, confirm you have a recent restore points you can use in case something goes wrong.
The configuration objects for content are stored in the tanium database. You should schedule regular database backups.
The Tanium Server and Tanium Module Server installation directories include important files, such as encryption keys, a license file, string files, and other data files. You should schedule regular file system backups.
Before you import content, make sure you have backups you can use.
Tip 3: Update your lab deployment first
Always update your lab servers first and evaluate the impact changes might have on endpoints before updating your production servers.
During your lab phase:
- Assess the impact on network utilization when the content gets distributed to endpoints. Depending on the type of content, an update can result in additional network traffic. In most cases, this is negligible.
- Test the functionality. If the content update includes sensors, saved questions, dashboards, or categories, test by issuing questions and reviewing results. If it includes packages, deploy them. If it includes saved actions, be sure to edit the configuration to assign them to a proper action group.
After you have qualified the update, import the updates on the production server and spot-test the behavior of new or changed content.
Tip 4: Limit customizations to Tanium content
When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, overwriting is preferable to maintaining the current configuration because the updates include important changes that optimize performance, avoid issues, and make the tools more useful.
Limit customizations to Tanium content so that updates are minimally disruptive. Maintain notes of any changes you make. For example, keep a log of any changes to a sensor Max Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects that you clone as a source for your custom objects. When a content pack update becomes available, the best practice is to import it and then redo the customizations that the import overwrote.
Tip 5: Re-create saved questions and scheduled actions that are based on parameterized objects
When an import overwrites a parameterized sensor or parameterized package, it does not affect previously created saved questions or scheduled actions that reference them.
When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temp sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.
Likewise, when a scheduled action is based on a parameterized package, the package definition, including the substituted values, is saved in an object called a temp package. On the endpoint, the Tanium Client runs the temp package when it has a directive to run the scheduled action that calls it. A scheduled action continues to use the temp package even if the package from which it was based is updated. Therefore, if a package is updated, and you want the scheduled action to use the updated code, you must re-create the scheduled action.
Tip 6: Do not do bulk overwrites to Tanium content
Do not simply export the current configuration and then re-import it after the content upgrade is finished. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content pack includes a scheduled action to distribute patch tools when the patch tools version, reported by the Has Patch Tools sensor, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than expected by the Has Patch Tools sensor, the patch tools will continuously be distributed until the Has Patch Tools sensor is using the correct version.
Last updated: 10/22/2018 2:37 PM | Feedback