Configuring Patch

If you did not install Reputation with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the module action group to target the No Computers filter group by enabling restricted targeting before importing the module. This option lets you control tools deployment through the scheduled actions that are created during the import and that target the module action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only that subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Patch with automatic configuration, the following default settings are configured:

Setting: Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

Setting: Service account
  The service account is set to the account that you used to import the module.
  Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Setting: Platform settings
  The following platform settings are configured for optimal delivery of larger payloads:
  • ClientCacheLimitInMB = 2048
  • HotCachePercentage = 80

Setting: Patch scans
  • Tanium Scan for Windows is configured and synchronized.
  • Default scan configurations are created for each operating system and enforced by the recommended computer group.

Setting: Patch lists
  • A [Patch Baseline Deployment] - Windows default baseline deployment patch list is created for Windows endpoints.
  • Default reporting patch lists are created for each supported operating system.

Setting: Patch block lists
  • The [Global Block List] - Windows block list is created and targets the All Windows computer group. This block list excludes Security Only patches on Windows systems.
  • Default block lists are created for each supported operating system, but are not targeted.

Setting: Patch deployment templates
  • Default deployment templates are created for each supported operating system.

Setting: Patch maintenance windows
  • A [Patch Tuesday] - Windows default maintenance window is created for Patch Tuesday and is not enforced on any computer groups.
  • Default maintenance windows are created for each supported operating system; they block patch installations and reboots unless another maintenance window is enabled. These maintenance windows are not enforced on any computer groups.

Setting: Patch configurations

Configure platform settings

You can configure the Tanium Core Platform for optimal delivery of larger payloads, which are typically associated with patching activity.

  1. From the Main menu, go to Administration > Configuration > Platform Settings.
  2. To increase the client cache size, click New Setting, provide the following information, and click Save.
    Setting Type: Client
    Platform Setting Name: ClientCacheLimitInMB
    Value Type: Numeric
    Value: 2048
  3. To increase the hot cache percentage, click New Setting, provide the following information, and click Save.
    Setting Type: Client
    Platform Setting Name: HotCachePercentage
    Value Type: Numeric
    Value: 80

Changes to platform settings can take two to six hours (the randomized client-reset interval) to propagate to clients.

Install and configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Reputation, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Creating, updating, or deleting patch lists
  • Adding or removing enforcements
  • Removing all enforcements
  • Updating scan configuration priorities
  • Creating deployments
  • Stopping deployments
  • Adding targets to deployments
  • User-initiated actions, such as initializing endpoints, uploading custom field files, enabling Linux

Configure Reputation

Configure service account

The service account is a user that runs several background processes for Reputation. This user requires the following roles and access:

  • Tanium Administrator or Reputation Service Account role
  • (Optional) Connect User role to send Reputation data to Tanium Connect
  • If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

For more information about Reputation permissions, see User role requirements.

If you imported Reputation with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. On the Reputation Overview page, click Settings and then click Service Account if needed.
  2. Provide a user name and password, and then click Save.

Organize computer groups

One way to apply patches and view deployment results is by computer group. Create relevant computer groups to organize your endpoints. Some options include:

  • Endpoint type, such as servers or employee workstations
  • Endpoint location, such as by country or time zone
  • Endpoint priority, such as business-critical machines
  • Endpoint configuration needs, such as VDI machines

For more information, see Tanium Core Platform User Guide: Managing computer groups.

Organize computer groups by operating system generation for useful visibility and scan configuration targeting.

Computer group, filter, and purpose (groups marked (1) are created by default; see the note after the table)

All Windows (1)
  Filter: Is Windows equals True
  Purpose: Visibility, Scan configuration targeting
All Windows Servers (1)
  Filter: Windows OS Type equals Windows Server
  Purpose: Visibility, Scan configuration targeting
All Windows Servers - Physical
  Filter: Windows OS Type contains windows and Is Virtual equals no
  Purpose: Scan configuration targeting
All Windows Servers - Virtual
  Filter: Windows OS Type contains windows and Is Virtual equals yes
  Purpose: Scan configuration targeting
All Windows Workstations
  Filter: Windows OS Type equals Windows Workstation
  Purpose: Scan configuration targeting
All Windows Workstations - Physical
  Filter: Windows OS Type contains windows workstation and Is Virtual equals no
  Purpose: Scan configuration targeting
All Windows Workstations - Virtual
  Filter: Windows OS Type contains windows workstation and Is Virtual equals yes
  Purpose: Scan configuration targeting
All CentOS 6 (1)
  Filter: Operating System Generation equals CentOS 6
  Purpose: Visibility, Scan configuration targeting
All CentOS 7 (1)
  Filter: Operating System Generation equals CentOS 7
  Purpose: Visibility, Scan configuration targeting
All CentOS 8 (1)
  Filter: Operating System Generation equals CentOS 8
  Purpose: Visibility, Scan configuration targeting
All Red Hat 6 (1)
  Filter: Operating System Generation equals Red Hat Enterprise Linux 6
  Purpose: Visibility, Scan configuration targeting
All Red Hat 7 (1)
  Filter: Operating System Generation equals Red Hat Enterprise Linux 7
  Purpose: Visibility, Scan configuration targeting
All Red Hat 8 (1)
  Filter: Operating System Generation equals Red Hat Enterprise Linux 8
  Purpose: Visibility, Scan configuration targeting
All Oracle 6 (1)
  Filter: Operating System Generation equals Oracle Linux Server 6
  Purpose: Visibility, Scan configuration targeting
All Oracle 7 (1)
  Filter: Operating System Generation equals Oracle Linux Server 7
  Purpose: Visibility, Scan configuration targeting
All Oracle 8 (1)
  Filter: Operating System Generation equals Oracle Linux Server 8
  Purpose: Visibility, Scan configuration targeting
All Amazon (1)
  Filter: Operating System Generation equals Amazon Linux
  Purpose: Visibility, Scan configuration targeting
All Amazon Linux 1
  Filter: Operating System Generation equals Amazon Linux 1
  Purpose: Visibility, Scan configuration targeting
All Amazon Linux 2
  Filter: Operating System Generation equals Amazon Linux 2
  Purpose: Visibility, Scan configuration targeting
All SUSE (1)
  Filter: Operating System contains SUSE
  Purpose: Visibility, Scan configuration targeting
All SLES 11 (1)
  Filter: Operating System Generation contains SUSE Linux Enterprise Server 11
  Purpose: Visibility, Scan configuration targeting
All SLES 12 (1)
  Filter: Operating System Generation contains SUSE Linux Enterprise Server 12
  Purpose: Visibility, Scan configuration targeting
All SLES 15 (1)
  Filter: Operating System Generation contains SUSE Linux Enterprise Server 15
  Purpose: Visibility, Scan configuration targeting
Tanium Scan Supported Windows
  Filter: Windows OS Major Version > 6.0 and Tanium Client Version >= 7.2.314.3211
  Purpose: Visibility, Scan configuration targeting
All Supported Linux (1)
  Filter: Operating System Generation matches "(Amazon Linux(1|2)|(Oracle Linux Server (6|7))|(Red Hat Enterprise Linux.*(6|7))|(CentOS (6|7))"
  Purpose: Visibility, Scan configuration targeting
Patch Supported Systems (1)
  Filter: Patch - Supported Scan Types matches ".*(Repo|Tanium|CAB|Online).*"
  Purpose: Visibility, Patch action group

(1) Patch creates this computer group by default if you select the Apply Tanium recommended configurations option during installation on Tanium Core Platform 7.4.2 or later.

Add computer groups to Patch action group

Importing the Patch module automatically creates an action group that determines which endpoints receive Patch actions. Select the computer groups to include in the Patch action group. If you enabled restricted targeting before importing the module, the action group targets No Computers until you change it.

Deselect No Computers and ensure that every operating system that Patch supports is included in the Patch action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Patch.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Reputation users

You can use the following set of predefined user roles to set up Reputation users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Reputation Administrator

Assign the Reputation Administrator role to users who manage the configuration and deployment of Reputation functionality to endpoints.
This role can perform the following tasks:

  • Configure Reputation service settings.
  • View and modify Reputation configurations.
  • Dismiss or reject approvals for Reputation tasks in Tanium Endpoint Configuration.

Reputation Operator

Assign the Reputation Operator role to users who manage the configuration and deployment of Reputation functionality to endpoints.
This role can perform the following tasks:

  • Configure Reputation service settings.
  • View and modify Reputation configurations.
  • Dismiss or reject approvals for Reputation tasks in Tanium Endpoint Configuration.

Reputation Read Only User

Assign the Reputation Read Only User role to users who need visibility into Reputation data.
This role can perform the following tasks:

  • View Reputation service settings, alerts, and intel documents.
  • Review quick scans.
  • View connections to remote endpoints.
  • View configurations and profiles.

Reputation Service Account

Assign the Reputation Service Account role to the account that configures system settings for Reputation.
This role can perform several background processes for Reputation.

Initialize Reputation endpoints

Patch installs a set of tools on each endpoint that you have targeted. Initializing or reinitializing Patch is a common troubleshooting step.

  1. On the Reputation Overview page, click Help and then click Support if needed.
  2. Click Initialize Endpoints to start the Patch service and begin distributing these tools to your endpoints.