Tanium Appliance Installation Guide

Tanium Appliance Installation Guide Version 1.0.0 September 25, 2017

The information in this document is subject to change without notice. Further, the information provided in this document is provided as is and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium's customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages.

Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Please visit https://docs.tanium.com for the most current Tanium product documentation.

Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners.

2017 Tanium Inc. All rights reserved.

Table of contents

Overview
  Topology
Prerequisites
  License
  SSL certificates
  Network connectivity and firewall
  Internet access (direct or by proxy)
Getting started
Configuring network, host, and user settings
  Configure temporary bootstrap network settings
  Before you begin
  Configure the temporary settings
  Configure network and host settings
  Before you begin
  Configure the network and host settings
  Configure user access
  Before you begin
  Change the default passwords
  Add SSH keys for the tancopy account
Installing a Tanium All-in-One role
  Before you begin
  Install the Tanium Server All-in-One role
  Next steps
Installing Tanium Server
  Before you begin
  Install Tanium Server
  Next steps
Installing Tanium Module Server
  Before you begin
  Add required SSH keys
  Install the Tanium Module Server
  Configure the Tanium Server to use the remote Module Server
  Enable the remote Module Server
  Next steps
Installing Tanium Zone Server
  Overview
  Before you begin
  Install the Tanium Zone Server
  Install the Zone Server
  Import the Tanium Server public key file to the Zone Server
  Install the Zone Server hub
  Edit the Zone Server List
  Next steps
Installing the license file
  Before you begin
  Upload the license file
  Install the license
  Next steps
Verifying the deployment
  Log into the Tanium Console
  Deploy the Tanium Client to your lab computers
  Before you begin
  Install the Tanium Client Deployment Tool
  Deploy the Tanium Client
  Verify the basic deployment
  Verify the Zone Server deployment
Installing Tanium Server in an active-active cluster
  Overview
  HA cluster requirements and limitations
  Before you begin
  Add required SSH keys
  Set up the IPsec tunnel
  Deploy the HA cluster
  Verify the installation
Upgrading Tanium server software
  Before you begin
  Upgrade Tanium server software
Troubleshooting the installation
  Run the Health Check
  Restart services or networking
  Restart services
  Restart networking
  Review logs
  Review the configuration
  Run Tanium Support Gatherer
  Examine OS processes and files
  Perform a software reset
Managing user access
  Change TanOS user passwords
  Change the tanadmin password
  Reset the tanuser password
  Reset the tanfactory password
  Manage SSH keys
  Before you begin
  Generate keys
  Add authorized keys
  Display public keys
  Configure the local authentication service
  Add a local user
  Set a user password
  Delete a user
  Disable the local authentication service
Configuring syslog
Configuring SNMP
Reference: Certificate and key files
  Before you begin
  Install a CA certificate file
  Upload the CA certificate file
  Install the SOAP certificate file
  Manage content signing keys
  Download the content signing key utility
  Download the Tanium Server public key file
  Import the Tanium public/private key pair
  Upload the public and private key files
  Replace the public and private keys
Reference: Tanium Service Control menu
Reference: Server configuration files
  TaniumServer.ini reference
  TaniumModuleServer.ini reference
  TaniumZoneServer.ini reference
Reference: Appliance Maintenance menu
  Back up and restore
  Back up
  Restore
  Perform a software reset
  Upgrade the TanOS shell
  Clean SFTP and cores directories
  Reboot or shut down
  Reboot
  Shut down
Reference: Appliance configuration
  Modify the hostname and DNS configuration
  Modify the IPv4 address configuration
  Modify the NTP configuration
  Modify the time zone configuration
  Change from a static IP address to DHCP (VM-only)
Reference: File share mounts
Reference: Appliance security
  Enable/disable factory reset
  Manage the SSH trusted host list
Reference: Diagnostic menus
  Use the Tanium Support menu
  Use the Status menus
  Display system status
  Display Tanium status
  Display appliance status
Reference: Tanium Appliance specifications
  Tanium Server Appliance (small)
  Tanium Server Appliance (medium)
  Tanium Server Appliance (large)
  Tanium Server Appliance (extra large)
  Tanium Module Server Appliance (small, medium, large)
  Tanium Module Server Appliance (extra large)
Change log

Overview

You can deploy a Tanium Appliance in any of the following Appliance roles:

Tanium Server
The core server that communicates with clients. The Tanium Server also runs the UI console and API services and communicates with all other platform and solution components, as well as the content.tanium.com servers that host Tanium content packs and Tanium solution module import packages. The Tanium Server depends on a database server that is installed when the Tanium Server Role is installed.

Tanium Module Server
A dedicated server to run application services and store files for Tanium solution modules. It is installed on a separate appliance to prevent intentional or accidental scripts from having a direct impact on the Tanium Server.

All-in-One
Tanium Server, Tanium Module Server, and database server on the same appliance. An All-in-One deployment is supported only for proof-of-concept (POC) deployments.

Tanium Zone Server
A server typically deployed in an enterprise DMZ network to proxy traffic between Tanium Clients that reside on limited-access networks and a Tanium Server that resides on the trusted core network.

Topology

In an enterprise production deployment, the Tanium Server and Tanium Module Server reside on separate Tanium Appliances.

Figure 1: Enterprise production or enterprise lab deployment

Prerequisites

This topic summarizes prerequisites to Tanium Appliance installation.

License

A license is bound to the hostname(s) that you assign to the Tanium Server(s). For HA deployments, both hostnames are used in the license data. Let your technical account manager (TAM) know if the hostnames provisioned for the Tanium Server(s) are changed.

SSL certificates

The connections to the Tanium Console or SOAP and REST APIs, the connections between Tanium Server and Tanium Module Server, and connections to the Module Server are secured with SSL/TLS certificate and key exchanges. The installation process uses self-signed certificates. We recommend that you verify the installation with the self-signed certificates before you replace them with your commercial or enterprise CA certificates. Doing this facilitates troubleshooting by separating potential installation issues and SSL issues. For more information on SSL certificate requirements, see the Tanium Core Platform Installation Guide.

Network connectivity and firewall

Tanium components use TCP/IP to communicate over IPv4 networks. IPv6 is not supported. You must work with your network administrator to ensure that the Tanium components are provisioned IP addresses and that DNS can be used to resolve hostnames.

The following table summarizes the Tanium processes and default values for ports used in Tanium core platform communication. Network firewalls might need to be configured to allow the specified processes to send/receive TCP via the ports listed. For a detailed explanation, see the Tanium Core Platform Installation Guide.

Table 1: Network communication ports used by Tanium components

Components | Processes | Inbound Port | Destination Port
Tanium Server | taniumserver | 443, 8443, 17472 | 80, 443, 17477
Tanium Module Server | taniummoduleserver | 17477 | 80, 443, 8443
Tanium Zone Server | taniumzoneserver | 17472 | -
Tanium Zone Server Hub | taniumzoneserver | - | 17472
Tanium Client | TaniumClient.exe, TaniumClient, taniumclient | 17472 | 17472
Tanium Client Deployment Tool (CDT) | TaniumClientDeploy.exe | - | 22, 135, 445
Unmanaged Asset | CDT platform-specific methods (during deployment only) | 22, 135, 445 | -

In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.

Table 2: Appliance network service ports

Services | Inbound port | Destination port
DNS | - | 53/tcp, 53/udp
ESP (HA cluster) | 50/ip | 50/ip
IKE (HA cluster) | 500/udp, 4500/udp | 500/udp, 4500/udp
LDAP (optional) | - | 389/tcp, 636/tcp
NTP | - | 123/udp
SSH, SCP, SFTP | 22/tcp | 22/tcp
SNMP (optional) | 161/tcp | -
syslog (optional) | - | 514/udp

Internet access (direct or by proxy)

During both installation and ongoing operations, the Tanium Server must be able to connect to https://content.tanium.com to import updates to Tanium core components and modules. The Tanium Server may need to connect to additional locations, based on the components you import. The following table lists URLs that are accessed by Tanium Server.

Import type | Components | URLs
Any | Any | https://content.tanium.com
Content | Initial Content | http://linux-usb.org
Content | Managed Applications | http://ardownload.adobe.com/ http://airdownload.adobe.com/ http://download.macromedia.com/ http://dl.google.com/ https://download.mozilla.org/ https://secure-appldnld.apple.com/
Content | Windows Security Patch Management | http://download.windowsupdate.com
Content | IR Gatherer | https://download.sysinternals.com
Modules | IR | https://download.sysinternals.com
Modules | Patch | http://download.windowsupdate.com
Modules | IOC Detect | https://download.sysinternals.com
Labs Content | EMET | https://download.microsoft.com
Labs Content | IR Memory | https://github.com/google/rekall-profiles/raw/ghpages/v1.0/*
Labs Content | MSERT | https://definitionupdates.microsoft.com
Labs Content | Stinger | http://downloadcenter.mcafee.com
Labs Content | Symantec | https://support.symantec.com

Notes:

- If a Tanium content pack or solution module is not listed, it means no additional URLs are required for it.
- Previous Tanium Server versions required access to http://curl.haxx.se. Tanium Server 7.0 and later do not require access to this site.
- If your enterprise security policy does not allow Tanium Server to access these locations directly, you can use proxy servers. See the Tanium Core Platform User Guide.
- If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.
- If you plan to deploy Tanium into an air-gapped environment, consult with your TAM.
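An audit of a firewall allow-list against the internal TCP flows implied by Table 1, added here as an example (it is not part of the Tanium guide or tooling). The role names, addresses and rules are constructed, and the flow directions assume that a component's destination port pairs with the listener that has the same inbound port.

```python
"""Audit a firewall allow-list against the internal TCP flows in Table 1.

Added example, not Tanium code. All addresses are constructed samples.
"""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str   # role that opens the connection
    dst: str   # role that listens
    port: int  # TCP port from Table 1


class Rule(NamedTuple):
    src: str   # source CIDR the firewall allows
    dst: str   # destination CIDR
    port: int  # destination TCP port


# Assumption: "Destination Port" on one role pairs with the matching
# "Inbound Port" on another, so the hub dials the Zone Server on 17472 and
# the Module Server dials the Tanium Server on 443.
REQUIRED_FLOWS = [
    Flow("client", "server", 17472),
    Flow("server", "module", 17477),
    Flow("module", "server", 443),
    Flow("hub", "zone", 17472),
    Flow("dmz_client", "zone", 17472),
    Flow("mgmt", "server", 22),    # SSH/SFTP from the management computer
    Flow("mgmt", "server", 443),   # Tanium Console
]


def _net(cidr):
    return ipaddress.ip_network(cidr)


def _covers(rule, flow, topology):
    """True when the rule admits every source and destination of the flow."""
    return (rule.port == flow.port
            and _net(topology[flow.src]).subnet_of(_net(rule.src))
            and _net(topology[flow.dst]).subnet_of(_net(rule.dst)))


def missing_flows(topology, rules, flows=REQUIRED_FLOWS):
    """Required flows that no allow rule covers."""
    return [f for f in flows if not any(_covers(r, f, topology) for r in rules)]


def overbroad_rules(topology, rules, flows=REQUIRED_FLOWS):
    """Rules that serve a required flow but admit more sources than it needs."""
    flagged = []
    for rule in rules:
        served = [f for f in flows if _covers(rule, f, topology)]
        if served and not any(
                _net(rule.src).subnet_of(_net(topology[f.src])) for f in served):
            flagged.append(rule)
    return flagged


# Constructed lab topology (RFC 5737 documentation addresses, IPv4 only).
TOPOLOGY = {
    "server": "192.0.2.10/32",
    "hub": "192.0.2.10/32",        # the hub is an add-on on the Tanium Server
    "module": "192.0.2.11/32",
    "mgmt": "192.0.2.64/28",
    "client": "192.0.2.128/25",
    "zone": "198.51.100.20/32",
    "dmz_client": "203.0.113.0/24",
}

# Constructed allow-list with one missing rule and one rule that is too wide.
RULES = [
    Rule("192.0.2.128/25", "192.0.2.10/32", 17472),
    Rule("0.0.0.0/0", "192.0.2.11/32", 17477),     # should be the server only
    Rule("192.0.2.11/32", "192.0.2.10/32", 443),
    Rule("203.0.113.0/24", "198.51.100.20/32", 17472),
    Rule("192.0.2.64/28", "192.0.2.10/32", 22),
    Rule("192.0.2.64/28", "192.0.2.10/32", 443),
]

if __name__ == "__main__":
    for flow in missing_flows(TOPOLOGY, RULES):
        print("missing:", flow)
    for rule in overbroad_rules(TOPOLOGY, RULES):
        print("too wide:", rule)
```

Replace the constructed topology and rules with an export of your own firewall policy; the Internet-bound destinations (80 and 443) are left out because they depend on the URL list above.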

Getting started

1. Install the Tanium Appliance into a machine room and configure bootstrap network settings. For details, see the Tanium Appliance Quick Start Guide.
2. Connect to the TanOS console using SSH and configure basic network, host, and user settings. See Configuring network, host, and user settings.
3. Install the Tanium servers. See:
   - Installing Tanium Server
   - Installing Tanium Module Server
   - Installing Tanium Zone Server
4. Install the license file. See Installing the license file.
5. Verify the installation. See Verifying the deployment.

Configuring network, host, and user settings

You must configure basic network, host, and user settings before you can install a Tanium Appliance role.

Configure temporary bootstrap network settings

The Tanium Appliance Quick Start Guide describes how to install the appliance into a machine room and configure bootstrap network settings so that you can make a remote SSH connection and complete the setup and Appliance role installation from your desk. The Quick Start steps are repeated here to give context to the starting point for your initial workflows.

Before you begin

- Connect a keyboard, video, and mouse (KVM) to the console port.
- Obtain an IPv4 address from your network administrator and be prepared to specify the IP address, subnet mask (dotted-decimal), and default gateway IP address.

Configure the temporary settings

1. Power on the appliance. The boot and start-up processes take a few minutes.
2. When prompted to log in, specify the user name tanuser and the default password Tanium1.
3. When prompted, indicate that you want to configure temporary settings.
4. Specify the IPv4 address, subnet mask, and default gateway IP address.

The TanOS console confirms that the settings are applied and logs you out.

Configure network and host settings

Network and host settings enable the appliance to establish connections with other computers in your local network and with other servers and hosts on the Internet. Specify appropriate settings for the network in which the appliance is deployed.

Before you begin

- Your local "management computer" must be connected to a subnet that can reach the appliance IP address.
- Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
- Be ready to specify the static IP address, subnet mask (dotted-decimal), default gateway IP address, hostname, domain name, primary and secondary DNS servers, NTP server(s), and time zone settings.
- You must have an SSH client such as PuTTY to log into the TanOS console. The latest version of PuTTY was used in testing.
- You must have an SSH key generator such as PuTTYgen to generate keys for the tancopy user. The latest version of PuTTYgen was used in testing.
- You must have an SFTP client such as WinSCP to copy files to and from the appliance. The latest version of WinSCP was used in testing.

Configure the network and host settings

1. Make an SSH connection to the appliance IP address that was configured in the previous step.
2. When prompted to log in, specify the user name tanadmin and the default password Tanium1.
3. When prompted, indicate that you want to complete the initial configuration.
4. Accept the end-user license agreement (EULA).
5. Specify network and host configuration settings.

The console displays a notice that the passwords will be reset and the system restarted. You must configure a new password the next time you log in.

Configure user access

TanOS has a few built-in user accounts that you use to access the appliance operating system and perform tasks. Before you install a Tanium Appliance role, you must configure new passwords or add SSH keys to authenticate access for the following accounts:

- tanuser: Can make an SSH connection with password authentication to the TanOS console and access status menus.
- tanadmin: Can make an SSH connection with password authentication to the TanOS console and access all menus.
- tancopy: Can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

Before you begin

- Be ready to specify new passwords for the tanuser and tanadmin accounts. The password string must be at least 10 characters long and have at least 1 uppercase character, 1 lowercase character, 1 numeric character, and 1 non-alphanumeric character.
- You must have an SSH client to log into the TanOS console and an SFTP client to copy files to and from the appliance.
- You must have an SSH key generator to generate keys for the tancopy user.

Change the default passwords

1. Log into the TanOS console as tanuser and then follow the prompts to change the password.
2. Log into the TanOS console as tanadmin and then follow the prompts to change the password.

Add SSH keys for the tancopy account

IMPORTANT: This procedure adds an authorized key for the tancopy user to the appliance configuration. The purpose of this key is to enable you to use an SFTP client on your management computer to copy files to the /incoming and from the /outgoing directories on the appliance. In the Tanium Module Server and HA active-active installations, you are instructed to add a different authorized key for the tancopy user. Be careful not to mistake one for the other. The authorized keys serve different purposes. Both are required.

1. Use an SSH key generator such as PuTTYgen to generate a public/private key pair.
2. In PuTTYgen, select all of the text in the Public key for pasting into OpenSSH authorized_keys file box and copy it to the clipboard.

   IMPORTANT: In an SSH key exchange, the keys must match precisely as expected, including line endings. For this reason, the PuTTY documentation recommends loading the key in PuTTYgen and copying it from the Public key for pasting... box instead of copying it from an open file.

3. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
4. Enter C to go to the User Administration menu.
5. Enter 3 to go to the SSH Key Management menu.
6. Enter the line number for the tancopy user to display the key management menu for this user.
7. Enter 3 to go to the Authorized Keys menu.
8. Enter 2 and then follow the prompts to paste the public key generated in Step 1.
9. To test it, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
   a. Specify tancopy for user name.
   b. Click the Advanced button.
   c. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.

You should be able to connect to the appliance /incoming and /outgoing directories.

Note: You might see permission denied messages because WinSCP attempts to read the listing of the /incoming directory. This is expected. The user tancopy has permission to write to /incoming but not read /incoming.
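A check to run on the clipboard text before pasting it in Step 8, added here as an example (it is not part of the Tanium guide or TanOS). It assumes the one-line OpenSSH public key format that the PuTTYgen box produces; the function names and the sample key are constructed.

```python
"""Check text before pasting it as an authorized key (added example, not TanOS code)."""
import base64
import hashlib
import struct


def _ssh_strings(blob):
    """Split an SSH public key blob into its length-prefixed fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("key data is truncated")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields:
        raise ValueError("key data is empty")
    return fields


def check_public_key_text(text):
    """Return (problems, fingerprint); an empty problems list means OK to paste."""
    if "PRIVATE KEY" in text or "PuTTY-User-Key-File" in text:
        return ["private key material; paste only the public key"], None
    if "BEGIN SSH2 PUBLIC KEY" in text:
        return ["multi-line SSH2 public key file, not the one-line OpenSSH form"], None
    body = text.strip()
    if "\r" in body or "\n" in body:
        return ["line break inside the key; it must be a single line"], None
    parts = body.split(None, 2)          # key type, base64 data, optional comment
    if len(parts) < 2:
        return ["expected '<key-type> <base64-data> [comment]'"], None
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        fields = _ssh_strings(blob)      # fails if the copy lost characters
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        return [f"key data does not decode: {exc}"], None
    problems = []
    if fields[0] != key_type.encode("ascii", "replace"):
        problems.append("key type prefix does not match the type inside the key data")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return problems, fingerprint


def constructed_sample_line():
    """Build a syntactically valid ssh-ed25519 line from fixed bytes (not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " tancopy-sftp-sample"


if __name__ == "__main__":
    line = constructed_sample_line()
    wrapped = line[:40] + "\r\n" + line[40:]   # what a hard-wrapped copy looks like
    for label, candidate in (("one line", line), ("wrapped", wrapped)):
        print(label, check_public_key_text(candidate))
```

The fingerprint uses the same SHA256 form that OpenSSH's `ssh-keygen -l` prints, so it can be compared against the key held on the management computer.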

Installing a Tanium All-in-One role

In an All-in-One deployment, the Tanium Server, the Tanium Module Server, and a database server reside on the same Tanium Appliance. All-in-One deployments are supported only for proof-of-concept (POC) demonstrations.

Figure 2: All-in-One deployment

The All-in-One role installation creates the necessary component servers, SSL certificates, SSH keys, and configuration files.

Before you begin

Make sure:

- Basic network, host, and user settings are configured. See Configuring network, host, and user settings.
- Network firewall rules allow Tanium processes to communicate as expected. See Network connectivity and firewall.

Install the Tanium Server All-in-One role

1. Log in as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter 1 to go to the Tanium Installation menu.
3. Enter 1 to initiate an All-in-One installation.
4. When prompted, specify a password for the initial Tanium Console user (tanium).
5. Enter YES to continue with the installation.

The installation is completed in about 30 seconds.

Next steps

1. Download the Tanium Server public key file so you can include it in Tanium Client installation packages.
2. Installing the license file.
3. Verifying the deployment.

Installing Tanium Server

The Tanium Server role installation creates the Tanium Server and database server, SSL certificates, SSH keys, and Tanium Server configuration file.

Before you begin

Make sure:

- Basic network, host, and user settings are configured. See Configuring network, host, and user settings.
- Network firewall rules allow Tanium processes to communicate as expected. See Network connectivity and firewall.

Install Tanium Server

1. Log into the Tanium Server appliance as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter 1 to go to the Tanium Installation menu.
3. Enter 2 to install the Tanium Server.
4. When prompted, specify a password for the initial Tanium Console user (tanium).
5. Enter YES to continue with the installation.

The installation is completed in about 30 seconds.

Next steps

1. Download the Tanium Server public key file so you can include it in Tanium Client installation packages.
2. Installing Tanium Module Server.

Installing Tanium Module Server

The Tanium Module Server role installation creates the Tanium Module Server, SSL certificate, and configuration file. The workflow described here also configures the Tanium Server to use the remote Module Server. In this workflow, the required certificate files are copied from the Tanium Server to the Module Server, the configuration files are updated, and the services are restarted.

Before you begin

Make sure:

- Basic network, host, and user settings are configured. See Configuring network, host, and user settings.
- Network firewall rules allow communication between Tanium Server and Tanium Module Server on TCP port 17477.

Add required SSH keys

An SSH key exchange is used to securely copy files from the Tanium Server to the remote Module Server during installation.

1. Start two SSH terminal sessions so you can copy and paste between them:
   - Tanium Server
   - Tanium Module Server
2. Log into the Tanium Server appliance as the user tanadmin. The TanOS console displays the tanadmin menu.
3. Enter C to go to the User Administration menu.
4. Enter 3 to go to the SSH Key Management menu.
5. Enter the line number for tanadmin to display the key management menu for this user.
6. Enter 2 to display the public key.
7. Copy the contents of the public key to the clipboard.
8. Log into the Tanium Module Server appliance as the user tanadmin.
9. Enter C to go to the User Administration menu.
10. Enter 3 to go to the SSH Key Management menu.
11. Enter the line number for the tancopy user.
12. Enter 3 to go to the Authorized Keys menu.
13. Enter 2 and then follow the prompts to paste the contents of the Tanium Server tanadmin user public key file you copied in Step 7.

Install the Tanium Module Server

1. Log into the Module Server appliance as the user tanadmin.
2. Enter 1 to go to the Tanium Installation menu.
3. Enter 3 to install the Tanium Module Server.

The installation is completed in about 30 seconds.

Configure the Tanium Server to use the remote Module Server

1. Log into the Tanium Server appliance as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter A to go to the Configure Remote Module Server menu.
4. Enter 1 and then follow the prompts to configure the Tanium Server to use the remote Module Server.

Enable the remote Module Server

1. Log into the Tanium Module Server appliance as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter A to go to the Configure Remote Module Server menu.
4. Enter 2 and then follow the prompts to enable the remote Module Server and to configure its connection with the Tanium Server. For active-active deployments, be sure to specify the IP address, hostname, and domain for both Tanium Servers.

Next steps

- Installing Tanium Zone Server (if applicable).
- Installing the license file.

Installing Tanium Zone Server

The Tanium Zone Server role installation creates the Tanium Zone Server and configuration file. The workflow described here also installs the Tanium Zone Server Hub Add-On and configures the Zone Server Hub to listen for connections from the Zone Server.

Overview

In Tanium deployments, Tanium Clients initiate communication with the Tanium Server. Your enterprise network security policies likely do not allow endpoints that reside in the untrusted network to initiate connections to resources that reside in the internal network, such as the Tanium Server. To enable the Tanium Server to manage these endpoints, you can deploy one or more Tanium Zone Servers in the DMZ to proxy communication from the external endpoints.

The figure below illustrates Zone Server communication. The Zone Server is installed as a service, typically on an existing, shared device in the DMZ. It communicates with the Tanium Server through a Zone Server Hub process that you install as an add-on to the Tanium Server appliance. You set up external clients to register with the Zone Server as if it were the primary Tanium Server.

To optimize performance as much as possible, the Zone Server is designed to cache sensor definitions, configuration information, and the files packaged in actions. It provides these resources to clients without having to re-request them from the Tanium Server.

IMPORTANT: When using Tanium to manage external clients, be mindful that they might not have the same access to internal resources as internal clients. Target actions so that external clients are not instructed to attempt to access resources on the internal network, like an Active Directory server, or package files staged on an internal URL.

Figure 3: Zone Server deployment

Before you begin

Make sure:

- Basic network, host, and user settings are configured. See Configuring network, host, and user settings on page 16.
- Network firewall rules allow communication between the Zone Server hub and Zone Server on TCP port 17472.
- You have a copy of the Tanium Server public key file (tanium.pub) that you can upload to the Zone Server. See Download the Tanium Server public key file on page 127.

Install the Tanium Zone Server

This section provides procedures for the following workflow:

1. Deploy one or more Zone Server appliances in the DMZ.
2. Install the Zone Server hub add-on on the Tanium Server appliance and configure a Zone Server list that defines the Zone Servers with which it can communicate.

Install the Zone Server

1. Log into the Zone Server appliance as the user tanadmin. The TanOS console displays the tanadmin menu.

2. Enter 1 to go to the Tanium Installation menu.
3. Enter 4 to install the Tanium Zone Server. The installation is completed in about 30 seconds.

Import the Tanium Server public key file to the Zone Server

1. On your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Zone Server appliance:

   a. Specify tancopy for user name.
   b. Click the Advanced button.

   c. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Configure user access on page 19.
2. Use SFTP to copy the tanium.pub file to the /incoming directory on the Zone Server appliance.

3. Log into the Zone Server appliance as the user tanadmin.
4. Enter 2 to go to the Tanium Operations menu.

5. Enter 6 and then follow the prompts to copy the Tanium Server public key file (tanium.pub) into the Zone Server installation directory.

Install the Zone Server hub

After you have installed the Tanium Server role on a Tanium Appliance, you can install the Zone Server Hub Add-On.

1. Log into the Tanium Server appliance as the user tanadmin.
2. Enter 1 to go to the Tanium Installation menu.

3. Enter A and then follow the prompts to install the Tanium Zone Server Hub Add-On. The installation is completed in about 30 seconds.

Edit the Zone Server List

1. Log into the Tanium Server appliance as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.

3. Enter 2 to go to the Configuration Files menu.
4. Enter 9 to edit the zoneserverlist.txt file.
5. Add the IP address or FQDN for each Zone Server and save the file.

Next steps

- Installing the license file on page 56.

Installing the license file

You install the Tanium license file on the appliance that hosts the Tanium Server.

Tip: Install the license file before you log into the Tanium Console for the first time so that Tanium Interact is installed automatically during the Tanium Console launch.

Before you begin

- Your management computer must have an SFTP client such as WinSCP to copy files to and from the appliance.
- You must generate a public/private key pair to use with the tancopy user and upload the public key to the Tanium Server Appliance as described in Configure user access on page 19.

Upload the license file

1. On your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
   a. Specify tancopy for user name.

   b. Click the Advanced button.
   c. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Configure user access on page 19.

2. Use SFTP to copy your license file (tanium.license) to the /incoming directory on the appliance.

Install the license

1. Log into the Tanium Server appliance as the user tanadmin. The TanOS console displays the tanadmin menu.

2. Enter 2 to go to the Tanium Operations menu.

3. Enter 4 and then follow the prompts to install the license.

Next steps

- Verifying the deployment on page 62.

Verifying the deployment

Log into the Tanium Console to verify proper communication among deployment components:

- Successful installation of Tanium content packs verifies communication with content.tanium.com.
- Successful installation of Tanium Interact verifies communication between the Tanium Server and Tanium Module Server.
- Successful registration by Tanium Clients verifies communication with clients.
- Successful registration by a Tanium Client configured to use the Zone Server address verifies communication between the Zone Server and Zone Server hub service.

Log into the Tanium Console

1. In a web browser, go to https://tanium_server_fqdn[:port] to log into the Tanium Console.

   Tanium_Server_FQDN is the fully-qualified domain name for the Tanium Server appliance. The default port is 8843, and it is redirected to 443. You do not have to specify the port if you use the default.
2. Enter the user name tanium and the password you set when you installed the Tanium Server.

When you first log into the Tanium Console, it automatically initiates the following actions:

- Imports the Initial Content - Base content pack. The Initial Content packs include the sensors, packages, saved questions, and dashboards that are essential for getting started with Tanium.
- Imports the Client Maintenance content pack. The Client Maintenance pack includes the sensors, packages, actions, and saved questions that are used to perform hygiene checks on Tanium Clients.
- Imports the Interact workbench. The Interact workbench includes the user interface for questions and results.

Deploy the Tanium Client to your lab computers

This installation guide includes a brief section on deploying Tanium Clients so that you can use basic client-server registration to verify successful installation of the Tanium core server components. For comprehensive information on client deployment options, see the Tanium Client Deployment Guide.

Before you begin

Make sure:

- You have a Windows computer on which you can install the Tanium Client Deployment Tool (CDT).
- Network firewall rules allow the Tanium CDT to make connections to the target endpoints. See the Tanium Core Platform Installation Guide Reference: Network ports.
- You know the username and password of an administrator account that can log into the target endpoint and install the Tanium Client.
- You have downloaded the Tanium Server public key file so you can include it in Tanium Client installation packages.

Install the Tanium Client Deployment Tool

1. Download the Tanium Client Deployment Tool. Click here to begin the download.
2. Run the installer. The installation wizard prompts you for one value: the installation directory. The default is C:\Program Files (x86)\tanium\tanium Client Deployment Tool.
3. Select Start > Tanium Client Deployment Tool to open the tool. Upon initialization, the tool prompts you to download the latest endpoint software from content.tanium.com.

4. Click OK to download the latest endpoint software.
5. If you plan to use Microsoft PSExec to push Tanium Client to endpoints:
   a. When prompted, follow the link to download PSTools from the Microsoft download site.

   b. Unzip the package and copy the PsExec.exe and PSExec64.exe files to the CDT installation directory.
   c. Restart the Tanium CDT.

Deploy the Tanium Client

1. Open the Tanium CDT.
2. Configure the following settings.

   Username/Password: Local or domain user with administrative privileges on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer.
   Tanium.pub: Path to the Tanium Server public key file (tanium.pub).
   Server Name: The FQDN for the Tanium Server. Specify a comma-separated list. For example, ts1.example.com,ts2.example.com.
   Port: 17472
   Log Verbosity Level: Specify 1 for this initial deployment. Level 1 writes minimal logs that might be useful if there are issues with the initial deployment.
   Execution Method: Select PSEXEC if you downloaded it in the previous procedure.

3. Use the Computer List tab to specify the computer names, IP addresses or IP address ranges for a few endpoints in your lab.

4. Click Install to deploy the client to a few host computers in your lab.

Verify the basic deployment

1. In Interact, verify the endpoints respond to the following query: Get Computer Name and Tanium Server Name from all machines
2. Review the results grid to verify that all clients on which Tanium Client software was deployed are now reporting.

3. You can also go to the System Status page to review recent client registration details. Go to Administration > System Status to display the page.

Verify the Zone Server deployment

1. Use the Tanium CDT to deploy the Tanium Client to a client in your lab. In the configuration, for Tanium Server, specify the Zone Server FQDN (appliancezs.tam.local in this example).

2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that the Tanium Client on the Zone Server is reporting via the Tanium Zone Server.

Installing Tanium Server in an active-active cluster

High-availability (HA) features support Tanium Server availability even when there is a failure or scheduled maintenance. The active-active cluster setup workflow installs the Tanium Server and a database server on each appliance, makes updates in the configuration files, and copies the license file, SSL certificates, and SSH public/private key pair from the first appliance to the second appliance.

Overview

HA clustering is not required to scale Tanium capacity or to improve performance. You can size the host system hardware and OS of standalone platform servers to meet your capacity and performance requirements. Rather, the Tanium Core Platform supports HA active-active clustering of Tanium Server to ensure continuous availability in the event of an outage or scheduled maintenance.

The following figure shows an HA topology. In an active-active deployment:

- Tanium Clients use a Tanium Server list to automatically find a backup server in the event the first Tanium Server assigned to them is unavailable.
- The Tanium Servers read and write to the database co-located on the first appliance. Data is periodically replicated from the first appliance database to the second appliance database.
- The local authentication user configuration is periodically synchronized between the two appliances.
- IPsec ensures end-to-end security between the two appliances.
- Each cluster member has a Tanium Console with its own URL.
- Tanium solution modules are installed on a shared Module Server. However, they must be imported in each Tanium Console in order to be accessed from each. The order in which you import solution modules into the Tanium Console determines the order in which they are displayed in the navigation menu. We recommend you import the modules in the same order on TaniumServer01 as you will on TaniumServer02 so that the menus are in the same order.

- Each server passes Tanium messages (for example, answers to questions) to the other cluster members.
- Package files that are uploaded to one member are synchronized to the other cluster members.
- HA is not supported for Tanium Module Server. You might want to provision a cold standby that you can bring into service to replace the Module Server in the event of hardware failure.
- Follow database administration best practices to ensure availability of the database server and that the Tanium databases and related database objects are backed up routinely.

Figure 4: HA topology

HA cluster requirements and limitations

An HA deployment has the following requirements:

- Each Tanium Server must run the same software version, including build number (for example, each must have build number 7.1.314.2828).
- Each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. (Each must be able to independently handle load from the full deployment in the event of failure.)

- The cluster members must be able to connect to each other via a reliable Ethernet connection. A minimum 1 Gbps connection is required.
- Each cluster member must be able to access the Internet to download files from designated domains. Access can be direct or made through a proxy server.
- Each cluster member must be able to connect to the shared Module Server.

Before you begin

Make sure:

- Basic network, host, and user settings are configured on both appliances. See Configuring network, host, and user settings on page 16. We recommend you allocate a network interface on each Tanium Server appliance for the HA cluster communication. Specify the IP addresses of the HA interfaces when you configure the IPsec tunnel. Specify the IP addresses of the Tanium traffic interfaces when you configure the HA cluster IP addresses.
- Your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium core platform components use. In addition to the ports used by individual Tanium Servers, a Tanium Server in an HA cluster sends and receives HA-related data over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).

Add required SSH keys

An SSH key exchange is used to securely copy files from the first Tanium Server to the second Tanium Server during installation.

1. Start two SSH terminal sessions so you can copy and paste between them:
   - First Tanium Server
   - Second Tanium Server

2. Log into the first Tanium Server appliance as the user tanadmin. The TanOS console displays the tanadmin menu.

3. Enter C to go to the User Administration menu.
4. Enter 3 to go to the SSH Key Management menu.

5. Enter the line number for tanadmin to display the key management menu for this user.
6. Enter 2 to display the public key.
7. Copy the contents of the public key to the clipboard.
8. Log into the second Tanium Server appliance as the user tanadmin.
9. Enter C to go to the User Administration menu.
10. Enter 3 to go to the SSH Key Management menu.
11. Enter the line number for the tancopy user.

12. Enter 3 to go to the Authorized Keys menu.
13. Enter 2 and then follow the prompts to paste the contents of the Tanium Server tanadmin user public key file you copied in Step 7.

Set up the IPsec tunnel

IPsec is used to ensure end-to-end security between the two appliances.

1. Start two SSH terminal sessions so you can copy and paste between them:
   - First Tanium Server
   - Second Tanium Server
2. Log into the first Tanium Server appliance as the user tanadmin.

3. Enter A to go to the Appliance Configuration menu.
4. Enter 2 to go to the IP Configuration menu.

5. Enter 2 to go to the IPsec menu.
6. Log into the second Tanium Server appliance as the user tanadmin.
7. Go to the IPsec menu.
8. Enter 1 to display the local IPsec host key.
9. Copy it to the clipboard.
10. Go back to the first appliance.

11. Enter 3 and follow the prompts to configure this side of the IPsec tunnel. Paste the IPsec host key for the second appliance.
12. Enter 1 to display the local IPsec host key for the first appliance and copy it to the clipboard so you can paste it into the configuration for the second appliance.
13. Go back to the second appliance.
14. Go to the IPsec menu.
15. Enter 3 and follow the prompts to configure this side of the IPsec tunnel. Paste the IPsec host key for the first appliance.
16. Enter 6 to test the connection from this side.
17. Go back to the first appliance.
18. Enter 6 to test the connection from this side.

Deploy the HA cluster

1. Complete the installation for the first Tanium Server as described in Installing Tanium Server on page 32.
2. Install the license file. See Installing the license file on page 56.
3. Complete the installation for the Tanium Module server as described in Installing Tanium Module Server on page 36. When you configure the remote Module Server, be sure to specify the host, domain, and IP address of both Tanium Servers.
4. Complete the installation for the second Tanium Server as described in Installing Tanium Server on page 32.
5. Log into the first Tanium Server appliance as the user tanadmin.
6. Enter 2 to go to the Tanium Operations menu.

7. Enter B to go to the Cluster Configuration menu.
8. Enter 1 and then follow the prompts to configure the connection with the second member and initialize the HA cluster.

9. Log into the second Tanium Server appliance as the user tanadmin.
10. Enter 2 to go to the Tanium Operations menu.
11. Enter B to go to the Cluster Configuration menu.
12. Enter 2 and then follow the prompts to configure the connection with the first member and join the HA cluster.

Verify the installation

1. Deploy the Tanium Client to endpoints. When you configure client settings, specify both server names so the Tanium Clients use the ServerNameList setting to select a Tanium Server. See the Tanium Client Deployment Guide.

2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that both Tanium Servers are active.
3. Verify that both servers can download packages with URL-specified files when such a package is created or imported. Distribute Copy Tools is an example of a package with URL-specified files:
   a. Go to Authoring > Packages.
   b. Select the row for Distribute Copy Tools.
   c. Click Status and check that the files have been downloaded and are now cached on both servers.
4. Create a new package and specify a locally uploaded file. After you have saved the package, wait a moment for HA sync to occur, and then check that the files are downloaded and cached by both servers.

Upgrading Tanium server software

You can use TanOS to install an upgrade of Tanium Server, Tanium Module Server, or Tanium Zone Server software.

Before you begin

- Read the release notes for all of the core platform software versions that were released after your current version to stay informed about expected behavior.
- Your Tanium Technical Account Manager (TAM) will let you know when upgrades are advised and can assist you with the upgrade. Your TAM will provide the upgrade package files.
- All servers must have the same version number (for example, 7.1.314.2874), so you must be ready to upgrade all Tanium servers in your environment.
- Import the latest version of the solutions. The latest version has been tested with the target server version.
- Make sure the current deployment is working as expected.
- Back up the database.
- Back up the appliance.

Upgrade Tanium server software

1. Use SFTP to copy the Tanium server RPM file to the /incoming directory on the appliance.
2. Log into the TanOS console as the user tanadmin.

3. Enter 1 to go to the Tanium Installation menu.

4. Enter u to go to the software upgrade page. Follow the prompts to complete the upgrade.

Troubleshooting the installation

1. Run the Health Check.
2. Check whether a Tanium service or networking needs to be restarted.
3. Review logs.
4. Review the configuration.
5. Run Tanium Support Gather.
6. Examine OS processes and files written to the filesystem.
7. Perform a software reset.

Run the Health Check

1. From the tanadmin menu, enter 3 to go to the Tanium Support menu.
2. Enter 4 to run the health check.

    Welcome tanadmin to appliance-ts1.tam.local
    ------------------------------------------------------
    >>> Tanium Support menu <<<
    1: Tanium Log Files
    2: Database Monitoring
    3: Run Network Diagnostics
    4: Run Health Check
    5: Display Last Scheduled Health Check Results
    6: Appliance Hardware Report
    A: Generate T.H.A.T Report
    B: Run TSG (Tanium Support Gatherer)
    C: Copy Core Files
    H: Help
    R: Return to main menu
    ------------------------------------------------------
    TanOS Version: TanOS.1.0.0-329
    TanOS_Shell Version: 1.0.0-329
    Please select: 4
    Launching Health Check...
    >>> Tanium Support -> Run Health Check <<<
    Current date: 02-06-2017 UTC (day-month-year)
    Current time: 05:30:27
    Uptime: 05:30:27 up 8:11, 1 user, load average: 1.15, 1.44, 1.23
    >>> Operating System health (will take 7-10 seconds) <<<

    CPU: pass
    Memory: pass
    Swap: pass
    Partition /: pass
    Partition /boot: pass
    Partition /var: pass
    Partition /var/log: pass
    Partition /var/log/audit: pass
    Partition /opt: pass
    Partition /tmp: pass
    Partition /home: pass
    >>> User health <<<
    user tanium: pass
    user tanadmin: pass
    user tanuser: pass
    user tancopy: pass
    user tanfactory: pass
    user tanium (OTP): pass (not active)
    >>> Network health (will take 5-7 seconds) <<<
    default gateway: pass
    name resolution: pass
    L2 check ens33: pass
    L2 check ens34: pass
    L2 check ens38: pass
    mount /opt/mounts/connect: pass (not configured)
    mount /opt/mounts/detect: pass (not configured)
    >>> Service health <<<
    ntpd service: fail (system status failure)
    rsyslog service: pass
    iptables service: pass
    sshd service: pass
    ipsec service: pass
    local auth service: pass
    >>> Application health <<<
    taniumserver.service: pass
    taniumserver.service: pass (iptables)
    taniumserver.service: pass (clients connected)
    taniumserver.service: pass (database connected)
    taniummoduleserver.service: pass (does not exist/not installed)
    taniumzoneserver.service: pass (does not exist/not installed)
    executed checks: 36
    failed checks: 1
    new health status setting: warning
    >>> End Health Check <<<
    Press enter to continue...

Restart services or networking

Check whether a Tanium service needs to be restarted.
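Before restarting anything, the health check output above already names what failed (ntpd service in the sample run). The following is an added example, not Tanium code: it parses a saved transcript of that output, lists failed checks and passes qualified as not active, not configured or not installed, and compares the counts with the appliance's own totals to catch a cut-off capture. The function names and the one-check-per-line layout of the saved transcript are assumptions.

```python
import re
from dataclasses import dataclass, field

# Health check output as shown on this page, one check per line. The line
# breaks are an assumption about how a saved SSH session log would look.
SAMPLE = """\
>>> Operating System health (will take 7-10 seconds) <<<
CPU: pass
Memory: pass
Swap: pass
Partition /: pass
Partition /boot: pass
Partition /var: pass
Partition /var/log: pass
Partition /var/log/audit: pass
Partition /opt: pass
Partition /tmp: pass
Partition /home: pass
>>> User health <<<
user tanium: pass
user tanadmin: pass
user tanuser: pass
user tancopy: pass
user tanfactory: pass
user tanium (OTP): pass (not active)
>>> Network health (will take 5-7 seconds) <<<
default gateway: pass
name resolution: pass
L2 check ens33: pass
L2 check ens34: pass
L2 check ens38: pass
mount /opt/mounts/connect: pass (not configured)
mount /opt/mounts/detect: pass (not configured)
>>> Service health <<<
ntpd service: fail (system status failure)
rsyslog service: pass
iptables service: pass
sshd service: pass
ipsec service: pass
local auth service: pass
>>> Application health <<<
taniumserver.service: pass
taniumserver.service: pass (iptables)
taniumserver.service: pass (clients connected)
taniumserver.service: pass (database connected)
taniummoduleserver.service: pass (does not exist/not installed)
taniumzoneserver.service: pass (does not exist/not installed)
executed checks: 36
failed checks: 1
new health status setting: warning
>>> End Health Check <<<
"""

SECTION = re.compile(r"^>>>\s*(.+?)\s*(?:\(will take [^)]*\))?\s*<<<$")
CHECK = re.compile(r"^(.+?):\s+(pass|fail)(?:\s+\((.*)\))?$")
SUMMARY = re.compile(r"^(executed checks|failed checks|new health status setting):\s+(\S+)$")

@dataclass
class Report:
    checks: list = field(default_factory=list)   # (section, name, result, detail)
    summary: dict = field(default_factory=dict)  # summary label -> value as printed

def parse_health_check(text):
    """Parse a health check transcript into per-check results and the summary."""
    report, section = Report(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := SUMMARY.match(line):
            report.summary[m.group(1)] = m.group(2)
        elif m := CHECK.match(line):
            report.checks.append((section, m.group(1), m.group(2), m.group(3) or ""))
    return report

def failures(report):
    return [(s, n, d) for s, n, r, d in report.checks if r == "fail"]

def skipped(report):
    """Passes whose qualifier says nothing was exercised (heuristic: contains 'not ')."""
    return [(s, n, d) for s, n, r, d in report.checks if r == "pass" and "not " in d]

def discrepancies(report):
    """Compare parsed results with the printed totals to catch a cut-off capture."""
    problems = []
    for label, found in (("executed checks", len(report.checks)),
                         ("failed checks", len(failures(report)))):
        declared = report.summary.get(label)
        if declared is None:
            problems.append(f"{label}: summary line missing")
        elif int(declared) != found:
            problems.append(f"{label}: summary says {declared}, transcript has {found}")
    return problems

if __name__ == "__main__":
    rep = parse_health_check(SAMPLE)
    print("failed:", failures(rep))
    print("skipped:", skipped(rep))
    print("totals:", discrepancies(rep) or "consistent")
```

A qualified pass such as "pass (not configured)" is worth reading separately from a plain pass, because the check found nothing to test rather than finding it healthy.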

Restart services

1. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
2. Enter 1 to go to the Tanium Service Control menu.
3. Enter the line number of the service you want to manage to display the service commands.
4. Type the number of a service control command to issue it.

    Welcome tanadmin to appliance-ts1.tam.local
    ------------------------------------------------------
    >>> Tanium Operations -> Tanium Service Control <<<
    #  Service         State    Status
    1  ipsec           enabled  started
    2  postgresql-9.5  enabled  started
    3  slapd           enabled  started
    4  taniumserver    enabled  started
    H: Help
    R: Return to main menu
    ------------------------------------------------------
    TanOS Version: TanOS.1.0.0-329
    TanOS_Shell Version: 1.0.0-293
    Please select a line number or menu item:

Restart networking

1. From the tanadmin menu, enter A to go to the Appliance Configuration menu.
2. Enter 2 to go to the IP Configuration menu.
3. Enter 4 to restart networking.

    >>> Appliance Configuration -> IP Configuration -> Restart Networking <<<
    About to restart networking on the appliance.
    Warning: service interruptions will occur!
    If an IP address change was pending, you will need to connect to the new IP address.
    Would you like to restart networking? [YES/NO]: yes
    Restarting networking...
    Network restart completed.
    Press enter to continue...

Review logs

1. From the tanadmin menu, enter 3 to go to the Tanium Support menu.
2. Enter 1 to go to the Log Files menu.
3. Select an item to view the log. You can use commands similar to ex editor commands to search for patterns (keywords).

    >>> Tanium Support -> Log files <<<
    Not all log files will be available with each server role!
    Note: to access module specific logfiles, please use TSG
    1: Tanium Service Log file
    2: Tanium Service RBAC file
    3: Tanium Service TDL Log file
    -------------------------------------------------------
    4: Tanium Module Service Log file
    5: Tanium Module Service TDL Log file
    -------------------------------------------------------
    6: Tanium Zone Service Log file
    -------------------------------------------------------
    7: Tanium Postgres Log file
    H: Help
    R: Return to main menu
    ------------------------------------------------------
    TanOS Version: TanOS.1.0.0-365
    TanOS_Shell Version: 1.0.0-372
    Please select: 3
    Calling Tanium Service TDL Log file...
    >>> Tanium Support -> Log files -> View <<<
    About to open a copy of the current log file - enter "q" to exit
    2017-05-30T20:34:50.267Z[00:007565:] Begin Log (TDownloader)
    2017-05-30T20:34:50.313Z[00:007572:] Begin Log (TDownloader)
    2017-05-30T20:34:50.384Z[00:007575:] Begin Log (TDownloader)
    2017-05-30T20:34:50.412Z[00:007579:] Begin Log (TDownloader)
    2017-05-30T20:34:50.411Z[00:007577:] Begin Log (TDownloader)
    2017-05-30T20:34:52.293Z[00:007582:] Begin Log (TDownloader)
    2017-05-30T20:34:52.339Z[00:007580:] Begin Log (TDownloader)
    2017-05-30T20:34:52.370Z[00:007584:] Begin Log (TDownloader)
    2017-05-30T20:34:52.399Z[00:007589:] Begin Log (TDownloader)
    2017-05-30T20:34:52.395Z[00:007586:] Begin Log (TDownloader)
    2017-05-30T20:34:52.623Z[00:007589:] Finished with status 200 (SUCCESS) for URL https://content.tanium.com/files/published/ic_base/[...] progress file id=(pfid=5)
    2017-05-30T20:34:52.623Z[00:007589:] End Log (TDownloader)
    2017-05-30T20:34:52.655Z[00:007586:] Finished with status 200 (SUCCESS) for URL https://content.tanium.com/files/published/ic_base/[...] progress file id=(pfid=9)
    2017-05-30T20:34:52.655Z[00:007586:] End Log (TDownloader)
    2017-05-30T20:34:52.660Z[00:007584:] Finished with status 200 (SUCCESS) for URL https://content.tanium.com/files/published/ic_base/[...] progress file id=(pfid=7)
    2017-05-30T20:34:52.660Z[00:007584:] End Log (TDownloader)

    2017-05-30T20:34:52.686Z[00:007580:] Finished with status 200 (SUCCESS) for URL https://content.tanium.com/files/published/ic_base/[...] progress file id=(pfid=8)
    /tmp/log0.txt

Review the configuration

1. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
2. Enter 2 to go to the Configuration Files menu.
3. Enter the line number of the action you want to take.

    Welcome root to appliance-ts2.tam.local
    ------------------------------------------------------
    >>> Tanium Operations -> Configuration files <<<
    1: View Tanium Server INI
    2: Edit Tanium Server INI
    3: Set Tanium Server TDL LogLevel
    H: Help
    R: Return to main menu
    ------------------------------------------------------
    TanOS Version: TanOS.1.0.0-329
    TanOS_Shell Version: 1.0.0-293
    Please select: 2
    Calling edit Tanium Server INI
    >>> Tanium Operations -> Configuration files -> Edit TaniumServer.ini <<<
    LogVerbosityLevel=1
    TrustedCertPath=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    ConsoleSettingsJSON=/opt/Tanium/TaniumServer/http/config/console.json
    LogPath=/opt/Tanium/TaniumServer/Logs
    ServerPort=17472
    ServerSOAPPort=8443
    AddressMask=16777215
    ModuleServer=10.10.10.134
    ModuleServerPort=17477
    SQLConnectionString=postgres:10.10.10.132@user=postgres password=sgtfer2bcajqwgjd6av7wdq dbname=tanium sslmode=require
    AuthenticationPlugin=InternalPython:tanium_pam4/pam_workflow.py
    Version=7.1.314.2838
    TrustedHostList=appliance-ts1.tam.local,appliance-ts2.tam.local
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    ~
    /

Run Tanium Support Gatherer

The Tanium Support Gatherer (TSG) collects system status, process status, network interface status, and so on, to help your Tanium Technical Account Manager (TAM) evaluate possible appliance or Tanium server issues.

1. From the tanadmin menu, enter 3 to go to the Tanium Support menu.
2. Enter B to run the TSG.

    >>> Tanium Support menu <<<
    1: Tanium Log Files
    2: Run PG_TOP
    3: Run Diagnostics
    4: Run Health Check
    5: Display Last Scheduled Health Check Results
    6: Appliance Hardware Report
    A: Generate T.H.A.T Report
    B: Run TSG (Tanium Support Gatherer)
    H: Help
    R: Return to main menu
    ------------------------------------------------------
    TanOS Version: TanOS.1.0.0-329
    TanOS_Shell Version: 1.0.0-293
    Please select: b
    Launching TSG...
    >>> Tanium Support -> Run TSG (Tanium Support Gatherer)<<<
    Current date: 02-06-2017 UTC (day-month-year)
    /opt/tanos_shell/tsg/tsg-20170602063115
    Making output dir /opt/tanos_shell/tsg/tsg-20170602063115
    Requested All
    Making the output DIR
    Running commands for db
    [...]
    Copying TaniumServer log0.txt
    Can't find the TaniumModuleServer log0.txt
    Can't find the TaniumZoneServer log0.txt

Creating zip file adding: tsg-20170602063115/auth.log (deflated 53%) adding: tsg-20170602063115/db.log (deflated 82%) adding: tsg-20170602063115/hw.log (deflated 77%) adding: tsg-20170602063115/net.log (deflated 85%) adding: tsg-20170602063115/os.log (deflated 81%) adding: tsg-20170602063115/tms.log (deflated 76%) adding: tsg-20170602063115/ts.log (deflated 72%) adding: tsg-20170602063115/ts_log0.txt (deflated 97%) adding: tsg-20170602063115/tzs.log (deflated 64%) Pub directory does not exist. Do you want to create? [YES/NO]: yes Copying to the http directory You can get the file from https://appliance-ts1.tam.local/pub/tsg-20170602063115.zip Completed the TSG run Press enter to continue... The last stanza of the output shows the location where you can download the encrypted and compressed archive file. For example: https://appliance-ts1.tam.local/pub/tsg-20170602063115.zip Examine OS processes and files In rare cases, you or your TAM might need to examine OS processes and files written to the filesystem. You must follow a special procedure to request shell access. 1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu. 2017 Tanium Inc. All Rights Reserved Page 95


2. Enter B to go to the Appliance Maintenance menu.
3. Enter 5 to go to the Shell Access (restricted) menu.
4. Enter 1 and follow the prompts to generate a challenge key. Remember the "challenge password" you specify. You will need it to validate the response in a later step. The challenge key is written to the /outgoing folder.
5. Use SFTP to copy the request file from the /outgoing directory to your local computer.
6. Email the file and TanOS version information to your TAM. Your TAM will send you a response file.
7. Use SFTP to copy the response file to the /incoming directory.
8. At the Appliance Maintenance > Shell menu prompt, enter 2 and then follow the prompts to validate the response. Specify the "challenge password" provided in a previous step. The Shell menu now has additional options.
9. Enter 3 to launch the shell.
10. Enter exit to close the shell.
11. When you are finished troubleshooting, go to the Shell Access (restricted) menu and enter 4 to remove the shell key.

Perform a software reset

The Appliance Maintenance > Reset menu has two options:

- Perform a software reset to erase the Tanium application software.
- Perform a factory reset only if you want to erase both the configuration and the installed software.

1. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
2. Enter 2 to go to the Reset menu.
3. Enter the appropriate option.

    Welcome tanadmin to appliance-ts1.tam.local
    ------------------------------------------------------
    >>> Appliance Maintenance -> Reset <<<
    1: Software reset (remove all Tanium application software)
    2: Factory reset (remove software and configurations)
    H: Help
    R: Return to main menu
    ------------------------------------------------------
    TanOS Version: TanOS.1.0.0-329
    TanOS_Shell Version: 1.0.0-293
    Please select:

Managing user access

The TanOS special users tanadmin, tancopy, tanfactory, and tanuser are not Tanium Console users. TanOS access requirements are enforced.

Apart from special users, TanOS hosts a local authentication service that can be used for Tanium Console user authentication. You can create and delete users and manage their passwords. In addition, you can configure Tanium Console authentication against your enterprise LDAP server. For details on using LDAP, see the Tanium Core Platform User Guide.

Change TanOS user passwords

The TanOS special users tanadmin, tanuser, and tanfactory can make password-authenticated SSH connections to the TanOS console. The passwords for TanOS special users must be changed every 45 days. You can also change the passwords whenever it is necessary. The password string must be at least 10 characters long and have at least 1 uppercase character, 1 lowercase character, 1 numeric character, and 1 nonalphanumeric character.

Change the tanadmin password

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter P and then follow the prompts to change the password. After the password has been changed, you are logged out.

Reset the tanuser password

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter 1 and then follow the prompts to reset the password.

Reset the tanfactory password

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter 2 and then follow the prompts to reset the password.

Manage SSH keys

The installation process generates a public/private SSH key pair for the tanadmin user. You can use the SSH Key menu to regenerate this pair, generate keys for the other TanOS special users, add authorized keys to support inbound user connections, and display the public key so you can copy and paste it into other appliance configurations as described in some of the installation procedures in this guide.

Before you begin

You must have an SSH client to log into the TanOS console and an SFTP client such as WinSCP to copy files to and from the appliance. You must have an SSH key generator such as PuTTYgen to generate keys for the tancopy user.

Generate keys

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter 3 to go to the SSH Key Management menu.
4. Enter the line number for tancopy to display the key management menu for this user.

5. Enter 1 to generate a public/private key pair.

Add authorized keys

1. Use an SSH key generator such as PuTTYgen to generate a public/private key pair.
2. In PuTTYgen, select all of the text in the "Public key for pasting into OpenSSH authorized_keys file" box and copy it to the clipboard.
3. Log into the TanOS console as the user tanadmin.
4. Enter C to go to the User Administration menu.
5. Enter 2 to go to the SSH Key Management menu.
6. Enter the line number for the tancopy user to display the key management menu for this user.
7. Enter 3 to go to the Authorized Keys menu.
8. Enter 2 and then follow the prompts to add the contents of the public key generated in Step 1.

Display public keys

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter 3 to go to the SSH Key Management menu.
4. Enter the line number for the tancopy user to display the key management menu for this user.

5. Enter 2 to display the public key.

Configure the local authentication service

You can use the local authentication service to set up Tanium Console user accounts for demo or testing purposes. Tanium recommends you configure the Tanium Console to use an external LDAP server to authenticate Tanium users. For details, see the Tanium Core Platform User Guide.

Note: The Local Authentication Service menu is available only after you install the Tanium Server role. It is not available when other roles are installed.

Add a local user

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter A to go to the Local Authentication Service menu.
4. Enter 1 and then follow the prompts to add a local user.

Set a user password

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter A to go to the Local Authentication Service menu.
4. Enter 2 to display the Manage Local Users menu.
5. Enter the user line number to display the user menu.
6. Enter 2 and then follow the prompts to set the user password.

Delete a user

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter A to go to the Local Authentication Service menu.
4. Enter 2 to display the Manage Local Users menu.
5. Enter the user line number to display the user menu.
6. Enter 1 and then follow the prompts to delete the user.

Disable the local authentication service

1. Log into the TanOS console as the user tanadmin.
2. Enter C to go to the User Administration menu.
3. Enter A to go to the Local Authentication Service menu.
4. Enter A and then follow the prompts to enable or disable the local authentication service.

Configuring syslog

You can forward appliance logs to a remote syslog server.

Figure 5: A syslog reader

To configure syslog forwarding:

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter A to display the Appliance Configuration menu.
3. Enter 5 to display the Syslog Configuration menu.
4. Enter 2 and then specify the IP address, port, and protocol for the remote syslog server.

Configuring SNMP

SNMP is enabled by default. You can configure SNMPv3 credentials for the user tanuser. This user can make a remote SNMP connection to the appliance to walk the MIB from a remote host or SNMP manager.

Figure 6: SNMP walk

To configure SNMPv3 access:

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter A to display the Appliance Configuration menu.
3. Enter 6 and then follow the prompts to change the SNMPv3 credentials for tanuser.

Reference: Certificate and key files

Some deployment tasks instruct you to import/export SSL certificate and key files.

Before you begin

Your management computer must have an SFTP client such as WinSCP to copy files to and from the appliance. You must generate a public/private key pair to use with the tancopy user and upload the public key to the Tanium Appliance as described in Configure user access on page 19.

Install a CA certificate file

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA). For details on certificate requirements, including the filenames expected in the Tanium installations, see the Tanium Core Platform Installation Guide.

Upload the CA certificate file

1. Set up an SFTP client to connect to the Tanium appliance:
   a. Specify tancopy for user name.
   b. Click the Advanced button.
   c. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Configure user access on page 19.
2. Use SFTP to copy the SOAP certificate and key files to the /incoming directory on the appliance.

Install the SOAP certificate file

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 5 to go to the Install Custom SOAP Cert procedure.
4. Follow the prompts to install the certificate and key files you uploaded in the previous procedure.

Manage content signing keys

1. Log into the TanOS console as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 6 to go to the Manage Custom Signing Keys menu.
4. Use the menus to add, remove, or list the key files.

Download the content signing key utility

1. Log into the TanOS console as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 6 to go to the Manage Custom Signing Keys menu.
4. Enter 1 to copy the KeyUtility.exe and related files to a zip file in the /outgoing directory.
5. Use SFTP to copy the file from the /outgoing directory to your local computer.

Download the Tanium Server public key file

Download the Tanium Server public key file so you can include it in Tanium Client installation packages.

1. Log into the TanOS console as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 7 to go to the Download Public Key procedure.
4. Follow the prompts to copy the public key to the /outgoing directory.

5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Import the Tanium public/private key pair

When you migrate an existing deployment to new installations, you might want to migrate the Tanium Server public/private key pair to avoid redistributing the tanium.pub key file to Tanium Clients.

Upload the public and private key files

1. Add the public/private key pair you want to copy to a passphrase-protected tanium.zip file.
2. Set up an SFTP client to connect to the Tanium Server appliance:
   a. Specify tancopy for user name.
   b. Click the Advanced button.
   c. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Configure user access on page 19.
3. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Replace the public and private keys

1. Log into the TanOS console as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 8 and then follow the prompts to import the zip file and install the keys.

Reference: Tanium Service Control menu

Tanium component servers and the database server can be managed with common service control commands:

- Start
- Stop
- Restart
- Disable
- Enable

To issue a command:

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 1 to go to the Tanium Service Control menu.
4. Enter the line number of the service you want to manage to display the service commands.
5. Type the number of a service control command to issue it.

Reference: Server configuration files

You can use the Configuration Files menu to change the log level or the Tanium component server configuration settings. Contact your Tanium Technical Account Manager (TAM) before changing Tanium configuration settings.

To edit a configuration file:

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 2 to go to the Configuration Files menu.
4. Use the menu to view and edit Tanium server configuration files.

To change the Tanium Server port:

1. Log into the TanOS console of the Tanium Server appliance as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 3 and then follow the prompts to change the Tanium Server port.

TaniumServer.ini reference

In general, you do not need to edit the Tanium Server configuration settings. During troubleshooting, your Tanium Technical Account Manager (TAM) might advise you to review and modify the settings described in the following table.

Table 3: Tanium Server settings

Settings    Guidelines

AddressMask
    Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain. Do not change this setting unless instructed to do so by your TAM.

BypassCRLCheckHostList
    Use this setting to list servers that should be trusted without CRL checking. Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.

BypassProxyHostList
    If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server. For example, a proxy server should not be used for traffic between Tanium Servers in an active-active cluster. A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.
    Use this setting to specify destinations that should not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses. For example:
    ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15
    Version 7.0.314.6242 and later support wildcards.

ConsoleSettingsJSON
    Path to the console settings file.

LogPath
    The default is /opt/tanium/taniumserver/logs.

LogVerbosityLevel
    Log verbosity level:
    0: Logging disabled.
    1: Normal log level.
    41: Recommended during troubleshooting.
    >= 91: Most detailed log level. Enable for short periods of time only.

ModuleServer
    Module Server IP address.

ModuleServerPort
    Module Server port. The default is 17477.

ProxyPassword
    Account password. Required if a Basic proxy is configured.

ProxyPort
    Port number of the proxy server.

ProxyType
    Basic or NTLM.

ProxyServer
    IP address of the proxy server.

ProxyUserid
    Account username to establish the connection with the proxy server. Required if a Basic proxy is configured. NTLM proxies use the credentials of the user context that runs the Tanium Server service.

ServerPort
    Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change Tanium Port menu.

ServerSOAPPort
    Tanium Console and SOAP API port. The default is 8443. Port 443 redirects to 8443.

SQLConnectionString
    Database server connection information. Example:
    postgres:127.0.0.1@user=postgres password= dbname=tanium ssl mode=required port=5432

TrustedHostList
    Use this setting to list hosts that should be trusted without a valid SSL certificate. The Tanium Server does not download files from a server without a valid SSL certificate, unless it is included in this list. Add the FQDN or IP address of any servers you want to trust. In an Active/Active cluster, specify the FQDN for both Tanium Servers. Version 7.0.314.6242 and later support wildcards.

Version
    Tanium Server version number.

TaniumModuleServer.ini reference

In general, you do not need to edit the Tanium Module Server configuration settings. During troubleshooting, your TAM might advise you to review and modify settings described in the following table.

Table 4: Tanium Module Server settings

Settings    Guidelines

BypassCRLCheckHostList
    Use this setting to list servers that should be trusted without CRL checking. Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.

BypassProxyHostList
    If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server. For example, a proxy server should not be used for traffic between Tanium Servers in an active-active cluster. A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.
    Use this setting to specify destinations that should not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses. For example:
    ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15
    Version 7.0.314.6242 and later support wildcards.

LogVerbosityLevel
    Log verbosity level:
    0: Logging disabled.
    1: Normal log level.
    41: Recommended during troubleshooting.
    >= 91: Most detailed log level. Enable for short periods of time only.

ProxyPassword
    Account password. Required if a Basic proxy is configured.
    Note: The Proxy settings have entries only if a proxy server has been manually configured.

ProxyPort
    Port number of the proxy server.

ProxyType
    Basic or NTLM.

ProxyServer
    IP address of the proxy server.

ProxyUserid
    Account username to establish the connection with the proxy server. Required if a Basic proxy is configured. NTLM proxies use the credentials of the user context that runs the Tanium Server service.

ServerName
    0.0.0.0 indicates bind to all network adapters.

ServerPort
    Module Server port. The default is 17477.

TrustedHostList
    Use this setting to list hosts that should be trusted without a valid SSL certificate. The Tanium Server does not download files from a server without a valid SSL certificate, unless it is included in this list. Add the FQDN or IP address of any servers you want to trust. In an Active/Active cluster, specify the FQDN for both Tanium Servers. Version 7.0.314.6242 and later support wildcards.

Version
    Tanium Module Server version number.

TaniumZoneServer.ini reference

In general, you do not need to edit the Tanium Zone Server configuration settings. During troubleshooting, your TAM might advise you to review and modify settings described in the following table.

Table 5: Tanium Zone Server settings

Settings    Guidelines

LogVerbosityLevel
    Log verbosity level:
    0: Logging disabled.
    1: Normal log level.
    41: Recommended during troubleshooting.
    >= 91: Most detailed log level. Enable for short periods of time only.

ServerName
    Tanium Server fully qualified domain name.

ServerPort
    Tanium Server Port. The default is 17472.

Version
    Tanium Zone Server version number.

ZoneHubFlag
    0 if not the hub; 1 if the hub.
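Several of the settings in Tables 3 to 5 exempt hosts from a certificate or CRL check or change what is logged, so they are worth reviewing after a troubleshooting session. The following Python audit is an added example, not part of the guide or of Tanium software; it assumes the .ini files hold one key=value pair per line, and the sample file contents and severity labels are constructed for illustration.

```python
"""Audit trust and logging settings in a Tanium server .ini file (added example)."""

# Constructed sample. The key=value layout is an assumption of this example;
# the guide names the settings but does not show the file itself.
SAMPLE_INI = """\
LogVerbosityLevel=91
TrustedHostList=ts1.example.com,*.example.com
BypassCRLCheckHostList=downloads.example.com
ProxyType=Basic
ProxyServer=10.10.10.20
ProxyPort=8080
ProxyUserid=svc-proxy
BypassProxyHostList=ts1.example.com,localhost
ServerSOAPPort=8443
"""

# Settings that exempt hosts from a check, with the check each one skips.
TRUST_EXCEPTIONS = {
    "TrustedHostList": "trusted without a valid SSL certificate",
    "BypassCRLCheckHostList": "trusted without CRL checking",
}


def parse_settings(text):
    """Return {name: value} from key=value lines, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def split_hosts(value):
    """Split a comma-separated host list, dropping empty entries."""
    return [h.strip() for h in value.split(",") if h.strip()]


def audit(settings):
    """Return (setting, severity, message) tuples; severities are this example's own."""
    findings = []

    # Level 0 disables logging; 91 and above is meant for short periods only.
    raw_level = settings.get("LogVerbosityLevel")
    if raw_level is not None:
        try:
            level = int(raw_level)
        except ValueError:
            findings.append(("LogVerbosityLevel", "warn", f"not a number: {raw_level!r}"))
        else:
            if level == 0:
                findings.append(("LogVerbosityLevel", "high", "logging is disabled"))
            elif level >= 91:
                findings.append(("LogVerbosityLevel", "warn",
                                 "most detailed level; enable for short periods only"))

    # Every listed host skips a check; a wildcard entry widens the exemption.
    for name, effect in TRUST_EXCEPTIONS.items():
        for host in split_hosts(settings.get(name, "")):
            severity = "high" if "*" in host else "review"
            findings.append((name, severity, f"{host} is {effect}"))

    # A Basic proxy requires both an account name and a password.
    if settings.get("ProxyType", "").lower() == "basic":
        for name in ("ProxyUserid", "ProxyPassword"):
            if not settings.get(name):
                findings.append((name, "warn", "required for a Basic proxy but not set"))

    # With a proxy configured, local destinations should bypass it.
    if settings.get("ProxyServer"):
        bypassed = {h.lower() for h in split_hosts(settings.get("BypassProxyHostList", ""))}
        for needed in ("localhost", "127.0.0.1"):
            if needed not in bypassed:
                findings.append(("BypassProxyHostList", "warn",
                                 f"{needed} is not excluded from the proxy"))
    return findings


if __name__ == "__main__":
    for setting, severity, message in audit(parse_settings(SAMPLE_INI)):
        print(f"[{severity:6}] {setting}: {message}")
```

Run it against a copy of the configuration file rather than editing settings directly; the guide directs changes through the TanOS menus and your TAM.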

Reference: Appliance Maintenance menu

You can use the Appliance Maintenance menu to perform backup and restore, factory reset, TanOS upgrade, and system reboot or shutdown.

Back up and restore

The backup procedure uses the rsync utility to copy the active partition to a backup partition. The restore procedure boots the system from the backup partition.

Back up

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter B to go to the Appliance Maintenance menu.
3. Enter 1 to go to the Backup/Restore menu.
4. Enter 1 and then follow the prompts to complete the backup.

Restore

1. Log into the TanOS console as the user tanadmin.
2. Enter B to go to the Appliance Maintenance menu.
3. Enter 1 to go to the Backup/Restore menu.
4. Enter 4 and then follow the prompts to complete the restore.

Perform a software reset

The Appliance Maintenance > Reset menu has two options:

- Perform a software reset to erase the Tanium application software.
- Perform a factory reset only if you want to erase both the appliance configuration and the Tanium software.

1. From the tanadmin menu, enter B to go to the Appliance Maintenance menu.
2. Enter 2 to go to the Reset menu.
3. Enter 1 to perform a software reset.

Upgrade the TanOS shell

The TanOS shell is the TanOS menu system. Your Tanium Technical Account Manager (TAM) will let you know when upgrades are advised and can assist you with the upgrade.

1. Use SFTP to copy the TanOS shell RPM file to the /incoming directory on the appliance.
2. Log into the TanOS console as the user tanadmin.
3. Enter B to go to the Appliance Maintenance menu.
4. Enter 4 and then follow the prompts to complete the upgrade.

Clean SFTP and cores directories

1. Log into the TanOS console as the user tanadmin.
2. Enter B to go to the Appliance Maintenance menu.
3. Enter A to go to the Clean Directories menu.

4. Enter 1 and follow the prompts to delete files in the SFTP /incoming and /outgoing directories; or enter 2 and follow the prompts to delete files from cores.

Reboot or shut down

Tasks you complete with TanOS menus typically do not require you to reboot the system. Reboot might be required during troubleshooting workflows. Shutdown turns off the system and powers down the appliance.

CAUTION: You must have physical access to the appliance to power it on. Do not perform a system shutdown unless you are prepared to power the appliance back on.

Reboot

1. Log into the TanOS console as the user tanadmin.
2. Enter B to go to the Appliance Maintenance menu.
3. Enter B to go to the Reboot/Shutdown menu.
4. Enter 1 to reboot the appliance.

Shut down

1. Log into the TanOS console as the user tanadmin.
2. Enter B to go to the Appliance Maintenance menu.
3. Enter B to go to the Reboot/Shutdown menu.
4. Enter 2 to shut down the appliance.

Reference: Appliance configuration

You configure basic host and network settings when you complete the initial configuration. You can use the TanOS Appliance Configuration menu to modify the configuration.

Modify the hostname and DNS configuration

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter A to display the Appliance Configuration menu.
3. Enter 1 and then follow the prompts to change the hostname or DNS service configuration.

Modify the IPv4 address configuration

1. Log into the TanOS console as the user tanadmin.
2. Enter A to display the Appliance Configuration menu.
3. Enter 2 and then follow the prompts to change the IPv4 configuration.

Modify the NTP configuration

1. Log into the TanOS console as the user tanadmin.
2. Enter A to display the Appliance Configuration menu.
3. Enter 3 and then follow the prompts to change the NTP configuration.

Modify the time zone configuration

1. Log into the TanOS console as the user tanadmin.
2. Enter A to display the Appliance Configuration menu.
3. Enter 4 and then follow the prompts to change the time zone configuration.

Change from a static IP address to DHCP (VM-only)

1. Log into the TanOS console as the user tanadmin.
2. Enter A to display the Appliance Configuration menu.
3. Enter 8 and then follow the prompts to use DHCP.

Reference: File share mounts

Tanium Connect (Connect) and Tanium IOC Detect (Detect) write consumable files to disk. You can configure the Tanium Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share.

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter A to display the Appliance Configuration menu.
3. Enter 7 to display the Share Configuration menu.
4. Use the menu to add, delete, and list file shares.

Reference: Appliance security

You can use the Security menu to enable/disable factory reset and SSH trusted host list configurations.

Enable/disable factory reset

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter A to display the Appliance Configuration menu.
3. Enter A to display the Security menu.
4. Enter 1 and then follow the prompts to disable the tanfactory account that is used to perform a factory reset.

Manage the SSH trusted host list

1. Log into the TanOS console as the user tanadmin.
2. Enter A to display the Appliance Configuration menu.
3. Enter A to display the Security menu.
4. Enter 2 and then follow the prompts to manage the SSH trusted hosts list.

Reference: Diagnostic menus

TanOS includes the following diagnostic menus.

Tanium Support Menu    Usage

Tanium Log Files
    Review logs.

Database Monitoring
    Run the Postgres top command.

Run Network Diagnostics
    Use ping, nslookup, and IPsec check utilities.

Run Health Check
    Check the status of network services and Tanium services.

Display Last Scheduled Health Check Results
    A health check is run automatically every 15 minutes. Use this option to view previous results.

Appliance Hardware Report
    Check hardware status.

Generate T.H.A.T Report
    Generate the Tanium Hygiene Assessment Tool report.

Run TSG
    Run the Tanium Support Gatherer (TSG) scripts. The output is written to a file you can share with your Tanium Technical Account Manager (TAM) or Tanium Support.

Copy Core Files
    Copy any core dump files to the /outgoing folder so they can be copied by the tancopy user.

Status

System Status
    Display OS or network status.

Tanium Status
    Displays the status of Tanium processes.

Appliance Status
    Display appliance version information, OS status, or hardware status.

Use the Tanium Support menu

1. Log into the TanOS console as the user tanadmin. The TanOS console displays the tanadmin menu.
2. Enter 3 to go to the Tanium Support menu.
3. Use the menu to run a report.

Use the Status menus

- System Status shows OS and network status.
- Tanium Status shows Tanium component status.
- Appliance Status shows appliance version information, OS status, or hardware status.

Display system status

1. Log into the TanOS console as the user tanadmin.
2. Enter 4 to go to the Status menu.
3. Enter 1 to display the System Status menu.
4. Enter 1 to display OS status or 2 to display network status.

Display Tanium status

1. Log into the TanOS console as the user tanadmin.
2. Enter 4 to go to the Status menu.
3. Enter 3 to display Tanium component status.

Display appliance status

1. Log into the TanOS console as the user tanadmin.
2. Enter 4 to go to the Status menu.
3. Enter 4 to display the Appliance Status menu.
4. Use the menu to display appliance version information, OS status, or hardware status.