You are prompted to configure basic host and network settings when you complete the initial configuration. Use the Appliance Configuration menu to modify the configuration.
Changes to the network configuration do not go into effect until you restart network services. If you connect over a remote SSH connection and change the configuration for the interface with which you are connected, your SSH connection terminates.
Modify the host name and DNS configuration
Host, domain, DNS server, and /etc/hosts settings are configured during the initial setup. If necessary, you can use the Hostname/DNS Configuration menu to make changes.
Contact Tanium Support if you plan to change the Tanium Server host name. Tanium Support needs the new host name to update the Tanium license for you. For more information, see Support for Tanium Appliances.
Modify the host name
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 1 to go to the Hostname/DNS Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Hostname/DNS Configuration <<<
1: Manage Hostname/Domain Name
2: Manage DNS Server
3: Edit manual hosts entries
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 1 and follow the prompts to change the host name, which must be a fully qualified domain name (FQDN).
>>> Appliance Configuration -> Hostname/DNS Configuration -> Hostname <<<
Current hostname (FQDN):
ts1.test.tanium.local
Please contact Tanium Support prior to changing the hostname of an
active TanOS appliance!
New FQDN: ts1.test.tanium.local
Modify the DNS server
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 1 to go to the Hostname/DNS Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Hostname/DNS Configuration <<<
1: Manage Hostname/Domain Name
2: Manage DNS Server
3: Edit manual hosts entries
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 2 and follow the prompts to modify the DNS server configuration.
>>> Appliance Configuration -> Hostname/DNS Configuration -> Domain Name <<<
Currently configured name server(s):
192.168.76.2
Would you like to change the DNS Server address? [Yes|No]: yes
Please provide the first DNS server address: 10.10.10.10
Please provide second DNS server address:
Finished setting new DNS Servers
Press enter to continue
Modify the hosts file
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 1 to go to the Hostname/DNS Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Hostname/DNS Configuration <<<
1: Manage Hostname/Domain Name
2: Manage DNS Server
3: Edit manual hosts entries
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 3 and use the manual_hosts menu to update the /etc/hosts file.
>>> Tanium TanOS -> Tools -> Edit Files -> manual_hosts <<<
#### Contents of /etc/hosts #####
# Generated 2022-03-07 19:06:46
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# This appliance
10.20.70.11 ts1.test.tanium.local ts1
# Appliance array members
10.20.70.12 ts2.test.tanium.local ts2
10.20.70.13 tms1.test.tanium.local tms1
10.20.70.14 tms2.test.tanium.local tms2
10.20.70.15 tzs.test.tanium.local tzs
# Manual entries
# No manual entries
#################################
file is empty
A: Add a line
R: Return to previous menu RR: Return to top
Modify the network interface configuration
Contact Tanium Support before changing the IP address for the interface used by the Tanium Server. The Tanium Server IP address is used in multiple configurations.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 2 to go to the Networking Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<
1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 1 to go to the Network Interfaces menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking -> Network Interfaces <<<
Manage network interfaces and their configuration such as assigned IP address
or MTU settings.
Available network interfaces:
#: Interface State Link MAC IP Location
1: eth0 UP YES ca:bc:69:8a:0d:4b 10.20.70.161/22 virtual
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter the line number of the interface that you want to configure to go to the selected Network Interface menu.
>>> Appliance Configuration -> Networking -> Network Interface <<<
Current settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address: fe80::20c:29ff:feed:26f/64
IPv6 Gateway:
1: Manage IP address
2: Manage MTU Size
3: Manage Temporary Interface Status (up/down)
R: Return to previous menu RR: Return to top
------------------------------------------------------
Use the menu to change the IP address, MTU size, or up/down status.
Set up an IPsec tunnel
Use IPsec to ensure end-to-end security between two Tanium Server appliances. An IPsec tunnel is automatically configured when you install an Appliance Array.
Start two SSH terminal sessions so you can copy and paste between them:
First Tanium Server appliance
Second Tanium Server appliance
Sign in to each of the Tanium Server appliances as a user with the tanadmin role and go to the IPsec menu:
Enter A to go to the Appliance Configuration menu.
Enter 2 to go to the Networking Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<
1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 2 to go to the IPSEC Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> IP -> IPSEC <<<
1: Display Local IPSEC host key
2: Display IPSEC Configuration
3: Configure IPSEC
4: Delete IPSEC
5: Restart IPSEC
6: Test IPSEC
R: Return to previous menu RR: Return to top
------------------------------------------------------
On the second appliance, copy the IPsec host key to the clipboard:
From the IPSEC menu (A-2-2), enter 1 to view the local IPsec host key.
>>> Appliance Configuration -> IP -> IPSEC -> Display Host Key <<<
Local Host Key Information:
Press enter to continue
Copy the key to the clipboard.
On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance.
>>> Appliance Configuration -> IP -> IPSEC -> Configure IPSEC <<<
To configure IPSEC connectivity between TanOS systems the following information is required
- Local IP address
- Remote IP address
- Remote host key
Any existing configuration will be overwritten!
Would you like to continue with IPSEC configuration? [Yes|No]: yes
Please provide the local ip address: 192.168.76.101
Please provide the remote ip address: 192.168.76.102
Please provide the remote hostkey: (paste the host key copied from the second appliance)
On the first appliance, copy the IPsec host key to the clipboard:
From the IPSEC menu, enter 1 to view the local IPsec host key.
Copy the key to the clipboard.
Go to the second appliance and complete the IPsec configuration:
From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
Enter 6 to test the connection from the second appliance.
>>> Appliance Configuration -> IP -> IPSEC -> Test IPSEC <<<
Testing secured connectivity to the remote ip.
Secure connectivity to remote IP 192.168.76.101 is working
Press enter to continue
Go back to the first appliance and enter 6 to test the connection.
View the IPSEC configuration for an appliance
Sign in to the appliance as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 2 to go to the Networking Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<
1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 3 to go to the Routing Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking -> Routing <<<
Manage local routing entries.
Note: this appliance is NOT a router!
Routing table:
#: Destination Interface Next Hop
1: default ens160 10.10.10.2
2: 10.10.10.0/24 ens160 LOCAL
3: 169.254.0.0/16 ens160 LOCAL
4: 169.254.0.0/16 ens192 LOCAL
5: 169.254.0.0/16 ens224 LOCAL
6: 169.254.0.0/16 ens256 LOCAL
A: Add a routing entry
R: Return to previous menu RR: Return to top
------------------------------------------------------
Use the menu to manage the routing table.
Configure NIC teaming
This procedure applies only to the physical Tanium Appliance.
Tanium™ Appliance supports active/passive network interface controller (NIC) teaming. Active/passive NIC teaming allows multiple interfaces to be placed in a group to support NIC failover. When you configure the NIC team, you must select interfaces of the same type.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 2 to go to the Networking Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<
1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter T to go to the NIC Teaming menu.
>>> Appliance Configuration -> Networking -> NIC Teaming <<<
NIC Teaming is enabled when appliance has more than one NIC interface and
if on physical appliance tanremote user is enabled and iDRAC IP is configured.
#: Interface State MAC IP Location
A: Create a network team
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter A and follow the prompts to create the NIC team configuration.
When you create a NIC team, the system automatically assigns a MAC address from one of the NICs to the team. The NIC Teaming menu displays the details for each NIC team, including the assigned MAC address.
Manage NIC team
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 2 to go to the Networking Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Networking <<<
1: Network Interfaces
2: IPSEC Configuration
3: Routing Configuration
4: Restart Networking
T: NIC Teaming
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter T to go to the NIC Teaming menu.
>>> Appliance Configuration -> Networking -> NIC Teaming <<<
#: Interface State MAC IP Location
1: team1 DOWN None No IPv4 address team
A: Create a network team
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter the line number of the NIC team that you want to manage.
Use the NIC Team menu to change the IP address, delete the NIC team, or view the status.
>>> Appliance Configuration -> Networking -> NIC Team <<<
Current settings:
Interface: team1
IPv4 Address: 10.10.10.61/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address:
IPv6 Gateway:
C: Change Team IP Address
D: Delete
S: Show Status
R: Return to previous menu RR: Return to top
------------------------------------------------------
Modify the NTP configuration
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 3 to go to the NTP Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> NTP Configuration <<<
Currently configured ntp servers:
pool.ntp.org
Current NTP Status: Normal
Current NTP Peers:
time-a-g.nist.gov
1: time-a-g.nist.gov
2: pool.ntp.org
A: Add NTP server
R: Return to previous menu RR: Return to top
TanOS Version: 1.7.6
Please select: a
Please enter the NTP server address: my.ntpserver.local
Does this server require authentication? [Yes|No]: y
Please enter the NTP key ID (1-65534): 1234
Please enter the NTP key type: sha1
Please enter the NTP key: c3499c2729730a7f807efb8676a92dcb6f8a3f8f
Save changes and restart NTP? [Yes|No]: y
Press enter to continue
Enter the line number of the existing NTP server to modify or remove, or enter A to add a new NTP server.
Follow the prompts to add, modify, or remove the NTP server. To add or modify an NTP server, enter the NTP server address and whether the server requires authentication. If the NTP server requires authentication, enter the NTP key ID, NTP key type, and NTP key at the prompts.
Enter yes to save changes and restart the NTP server.
Configuring syslog
You can forward appliance logs to a remote syslog server.
Syslog forwarding versus alerts
The syslog forwarding configuration under Appliance Configuration is separate from the syslog alert configuration in the Appliance Maintenance menu. Note these key differences:
Syslog forwarding configuration sends all messages written to /var/log/messages to a syslog destination.
Syslog configuration for alerts sends events that match the specified alert threshold severity (info, warn, and error). See Configure alerts for more information.
Check syslog status
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 4 to go to the Syslog Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration <<<
Note: If using TLS, set the cert before configuring forwarding
Syslog forwarding is disabled
1: Check current status
2: View Trust Certificate
3: Upload Trust Certificate
4: Remove Trust Certificate
5: Configure syslog forwarding
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 1 to view the last 5 logs and current syslog status.
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration -> Check Status <<<
Checking existing syslog configuration
###
Found TanOS syslog configuration with destination logfile Kernel
Current size of /var/log/tanos :76924
Last 5 entries in /var/log/tanos:
2020-05-22T14:00:01.756970+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: DEBUG called by root -b
2020-05-22T14:15:01.908001+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: DEBUG called by root -b
2020-05-22T14:30:01.962601+00:00 appliance-160 TanOS_Shell: privileged_support_health_check.sh: DEBUG called by root -b
2020-05-22T14:31:19.706181+00:00 appliance-160 TanOS_Shell: privileged_appliance_configuration_ntp.sh: DEBUG called by tanadmin
2020-05-22T14:33:36.632542+00:00 appliance-160 TanOS_Shell: privileged_appliance_sub_configuration_syslog.sh: DEBUG called by tanadmin
###
No existing TanOS syslog forwarding configuration found
Press enter to continue
Import a syslog server trust certificate
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 4 to go to the Syslog Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration <<<
Note: If using TLS, set the cert before configuring forwarding
Syslog forwarding is disabled
1: Check current status
2: View Trust Certificate
3: Upload Trust Certificate
4: Remove Trust Certificate
5: Configure syslog forwarding
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 2 to view the trust certificate, 3 to paste it (PEM format), or 4 to remove it.
Enable syslog forwarding
Syslog Forwarding sends the same data that gets logged in /var/log/messages to the destination.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 4 to go to the Syslog Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration <<<
Note: If using TLS, set the cert before configuring forwarding
Syslog forwarding is disabled
1: Check current status
2: View Trust Certificate
3: Upload Trust Certificate
4: Remove Trust Certificate
5: Configure syslog forwarding
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 5 and follow the prompts to specify the settings for the remote syslog server.
------------------------------------------------------
>>> Appliance Configuration -> Syslog Configuration -> Configure <<<
Configuring syslog forwarding (empty destination to disable forwarding)
Please enter the destination host: 10.10.10.10
Please enter the destination port: 514
Please enter the destination protocol [tcp/udp]: tcp
Enable TLS? [Yes|No]: n
Enable TCP octet framing? [Yes|No]: y
Enable RFC5424 output format? [Yes|No]: y
Will create syslog forwarding configuration
Finished configuring syslog forwarding
Press enter to continue
If you do not enable RFC5424 output format, TanOS defaults to RFC3164 syslog output.
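A receiver-side check for the framing and format choices made at the prompts above, as an added example that is not Tanium code: it splits a TCP stream with octet framing on or off, then parses each message as RFC 5424 or, failing that, RFC 3164 (the TanOS default). The sample messages are constructed, modelled on the TanOS_Shell line in the Check Status output earlier on this page.

```python
"""Receiver-side sanity check for TanOS syslog forwarding settings.

Constructed example, not Tanium code: handles the two framing choices
(octet counting on/off) and the two output formats (RFC 5424 / RFC 3164)
offered by the Configure syslog forwarding prompts.
"""
from __future__ import annotations

import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164 (TanOS default when RFC5424 output is not enabled): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


def octet_frame(msg: bytes) -> bytes:
    """Wrap one message the way a sender with TCP octet framing enabled does (RFC 6587)."""
    return b"%d %s" % (len(msg), msg)


def split_octet_framed(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split "LEN SP MSG" frames; an incomplete trailing frame is returned as leftover."""
    msgs: list[bytes] = []
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            break  # length prefix not complete yet
        prefix = stream[pos:sp]
        if not prefix.isdigit():
            raise ValueError(f"bad octet-count prefix at offset {pos}: {prefix!r}")
        start, end = sp + 1, sp + 1 + int(prefix)
        if end > len(stream):
            break  # partial frame: wait for more bytes
        msgs.append(stream[start:end])
        pos = end
    return msgs, stream[pos:]


def split_newline_framed(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split newline-delimited messages (octet framing disabled); the unterminated tail is leftover."""
    parts = stream.split(b"\n")
    return [p for p in parts[:-1] if p], parts[-1]


def parse_pri(pri: int) -> tuple[int, str]:
    """Decode <PRI> into (facility number, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, SEVERITIES[pri % 8]


def parse_syslog(raw: bytes) -> dict:
    """Parse one message, trying RFC 5424 first and falling back to RFC 3164."""
    text = raw.decode("utf-8", errors="replace")
    m = RFC5424_RE.match(text)
    if m:
        facility, severity = parse_pri(int(m["pri"]))
        return {"format": "rfc5424", "facility": facility, "severity": severity,
                "timestamp": m["timestamp"], "host": m["host"], "app": m["app"],
                "msg": m["msg"] or ""}
    m = RFC3164_RE.match(text)
    if m:
        facility, severity = parse_pri(int(m["pri"]))
        tag, _, body = m["rest"].partition(": ")  # TAG ends at the first ": "
        return {"format": "rfc3164", "facility": facility, "severity": severity,
                "timestamp": m["timestamp"], "host": m["host"], "app": tag,
                "msg": body}
    raise ValueError(f"unrecognised syslog message: {text[:40]!r}")


# Constructed sample messages, modelled on the TanOS_Shell line shown in the
# "Check syslog status" output above; PRI 15 = facility 1 (user), severity 7 (debug).
SAMPLE_5424 = (b"<15>1 2020-05-22T14:00:01.756970+00:00 appliance-160 TanOS_Shell - - - "
               b"privileged_support_health_check.sh: DEBUG called by root -b")
SAMPLE_3164 = (b"<15>May 22 14:00:01 appliance-160 TanOS_Shell: "
               b"privileged_support_health_check.sh: DEBUG called by root -b")
# Two complete frames followed by a truncated third, as a TCP read might deliver them.
FRAMED_STREAM = octet_frame(SAMPLE_5424) + octet_frame(SAMPLE_3164) + b"60 <15>1 2020-05-22T14"


def ingest(stream: bytes, octet_framing: bool) -> tuple[list[dict], bytes]:
    """Split a received byte stream with the configured framing and parse each message."""
    splitter = split_octet_framed if octet_framing else split_newline_framed
    msgs, leftover = splitter(stream)
    return [parse_syslog(m) for m in msgs], leftover


if __name__ == "__main__":
    records, leftover = ingest(FRAMED_STREAM, octet_framing=True)
    for rec in records:
        print(rec["format"], rec["host"], rec["app"], rec["severity"], rec["msg"])
    print("bytes waiting for next read:", leftover)
```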
Configuring SNMP
Tanium Appliances support SNMP v3, though the SNMP service is not enabled by default. You can configure SNMP credentials and start the service to allow remote SNMP connections to the appliance or to the iDRAC interface of a physical Tanium Appliance. The default user name for SNMP connections is tansnmp. A remote host or SNMP manager can use the configured credentials to conduct SNMP polling on the appliance. Tanium Appliances only respond to SNMP requests; they do not send SNMP traps.
There is no Tanium-specific MIB. Tanium Appliances report a specific SNMPv2 sysObjectID and include the following standard MIBs:
SNMPv2-MIB
IP-MIB
IF-MIB
TCP-MIB
UDP-MIB
HOST-RESOURCES-MIB
UCD-SNMP-MIB
For a physical Tanium Appliance, see Dell Technologies: SNMP Reference Guide for iDRAC and Chassis Management Controller for information about the MIB used with iDRAC. Some limitations apply for the iDRAC implementation in the Tanium Appliance. For example, the Tanium Appliance does not support SNMP v1 or v2, nor does it send SNMP traps.
Example of SNMP polling using snmpwalk
Set password and start the SNMP service
Passwords must contain at least 8 characters.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 5 to go to the SNMP Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> SNMP Configuration <<<
State: Enabled
Username: tansnmp
Location: New York, NY
Contact: [email protected]
EngineID: 0x80001f8880d6736914ae15e56000000000
Sample:
snmpwalk -v3 -u tansnmp -A 'password' -X 'password' -a sha -x AES -l authPriv 10.10.10.61
U: Change the Username
L: Change the Location
C: Change the Contact
V: View SNMP Service Status
D: Stop the SNMP Service
S: Set Password and Start the SNMP Service
R: Return to previous menu RR: Return to top
Enter S, enter the desired SNMP password at the prompt, and press Enter to save the password and enable the SNMP service.
------------------------------------------------------
>>> Appliance Configuration -> SNMP Configuration <<<
State: Enabled
Username: tansnmp
Location: New York, NY
Contact: [email protected]
EngineID: 0x80001f8880d6736914ae15e56000000000
Sample:
snmpwalk -v3 -u tansnmp -A 'password' -X 'password' -a sha -x AES -l authPriv 10.10.10.61
U: Change the Username
L: Change the Location
C: Change the Contact
V: View SNMP Service Status
D: Stop the SNMP Service
S: Set Password and Start the SNMP Service
R: Return to previous menu RR: Return to top
------------------------------------------------------
TanOS Version: 1.7.6
Please select: s
Enter the desired SNMP password:
Successfully saved and enabled the SNMP service
Press enter to continue
Change the SNMP user name, location, or contact
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 5 to go to the SNMP Configuration menu.
Enter U to change the user name, L to change the location, or C to change the contact and follow the prompts to enter the new value.
View SNMP service status
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 5 to go to the SNMP Configuration menu.
Enter V to view the SNMP service status details.
Stop the SNMP service
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 5 to go to the SNMP Configuration menu.
Enter D to stop and disable the SNMP service.
Configure solution module file share mounts
Tanium™ Connect and Tanium™ Detect can write consumable files to disk. You can configure the Module Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share on a file server, or to an internal share on the appliance itself. An internal share is a directory that the tancopy user can access using SFTP.
If you configure an internal share, the tancopy user can make an SFTP connection to the appliance with SSH key authentication and copy files to or from the /modules/connect or /modules/detect directory (depending on which shares are configured). For information about adding SSH keys for the tancopy user, see one of the following sections:
When two module servers are deployed in an active standby configuration, file share mounts are not replicated. Configure each module server in the same way to maintain functionality in the event of a failover.
Add a file share mount
Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 6 to go to the Share Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Share Configuration <<<
1: Create a new Connect mount
2: Create a new Detect mount
4: Delete an existing Connect mount
5: Delete an existing Detect mount
A: List existing mounts
B: Test existing mounts
C: Re-attempt mounts
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter the line number of the mount you want to create and complete the configuration to add a file share mount.
>>> Appliance Configuration -> Share Configuration -> Create Mount Connect <<<
Before configuring shares, ensure you have the following information at hand,
depending on the type of share you are configuring.
CIFS:
- hostname/IP of the server (do not use a cname if the server is Windows OS)
- share name
- credentials (username, domain, password)
NFS:
- hostname or IP of the server
- export name
Internal:
- tancopy (SFTP) access to the appliance
Would you like to continue? [Yes|No]: yes
Please enter share type (cifs/nfs/internal): cifs
Please enter the servername for mount: 192.168.154.219
Please enter the share name / export: connect
Please enter the user name: bernd
Please enter the domain name: tam.local
Please enter the password (will not be displayed):
Checking if CIFS mounting would be successful (might take a while)
Mount successfully established, creating permanent connection
Added CIFS share permanently.
Press enter to exit
List a file share mount
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 6 to go to the Share Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Share Configuration <<<
1: Create a new Connect mount
2: Create a new Detect mount
4: Delete an existing Connect mount
5: Delete an existing Detect mount
A: List existing mounts
B: Test existing mounts
C: Re-attempt mounts
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter A to go to the List Mounts menu.
>>> Appliance Configuration -> Share Configuration -> List Mounts <<<
Hint: This should finish in less than 1 second
If it takes a long time, the target system may be down!
Service State Target Persistent Type
Connect Mounted 192.168.154.62:/opt/share Yes nfs
Detect Mounted //192.168.154.219/detect$ Yes cifs
Press enter to exit
Test a file share mount
Sign in to the TanOS console on the Tanium Module Server as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 6 to go to the Share Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Share Configuration <<<
1: Create a new Connect mount
2: Create a new Detect mount
4: Delete an existing Connect mount
5: Delete an existing Detect mount
A: List existing mounts
B: Test existing mounts
C: Re-attempt mounts
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter B to test the existing mounts.
>>> Appliance Configuration -> Share Configuration -> Test Mounts <<<
Share for connect service mounted, we expect write access to succeed:
Write test successful
Read test successful
Share for detect service mounted - we expect write access to succeed:
Write test successful
Read test successful
Press enter to exit
Change from a static IP address to DHCP (virtual Tanium Appliance only)
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter 7 and follow the prompts to use DHCP.
Configure additional security
Use the Security menu to manage SSH trusted host list configurations.
Manage inbound SSH access rules
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter A to go to the Security menu.
Enter 2 to go to the Manage SSH menu.
>>> Appliance Configuration -> Security -> Manage SSH <<<
The following rules allowing inbound SSH are currently active
#: Source
1: 0.0.0.0/0
2: ::/0
A: Add Rule
R: Return to previous menu RR: Return to top
------------------------------------------------------
From this menu, you can add or delete rules that restrict SSH access to hosts from specified subnets only.
Enter A and follow the prompts to add a new rule.
Enter the line number of an existing rule and follow the prompts to delete the rule.
Configure SSH banner text
You can add custom SSH banner text to TanOS.
Use SFTP to copy a file named banner_ssh.txt to the /incoming folder.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter A to go to the Security menu.
Enter 3 to configure the SSH banner.
>>> Appliance Configuration -> Security -> Manage SSH -> Configure SSH Banner <<<
Uploaded banner_ssh.txt file found in tancopy incoming.
TanOS will replace the existing banner with the new file.
Log out of ssh and re-connect to view the banner.
Banner file copy successful
Press enter to continue
View SSH fingerprints
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter A to go to the Security menu.
Enter 4 to display the SSH fingerprints.
If you have requirements to use the LDAPS or StartTLS protocol for the LDAP sync connection to the back-end LDAP server, you must import the LDAP server root certificate authority (CA) certificate and then enable the LDAPS/StartTLS configuration. You can import multiple root CA certificates if necessary. The certificates must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file. You do not have to do both.
The LDAP server root CA certificate must be able to validate the LDAP server certificate. The subject field of the LDAP server certificate must match the host field in the LDAP configuration.
In a clustered environment, upload the LDAP server CA certificate to both Tanium Servers.
Paste the LDAP server root CA contents
To add multiple CA certificate files, put all certificates in one file and paste them in together.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
Enter A to go to the Security menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter A to go to the LDAP CA Certificate Management menu.
------------------------------------------------------
>>> Appliance Configuration -> LDAP Sync CA Certificate Management <<<
Number of certificates: 1
LDAPS/STARTTLS Status: Enabled
Certificate validation: Enabled
1: Add Certificate
2: Import Certificate
3: Toggle LDAPS or STARTTLS Configuration
4: Toggle TLS Certificate Validation
5: List Certificates
S: Sync Configuration to Peer TS
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 1 and follow the prompts to paste the contents of the LDAP server root CA certificate file.
>>> Appliance Configuration -> LDAP Sync CA Cert Mgmt -> Create Certificate <<<
Please paste the certificate text (Empty line to end):
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
Validating input
Please enter a short name for this certificate: ldaps_ca
Installing certificate
Finished adding LDAPS certificate
You will need to restart the Tanium Server service for this change to take effect.
Do you wish to restart the service now? [Yes|No]:
To add multiple CA certificate files, put all certificates in one file and use the Add Certificate option to paste them in together. See Paste the LDAP server root CA contents.
Use SFTP to copy the file to the /incoming directory of the Tanium Server appliance.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter A to go to the LDAP CA Certificate Management menu.
------------------------------------------------------
>>> Appliance Configuration -> LDAP Sync CA Certificate Management <<<
Nubmer of certificates: 1
LDAPS/STARTTLS Status: Enabled
Certificate validation: Enabled
1: Add Certificate
2: Import Certificate
3: Toggle LDAPS or STARTTLS Configuration
4: Toggle TLS Certificate Validation
5: List Certificates
S: Sync Configuration to Peer TS
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 3 to enable or disable the LDAPS configuration.
Enable/Disable TLS certificate validation
If necessary during troubleshooting, you can disable TLS certificate validation to help you determine if there is a problem with the certificate. After troubleshooting, re-enable certificate validation.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter A to go to the LDAP CA Certificate Management menu.
------------------------------------------------------
>>> Appliance Configuration -> LDAP Sync CA Certificate Management <<<
Nubmer of certificates: 1
LDAPS/STARTTLS Status: Enabled
Certificate validation: Enabled
1: Add Certificate
2: Import Certificate
3: Toggle LDAPS or STARTTLS Configuration
4: Toggle TLS Certificate Validation
5: List Certificates
S: Sync Configuration to Peer TS
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter 4 and then E to enable or D to disable TLS certificate validation for connections with the LDAP server, and follow the prompt to restart the Tanium Server service.
------------------------------------------------------
>>> Appliance Configuration -> LDAP Sync CA Cert Mgmt -> Validation <<<
Ignore certificate validity when using LDAPS or StartTLS.
Certificate Validation: Enabled
E: Enable Certificate Validation
D: Disable Certificate Validation
R: Return to previous menu RR: Return to top
Please select: D
You will need to restart the Tanium Server service for this change to
take effect.
Do you wish to restart the service now? [Yes|No]: Yes
Press enter to continue
View and manage LDAPS certificates
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
The TanOS user access security policy has the following factory settings.

Setting: Password Lifetime
Factory default: Minimum: 0 days; Maximum: 90 days
Description: The minimum sets the minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. The maximum sets the age at which a current password expires.

Setting: Password History
Factory default: 4 most recent
Description: The number of most recent passwords to disallow reuse. A setting of 0 allows reuse of any previous passwords. This setting does not apply to the tanadmin account.

Setting: Password Minimum Length
Factory default: 10 characters
Description: The minimum number of characters allowed in a password. Valid range is 6-10 characters.

Setting: Password Minimum Characters Changed
Factory default: 0 (disabled)
Description: The minimum number of characters in the new password that must not be present in the previous password. 5 is a common practice. STIG requires a minimum of 8. A setting of 0 allows reuse of any character. This setting does not apply to the tanadmin account.

Setting: Login Failure Delay
Factory default: 0 seconds
Description: The delay, in seconds, after a failed sign in attempt before the password prompt is presented to the user again.

Setting: Expired Passwords Effect
Factory default: Force Password Change
Description: Determines the effect on a user account when a password expires. Two options: disable the user account, or force a password change on the next sign in.

Setting: Account Lockout Time
Factory default: 900 seconds after 3 failures
Description: The number of seconds to lock an account after three consecutive unsuccessful sign in attempts. Valid range is 0-604800 seconds.

Setting: Maximum Concurrent Logins
Factory default: 10
Description: The number of concurrent sign in sessions for a user account. A setting of 0 disables remote access.
To modify security policy settings:
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration -> Security <<<
2: Manage SSH
3: Configure SSH Banner
4: Display SSH Fingerprints
5: Regenerate SSH Host keys
A: LDAP CA Certificate Management
B: Database Certificate Management
P: Security Policy
X: Advanced Security
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter P to go to the Appliance Configuration Security Policy menu.
------------------------------------------------------
>>> Appliance Configuration Security Policy <<<
Current Settings:
Password Lifetime: min 0 days, max 90 days
Password History: remember 4 most recent
Password Minimum length: 10 characters
Minimum changed: disabled
Login Failure delay: 0 seconds
Expired Passwords Effect: Force Password Change
Account lockout: 900 seconds after 3 failures
Max concurent logins: 10 users
Login Timeout: 120 seconds
1: Password Lifetime
2: Password History Reuse Limit
3: Password Minimum Length
4: Password Minimum Characters Changed
D: Login Failure Delay
E: Expired Passwords Effect
L: Account Lockout Time
M: Maximum Concurrent Logins
T: Login Timeout
R: Return to previous menu RR: Return to top
------------------------------------------------------
Use the menu to view and edit password, sign in, and lockout rules.
After you modify password policy settings, the password prompts in TanOS menus are expected to show users the updated requirements.
Manage the iDRAC interface
The procedures in this section apply only to the physical Tanium Appliance.
Use the tanremote user account to sign in to the iDRAC virtual console to diagnose hardware and network interface issues in the event the TanOS system becomes unavailable. The tanremote user is not a TanOS user or a Tanium Console user.
Before you begin
You must use a cable to connect the iDRAC interface to your network and use TanOS to configure the iDRAC interface before you enable the tanremote user.
Configure the iDRAC interface
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter I to go to the Manage iDRAC menu.
>>> Appliance Configuration -> Manage iDRAC <<<
After executing some iDRAC commands it can take up to three minutes
before valid status is available or further commands will succeed.
iDRAC User tanremote: Enabled
Current iDRAC configuration settings:
IPv4 Address: 10.20.110.58/24
IPv4 Gateway: 10.20.110.1
IPv6 Address: ::/64
IPv6 Gateway: ::
N: iDRAC Network Configuration
P: Set tanremote Password
E: Enable tanremote User
D: Disable tanremote User
C: Close all iDRAC sessions
K: Reset iDRAC
R: Return to previous menu RR: Return to top
Enter N and follow the prompts to configure the iDRAC interface.
Set password for the tanremote user
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter I to go to the Manage iDRAC menu.
>>> Appliance Configuration -> Manage iDRAC <<<
After executing some iDRAC commands it can take up to three minutes
before valid status is available or further commands will succeed.
iDRAC User tanremote: Enabled
Current iDRAC configuration settings:
IPv4 Address: 10.20.110.58/24
IPv4 Gateway: 10.20.110.1
IPv6 Address: ::/64
IPv6 Gateway: ::
N: iDRAC Network Configuration
P: Set tanremote Password
E: Enable tanremote User
D: Disable tanremote User
C: Close all iDRAC sessions
K: Reset iDRAC
R: Return to previous menu RR: Return to top
Enter P and follow the prompts to change the password of the tanremote user.
>>> Appliance Configuration -> Manage iDRAC -> Set iDRAC Password <<<
This will change the iDRAC user tanremote password.
Access to the iDRAC is via the specific iDRAC IP.
Would you like to change the tanremote password? [YES/NO]: yes
The password policy requires meeting these rules:
- Minimum 10 characters long
- Maximum 20 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter password (will not be displayed):
Enable the tanremote user
Set the password for the tanremote user before you enable the user.
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter I to go to the Manage iDRAC menu.
>>> Appliance Configuration -> Manage iDRAC <<<
After executing some iDRAC commands it can take up to three minutes
before valid status is available or further commands will succeed.
iDRAC User tanremote: Enabled
Current iDRAC configuration settings:
IPv4 Address: 10.20.110.58/24
IPv4 Gateway: 10.20.110.1
IPv6 Address: ::/64
IPv6 Gateway: ::
N: iDRAC Network Configuration
P: Set tanremote Password
E: Enable tanremote User
D: Disable tanremote User
C: Close all iDRAC sessions
K: Reset iDRAC
R: Return to previous menu RR: Return to top
Enter E and follow the prompts to enable the tanremote user.
Disable the tanremote user
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter I to go to the Manage iDRAC menu.
>>> Appliance Configuration -> Manage iDRAC <<<
After executing some iDRAC commands it can take up to three minutes
before valid status is available or further commands will succeed.
iDRAC User tanremote: Enabled
Current iDRAC configuration settings:
IPv4 Address: 10.20.110.58/24
IPv4 Gateway: 10.20.110.1
IPv6 Address: ::/64
IPv6 Gateway: ::
N: iDRAC Network Configuration
P: Set tanremote Password
E: Enable tanremote User
D: Disable tanremote User
C: Close all iDRAC sessions
K: Reset iDRAC
R: Return to previous menu RR: Return to top
Enter D and follow the prompts to disable the tanremote user.
Close all iDRAC sessions
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter I to go to the Manage iDRAC menu.
>>> Appliance Configuration -> Manage iDRAC <<<
After executing some iDRAC commands it can take up to three minutes
before valid status is available or further commands will succeed.
iDRAC User tanremote: Enabled
Current iDRAC configuration settings:
IPv4 Address: 10.20.110.58/24
IPv4 Gateway: 10.20.110.1
IPv6 Address: ::/64
IPv6 Gateway: ::
N: iDRAC Network Configuration
P: Set tanremote Password
E: Enable tanremote User
D: Disable tanremote User
C: Close all iDRAC sessions
K: Reset iDRAC
R: Return to previous menu RR: Return to top
Enter C and follow the prompts to close all iDRAC sessions.
Reset iDRAC
Sign in to the TanOS console as a user with the tanadmin role.
Enter A to go to the Appliance Configuration menu.
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
Enter I to go to the Manage iDRAC menu.
>>> Appliance Configuration -> Manage iDRAC <<<
After executing some iDRAC commands it can take up to three minutes
before valid status is available or further commands will succeed.
iDRAC User tanremote: Enabled
Current iDRAC configuration settings:
IPv4 Address: 10.20.110.58/24
IPv4 Gateway: 10.20.110.1
IPv6 Address: ::/64
IPv6 Gateway: ::
N: iDRAC Network Configuration
P: Set tanremote Password
E: Enable tanremote User
D: Disable tanremote User
C: Close all iDRAC sessions
K: Reset iDRAC
R: Return to previous menu RR: Return to top
Enter R and follow the prompts to reset the iDRAC interface.
Access the iDRAC virtual console
You can access the iDRAC virtual console at http://<iDRAC interface IP address>. Sign in with username tanremote and the password that was set with this procedure.