Reference: Appliance Maintenance menu

Use the Appliance Maintenance menu to perform backups, system resets, TanOS upgrades, and system reboots or shutdowns.

Backup overview

TanOS contains the options to perform core and comprehensive backups. Tanium™ Physical Appliances and Tanium™ Virtual Appliances with inactive partitions also have the option to back up the active partition to the inactive partition. On Tanium™ Cloud Appliances and Tanium Virtual Appliances, you can also take a snapshot of the Appliance's image. For core and comprehensive backups, you can schedule automatic backups or perform a manual backup. The following sections describe the available options:

Configure and run automatic backups

Use TanOS to schedule automatic backups for the Tanium Appliance. Through TanOS, you can schedule core and comprehensive backups.

After you perform the initial setup for an appliance, a core backup is scheduled by default. The TanOS health check reports an error that automatic backups cannot complete until you set up an encryption key. To remove the error from the health check, you can either add an encryption key or disable the scheduled core backup. For more information on the TanOS health check, see Run the Health Check.

The general process to set up an automatic backup includes the following steps:

  1. Add an encryption key for all backups.
  2. Configure a core or comprehensive backup.
  3. Test the automatic backup.
  4. Schedule the automatic backup.

When you schedule an automatic backup, TanOS prompts you to select a remote host to which to save the recovery bundle. TanOS also saves the recovery bundle to the /outgoing directory, where you can use SFTP to download the recovery bundle.

Add encryption key for the backups

Encrypt all core and comprehensive backup recovery bundles with a key pair. Encryption is required for both automatic and manual backups.

  1. Use OpenSSL to generate a public/private key pair in a PEM file. Enter a passphrase when prompted.

    openssl genrsa -aes256 -out ssl-pvk.pem 3072

  2. For customers that need to decrypt backup bundles on a FIPS-enabled appliance, encrypt your backup key using the following command:

    openssl pkcs8 -topk8 -in OLD_FILENAME.pem -v2 aes-256-cbc -out NEW_FILENAME.pem'

  3. Extract the public key from the PEM file. Enter your passphrase when prompted.

    openssl pkey -in ssl-pvk.pem -pubout -out ssl-pub.pem

  4. Extract the identifier for the public key. This identifier is visible in the backup file and can be useful to find a particular public key.

    openssl pkey -pubin -in ssl-pub.pem -outform DER | openssl dgst -sha1

  5. Copy the contents of the ssl-pub.pem file (the public key) to the clipboard.

  6. Sign in to the TanOS console as a user with the tanadmin role.

  7. Enter B to go to the Appliance Maintenance menu. ClosedView screen

  8. Enter 1 to go to the Backup menu. ClosedView screen

  9. Enter E, paste the public key from the clipboard, and press Ctrl-D. ClosedView screen

  10. Press Enter to go to the Backup menu.

  11. To test the encryption, perform a manual core backup using the steps described in Perform a core or comprehensive backup.

    1. After the backup completes, download the recovery bundle. Note that you are not prompted to set a password.
    2. Extract the recovery bundle. The folder contains a README.txt file that describes how to decrypt the recovery bundle.

Configure an automatic backup

In a new installation with a Tanium role installed, an automatic core backup is scheduled to run nightly at 2:01 AM UTC. You can edit the backup, disable the backup, or configure an automatic comprehensive backup.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 1 to go to the Backup menu. ClosedView screen
  4. Enter C to configure an automatic backup. ClosedView screen
  5. Select the type of backup to configure:
    • To configure a core backup, enter N.
    • To configure a comprehensive backup, enter F.
  6. Follow the prompts to enable the backup and to specify file transfer options.
    • Automatic backups always save the recovery bundles to the /outgoing directory for download with SFTP.
    • You can specify a username and IP address for a destination server to reach with secure copy protocol (SCP). If you set up a file transfer with SCP, copy the public SSH key of the TanOS user that you are using to configure and run the backup to the remote user's ~/.ssh/authorized_keys file on the remote system. Ensure proper privileges on the remote system; you may need to run CHMOD 600 on the ~/.ssh/authorized_keys file.
      To locate a TanOS user's public SSH key to copy and store in the remote user's authorized keys file, sign in to the TanOS menu and navigate to User Administration C > TanOS U > user # > Key Pair P. The public SSH key is presented for copying.

      The backup files are stored on the remote system at /home/<remote user>/ .

      For information on managing TanOS user SSH keys, see Manage SSH keys.

Test an automatic backup

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 1 to go to the Backup menu. ClosedView screen
  4. Enter A to go to the Run Now menu. ClosedView screen
  5. Select the type of backup to run.
  6. Verify the backup settings and enter Yes to run the backup.
  7. Verify the backup completes successfully. ClosedView screen
    • If the backup exports the recovery bundle to a remote server with SCP, sign in to the remote server and verify the recovery bundle exists.
    • Extract the recovery bundle. The folder contains a README.txt file that describes how to decrypt the recovery bundle.

Schedule an automatic backup

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 1 to go to the Backup menu. ClosedView screen
  4. Enter S to go to the Schedule menu. ClosedView screen
  5. Select the type of backup to view the schedule settings. The schedule settings include the current settings and the pending settings. ClosedView screen
    • Enter 1 to disable the backup.
    • Enter 2 to enable the backup.
    • Enter 4 to enter the days of the month to run the backup. You can enter a date range or comma-separated days.
    • Enter 5 to enter the days of the week to run the backup. You can enter a range or comma-separated values.
    • Enter 6 to select the time to run the backup. Enter the hours and minutes in UTC time.
    • To confirm the pending settings, enter 7 to activate the settings. The active settings update to match the pending settings.

    6. If you enter R and do not activate the settings, the changes do not save.

View log files after a backup

If a backup fails, you can review the TanOS log file for additional information.

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 3 to go to the Tanium Support Menu menu.
  3. Enter 1 to go to the Tanium Log Files menu.
  4. Enter 1 to go to the TanOS Appliance menu.
  5. Enter 1 to go to the TanOS Log menu.
  6. Enter V to view the log file.

Configure and run manual backups

You must encrypt all backups with a key pair. Encryption is required for both automatic and manual backups. For steps on how to set up encryption, see Add encryption key for the backups.

Perform a partition sync (Tanium Physical Appliance and Tanium Virtual Appliance only)

In TanOS 1.6.5 and later, in an array, start the partition sync on the primary appliance only. The array automatically performs the sync on all other servers in the array.

In TanOS 1.6.1 and later, virtual appliances contain only one partition by default. Appliances with only one partition do not contain the option to perform a partition sync.

To protect data consistency, the partition sync job disables (shuts down) the Tanium Server, Tanium database server, and other related services for the duration of the partition sync. Make sure that manually performing a partition sync does not disrupt solution processes.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 1 to go to the Backup menu. ClosedView screen
  4. Enter P to go to the Partition Sync menu. ClosedView screen
  5. Follow the prompts to complete the backup.
  6. After the backup completes, press Enter to go to the Backup menu.

For information on how to change the active partition to the inactive partition, see Change the active partition.

Perform a core or comprehensive backup

Complete the following steps to perform a manual backup of the Tanium Appliance:

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 1 to go to the Backup menu.
  4. Use the menu to create a backup:
    • Enter N to go to the Backup off-box Core menu.
    • Enter F to go to the Backup off-box Comprehensive menu.
  5. Follow the prompts to confirm the backup and to specify file transfer options. You can save the backup file to the /outgoing directory for download with SFTP, and you can specify a username and IP address for a destination server that can be reached with secure copy protocol (SCP). ClosedView screen
  6. After the backup completes, press Enter to go to the Backup menu.

If a backup fails, you can review the TanOS log file for additional information.

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter 3 to go to the Tanium Support Menu menu.
  3. Enter 1 to go to the Tanium Log Files menu.
  4. Enter 1 to go to the TanOS Appliance menu.
  5. Enter 1 to go to the TanOS Log menu.
  6. Enter V to view the log file.

Manage Tanium database backups

Beginning with TanOS 1.6.3, Tanium database backups are included with core backups and comprehensive backups. TanOS contains the option to manage Tanium database backups produced prior to TanOS 1.6.3.

To select a specific backup from the last 7 days, navigate to the List Tanium Database Backups menu.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 1 to go to the Backup menu.
  4. Enter L to list the Tanium database backups.
  5. Follow the prompts to export, rename, or delete the backup.

Configure alerts

TanOS can send alerts to a syslog server or to an email recipient. For optimal results, configure an SMTP email recipient. If the syslog server fails, the SMTP recipient receives a failure notification every 15 minutes until the failure is resolved or syslog forwarding is disabled.

Severity level is a global setting that applies to both Syslog and SMTP alerts.

Configure alerts

Use the Configure Alerts menu to set the alert severity threshold to info, warn, or error.

  • Info: Includes all alerts
  • Warn: Includes all error and warning alerts
  • Error: Includes error alerts
  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 2 to go to the Alerting menu. ClosedView screen
  4. Enter 3 to go to the Configure Alerts menu. ClosedView screen
  5. Use the menu to set a severity level and enable/disable alerting.

Configure syslog destination

The syslog alert configuration is separate from the syslog configuration in the Appliance Configuration menu. This configuration sends alerts for the alert threshold severity. The syslog configuration in the Appliance Configuration menu sends all logs.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 2 to go to the Alerting menu. ClosedView screen
  4. Enter 1 to go to the Configure Syslog Destination menu. ClosedView screen
  5. Enter 2 and follow the prompts to configure a syslog destination. ClosedView screen
  6. Enter 1 to enable syslog alerts. The Configure Syslog Destination menu updates to show the current status. ClosedView screen
  7. Enter 3 to send a test alert to the syslog server.

The test alert appears in the syslog server logs.

Configure SMTP destination

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter 2 to go to the Alerting menu. ClosedView screen
  4. Enter 2 to go to the Configure SMTP Destination menu. ClosedView screen
  5. Enter 2 and follow the prompts to configure the SMTP destination. ClosedView screen
  6. Enter 1 to enable SMTP alerts. The Configure SMTP Destination menu updates to show the current status. ClosedView screen
  7. Enter 3 to send a test alert to the mail recipient.

Upgrade TanOS

See Upgrade TanOS.

Request a shell access key

You can request OS shell access to examine OS processes and files written to the file system. See Examine Tanium and TanOS files.

Clean up generated files

Clean directories to clear up disk space or clear logs to make it easier to work with new entries in the log viewer.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter A to go to the Clean directories menu. ClosedView screen
  4. Use the menu to delete files that have been generated in the SFTP /incoming and /outgoing directories, core dump files, application logs, and so on.

Reboot or shut down

Tasks that you complete with TanOS menus typically do not require you to reboot the system. A reboot might be required during troubleshooting workflows.

Shutdown turns off the system and powers down the appliance.

On a Tanium Physical Appliance, you must have physical or iDRAC access to the appliance to power it on. Do not perform a system shutdown unless you are prepared to power the appliance back on.

Reboot

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter B to go to the Reboot/Shutdown menu. ClosedView screen
  4. Enter 1 to go to the Reboot menu. ClosedView screen
  5. Follow the prompts to reboot the appliance.

Shut down

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter B to go to the Reboot/Shutdown menu. ClosedView screen
  4. Enter 2 to go to the Shutdown menu. ClosedView screen
  5. Follow the prompts to shut down the appliance.

Exit maintenance mode

Some maintenance procedures that you perform with TanOS menus prompt you to enter maintenance mode to ensure Tanium services are not affected by the maintenance operation. When the operation completes, exit maintenance mode to resume normal operations.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter C to go to the Maintenance Mode menu.
  4. Enter 1 to clear any maintenance actions.

Enable alternate partitions (Tanium Physical Appliance and Tanium Virtual Appliance only)

In TanOS 1.6.1 and later, Tanium Virtual Appliances contain only one partition set by default. On Virtual Appliances, you can add an alternate (inactive) partition set to use as a backup partition.

Enabling an alternate partition allows you to perform a partition sync, as described in Perform a partition sync (Tanium Physical Appliance and Tanium Virtual Appliance only).

The option to enable partitions only appears if you have a single partition on a virtual appliance.

Enabling an alternate partition is a long-running operation. This operation performs an initial partition sync, which may take a long time depending on the configuration of your storage subsystem.

  1. If needed, modify the virtual image to add disk storage.

    This action is not reversible. Storage that you add to the appliance is permanently allocated. Do not attempt to remove disk storage from an appliance, as the appliance becomes unusable.

  2. Sign in to the TanOS console as a user with the tanadmin role.

  3. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  4. Enter E and follow the prompts to enable alternate partitions.
    If your virtual appliance does not have enough space to enable the alternate partition, the TanOS console displays the minimum amount of space needed.

Disable alternate partitions (Tanium Physical Appliance and Tanium Virtual Appliance only)

Use this option on Tanium Virtual Appliances to remove the alternate (inactive) partition set. Use this option if you do not need the alternate partition. After you remove the alternate partition set, you can allocate the unused storage to the primary partition.

Do not disable the alternate partition set with the intent to reclaim disk storage. Disk storage on the appliance is permanently allocated. Do not attempt to remove disk storage from an appliance, as the appliance becomes unusable.

Disabling an alternate partition used for a partition sync removes the partition sync backup.

In TanOS 1.6.1 and later, virtual images contain only one partition set by default. If you upgrade from a previous version of TanOS, the existing partition configuration is preserved. This menu option only appears if your virtual appliance has an alternate partition set.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  3. Enter D and follow the prompts to remove all alternate partitions. ClosedView screen

Use the Increase storage option to reallocate the storage from the deleted partition set.

Increase storage

On Tanium Cloud Appliances and Tanium Virtual Appliances, you can add a disk to the virtual image or increase the size of the existing virtual disk to increase the amount of storage that is available to TanOS.

This action is not reversible. Storage that you add to the Appliance is permanently allocated. Do not attempt to remove disk storage from an Appliance, as the Appliance becomes unusable.

  1. Modify the virtual image to add a disk or increase the size of the existing virtual disk.
  2. Sign in to the TanOS console as a user with the tanadmin role.
  3. Enter B to go to the Appliance Maintenance menu. ClosedView screen
  4. Enter I to go to the Increase Storage menu. ClosedView screen
  5. Follow the prompts to add the disk storage. ClosedView screen

    If your Tanium Virtual Appliance has an inactive partition set, any new storage is evenly allocated across the active (/OPT) and inactive (/ALTOPT) partitions.

Manage OS services

Use this menu to start, stop, restart, enable, and view status details for the network time protocol daemon (chronyd) and SSH daemon (sshd) services.

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter B to go to the Appliance Maintenance menu. ClosedView screen

  3. Enter S to go to the OS Services menu.ClosedView screen

  4. Select a service to open the Service Control menu:

    • To manage chronyd, enter 1.ClosedView screen

    • To manage sshd, enter 2.ClosedView screen

  5. Use the menu to select an action to start, stop, restart, enable, or view status details for the service.

  6. Follow the prompts to perform the action.