Reference: TanOS command line interface

Tanium Appliances contain a command line interface (CLI) that you can access from SSH.

Requirements

To access all CLI commands, you must access the CLI as a user with the tanadmin role. Some CLI commands are available to users with the tanuser role, as noted in Tanium platform commands.

Syntax

ssh -qt <user>@<ip> <command> <options...>

Tanium platform commands

Command	Description
add hub	Install the Tanium Zone Server Hub add-on to an existing Tanium Server role.
configure ipsec	Configure IPsec communication with a peer appliance in an array. Both appliances must have the same Tanium role of either Tanium Server or Tanium Module Server. This command has the following options: show - Shows the current IPsec configuration Format: ssh -q user@appliance configure ipsec show set - Enables IPsec with the indicated appliance Format: ssh -q user@appliance configure ipsec set serial Where serial is the serial number of the peer appliance test - Tests the IPsec connection Format: ssh -q user@appliance configure ipsec test disable - Clears the IPsec configuration and preserve the key Format: ssh -q user@appliance configure ipsec disable reset - Resets the IPsec configuration and generate a new key Format: ssh -q user@appliance configure ipsec reset After you perform an IPsec reset, run refresh array on an array manager appliance to distribute the updated IPsec key to the other appliances in the array.
configure tms sync	Configure the Tanium Module Server synchronization feature, which copies content from an active Tanium Module Server to a standby Tanium Module Server. To use this feature, you must: Install two Tanium Module Servers. Add both Tanium Module Servers to the array. For more information about Tanium Module Server synchronization, see Schedule sync jobs. This command has the following options: status - Shows the current Tanium Module Server synchronization status Format: ssh -q user@appliance configure tms sync status source - Specifies the source, or active, Tanium Module Server from which data is copied Format: ssh -q user@appliance configure tms sync source target - Specifies the target, or standby, Tanium Module Server to which data is copied Format: ssh -q user@appliance configure tms sync target disable - Disables synchronization between the two Tanium Module Servers Format: ssh -q user@appliance configure tms sync disable
help	Show a list of available commands. Add help to any command to show help for the particular command.
install aio	Install the Tanium All-in-One role. Specify the version of Tanium to install, such as: ssh -qt user@appliance install aio 7.5.6.1113 If you run the command without a version, the server returns the available versions found on the server; this includes the versions that ship with TanOS and any other versions (of the RPM upgrade files) that are found in the /incoming directory. Use Tanium Appliances configured with the All-in-One role only for evaluation purposes. Tanium does not support All-in-One deployments in production environments. Do not allow a Tanium Appliance that is configured with the All-in-One role to accept inbound connections from the internet.
install tms	Install the Tanium Module Server role. Specify the version of Tanium to install, such as: ssh -qt user@appliance install tms 7.5.6.1113 If you run the command without a version, the server returns the available versions found on the server; this includes the versions that ship with TanOS and any other versions (of the RPM upgrade files) that are found in the /incoming directory.
install ts	Install the Tanium Server role. Specify the version of Tanium to install, such as: ssh -qt user@appliance install ts 7.5.6.1113 If you run the command without a version, the server returns the available versions found on the server; this includes the versions that ship with TanOS and any other versions (of the RPM upgrade files) that are found in the /incoming directory.
install tzs	Install the Tanium Zone Server role. Specify the version of Tanium to install, such as: ssh -qt user@appliance install tzs 7.5.6.1113 If you run the command without a version, the server returns the available versions found on the server; this includes the versions that ship with TanOS and any other versions (of the RPM upgrade files) that are found in the /incoming directory. Make sure to import the public key to the Zone Server appliance before you run this command (TanOS menu 2-I).The public keys are stored in the tanium-init.dat file. For detailed steps, see Import the Tanium Server public key file to the Zone Server.
promote tms	Promote a secondary Tanium Module Server to become the active Module Server in an array. Run this command from an array manager appliance. This command performs the following actions: Stops the Tanium Module Server synchronization target from receiving data from the active Module Server Updates all Tanium Servers in the array to use the specified Tanium Module Server as the active remote Module Server Registers the selected Tanium Module Server with all Tanium Servers in the array Format: echo "TaniumPassword" \| ssh -q user@appliance promote tms <user> <serial> Where: TaniumPassword and user are the sign in details for the administrative user of the web-based Tanium Console. Serial is the serial number of the Module Server to promote.
remove hub	Remove the Tanium Zone Server Hub add-on.
show fingerprint	Show the Tanium fingerprint for the Tanium Server (ts), Tanium Zone Server (tzs), or Tanium Zone Server hub (hub). Specify the type of server, such as: ssh -qt user@appliance show fingerprint ts
sync tms	Copy the contents of the active Tanium Module Server to the standby Tanium Module Server. Run this command in interactive mode using the -t option for ssh to ensure proper cleanup after canceling. Format: ssh -qt user@appliance sync tms
upgrade tanium	Upgrade the Tanium software on the appliance. Specify the version of Tanium to install, such as: ssh -qt user@appliance upgrade tanium 7.5.6.1113 If you run the command without a version, the server returns the available versions found on the server; this includes the versions that ship with TanOS and any other versions (of the RPM upgrade files) that are found in the /incoming directory.

Appliance Array commands

Command	Description
add array member	Add another appliance to the Appliance Array that is defined on the current appliance. Format: ssh -qt user@appliance add array member <ip_address> This command requires you to access the CLI as the tanadmin user. It is not available for other users with the tanadmin role. When you run this command, it might include interactive prompts to trust the new array member and to enter the password for the new array member. If you are using this command in a script, you can avoid these prompts as follows: To avoid a prompt that asks whether to trust the new array member and continue connecting, you can use the following command to register the fingerprint of the new array member before you use the add array member command to add it: ssh -qt user@new_array_member show ssh-host-fingerprints \| \ ssh -qt user@array_manager register ssh-host \ new_array_member To avoid a password prompt when you add an array member, you can use one of the following methods: Copy the public key for the tanadmin user on the primary appliance to the tanadmin user accounts on the remaining appliances. For information on how to use TanOS menus to add a public key for a user account, see Manage SSH keys. For information on how to use the CLI to add a public key for a user account, see the add pubkeys command at TanOS management commands. Configure separate public keys for the tanadmin user on each appliance, and then use agent forwarding to authenticate with the added array members by including the -A SSH option in the command. ssh -qtA user@appliance add array member <ip_address> Agent forwarding requires an SSH agent (such as ssh-agent in OpenSSH) to be running on your local host. For more information, see the documentation for your SSH client.
array assign roles	Use a JSON document to assign the desired roles to array members and perform necessary setup steps. Command actions are: show: Provides a template for the JSON configuration file. Requires no input. Example: ssh -q user@appliance array assign roles show >config.json dryrun: Using JSON on stdin, display the actions. Example: ssh -q user@appliance array assign roles dryrun <config.json apply: Using JSON on stdin, apply the requested changes. Example: ssh -q user@appliance array assign roles apply <config.json In the JSON configuration file template you retrieve from the array assign roles show command, you typically must configure the following settings: password_b64: The base64-encoded password for the Tanium Console admin user that is specified for the tanium_username setting. role: The role to assign for each array member, using one of the following numeric settings: 1: All-in-One 2: Tanium Server 3: Tanium Module Server 4: Tanium Zone Server
array sync partitions	Create backups of the active partitions by copying their contents to the inactive partitions for each affected appliance in the array. This may take a while to complete. Tanium services are stopped during the backup. Appliances that do not have alternate partitions are not affected.
array upgrade appliance	Upgrade the operating system for all appliances in the array. Run this command only on the primary Tanium Server in the array. Specify the upgrade version or use the --interactive flag to select from a list of options. Format: ssh -qt user@appliance array upgrade appliance <TanOS_version>
array upgrade tanium	Upgrade the Tanium software on all appliances in the array. Load all RPMs to the incoming directory on the primary Tanium Server before running this command. Specify the upgrade version or use the --interactive flag to select from a list of options. Format: ssh -qt user@appliance array upgrade tanium <Tanium_version>
create array	Create an Appliance Array and add the current appliance as a member. Specify the IP address of the appliance and the name of the array (can include spaces). Format: ssh -qt user@appliance create array <ip_address> <name of array>
promote member	Promote an array member with the Tanium Server role to be the array manager. Specify the serial number of the Tanium Server to promote. Format: ssh -qt user@appliance promote member <serial_number>
reset array	Remove the current appliance from an Appliance Array. Format: ssh -qt user@appliance reset array

TanOS management commands

Command	Description
create health-check	Generate a new health check report. Any previous reports are deleted. After running this command, the results of the latest report are stored in the health.log file in the /outgoing directory.
create tsg	Create a Tanium Support Gatherer (TSG) ZIP file, list the types of TSGs that you can create, and upload a TSG ZIP file to an SFTP location. Available options: --list - List the available TSG types for this appliance. Format: create tsg --list Usage example: ssh -qt user@appliance create tsg --list type - Specify the TSG type, such as appliance or a specific solution. Format: create tsg <type> Usage example: ssh -qt user@appliance create tsg connect sftp-destination - SFTP destination where the TSG will be uploaded Format: create tsg <type> <sftpuser@host:destination> Where sftpuser is the user name for the SFTP destination, host is the SFTP location's IP address or fully qualified domain name (FQDN), and destination is the destination directory and file name for the TSG. If you do not include a destination, the TSG is uploaded to the SFTP server's home directory with the default generated file name. The following example includes the A option to use agent forwarding to authenticate with the SFTP destination. Agent forwarding requires an SSH agent (such as ssh-agent in OpenSSH) to be running on your local host. For more information, see the documentation for your SSH client. Alternatively, you can generate an SSH key pair using the TanOS console for the specified TanOS user and add the public key to the SFTP destination's authorized keys. For information, see Manage SSH keys. Usage example: ssh -qtA user@appliance create tsg appliance [email protected]:newfilename.zip
dec proxy	Install, upgrade or remove the Direct Connect (DEC) Zone Proxy. Available options: list: List the available DEC proxy versions. install <version>: Install the selected version of DEC proxy. remove: Uninstall the DEC proxy. show <item>: Show the current DEC proxy status (version or apipayload). show instructions: Show instructions for how to configure a DEC proxy.
performance <tool> <options>	Manage performance data collection. Tools: perf record - Record performance data. Format: performance perf record <duration> <options> Where duration is the number of seconds to record. Usage examples: ssh -q user@appliance performance perf record 60 -t perf top - Monitor a performance counter in real-time. This command requires the ssh -t option. To exit, press Q. Format: performance perf top <options> Usage example: ssh -qt user@appliance performance perf top vmstat - Monitor virtual memory statistics. Format: performance vmstat <delay> <count> <options> Where delay is the number of seconds between updates, and count is the number of times to show statistics. For example, if you enter a delay of 3 and a count of 10, the command shows statistics every three seconds for ten times (total duration is 30 seconds). If you omit the count, the command returns statistics according to the delay until you press Ctrl-C. Usage example: ssh -qt user@appliance performance vmstat 3 10 iostat - Monitor I/O statistics. Format: performance iostat <delay> <count> Where delay is the number of seconds between updates, and count is the number of times to show statistics. For example, if you enter a delay of 3 and a count of 10, the command shows statistics every three seconds for ten times (total duration is 30 seconds). If you omit the count, the command returns statistics according to the delay until you press Ctrl-C. Usage example: ssh -qt user@appliance performance iostat 1 pidstat - Monitor individual processes. Format: performance pidstat <delay> <count> Where delay is the number of seconds between updates, and count is the number of times to show statistics. For example, if you enter a delay of 3 and a count of 10, the command shows statistics every three seconds for ten times (total duration is 30 seconds). If you omit the count, the command returns statistics according to the delay until you press Ctrl-C. Usage example: ssh -qt user@appliance performance pidstat 1 5 -t htop - Monitor process usage in real-time. This command requires the ssh -t option. To exit, press Q. Format: performance htop <options> Usage example: ssh -qt user@appliance performance htop -t iotop - Monitor I/O usage in real-time. This command requires the ssh -t option. To exit, press Q. Format: performance perf top <options> Usage example: ssh -qt user@appliance performance perf top <options> Options: -t - Limit results to Tanium-related process. This option is unavailable for the iostat and pidstat tools. -D - Data clean-up, for when a command is interrupted.
reboot appliance	Reboots the appliance. Requires confirmation.
report info	Report basic information for the appliance, including the serial number, server name, TanOS version, role, and Tanium version. This command is available to users with the tanuser role.
reset software	Removes all Tanium Core Platform software from the appliance, but preserves network and system user configuration. Requires a confirmation to proceed.
set backup key	Set the public key to encrypt backup files. The public key must be in PEM format.
set fqdn	Set the FQDN for the appliance. This command is available only when the appliance does not have a role installed. Usage example: ssh -qt user@appliance set fqdn appliance.example.com
set nameservers	Set one or more DNS name servers for the appliance. Any existing name servers are overwritten. Usage example: ssh -qt user@appliance set nameservers 8.8.8.8 9.9.9.9
show nameservers	Show the DNS name servers for the appliance.
show ntp	Show the NTP servers that are configured and connection information. This command is available to users with the tanuser role.
show ssh-host-fingerprints	Show the SSH host fingerprints.
sync partitions	Create a backup of the active partition by copying its contents to the inactive partition. This may take a while to complete. Tanium services are stopped during the backup/
upgrade appliance	Upgrade TanOS on the appliance. Specify the version of TanOS to upgrade to, such as: ssh -qt user@appliance upgrade appliance 1.8.1 If you run the command without a version, the server returns the available versions (of the RPM upgrade files) that are found in the /incoming directory.

TanOS user management commands

Command	Description
add pubkeys	Add entries to the authorized_keys file for the user. This command is available to users with the tanuser role. You can use the ssh-copy-id command in OpenSSH to add an SSH public key from your local host to any TanOS user with the tanadmin role on the Tanium Appliance. For example: ssh-copy-id -i public_key_file user@appliance
copy pubkeys tancopy	Copy the SSH keys for the user to the tancopy user account.
delete pubkeys	Remove entries from the authorized_keys file for the user. The command prompts you to paste the contents of keys to delete, or you can provide a list of key contents on stdin. Use the following command to list the contents of the authorized_keys file. You can copy the contents of individual keys from the provided list. ssh -qt user@appliance show pubkeys authorized_keys This command is available to users with the tanuser role. Format: ssh -qt user@appliance delete pubkeys
register ssh-host <remote_host> [scan]	Add entries to a user's SSH known_hosts file. You can provide fingerprints for the remote host on stdin, or you can use the scan action to automatically discover and add the fingerprints of a remote host. For example: ssh -qt user@array_manager register ssh-host 192.168.15.115 <fingerprints.txt ssh -qt user@array_manager register ssh-host 192.168.15.253 scan For a higher level of security, explicitly provide the fingerprints that you have verified to belong to the remote host on stdin.
show pubkeys <key_type>	Show the user's SSH public keys. Key types: identity - Show the identity public key file for the user (id_rsa.pub). authorized_keys - Show entries in the authorized_keys file for the user.
set password	Change a user's own password to a specified value. You can run the command interactively or non-interactively, such as through an external system. Requires a confirmation to proceed when run interactively. When run non-interactively, requires only the new password on the standard input stream. This command is available to users with the tanuser role.

Local authentication service commands

The following commands manage Tanium Console user accounts when the local authentication service is enabled. See Configure the local authentication service.

Command	Description
local-auth add user	Add a Tanium Console user account to the local authentication service. You can run the command interactively or non-interactively, such as through an external system. Requires entering the password for the new user to proceed when run interactively. When run non-interactively, requires the password for the new user on the standard input stream. Format: ssh -qt user@appliance local-auth add user username first_name last_name
local-auth delete user	Delete a Tanium Console user account from the local authentication service. Format: ssh -qt user@appliance local-auth delete user username
local-auth list users	List Tanium Console user accounts in the local authentication service. Format: ssh -qt user@appliance local-auth list users
local-auth set password	Set the password for Tanium Console user in from the local authentication service. You can run the command interactively or non-interactively, such as through an external system. Requires entering the the new password to proceed when run interactively. When run non-interactively, requires the new password on the standard input stream. Format: ssh -qt user@appliance local-auth set password username
local-auth unlock user	Unlock a Tanium Console user account in the local authentication service. Format: ssh -qt user@appliance local-auth unlock user username

Examples

Show a list of commands

Command:

ssh -qt [email protected] help

Example response:

The following commands are available in the TanOS CLI.

Tanium Platform
 install aio: Install the All-in-One role
 install ts: Install the Tanium Server role
 install tms: Install the Tanium Module Server role
 install tzs: Install the Tanium Zone Server role
 add hub: Add a Zone Server Hub to a TS or AiO
 remove hub: Remove the Tanium Zone Server Hub
 upgrade tanium: Upgrade Tanium software
 configure module service: Configure the Tanium Server to use a module server
 register module service: Register the Tanium Module Server

TanOS Appliance Array
 create array: Create a new Appliance Array
 reset array: Reset this appliance's Array configuration
 add array member: Add a Member to the Array

TanOS Management
 report info: Report information about the appliance
 reset software: Reset the software on the appliance
 upgrade appliance: Upgrade the appliance
 set backup key: Set the Backup Encryption Key
 copy pubkeys tancopy: Copy the user's SSH keys to tancopy

To see more information about each command, run it with the option "help". E.g.
ssh -qt user@appliance install ts help

Show help for the install aio command

Command:

ssh -qt [email protected] install aio help

Example response:

Install the All-in-One role

Installs the All-in-One role (TaniumServer and TaniumModuleServer) onto the
appliance. This option requires the password to be used for the 'tanium'
console user.

Usage:   install aio <version>
Example: ssh -qt user@appliance install aio 7.5.6.1113 
Menu:    1-1

Install the Tanium Zone Server Hub add-on

Command:

ssh -qt [email protected] add hub

Example response:

staging /opt/utils/installers/TaniumZoneServer-7.5.6.1113-1.rhe7.x86_64.rpm
Checking RPM signatures
Signature verification succeeded.
Installing Tanium Zone Server
Preparing packages...
TaniumZoneServer-7.5.6.1113-1.rhe7.x86_64
TaniumZoneServer service installed. Complete installation by:
1. Set ServerName with '/opt/Tanium/TaniumZoneServer/TaniumZoneServer config set ServerName <name>'
2. Set any desired optional settings (ServerPort, LogVerbosityLevel, etc) by running '/opt/Tanium/TaniumZoneServer/TaniumZoneServer config set <key> <value>'
3. Copy tanium-init.dat file into /opt/Tanium/TaniumZoneServer/TaniumZoneServer
4. Enable the TaniumZoneServer with 'systemctl enable taniumzoneserver'
5. Start the TaniumZoneServer with 'systemctl start taniumzoneserver'
If you are configuring this to be a TaniumZoneServer Hub do the following:
1. '/opt/Tanium/TaniumZoneServer/TaniumZoneServer config set ZoneHubFlag 1'
2. Create a file named ZoneServerList.txt in the /opt/Tanium/TaniumZoneServer/ directory with the ip addresses/FQDNs of the ZoneServers
Tanium Zone Server Installation completed
Configuring Zone Server Hub
 Add-On Zone Server Hub install - copied public key
Tanium Zone Server Installation completed

Retrieve appliance information

Command:

ssh -qt [email protected] report info

Example response:

Serial Number:      5c7a65fd-2b96-4732-b2a1-fd9f56b8801e
Name:               ts1
TanOS Version:      1.8.1.0149
Role:               Tanium Server
TaniumServer:       7.5.6.1113