Completing the initial setup (physical Tanium Appliance)

Configure basic network, host, and user settings before you install a Tanium Appliance role.

Requirements

License

Contact Tanium Support to obtain a valid license. Tanium Support must know the fully qualified domain name (FQDN) for each Tanium Server appliance in your deployment to generate your license file.
Network Be ready to specify the static IP address in CIDR format (such as 192.168.2.0/24), default gateway IP address, host name, domain name, primary and secondary DNS servers, and NTP servers.

The Tanium Appliance does not support LACP or respond to LACP packets. On a switch that is connected to a Tanium Appliance, either disable LACP or configure the switch to enable LACP only on ports where an LACP device is detected. After initial configuration is complete, a user with the tanadmin role can configure static NIC teaming on the appliance to provide link redundancy.

In rare circumstances, a physical Tanium Appliance might fail to boot and hang at the TanOS boot screen. In this situation, it is best to disable LLDP at the switch or in the appliance BIOS. LLDP is not supported or required by TanOS. Contact Tanium Support for more information.

(FIPS-compliant organizations) Enable FIPS 140-3 mode before initial setup

Enabling Federal Information Processing Standards (FIPS) mode causes the appliance to use a FIPS-validated cryptographic module for all cryptographic operations. It also ensures that services like SSH use only cryptographic algorithms that FIPS 140-3 allows.

If FIPS mode is required for your organization, you can enable it before you continue with initial setup so that the password and keys that you configure during setup are FIPS-compliant.

Enable FIPS mode only if you are required to do so for your organization.

  • In Tanium Core Platform 7.4.5.1200 and later, enabling FIPS mode in TanOS also puts the Tanium Platform in FIPS mode.
  • You can later disable FIPS mode if it is not required and it was inadvertently enabled during setup. See Enable FIPS 140-3 mode.

  1. Sign in to the TanOS console as the tanadmin user.

  2. Enter M and follow the prompt to enable FIPS 140-3 mode and reboot the appliance, and then continue initial setup.

Configuration options

  • Configure iDRAC if you want to configure the tanremote user account and then continue from the iDRAC interface with initial configuration.
  • Configure IP address only if you want to complete the network configuration from the console and then later resume initial configuration elsewhere (for example, in a different location through an SSH connection).

  • Perform full initial configuration if you want to configure the tanadmin account and then complete all of the initial configuration steps at once from the console.

Configure iDRAC

Use these steps to configure the iDRAC interface. With these steps, you set up the tanremote user account, which can be used to complete the initial configuration later.

For the best results, configure the iDRAC interface for access to the physical Tanium Appliance. This significantly reduces the need to re-enter the data center for Tanium Appliance maintenance in the future.

Before you begin

You must use a cable to connect the iDRAC interface to your network.

Configure the iDRAC

  1. Sign in to the TanOS console as the tanadmin user.

  2. Enter I (Manage iDRAC).

  3. Enter N to go to the Configure iDRAC Network.
  4. Follow the prompts to configure the iDRAC network. ClosedView screen
  5. Enter P and follow the prompts to change the password of the tanremote user. ClosedView screen
  6. Access the iDRAC virtual console at http://<iDRAC interface IP address>.
  7. Sign in with user name tanremote and the password that was set with this procedure and then proceed with initial configuration. See Perform full initial configuration.





Configure IP address only

Use these steps to assign only an IP address to the appliance. After these steps, you can sign out of the console and connect through SSH later to resume the full initial configuration.

  1. Power on the appliance.

    The boot and start-up processes take a few minutes.

  2. When prompted to sign in, specify the user name tanadmin and the default password Tanium1 or the password set by your data center team when the Tanium Appliance was racked. ClosedView screen
  3. Enter P and then follow the prompts to change the password. ClosedView screen

    Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.

  4. Press Enter to return to the Initial Configuration menu. ClosedView screen
  5. Enter A, and then follow the prompts to set the static IP address, IPv6 settings, and gateway. The TanOS console confirms that the settings are applied. ClosedView screen

    The IP address setting changes from incomplete to complete.

  6. When ready, follow the steps in Perform full initial configuration.

Perform full initial configuration

You can perform initial configuration in the order that you prefer. As you finish configuring settings, the status changes from incomplete to complete.

You may have already completed some of these steps from the data center.

Before you begin

Connect a keyboard, video, and mouse (KVM) to the console port.

Complete the initial configuration

  1. Power on the appliance.

    The boot and start-up processes take a few minutes.

  2. When prompted to sign in, specify the user name tanadmin and the default password Tanium1 or the password set by your data center team when the Tanium Appliance was racked. ClosedView screen
  3. Enter P and then follow the prompts to change the password. ClosedView screen

    Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.

  4. Press Enter to return to the Initial Configuration menu. ClosedView screen
  5. If necessary, enter A, and then follow the prompts to set the static IP address, IPv6 settings, and gateway. ClosedView screen
  6. After the initial configuration screen appears with the updated IP address configuration, enter N and then follow the prompts to configure the fully qualified domain name (FQDN). ClosedView screen

  7. After the initial configuration screen appears with the updated FQDN configuration, enter D and then follow the prompts to set the DNS name servers. ClosedView screen

  8. After the initial configuration screen appears with the updated DNS configuration, enter T and then follow the prompts to set the NTP servers. ClosedView screen

  9. After the initial configuration screen appears with the updated NTP configuration, enter E and then use the spacebar to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept.

    The email address is stored locally only. It is not used externally for any reason.

  10. (Optional) Configure the iDRAC. This can also be done later from the TanOS menus.
  11. Enter F to finish initial configuration.

    The appliance reboots, and when you sign in, the initial configuration menu is replaced by the tanadmin menu.

Access TanOS remotely

To access your Tanium Appliances remotely, note the following requirements.

  • Your local management computer must be connected to a subnet that can reach the appliance IP address.
  • Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
  • You must have an SSH client such as PuTTY to sign in to the TanOS console. For PuTTY, use version 0.71 or later.
  • You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
  • You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.

Watch the tutorial about how to configure WinSCP for the Tanium Appliance.

Configure SSH keys

TanOS has built-in and customer-created user accounts to access the appliance operating system and perform tasks.

Before you install a Tanium Appliance role, you must add SSH keys to authenticate access for the tancopy built-in user. tancopy can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.

TanOS does not support self-service password reset methods. If you forget your password, you must ask a user with the tanadmin role to reset it for you. You can avoid this risk by setting up SSH key authentication.

Watch the tutorial about how to configure SSH key authentication for the Tanium Appliance.

Before you begin

  • You must have an SSH client to sign in to the TanOS console, and an SFTP client to copy files to and from the appliance.
  • You must have an SSH key generator to generate keys for the tancopy user.

Add SSH keys

You must set up an SSH key for the tancopy user. For the best results, set up SSH key authentication for TanOS user accounts.

Add SSH keys for the tancopy user

You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.

  1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
    • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
    • Specify a passphrase that is easy to remember.
    • Save the private key to a location that you can access when you set up your SFTP client.
  2. Copy the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

    In an SSH key exchange, the keys must match exactly, including line endings.

  3. Sign in to the TanOS console as a user with the tanadmin role.

  4. Enter C-U (User Administration > TanOS User Management).

  5. Enter the line number for the tancopy user to go to the user administration menu for this user. ClosedView screen

  6. Enter A (Authorized Keys).

  7. Enter A and follow the prompts to add the contents of the public key generated in Step 1. ClosedView screen
  8. To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
    1. Specify tancopy for user name.
    2. Click Advanced.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
    4. Save the configuration and click Login to initiate the connection.

      5. You should be able to connect to the appliance and see the /incoming and /outgoing directories.

 

Add SSH keys for TanOS users

It is a best practice to also set up SSH key authentication for TanOS user accounts.

As an alternative to the following procedure, you can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.

  1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
    • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
    • Specify a passphrase that is easy to remember.
    • Save the private key to a location that you can access when you set up your SFTP client.
  2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

    In an SSH key exchange, the keys must match exactly, including line endings.

  3. Sign in to the TanOS console as a user with the tanadmin role.

  4. Enter C-U (User Administration > TanOS User Management).

  5. Enter the line number of the user account that you want to manage. ClosedView screen

  6. Enter A (Authorized Keys).

  7. Enter A and follow the prompts to paste the public key generated in Step 1. ClosedView screen
  8. To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
    1. Specify the Tanium Server IP address, port 22, and SSH connection type.
    2. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
    3. Open the SSH session and enter the tanadmin user name.
    4. You are prompted for the SSH key passphrase instead of the tanadmin password. ClosedView screen

Add TanOS system users

Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles.

Create more than one privileged user with the tanadmin role in case you forget the password for the built-in tanadmin user.

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter C-U (User Administration > TanOS User Management).

  3. Enter A and follow the prompts to add a system user. ClosedView screen

 

Export the RAID controller security key

The RAID controller security key is used by the controller to lock and unlock access to encryption-capable physical disks. You can export the key and store it in a safe location. During recovery from controller failure, you will need to provide the key. When you run a Health Check, you might see messages alerting you to export the RAID controller security key.

Boot Check: Pass (EFI Boot)
Active partition: pass (VolGroup1-root)

>>> Hardware health (will take 1-12 seconds) <<<
hardware type: pass (TV-220)
RAID controller RAID.Integrated.1-1 Security Key: pass
disk encryption: pass


>>> RAID Controller Security Key <<<

RAID Security key check: fail (key has NOT been exported)  <-------- 

>>> Tanium Application file Permissions <<<

executed checks: 48
failed checks: 4
new health status setting: warning
  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter A-X-5 (Appliance Configuration > Advanced Configuration > Export RAID Controller Security Key).

  3. Follow the prompts to export the RAID controller security key to the /outgoing directory. ClosedView screen
  4. Use SFTP to copy the file from the /outgoing directory to your local computer.

Files copied to the /outgoing directory that are older than 24 hours are deleted every day at 02:00 AM UTC. You should copy the RAID controller security key file from the /outgoing directory to your local computer immediately after you have used the TanOS menu to export it and save it in a protected location. If you lose the RAID controller key file, you can return to the Advanced Menu and export the key file again.

The default name of the RAID controller key file is TanOS-key-controller-Cfg.tgz. It is recommended to change the name to include the host name or serial number of the appliance it came from before you store it. You likely have more than one appliance, so a name based on a unique host name or serial number is useful if you later need to locate the correct file.

Export the grub key

The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you need to provide the key to Tanium Support for a technician to extract the grub password.

  1. Sign in to the TanOS console as a user with the tanadmin role.

  2. Enter A-X (Appliance Configuration > Advanced Configuration).

  3. Enter 6 and follow the prompts to export the grub key to the /outgoing folder. ClosedView screen
  4. Use SFTP to copy the file from the /outgoing directory to your local computer.

What to do next