Reference: User Administration menu

Use TanOS to manage user accounts on the Tanium appliance. Users with the tanadmin role can manage two types of user accounts:

  • Use the TanOS User Management menu (C-U) to manage TanOS system users. These user accounts can access the TanOS console, but not the Tanium™ Console. This includes the predefined TanOS users tanadmin and tancopy. TanOS system users are local to each appliance; they are not shared across appliances. For more information on the predefined TanOS user accounts, see Completing the initial setup (Tanium Physical Appliance), Completing the initial setup (Tanium Virtual Appliance), or Completing the initial setup (Tanium Cloud Appliance).
  • Use the Local Tanium User Management menu (C-L) to manage Tanium users who can access the Tanium Console through a web browser. These user accounts cannot access the TanOS console. TanOS hosts a local authentication service that you can use for Tanium Console user authentication. In addition, you can use your enterprise LDAP server to manage Tanium Console authentication. For details on using LDAP, see the Tanium Core Platform User Guide.

Change TanOS user passwords

The tanadmin user can make password-authenticated SSH connections to the TanOS console.

Change the tanadmin password

Use these steps to reset the password for the current tanadmin user. For TanOS 1.7.3 onward, the password reset prompt appears if the tanadmin user password expires. To change the password for another tanadmin user, see Manage system users.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter P and follow the prompts to change the password.

After the password changes, you are signed out.

Manage SSH keys

The installation process generates a public/private SSH key pair for the tanadmin user. Use the User Administration menus to perform the following functions:

  • Regenerate the key pair.
  • Generate keys for the other TanOS special users.
  • Add authorized keys to support inbound user connections.
  • View the public key so you can copy and paste it into other appliance configurations.

You can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin role.

Before you begin

  • You must have an SSH client to sign in to the TanOS console and an SFTP client such as WinSCP to copy files to and from the appliance.
  • You must have an SSH key generator such as ssh-keygen to generate keys for the user.

Generate keys

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to manage TanOS users.
  4. Enter the line number of the user account that you want to manage.
  5. Enter P to manage the SSH key pair.
  6. Enter G to generate a public/private key pair.

Add authorized keys

  1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note the following:
    • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
    • Specify a passphrase that is easy to remember.
    • Save the private key to a location that you can access when you set up your SFTP client.
  2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

    In an SSH key exchange, the keys must match exactly.

  3. Sign in to the TanOS console as a user with the tanadmin role.
  4. Enter C to go to the User Administration menu.
  5. Enter U to manage TanOS users.
  6. Enter the line number for the tancopy user to go to the user administration menu for this user.
  7. Enter A to go to the Authorized Keys menu.
  8. Enter A and follow the prompts to add the contents of the public key generated in Step 1.
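As an added example (not Tanium's code), the following Python parses a public key line of the kind you paste in step 8, confirms it is the RSA key with 2048 bits that the note in step 1 asks for, and computes the SHA256 fingerprint that ssh-keygen -lf prints, so you can confirm that the pasted key matches the .pub file exactly. The sample key line is constructed from a dummy modulus and the function names are this example's own.

```python
import base64
import hashlib
import struct


def _read_string(blob: bytes, pos: int):
    """Read one SSH wire-format string (uint32 length + bytes) at pos."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def inspect_pubkey(line: str) -> dict:
    """Return type, bit length, fingerprint and comment for one .pub line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded key")
    bits = None
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)   # public exponent (not needed here)
        n, pos = _read_string(blob, pos)    # modulus, big-endian mpint
        bits = int.from_bytes(n, "big").bit_length()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits,
            "fingerprint": "SHA256:" + digest, "comment": comment}


def meets_tanos_requirement(info: dict) -> bool:
    """The procedure above asks for an RSA key with 2048 bits."""
    return info["type"] == "ssh-rsa" and info["bits"] == 2048


def _mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                 # keep the mpint positive
    return struct.pack(">I", len(raw)) + raw


def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


# Constructed sample: a 2048-bit dummy modulus (not a usable RSA key).
_DUMMY_N = (1 << 2047) | 0x10001
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(
    _string(b"ssh-rsa") + _mpint(65537) + _mpint(_DUMMY_N)).decode() + " tancopy@example"
```

Run inspect_pubkey over the contents of your .pub file and compare the fingerprint with the one the appliance shows after you add the key.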

View public keys

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to manage TanOS users.
  4. Enter the line number for the tancopy user to go to the user administration menu for this user.
  5. Enter P to go to the Key Pair menu to view the public key.

Configure TanOS system users

You can create TanOS users that have tanadmin or tanuser permissions. The system users with the tanadmin role have access to all menus. System users with the tanuser role have access to status menus.

Add a system user

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter A and follow the prompts to add a system user.

Disable password access

You can disable password access for any user except the tanadmin special user. When you disable password access for a user, the user can only sign in through SSH using the configured SSH private key.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter the line item of the user that you want to manage.
  5. Enter N and follow the prompts to disable password access for the user.

Enable password access

Password access is enabled by default. If you disable password access for a user and want to re-enable password access, perform the following steps.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter the line item of the user that you want to manage.
  5. Enter C to enable password access or reset the password for the selected user.
    • If you enable the password for the current user, enter a password.
    • If you enable password access for another user, TanOS generates a random password.

Manage system users

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter the line number of the user that you want to manage.
  5. Use the menu to delete the user, reset or enable the password, manage SSH keys, disable password access, manage multi-factor authentication, enable/disable the account, or delete entries from the known_hosts file for the user.

View history of sign-in attempts

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter I to go to the Recent Login Information menu.
  4. Use options A, B, and C to view the history of sign-in attempts.

Configure individual multi-factor authentication

In addition to global multi-factor authentication, you can configure multi-factor authentication for individual users or exempt individual users from global multi-factor authentication requirements.

To manage global multi-factor authentication settings, see Configure global multi-factor authentication.

Exempt user from global multi-factor requirements

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter the line item of the user that you want to edit.
  5. Enter M to manage the multi-factor authentication settings for the user.
  6. Enter E and follow the prompts to exempt the user from all multi-factor authentication requirements.

To remove the exemption for the user, perform the steps in Reset user multi-factor settings.

Configure Google Authenticator for a user

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter the line item of the user that you want to edit.
  5. Enter M to manage the multi-factor authentication settings for the user.
  6. Enter G and follow the prompts to configure Google Authenticator for the user.

View user multi-factor settings

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter the line item of the user that you want to edit.
  5. Enter M to manage the multi-factor authentication settings for the user.
  6. Enter V to show the multi-factor authentication settings for the user.

Reset user multi-factor settings

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter U to go to the User Administration -> TanOS menu.
  4. Enter the line item of the user that you want to edit.
  5. Enter M to manage the multi-factor authentication settings for the user.
  6. Enter X and follow the prompts to reset the multi-factor authentication settings for the user.

Configure global multi-factor authentication

You can configure the appliance to use multi-factor authentication to validate TanOS user accounts on sign-ins through SSH connections. You can configure multi-factor authentication as a global setting or for individual users, and you can exempt selected accounts from global multi-factor authentication settings.

Tanium Appliances use Google Authenticator for multi-factor authentication.
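As an added example (not Tanium's code), this Python shows what a Google Authenticator code is: an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) derived from the base32 secret shared when the authenticator is configured, with a verifier that tolerates one step of clock skew. The secret is the RFC 6238 test key and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def totp_code(secret_b32: str, unix_time: int) -> str:
    """Compute the 6-digit code for a base32 secret at a given unix time."""
    # Authenticator secrets are often shown without base32 padding; restore it.
    padded = secret_b32.replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or for +/- window adjacent steps.

    The window absorbs small clock skew between appliance and phone; keep it
    small, because every extra step enlarges the set of codes that pass.
    """
    for drift in range(-window, window + 1):
        candidate = totp_code(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed secret: the RFC 6238 test key "12345678901234567890" in base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp_code(RFC_SECRET, 59))              # RFC 6238 vector 94287082 -> "287082"
    print(verify_totp(RFC_SECRET, "287082", 84))  # one step later, still within window
```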

Enable global key authentication

Perform the following steps to require all users who sign in through SSH to use an authorized key configured in their profiles.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter M to go to the Multi-Factor Global Settings menu.
  4. Enter K to go to the key authentication menu.
  5. Enter E and follow the prompts to enable global key authentication.

Disable global key authentication

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter M to go to the Multi-Factor Global Settings menu.
  4. Enter K to go to the key authentication menu.
  5. Enter D and follow the prompts to disable global key authentication.

Enable global password authentication

Perform the following steps to require all users who sign in through SSH to enter a password.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter M to go to the Multi-Factor Global Settings menu.
  4. Enter P to go to the password authentication menu.
  5. Enter E and follow the prompts to enable global password authentication.

Disable global password authentication

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter M to go to the Multi-Factor Global Settings menu.
  4. Enter P to go to the password authentication menu.
  5. Enter D and follow the prompts to disable global password authentication.

Enable global multi-factor authentication

If you want to exempt specific accounts from requiring multi-factor authentication, you should exempt the accounts before you enable global multi-factor authentication to minimize disruption. To exempt a user from multi-factor authentication, see Exempt user from global multi-factor requirements.

At least one admin user must be exempt or have an SSH key pair configured before you enable global multi-factor authentication. See Manage SSH keys.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter M to go to the Multi-Factor Global Settings menu.
  4. Enter M to require multi-factor authentication.
  5. Enter E and follow the prompts to enable global multi-factor authentication.

Disable global multi-factor authentication

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter M to go to the Multi-Factor Global Settings menu.
  4. Enter M to require multi-factor authentication.
  5. Enter D and follow the prompts to disable global multi-factor authentication.

Configure the local authentication service

You can use the local authentication service to set up Tanium Console user accounts for demo or testing purposes.

For best results, configure the Tanium Console to use an external LDAP server to authenticate Tanium users. For details, see the Tanium Core Platform User Guide. Additionally, if you plan to use the local authentication service with the Tanium LDAP Sync connector, you must use the following user filter in the LDAP Sync Connector configuration:

(&(objectClass=person)(uidNumber>=20000))

The Local Authentication Service menu is available only after you install the Tanium Server on the appliance.

Add a local user

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter L to go to the Local Tanium User Management menu.
  4. Enter 1 and follow the prompts to add a local user.
  5. Sign in to the Tanium Console as an administrator to create the user and assign roles to it. For details, see Tanium Console User Guide: Managing users.

Set a user password

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter L to go to the Local Tanium User Management menu.
  4. Enter 2 to go to the Manage Local Users menu.
  5. Enter the user line number to go to the User menu.
  6. Enter 2 and follow the prompts to set the user password.

Delete a user

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter L to go to the Local Tanium User Management menu.
  4. Enter 2 to go to the Manage Local Users menu.
  5. Enter the user line number to go to the User menu.
  6. Enter 1 and follow the prompts to delete the user.

Disable the local authentication service

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter L to go to the Local Tanium User Management menu.
  4. Enter A and follow the prompts to enable or disable the local authentication service.

Although the Tanium Console contains a soap_enable_local_auth platform setting to disable local authentication, that setting is not supported for Tanium Appliance installations.

Modify the local authentication service security policy

The local authentication service security policy has the following default settings.

Setting, factory default, and description:

  • Password Minimum Age (days). Factory default: 1. The minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. Valid range is 0-20.
  • Password Maximum Age (days). Factory default: 90. The age at which a current password expires. A value of 0 indicates the password does not expire. Valid range is 0-360.
  • Password Minimum Length. Factory default: 10. The minimum number of characters allowed in a password. Valid range is 0-30.
  • Password History. Factory default: 5. The number of most recent passwords that a user cannot reuse. A setting of 0 allows reuse of any previous passwords. Valid range is 0-10.
  • Password Lockout. Factory default: True. True locks out a user with an expired password. False forces the user to change the password.
  • Password Maximum Failure. Factory default: 5. The number of failed attempts before a user is locked out. A setting of 0 allows unlimited failed attempts. Valid range is 0-10.
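As an added example (not Tanium's code), the following Python applies the factory-default policy above to a proposed password change, to a sign-in with an expired password, and to a run of failed sign-ins, so the effect of each setting and of its 0 value can be seen. The data model, hashing and message strings are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field

DAY = 86400

@dataclass
class Policy:                      # factory defaults from the settings above
    min_age_days: int = 1
    max_age_days: int = 90
    min_length: int = 10
    history: int = 5
    lockout: bool = True
    max_failures: int = 5

@dataclass
class UserState:
    password_set_at: int                                  # unix time of last change
    previous_hashes: list = field(default_factory=list)   # most recent first
    failures: int = 0
    locked: bool = False

def _h(pw: str) -> str:
    # Illustration only; a real credential store uses a salted, slow hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def check_change(policy: Policy, state: UserState, new_pw: str, now: int) -> list:
    """Return the policy violations for a proposed change (empty list = allowed)."""
    problems = []
    if policy.min_age_days and now - state.password_set_at < policy.min_age_days * DAY:
        problems.append("minimum age not reached")
    if len(new_pw) < policy.min_length:
        problems.append("shorter than minimum length")
    if policy.history and _h(new_pw) in state.previous_hashes[:policy.history]:
        problems.append("reuses a recent password")
    return problems

def expiry_action(policy: Policy, state: UserState, now: int) -> str:
    """At sign-in: 'ok', else what Password Lockout decides once the maximum age has passed."""
    if policy.max_age_days == 0 or now - state.password_set_at <= policy.max_age_days * DAY:
        return "ok"
    return "locked" if policy.lockout else "must_change"

def record_failure(policy: Policy, state: UserState) -> bool:
    """Count one failed sign-in; return True once the account becomes locked."""
    state.failures += 1
    if policy.max_failures and state.failures >= policy.max_failures:
        state.locked = True
    return state.locked
```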

To modify the default settings:

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter C to go to the User Administration menu.
  3. Enter L to go to the Local Tanium User Management menu.
  4. Enter B to go to the Security Policy Local Authentication Service menu.
  5. Follow the prompts to modify the settings.