Managing users

Use TanOS to manage user accounts on the Tanium Appliance. Users with the tanadmin role can manage two types of user accounts:

• TanOS system users: These user accounts can access the TanOS console. This includes the predefined TanOS users tanadmin and tancopy. The Local Tanium User Management menu (C-U) contains options to manage these users. TanOS users are separate from Tanium users who can access the Tanium™ Console. TanOS users are also local to each appliance; users are not shared across appliances.

  • You can optionally use your enterprise LDAP server to manage TanOS authentication. For details on using LDAP for TanOS users, see Configure LDAP authentication for TanOS system users.

  • For more information on the predefined TanOS user accounts, see Completing the initial setup (physical Tanium Appliance), Completing the initial setup (virtual Tanium Appliance), or Completing the initial setup (cloud-based Tanium Appliance).

• Tanium users (for demo or testing): You can use the local authentication service in TanOS to manage Tanium users who can access the Tanium Console through a web browser for demo or testing purposes. The Local Tanium User Management menu (C-L)contains options to manage these users. These user accounts cannot access the TanOS console. For details on setting up local Tanium user management, see Configure the local authentication service.

  For production use, configure the Tanium Console to use an external LDAP server to authenticate Tanium users. For information about using LDAP for Tanium users, see Tanium Console User Guide: Integrating with LDAP servers.

Change the password for the current TanOS user

Use these steps to reset the password for the TanOS user who is currently signed in. On TanOS 1.7.3 or later, the password reset prompt appears if the user password expires. To reset the password for another TanOS user, see Manage system users.

1. Sign in to the TanOS console.
2. Enter P and follow the prompts to change the password. View screen

   >>> User Administration -> TanOS -> tanadmin -> Change Password <<< 
   
   
    Preparing to change the password for tanadmin
   
    The password policy requires meeting these rules:
     - Minimum of 10 characters long
     - At least 1 upper case character
     - At least 1 lower case character
     - At least 1 numeric character
     - At least 1 other character
     - Must not match any of recent 4 passwords
     - Must not be based on a dictionary word
     - Must not contain part of the username
   
    Please enter password (will not be displayed):
   Password score: 55 out of 100 (strong)
    Please enter password again:
   
    The password change was successful.
   
    Press enter to continue

After the password changes, you are signed out.

Manage SSH keys

The installation process generates a public/private SSH key pair for the tanadmin user. Use the User Administration menus to perform the following functions:

• Regenerate the key pair.
• Generate keys for the other TanOS special users.
• Add authorized keys to support inbound user connections.
• View the public key so you can copy and paste it into other appliance configurations.

Before you begin

• You must have an SSH client to sign in to the TanOS console and an SFTP client such as WinSCP to copy files to and from the appliance.
• You must have an SSH key generator such as ssh-keygen to generate keys for the user.

Generate keys

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-U (User Administration > TanOS User Management).

3. Enter the line number of the user account that you want to manage. View screen

   >>> User Administration -> TanOS -> tanadmin <<<
   
    Username:        tanadmin 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
   
    Notes:
      * This user account cannot be deleted
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: Change/Enable Password (Randomized)
             N: Disable Password Access
             M: Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter P to manage the SSH key pair. View screen

   >>> User Administration -> TanOS -> tanadmin -> Key Pair <<< 
   
    Account: tanadmin 
    No SSH keys found for user tanadmin. Please create key pair first
   
             G: Generate ssh key pair
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

5. Enter G to generate a public/private key pair. View screen

   >>> User Administration -> Manage -> User -> SSH <<< 
   
   	Account: tanadmin
   	Action:  Generate SSH Keys
   	No .ssh directory for user tanadmin found - creating and securing it
   	keygen process finished successful
   	Finished generating keys for tanuser
   
   	Press enter to continue

Add authorized keys

1. Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
   • Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
   • Specify a passphrase that is easy to remember.
   • Save the private key to a location that you can access when you set up your SFTP client.
2. Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.

   In an SSH key exchange, the keys must match exactly.

3. Sign in to the TanOS console as a user with the tanadmin role.

4. Enter C-U (User Administration > TanOS User Management).

5. Enter the line number for the tancopy user to go to the user administration menu for this user. View screen

   >>> User Administration -> TanOS -> tancopy <<< 
   
    Username:        tancopy 
    Account Enabled: Yes
    Authentication:  SSH Key Only
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
    
    Notes:
      * This user account cannot be deleted
      * This user account cannot have a password
      * This user account cannot use multi-factor
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: [DISABLED] Change Password
             N: [DISABLED] Disable Password Access
             M: [DISABLED] Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

6. Enter A (Authorized Keys).

7. Enter A and follow the prompts to add the contents of the public key generated in Step 1. View screen

   >>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<< 
   
   Account: tancopy
   Please paste the public key and press enter: 
   ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2z
   MDxW5TO5tm/U8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTq
   Z+KCgzbEhHLWUD44+If5RtG+U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBue
   mftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2mOJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvB
   oPeaCFaApQ== rsa-key-20200123
    Validating input
    Adding key to authorized keys after validation
    Finished adding authorized keys for tancopy
   
   
    Press enter to continue

View public keys

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-U (User Administration > TanOS User Management).

3. Enter the line number for the tancopy user to go to the user administration menu for this user. View screen

   >>> User Administration -> TanOS -> tancopy <<< 
   
    Username:        tancopy 
    Account Enabled: Yes
    Authentication:  SSH Key Only
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
    
    Notes:
      * This user account cannot be deleted
      * This user account cannot have a password
      * This user account cannot use multi-factor
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: [DISABLED] Change Password
             N: [DISABLED] Disable Password Access
             M: [DISABLED] Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter P to go to the Key Pair menu to view the public key. View screen

   >>> User Administration -> TanOS -> tancopy -> Key Pair <<< 
   
    Account: tancopy 
    SSH Public Key for user tancopy:
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZCvC+
   nF93Nqmv2lrlUJoDTrwCnpJkcm5Er5ywNFNem5MJZZd0esToJTpY43gb8XppB5JP7SdHVJk2M3Nm0DP+xapjAL35Cs/
   bdX48kwDc0R1m4Qc7/4aqQQkBcF/95Z3OrpD1EVW0bwF3KlsX9vEojQ3sO4PjNBQJxTepLI+iU1IQzu44OvUx4A7Jpk
   ZSZBL+t1KdyNl75vZ8vCfcG4KqdHqwVds1XIplaW77LcN8+G4kYUthlpWVrSLvWtKdZztGG+Kasj0y/VSqhlP7AHorU
   mDzuV4z4AOB7+UI8lcx8B5FPEverfNhPAXkemOrqnkd0oolLKeoEdiaakqANJHboI5gFJPJe1v1ZLDr47wXYqnGBccm
   1Tp/MQyMvtf98HKesBk4qXOgvBICLs44/pLVqXou/3c+sI+uCj1aNDlTjmpvG1TBLAuuCUiu3SkUi3zcZxlvqRD/YgVq/
   w9yGryG7pamAmBkYVXYqIx0JHfjxhO6er+pAZOpXPV8B4p3ie7lhzOJO+g7JRHwOEo+yLOyCU9yWwfvs6dsP7RqKS4EL
   asTLFnaKFT4D+sxZnEIxJPpy/gO8tQdfm69fz6RXh8GkWt/2CyyQ4DWVXt5AXLt6YbMFk0nNVbnOVih1/g6yHsTcxQKP
   zVDO/6fQ/tb33kbj5M5KhC1YI3pXxjMYZN1aQ
   
             G: Generate ssh key pair
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

Configure TanOS system users

You can create TanOS users that have tanadmin or tanuser permissions. The system users with the tanadmin role have access to all menus. System users with the tanuser role have access to status menus.

Create more than one privileged user with the tanadmin role in case you forget the password for the built-in tanadmin user.

You can optionally use your enterprise LDAP server to manage TanOS authentication. For more information, see Configure LDAP authentication for TanOS system users.

Add a system user

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-U (User Administration > TanOS User Management).

3. Enter A and follow the prompts to add a system user. View screen

   >>> User Administration -> System Users -> Add System User <<< 
   
    Adding a system user requires first name, last name, user name and user role.
   
    Attention: 
    TanUser Role:  Monitor/Check the status of the appliance, no changes are allowed
    TanAdmin Role: Full administrative role to manage the appliance
   
    A temporary password will be generated and the new user is required to change 
    their password upon first login! 
   
    The password policy requires meeting these rules:
    - Minimum of 10 characters long
    - At least 1 upper case character
    - At least 1 lower case character
    - At least 1 numeric character
    - At least 1 other character
    - Must not match any of recent 4 passwords
    - Must not be based on a dictionary word
    - Must not contain part of the username
   
    Please enter first name: John
    Please enter last name: Doe
    Please enter desired user name (max 30 chars): john.doe
    Which role should be assigned to john.doe?
   
    1: TanUser (Monitoring)
    2: TanAdmin (Administrative)
   
    Please select: 2
   
    The temporary password for john.doe is: proudbrownwildfowl
   
    Adding local user john doe ...
    Successfully added user john doe (username: john.doe) with role tanadmin.
   
    Press enter to continue

Disable password access

You can disable password access for any user except the tanadmin special user. When you disable password access for a user, the user can only sign in through SSH using the configured SSH private key.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-U (User Administration > TanOS User Management).

3. Enter the line number of the user that you want to manage. View screen

   >>> User Administration -> TanOS -> tanadmin <<<
   
    Username:        tanadmin 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
   
    Notes:
      * This user account cannot be deleted
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: Change/Enable Password (Randomized)
             N: Disable Password Access
             M: Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter N and follow the prompts to disable password access for the user. View screen

    ------------------------------------------------------
   
     >>> User Administration -> TanOS -> john.doe <<< 
   
    Username:        john.doe 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: Change/Enable Password (Randomized)
             N: Disable Password Access
   
             E: Enable Account
             D: Disable Account
             X: Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
    ------------------------------------------------------
   
    TanOS Version:1.8.1 
   
    Please select: N
   
    Disabling the password for an account means that
    1. The user can only log in via SSH (not a serial console or equivalent)
    2. The user can only log in using the configured SSH private key
    3. The user will not need to change their password periodically
   
    This operation can be reversed by setting a password again.
   
    Do you want to disable password access for john.doe? [Yes|No]: yes
    Successfully removed the password.
   
    Press enter to continue

Enable password access

Password access is enabled by default. If you disable password access for a user and want to re-enable password access, perform the following steps.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-U (User Administration > TanOS User Management).

3. Enter the line number of the user that you want to manage. View screen

   >>> User Administration -> TanOS -> tanadmin <<<
   
    Username:        tanadmin 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
   
    Notes:
      * This user account cannot be deleted
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: Change/Enable Password (Randomized)
             N: Disable Password Access
             M: Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter C to enable password access or reset the password for the selected user.
   • If you enable the password for the current user, enter a password.
   • If you enable password access for another user, TanOS generates a random password. View screen

     >>> User Administration -> System Users -> Reset Password  <<< 
     
      A temporary password will be generate and the user is required to change 
      their password upon login! 
      
      The password policy requires meeting these rules:
       - Minimum of 10 characters long
       - At least 1 upper case character
       - At least 1 lower case character
       - At least 1 numeric character
       - At least 1 other character
       - Must not match any of recent 4 passwords
       - Must not be based on a dictionary word
       - Must not contain part of the username
     
      The temporary password for tanuser is: temporarypassword 
      Successfully reset password for user tanuser.
     
      Resetting ssh lockout for user tanuser ...
      Successfully reset any lockout for user tanuser.
     
      Press enter to continue

Edit known hosts

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-U (User Administration > TanOS User Management).

3. Enter the line number of the user that you want to manage. View screen

   >>> User Administration -> TanOS -> tanadmin <<<
   
    Username:        tanadmin 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
   
    Notes:
      * This user account cannot be deleted
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: Change/Enable Password (Randomized)
             N: Disable Password Access
             M: Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Enter F to edit the known hosts file. You can delete existing fingerprints from the file, or you can scan a remote host to automatically add fingerprints.
   • To delete a fingerprint, enter a line number and confirm the deletion.
   • To scan a remote host and automatically add all discovered fingerprints, enter S and follow the prompts. View screen

      ------------------------------------------------------
       >>> User Administration -> TanOS -> tanadmin <<< 
     
       Username: tanadmin
       File:     /home/tanadmin/.ssh/known_hosts
     
       Action:   Select line number to delete
       #: Host Key                    Host
       1: AAAAE2VjZHN...qsTE1rkC2o=   192.168.15.253
       2: AAAAC3NzaC1...kHgZ1TUXjDW   192.168.15.253
     
       S: Scan remote host keys
     
       R: Return to previous menu  RR: Return to top
     
      ------------------------------------------------------
     
       Please select: s
     
       Enter the remote host to scan: 192.168.15.115
     
       Found additional host keys for 192.168.15.115
     
       192.168.15.115 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzd...
       192.168.15.115 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2FCJQS3...
       192.168.15.115 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLtuGBN...
     
       Do you want to add these entries to known_hosts? [Yes|No]: y
     
       Done adding 3 entries
       Press enter to continue

Manage system users

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-U (User Administration > TanOS User Management).

3. Enter the line number of the user that you want to manage. View screen

   >>> User Administration -> TanOS -> tanadmin <<<
   
    Username:        tanadmin 
    Account Enabled: Yes
    Authentication:  SSH Key or Password
    SSH Lockout:     No (0)
    Multi-Factor:    Not configured
   
    Notes:
      * This user account cannot be deleted
   
             A: Manage SSH Authorized Keys
             P: Manage SSH Key Pair
             L: Reset SSH Lockout
             C: Change/Enable Password (Randomized)
             N: Disable Password Access
             M: Multi-Factor Authentication
   
             E: Enable Account
             D: Disable Account
             X: [DISABLED] Delete User
   
             F: Edit known hosts file
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

4. Use the menu to delete the user, reset or enable the password, manage SSH keys, disable password access, manage multi-factor authentication, enable/disable the account, or delete entries from the known_hosts file for the user.

View history of sign in attempts

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-I (User Administration > Recent Login Information).

3. Use options A, B, and C to view the history of sign in attempts.

Configure LDAP authentication for TanOS system users

You can optionally configure an LDAP connection to use Active Directory or another directory service to manage TanOS system users.

Manage the authentication certificate for the LDAP server

TanOS requires TLS encryption using StartTLS for communication with the LDAP server. You must import the LDAP server root certificate authority (CA) certificate. The certificate must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file.

If you import a new certificate after you have already configured LDAP server connection settings, you must re-enter the bind credentials for the connection. For more information, see Configure specific LDAP connection settings.

Option 1: Paste the LDAP server root CA certificate Contents

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A-M (User Administration > AD/LDAP TanOS Authentication > Manage AD/LDAP Certificate).

3. Enter P and follow the prompts to paste the contents of the LDAP server root CA certificate file. View screen

   ------------------------------------------------------
   
   >>> User Management -> AD/LDAP TanOS Authentication -> Paste Certificate <<< 
   
   Please paste the certificate text (Empty line to end):
   -----BEGIN CERTIFICATE-----
   MIIEYzCCAsugAwIBAgIQHIaS1rg5zQdeFajAwRMjdjANBgkqhkiG9w0BAQsFADCB
   jTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMTEwLwYDVQQLDChtYXR0
   LmphcnZpc0BNTEMwMlpXNUZDTUQ2VCAoTWF0dCBKYXJ2aXMpMTgwNgYDVQQDDC9t
   a2NlcnQgbWF0dC5qYXJ2aXNATUxDMDJaVzVGQ01ENlQgKE1hdHQgSmFydmlzKTAe
   Fw0yMjA4MjUxNjQyMjlaFw0yNDExMjUxNzQyMjlaMFwxJzAlBgNVBAoTHm1rY2Vy
   dCBkZXZlbG9wbWVudCBjZXJ0aWZpY2F0ZTExMC8GA1UECwwobWF0dC5qYXJ2aXNA
   TUxDMDJaVzVGQ01ENlQgKE1hdHQgSmFydmlzKTCCASIwDQYJKoZIhvcNAQEBBQAD
   ggEPADCCAQoCggEBAM3mTuqiIk5b8GI7M0JUsYA/4eucvCpC6eOAhLA6MkL5rsFf
   ZYg7hi7wLnxZWB7uU8/44XExA2Ez4rDb3HDUVcv8rZXbKtwk0pQdol/KY77X9Cfw
   wR6UeucVizR3UbmDKfwG24ktlFxlsR4Uy/oLgwyiT/PiUSuB4qMY0NaljAG4wTZu
   KYPX5mh29zxMi9oOkInqJH6QqgX72mYglpExtMHC0LRaacJPP1WjI8E1uSiBknYE
   NBpRTP2y4yWe7e7PnrWzEz/7nMOE/UrCWcdy8/Iapd3asHSinGrdcV/jRkU7Sr9s
   VvctWpQbMClol4Gah860Ilk0dckluLV+UFrA+EsCAwEAAaNvMG0wDgYDVR0PAQH/
   BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdIwQYMBaAFL/3vApgNNHk
   pDLfc+FAGkg+VbacMCUGA1UdEQQeMByCC2xvY2FsZG9tYWlugg0qLmxvY2FsZG9t
   YWluMA0GCSqGSIb3DQEBCwUAA4IBgQBgxYa7sEeQZKaYxsemoig+l34BA+fxieO4
   k4OpmPcyfEAqbCtDVCTwJ5bFeF4LjwYhHddwq9qSvuD6NWJhR4lO2JahGFZPIakS
   VarVMBxm8ktn4XKxoFuSf5YSwFD4QjusWlVBXFokjdHVInLLoSkiBBKMonlDbiZw
   zXxVR0GaOMgRLJfoVz9hmOZpWPhkOxfSwTdyLJgeqtSf237laZhXyFRFmBM/F0Zd
   upitvpc9zpcjdRVFC5rO0YVWmBKtSr9vemOIZJtBYrTC1EuOvAbJPiMg2EXNZt9H
   My2vKMLrQ4La7vsM3Er9w02qKNtWXrLIvx65P81anVUhRKmLBsMtQgoIOFi5uk8t
   OkOdTcFUlJbVP5vGa9ZQSnopZw1jYF6IpKkKHpA0WMWFez5peQ8ZdRt7IgY/q1CE
   cDUcl9LAwQkeZ9g5B0uZ6VX7tP5oafLqChptskp3xDR/IfduX7dOuSCQNYbPAtlb
   lKgJjqSTaM4vmsWOPhlkoLmqLh4IyAk=
   -----END CERTIFICATE-----
   
   Validating input
   
   Certificate successfully installed
   
    Press enter to continue
   
   ------------------------------------------------------

Option 2: Import the LDAP server root CA certificate file

1. Use SFTP to copy the certificate file to the /incoming directory of the Tanium Server appliance.

2. Sign in to the TanOS console as a user with the tanadmin role.

3. Enter C-A-M (User Administration > AD/LDAP TanOS Authentication > Manage AD/LDAP Certificate).

4. Enter I and follow the prompts to import the LDAP server root CA certificate file.

Manage the imported LDAP server root CA certificate

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A (User Administration > AD/LDAP TanOS Authentication).

3. Enter M to go to the Manage AD/LDAP Certificate menu and view the certificate information. Use the menu options to manage the certificate.

Configure the LDAP server connection settings

Import the LDAP server root CA certificate before you configure the LDAP server connection settings. Though you can complete the configuration without the certificate, TanOS cannot connect to the LDAP server during the process to validate the users or groups that you enter for tandamin and tanuser role mappings.

Complete the walk-through configuration

The walk-through configuration provides a series of prompts that help you complete the necessary settings for an LDAP server connection. The prompts provide contextual information for each setting. For a reference of the settings that you configure during the walk-through configuration, see Configure specific LDAP connection settings.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A (User Administration > AD/LDAP TanOS Authentication).

3. Enter W to go to the Walkthrough Configuration screen. Follow the prompts to configure the connection to the LDAP server.

   After you complete the configuration, the full AD/LDAP TanOS Authentication menu becomes available. View screen

   ------------------------------------------------------
   
   >>> User Management -> AD/LDAP TanOS Authentication <<< 
   
               Certificate: Installed 
             Configuration: Valid (Online) 
   
             M: Manage AD/LDAP Certificate
             C: Configure AD/LDAP TanOS Authentication
             W: Walkthrough Configuration
   
             S: Detailed Status
             V: Verify AD/LDAP User or Group
             T: Troubleshooting
   
             E: Export configuration to SFTP outgoing
             I: Import configuration from SFTP incoming
   
             X: Reset ALL AD/LDAP TanOS Auth Settings
   
             R: Return to previous menu  RR: Return to top
   
   ------------------------------------------------------

Configure specific LDAP connection settings

Use the Configure AD/LDAP TanOS Authentication menu to change specific LDAP connection settings.

For the initial configuration, use the walk-through configuration. Use this menu to configure specific settings that you need to change after the initial configuration is complete. For more information, see Complete the walk-through configuration.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A-C (User Administration > AD/LDAP TanOS Authentication > Configure AD/LDAP TanOS Authentication).

3. Use the menu options to modify the following settings as necessary:

   Setting	Menu Key	Description
   Enable	E	Specifies whether LDAP authentication is enabled for authenticating TanOS system users. For more information, see Enable or disable LDAP authentication.
   Domain	D	The domain by which the system and logs refer to the LDAP configuration. This setting does not affect the connection to the LDAP server
   Host	H	The host name of the LDAP server TanOS requires TLS encryption for communication with the LDAP server. The host name configured for this setting must match the common name or subject alternative name in the TLS certificate presented by the LDAP server. An IP address is not usually not valid. If you change the host name in an existing configuration, you must re-enter the bind credentials for the connection. (Enter C from the Configure menu.)
   Port	P	The port on which to connect to the LDAP server This is typically port 389. If you change the port number in an existing configuration, you must re-enter the bind credentials for the connection. (Enter C from the Configure menu.)
   Bind Credentials	C	The user name used to sign in to and query the LDAP server in a format accepted by the server, and the password for the user name The following user name formats are commonly used, depending on the configuration of your Active Directory or LDAP server: User principal name (UPN): user@domain.name
   Base Search DN	B	The base DN from which TanOS queries the directory
   Schema	S	The schema used by the LDAP server. TanOS supports Active Directory, RFC2307, RFC2307bis, Red Hat Identity Manager (IdM), and FreeIPA.
   Referrals	Q	Specifies whether TanOS allows the LDAP server to refer the query to other connected LDAP servers when you have multiple LDAP servers in your organization Referrals can significantly increase the time required to process a query. TanOS does not always allow a user returned from a referral to sign on, depending on the configuration of the directory.
   SSH Public Key Attribute	K	The LDAP attribute that contains the SSH public key for each user The user that is specified for the Bind Credentials setting must have read access to this attribute. This attribute is commonly sshPublicKey.
   Users Filter	U	The LDAP search filter to use to limit the users that the LDAP server returns for the query. Leave this setting blank to return all users under the base search DN. Most LDAP servers do not support using wildcard characters or nested groups with the MemberOf attribute in a filter.
   Groups Filter	G	The LDAP search filter to use to limit the groups that the LDAP server returns for the query. Leave this setting blank to return all groups under the base search DN.
   TanOS Roles Mapping	M	The LDAP users or groups that map to the tanadmin and tanuser roles. If TanOS can successfully connect to the LDAP server when you configure this setting, it displays a list of valid users or groups and then validates the users or groups that you enter with the server. Enter A to go to the tanadmin Mappings menu and manage the users or groups that map to the tanadmin role. Users in these groups have access to all TanOS menus. View screen ------------------------------------------------------ >>> User Management -> AD/LDAP TanOS Auth -> tanadmin Mappings <<<  1: Administrators (Group) 2: TanOS Admins (Group) A: Add Mapping X: Remove ALL tanadmin Mappings R: Return to previous menu RR: Return to top ------------------------------------------------------ Enter U to go to the tanuser Mappings menu and manage the users or groups that map to the tanuser role. Users in these groups have access to TanOS status menus. View screen ------------------------------------------------------ >>> User Management -> AD/LDAP TanOS Auth -> tanuser Mappings <<<  1: TanOS Users (Group) A: Add Mapping X: Remove ALL tanadmin Mappings R: Return to previous menu RR: Return to top ------------------------------------------------------ Avoid assigning users in the directory to both a group that is mapped to the tanadmin role and a group that is mapped to the tanuser role. If a user is assigned both roles, the user can perform most administrative tasks in TanOS, but permissions might be unpredictable. You can review users with conflicting mappings in the Detailed Status report. For more information, see View the LDAP connection status and query results. You cannot delete the tanadmin and tancopy special users. These user accounts are always administered locally within TanOS. Even if an LDAP query returns either of these user names, the locally administered user and associated password takes precedence.

4. Enter V to validate the updated configuration.

   This option validates that the required settings are configured, but it does not verify the connection to the LDAP server. If TanOS successfully connects to the server, Configuration: Valid (Online) appears in the AD/LDAP TanOS Authentication menu after you apply the configuration. The Detailed Status report displays additional information and any errors that occur during the query. For more information, see View the LDAP connection status and query results.

5. Enter A to apply the updated configuration.

View the LDAP connection status and query results

The Detailed Status report displays the following information:

• Users and groups returned from the LDAP query

• Users that map to the tanadmin and tanuser roles

• Any connection errors or errors that the query returns

This report is available only after you have configured a connection to an LDAP server.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A (User Administration > AD/LDAP TanOS Authentication).

3. Enter S to display the Detailed Status report. View screen

    Viewing AD/LDAP TanOS Authentication Status, press 'q' to exit
   
   
   System Security Services Daemon (sssd)
   --------------------------------------
   Online status: Online
   
   Active servers:
   LDAP: dc01.localdomain
   
   Discovered LDAP servers:
   - dc01.localdomain
   
   Object Counts
   -------------
   Visible users: 4
   Visible groups: 2
   
   Users with tanadmin: 1
   Users with tanuser: 1
   Users with conflicting mappings: 0
   
   Visible Users
   -------------
   Administrator
   Guest
   tanos.domain.admin
   tanos.domain.user
   
   Visible Groups
   --------------
   TanOS Admins
   TanOS Users
   
   Users With Privileges Based on Mappings
   ---------------------------------------
   User                      Role
   ====                      ====
   tanos.domain.user               tanuser
   tanos.domain.admin               tanadmin
   (END)

Verify that the LDAP query returns a specific user

This menu is available only after you have configured a connection to an LDAP server.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A-V (User Administration > AD/LDAP TanOS Authentication > Verify User/Group).

3. Enter U to verify a user.

4. Follow the prompts to enter a user name to verify.

Verify that the LDAP query returns a specific group

This menu is available only after you have configured a connection to an LDAP server.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A-V (User Administration > AD/LDAP TanOS Authentication > Verify User/Group).

3. Enter G to verify a group.

4. Follow the prompts to enter a group name to verify.

Export the LDAP configuration for use on another TanOS appliance

This menu is available only after you have configured a connection to an LDAP server.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A (User Administration > AD/LDAP TanOS Authentication).

3. Enter E to export the LDAP configuration.

   The exported configuration is stored as ldapauth.conf in the /outgoing directory.

Import an LDAP configuration that was exported from another TanOS appliance

1. Use SFTP to copy the ldapauth.conf file to the /incoming directory of the TanOS appliance where you want to import the configuration.

2. Sign in to the TanOS console on the TanOS appliance where you want to import the configuration as a user with the tanadmin role.

3. Enter C-A (User Administration > AD/LDAP TanOS Authentication).

4. Enter I to import the LDAP configuration.

Enable or disable LDAP authentication

After you complete the configuration for an LDAP connection and TanOS successfully connects to the Active Directory or LDAP server, LDAP authentication is automatically enabled for the appliance. You can disable or re-enable LDAP authentication with the configuration still in place.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-A-C-E (User Administration > AD/LDAP TanOS Authentication > Configure AD/LDAP TanOS Authentication > Enable/Disable).

3. Enter D to disable LDAP authentication, or enter E to enable LDAP authentication.

   If you disable LDAP authentication, TanOS might close sessions for any users who are signed on with user names authenticated with LDAP.

Configure the local authentication service

You can use the local authentication service to set up Tanium Console user accounts for demo or testing purposes.

For production use, configure the Tanium Console to use an external LDAP server to authenticate Tanium users. For information about using LDAP for Tanium users, see Tanium Console User Guide: Integrating with LDAP servers.

Add a local user

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-L (User Administration > Local Tanium User Management).

3. Enter 1 and follow the prompts to add a local user. View screen

   >>> Appliance User Administration -> Local Authentication -> Add Local User <<< 
   
    Adding a local user requires first name, last name and a user name.
   
    Attention: 
    Please assign the new user appropriate roles and rights in the Tanium application!
   
    Please enter first name: John
    Please enter last name: Doe
    Please enter desired user name (max 20 chars): john.doe
   
   
    The password policy requires meeting these rules:
     - Minimum 10 characters long
     - At least 1 upper case character
     - At least 1 lower case character
     - At least 1 numeric character
     - At least 1 other character
     - Must not be based on a dictionary word
     - Must not contain part of the username
   
    Please enter password (will not be displayed): 
    Password score: 50 out of 100 (strong)
    Please enter password again: 
   
    Successfully added user John Doe (username: john.doe) to the local authentication service.
    Press enter to continue

4. Sign in to the Tanium Console as an administrator, create a user with the same user name, and assign roles to it. For details, see Tanium Console User Guide: Managing users.

Set a user password

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-L-2 (User Administration > Local Tanium User Management > Manage Local Users).

3. Enter the user line number to go to the User menu. View screen

    ------------------------------------------------------
   
   >>> User Administration -> Tanium Users -> tanldap <<< 
   
     UserID:         tanldap 
     Name:           tanldap tanldap 
     Lock Time:      n/a 
     Expiry Time:    n/a 
   
             1: Delete User
             2: Set Password
   
             R: Return to previous menu  RR: Return to top
   
    ------------------------------------------------------

4. Enter 2 and follow the prompts to set the user password. View screen

    ------------------------------------------------------
   
   >>> User Administration -> Tanium Users -> tanldap <<< 
   
     UserID:         tanldap 
     Name:           tanldap tanldap 
     Lock Time:      n/a 
     Expiry Time:    n/a 
   
             1: Delete User
             2: Set Password
   
             R: Return to previous menu  RR: Return to top
   
    ------------------------------------------------------
   
    TanOS Version:        1.8.1 
   
    Please select: 2
   
    Setting new password for tanldap
   
   
    The password policy requires meeting these rules:
     - Minimum 10 characters long
     - At least 1 upper case character
     - At least 1 lower case character
     - At least 1 numeric character
     - At least 1 other character
     - Must not be based on a dictionary word
     - Must not contain part of the username
   
    Please enter password (will not be displayed):

Delete a user

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-L-2 (User Administration > Local Tanium User Management > Manage Local Users).

3. Enter the user line number to go to the User menu. View screen

    ------------------------------------------------------
   
   >>> User Administration -> Tanium Users -> tanldap <<< 
   
     UserID:         tanldap 
     Name:           tanldap tanldap 
     Lock Time:      n/a 
     Expiry Time:    n/a 
   
             1: Delete User
             2: Set Password
   
             R: Return to previous menu  RR: Return to top
   
    ------------------------------------------------------

4. Enter 1 and follow the prompts to delete the user.

Disable the local authentication service

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-L (User Administration > Local Tanium User Management).

3. Enter A and follow the prompts to enable or disable the local authentication service. View screen

   >>> User Administration -> Enable/Disable Local Authentication <<< 
   
    Current status of the Local Authentication Service:
    Enabled 
    Active 
   
    Warning: make sure that you have configured the Tanium application to use an 
    external authentication service prior to disabling the local authentication service!
   
    Would you like to disable the Local Authentication Service? [Yes|No]: yes
    
    Disabling Local Authentication Service
   
    Local Authentication Service has been disabled.
    Press enter to continue

Although the Tanium Console contains a soap_enable_local_auth platform setting to disable local authentication, that setting is not supported for Tanium Appliance installations.

Modify the local authentication service security policy

The local authentication service security policy has the following default settings.

Setting	Factory Default	Description
Password Minimum Age (days)	1	The minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. Valid range is 0-20.
Password Maximum Age (days)	90	The age at which a current password expires. A value of 0 indicates the password does not expire. Valid range is 0-360.
Password Minimum Length	10	The minimum number of characters allowed in a password. Valid range is 0-30.
Password History	5	The number of most recent passwords that a user cannot reuse. A setting of 0 allows reuse of any previous passwords. Valid range is 0-10.
Password Lockout	True	True locks out a user with an expired password. False forces the user to change the password.
Password Maximum Failure	5	The number of failed attempts before a user is locked out. A setting of 0 allows unlimited failed attempts. Valid range is 0-10.

To modify the default settings:

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter C-L-B (User Administration > Local Tanium User Management > Security Policy Local Authentication Service).

3. Follow the prompts to modify the settings.