Reference: User Administration menu

Use TanOS to manage user accounts on the Tanium Appliance. Users with the tanadmin role can manage two types of user accounts:

Use the TanOS User Management menu (C-U) to manage TanOS system users. These user accounts can access the TanOS console, but not the Tanium™ Console. This includes the predefined TanOS users tanadmin and tancopy. TanOS system users are local to each appliance; users are not shared across appliances. You can optionally use your enterprise LDAP server to manage TanOS authentication. For details on using LDAP for TanOS users, see Configure LDAP authentication for TanOS system users.

For more information on the predefined TanOS user accounts, see Completing the initial setup (physical Tanium Appliance), Completing the initial setup (virtual Tanium Appliance), or Completing the initial setup (cloud-based Tanium Appliance).
Use the Local Tanium User Management menu (C-L) to manage Tanium users who can access the Tanium Console through a web browser. These user accounts cannot access the TanOS console. TanOS hosts a local authentication service that you can use for Tanium Console user authentication. For details on setting up local Tanium user management, see Configure the local authentication service. In addition, you can use your enterprise LDAP server to manage Tanium Console authentication. For information about using LDAP for Tanium users, see Tanium Console User Guide: Integrating with LDAP servers.

Change TanOS user passwords

The tanadmin user can make password-authenticated SSH connections to the TanOS console.

Change the tanadmin password

Use these steps to reset the password for the current tanadmin user. On TanOS 1.7.3 or later, the password reset prompt appears if the tanadmin user password expires. To change the password for another tanadmin user, see Manage system users.

Enter P and follow the prompts to change the password.

View screen

>>> User Administration -> TanOS -> tanadmin -> Change Password <<< 


 Preparing to change the password for tanadmin

 The password policy requires meeting these rules:
  - Minimum of 10 characters long
  - At least 1 upper case character
  - At least 1 lower case character
  - At least 1 numeric character
  - At least 1 other character
  - Must not match any of recent 4 passwords
  - Must not be based on a dictionary word
  - Must not contain part of the username

 Please enter password (will not be displayed):
Password score: 55 out of 100 (strong)
 Please enter password again:

 The password change was successful.

 Press enter to continue

After the password changes, you are signed out.

Manage SSH keys

The installation process generates a public/private SSH key pair for the tanadmin user. Use the User Administration menus to perform the following functions:

Regenerate the key pair.
Generate keys for the other TanOS special users.
Add authorized keys to support inbound user connections.
View the public key so you can copy and paste it into other appliance configurations.

You can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin role.

Before you begin

You must have an SSH client to sign in to the TanOS console and an SFTP client such as WinSCP to copy files to and from the appliance.
You must have an SSH key generator such as ssh-keygen to generate keys for the user.

Generate keys

Enter C to go to the User Administration menu.

View screen

------------------------------------------------------

>>> User Administration <<< 

          U: TanOS User Management
          I: Recent Login Information
          M: Multi-Factor Global Settings
          A: AD/LDAP TanOS Authentication

          L: Local Tanium User Management

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter U to manage TanOS users.

Enter the line number of the user account that you want to manage.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter P to manage the SSH key pair.

View screen

>>> User Administration -> TanOS -> tanadmin -> Key Pair <<< 

 Account: tanadmin 
 No SSH keys found for user tanadmin. Please create key pair first

          G: Generate ssh key pair

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter G to generate a public/private key pair.

View screen

>>> User Administration -> Manage -> User -> SSH <<< 

	Account: tanadmin
	Action:  Generate SSH Keys
	No .ssh directory for user tanadmin found - creating and securing it
	keygen process finished successful
	Finished generating keys for tanuser

	Press enter to continue

Add authorized keys

Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
- Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
- Specify a passphrase that is easy to remember.
- Save the private key to a location that you can access when you set up your SFTP client.
Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly.
Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter U to manage TanOS users.

Enter the line number for the tancopy user to go to the user administration menu for this user.

View screen

>>> User Administration -> TanOS -> tancopy <<< 

 Username:        tancopy 
 Account Enabled: Yes
 Authentication:  SSH Key Only
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured
 
 Notes:
   * This user account cannot be deleted
   * This user account cannot have a password
   * This user account cannot use multi-factor

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: [DISABLED] Change Password
          N: [DISABLED] Disable Password Access
          M: [DISABLED] Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter A to go to the Authorized Keys menu.

View screen

>>> User Administration -> TanOS -> tancopy -> Authorized Keys <<< 

 Account: tancopy 
 Select an entry to view or delete.

       1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY 
       2: 2048 SHA256:8OV4S5V30aFu9pZKexRVaElF3BgJNEx+Y91fgbnzxIU

       A: Add key

       R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter A and follow the prompts to add the contents of the public key generated in Step 1.

View screen

>>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<< 

Account: tancopy
Please paste the public key and press enter: 
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2z
MDxW5TO5tm/U8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTq
Z+KCgzbEhHLWUD44+If5RtG+U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBue
mftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2mOJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvB
oPeaCFaApQ== rsa-key-20200123
 Validating input
 Adding key to authorized keys after validation
 Finished adding authorized keys for tancopy


 Press enter to continue

View public keys

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter U to manage TanOS users.

Enter the line number for the tancopy user to go to the user administration menu for this user.

View screen

>>> User Administration -> TanOS -> tancopy <<< 

 Username:        tancopy 
 Account Enabled: Yes
 Authentication:  SSH Key Only
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured
 
 Notes:
   * This user account cannot be deleted
   * This user account cannot have a password
   * This user account cannot use multi-factor

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: [DISABLED] Change Password
          N: [DISABLED] Disable Password Access
          M: [DISABLED] Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter P to go to the Key Pair menu to view the public key.

View screen

>>> User Administration -> TanOS -> tancopy -> Key Pair <<< 

 Account: tancopy 
 SSH Public Key for user tancopy:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZCvC+
nF93Nqmv2lrlUJoDTrwCnpJkcm5Er5ywNFNem5MJZZd0esToJTpY43gb8XppB5JP7SdHVJk2M3Nm0DP+xapjAL35Cs/
bdX48kwDc0R1m4Qc7/4aqQQkBcF/95Z3OrpD1EVW0bwF3KlsX9vEojQ3sO4PjNBQJxTepLI+iU1IQzu44OvUx4A7Jpk
ZSZBL+t1KdyNl75vZ8vCfcG4KqdHqwVds1XIplaW77LcN8+G4kYUthlpWVrSLvWtKdZztGG+Kasj0y/VSqhlP7AHorU
mDzuV4z4AOB7+UI8lcx8B5FPEverfNhPAXkemOrqnkd0oolLKeoEdiaakqANJHboI5gFJPJe1v1ZLDr47wXYqnGBccm
1Tp/MQyMvtf98HKesBk4qXOgvBICLs44/pLVqXou/3c+sI+uCj1aNDlTjmpvG1TBLAuuCUiu3SkUi3zcZxlvqRD/YgVq/
w9yGryG7pamAmBkYVXYqIx0JHfjxhO6er+pAZOpXPV8B4p3ie7lhzOJO+g7JRHwOEo+yLOyCU9yWwfvs6dsP7RqKS4EL
asTLFnaKFT4D+sxZnEIxJPpy/gO8tQdfm69fz6RXh8GkWt/2CyyQ4DWVXt5AXLt6YbMFk0nNVbnOVih1/g6yHsTcxQKP
zVDO/6fQ/tb33kbj5M5KhC1YI3pXxjMYZN1aQ

          G: Generate ssh key pair

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Configure TanOS system users

You can create TanOS users that have tanadmin or tanuser permissions. The system users with the tanadmin role have access to all menus. System users with the tanuser role have access to status menus.

You can optionally use your enterprise LDAP server to manage TanOS authentication. For more information, see Configure LDAP authentication for TanOS system users.

Add a system user

Enter C to go to the User Administration menu.

View screen

------------------------------------------------------

>>> User Administration <<< 

          U: TanOS User Management
          I: Recent Login Information
          M: Multi-Factor Global Settings
          A: AD/LDAP TanOS Authentication

          L: Local Tanium User Management

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter A and follow the prompts to add a system user.

View screen

>>> User Administration -> System Users -> Add System User <<< 

 Adding a system user requires first name, last name, user name and user role.

 Attention: 
 TanUser Role:  Monitor/Check the status of the appliance, no changes are allowed
 TanAdmin Role: Full administrative role to manage the appliance

 A temporary password will be generated and the new user is required to change 
 their password upon first login! 

 The password policy requires meeting these rules:
 - Minimum of 10 characters long
 - At least 1 upper case character
 - At least 1 lower case character
 - At least 1 numeric character
 - At least 1 other character
 - Must not match any of recent 4 passwords
 - Must not be based on a dictionary word
 - Must not contain part of the username

 Please enter first name: John
 Please enter last name: Doe
 Please enter desired user name (max 30 chars): john.doe
 Which role should be assigned to john.doe?

 1: TanUser (Monitoring)
 2: TanAdmin (Administrative)

 Please select: 2

 The temporary password for john.doe is: proudbrownwildfowl

 Adding local user john doe ...
 Successfully added user john doe (username: john.doe) with role tanadmin.

 Press enter to continue

Disable password access

You can disable password access for any user except the tanadmin special user. When you disable password access for a user, the user can only sign in through SSH using the configured SSH private key.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter the line item of the user that you want to manage.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter N and follow the prompts to disable password access for the user.

View screen

 ------------------------------------------------------

  >>> User Administration -> TanOS -> john.doe <<< 

 Username:        john.doe 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access

          E: Enable Account
          D: Disable Account
          X: Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

 TanOS Version:        1.7.4
 TanOS_Shell Version:  1.7.4

 Please select: N

 Disabling the password for an account means that
 1. The user can only log in via SSH (not a serial console or equivalent)
 2. The user can only log in using the configured SSH private key
 3. The user will not need to change their password periodically

 This operation can be reversed by setting a password again.

 Do you want to disable password access for john.doe? [Yes|No]: yes
 Successfully removed the password.

 Press enter to continue

Enable password access

Password access is enabled by default. If you disable password access for a user and want to re-enable password access, perform the following steps.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter the line item of the user that you want to manage.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter C to enable password access or reset the password for the selected user.

If you enable the password for the current user, enter a password.

If you enable password access for another user, TanOS generates a random password.

View screen

>>> User Administration -> System Users -> Reset Password  <<< 

 A temporary password will be generate and the user is required to change 
 their password upon login! 
 
 The password policy requires meeting these rules:
  - Minimum of 10 characters long
  - At least 1 upper case character
  - At least 1 lower case character
  - At least 1 numeric character
  - At least 1 other character
  - Must not match any of recent 4 passwords
  - Must not be based on a dictionary word
  - Must not contain part of the username

 The temporary password for tanuser is: temporarypassword 
 Successfully reset password for user tanuser.

 Resetting ssh lockout for user tanuser ...
 Successfully reset any lockout for user tanuser.

 Press enter to continue

Manage system users

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter the line number of the user that you want to manage.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Use the menu to delete the user, reset or enable the password, manage SSH keys, disable password access, manage multi-factor authentication, enable/disable the account, or delete entries from the known_hosts file for the user.

View history of sign in attempts

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter I to go to the Recent Login Information menu.

View screen

------------------------------------------------------

>>> User Administration -> Recent Login Information <<< 

 System users can login to monitor the appliance or perform administrative
 tasks.

          A: View Last 20 Successful Logins
          B: View Last 20 Failed Logins
          C: View Login Statistics

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Use options A, B, and C to view the history of sign in attempts.

Configure individual multi-factor authentication

In addition to global multi-factor authentication, you can configure multi-factor authentication for individual users or exempt individual users from global multi-factor authentication requirements.

To manage global multi-factor authentication settings, see Configure global multi-factor authentication.

Exempt user from global multi-factor requirements

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter the line item of the user that you want to edit.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to manage the multi-factor authentication settings for the user.

View screen

 ------------------------------------------------------

        >>> User -> tanadmin -> Multi-Factor <<< 

 Current Configuration: Not configured

          E: Exempt User from Multi-Factor Requirement
          G: Configure Google Authenticator for User

          V: View Configuration

          X: Reset User Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter E and follow the prompts to exempt the user from all multi-factor authentication requirements.

View screen

>>> User -> tanadmin -> Multi-factor Exemption <<< 

 This will disable the requirement for multi-factor for this user, even if
 multi-factor is globally enforced.

 Would you like to continue? [Yes|No]: yes

 Resetting MFA user configuration and disabling MFA requirement for user
 Adding user tanuser to group tanmfano

 Press enter to continue

To remove the exemption for the user, perform the steps in Reset user multi-factor settings.

Configure Google Authenticator for a user

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter the line item of the user that you want to edit.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to manage the multi-factor authentication settings for the user.

View screen

 ------------------------------------------------------

        >>> User -> tanadmin -> Multi-Factor <<< 

 Current Configuration: Not configured

          E: Exempt User from Multi-Factor Requirement
          G: Configure Google Authenticator for User

          V: View Configuration

          X: Reset User Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter G and follow the prompts to configure Google Authenticator for the user.

View user multi-factor settings

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter the line item of the user that you want to edit.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to manage the multi-factor authentication settings for the user.

View screen

 ------------------------------------------------------

        >>> User -> tanadmin -> Multi-Factor <<< 

 Current Configuration: Not configured

          E: Exempt User from Multi-Factor Requirement
          G: Configure Google Authenticator for User

          V: View Configuration

          X: Reset User Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter V to show the multi-factor authentication settings for the user.

Reset user multi-factor settings

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter U to go to the User Administration -> TanOS menu.

View screen

 ------------------------------------------------------
          >>> User Administration -> TanOS <<< 

          #: User ID              Role       Auth       Name

          1: tanadmin             tanadmin   Key+Pwd    Tanium Privileged User
          2: tancopy              tanuser    Key        Tanium Copy User

          A: Add System User

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter the line item of the user that you want to edit.

View screen

>>> User Administration -> TanOS -> tanadmin <<<

 Username:        tanadmin 
 Account Enabled: Yes
 Authentication:  SSH Key or Password
 SSH Lockout:     No (0)
 Multi-Factor:    Not configured

 Notes:
   * This user account cannot be deleted

          A: Manage SSH Authorized Keys
          P: Manage SSH Key Pair
          L: Reset SSH Lockout
          C: Change/Enable Password (Randomized)
          N: Disable Password Access
          M: Multi-Factor Authentication

          E: Enable Account
          D: Disable Account
          X: [DISABLED] Delete User

          F: Edit known hosts file

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to manage the multi-factor authentication settings for the user.

View screen

 ------------------------------------------------------

        >>> User -> tanadmin -> Multi-Factor <<< 

 Current Configuration: Not configured

          E: Exempt User from Multi-Factor Requirement
          G: Configure Google Authenticator for User

          V: View Configuration

          X: Reset User Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter X and follow the prompts to reset the multi-factor authentication settings for the user.

Configure global multi-factor authentication

You can configure the appliance to use multi-factor authentication to validate TanOS user accounts on sign-ins through SSH connections. You can configure multi-factor authentication as a global setting or for individual users, and you can exempt selected accounts from global multi-factor authentication settings.

Tanium Appliances use Google Authenticator for multi-factor authentication.

Enable global key authentication

Perform the following steps to require all users who sign-in through SSH to use an authorized key configured in their profiles.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter M to go to the Multi-Factor Global Settings menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 These settings apply to SSH logins only.

          Key: Optional
     Password: Optional
 Multi-Factor: Optional

          K: Require Key Authentication
          P: Require Password Authentication
          M: Require Multi-Factor Authentication

          X: Reset ALL Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter K to go to the key authentication menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 This will require that all users that login via SSH will need to login using
 an authorized key configured under the user profile. At least one admin must
 be setup with an authorized key in order to enable this setting.

 Require Key Authentication: Optional 

          E: Enable Require Key Authentication
          D: Disable Require Key Authentication

          R: Return to previous menu  RR: Return to top

 Please select:

Enter E and follow the prompts to enable global key authentication.

Disable global key authentication

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter M to go to the Multi-Factor Global Settings menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 These settings apply to SSH logins only.

          Key: Optional
     Password: Optional
 Multi-Factor: Optional

          K: Require Key Authentication
          P: Require Password Authentication
          M: Require Multi-Factor Authentication

          X: Reset ALL Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter K to go to the key authentication menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 This will require that all users that login via SSH will need to login using
 an authorized key configured under the user profile. At least one admin must
 be setup with an authorized key in order to enable this setting.

 Require Key Authentication: Optional 

          E: Enable Require Key Authentication
          D: Disable Require Key Authentication

          R: Return to previous menu  RR: Return to top

 Please select:

Enter D and follow the prompts to disable global key authentication.

Enable global password authentication

Perform the following steps to require all users who sign-in through SSH to input a password.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter M to go to the Multi-Factor Global Settings menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 These settings apply to SSH logins only.

          Key: Optional
     Password: Optional
 Multi-Factor: Optional

          K: Require Key Authentication
          P: Require Password Authentication
          M: Require Multi-Factor Authentication

          X: Reset ALL Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter P to go to the password authentication menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 This will require that all users that login via SSH will need to input a
 password even if an authorized key is configured under the user profile.

 Require Password Authentication: Optional 

          E: Enable Require Password Authentication
          D: Disable Require Password Authentication

          R: Return to previous menu  RR: Return to top

 Please select:

Enter E and follow the prompts to enable global key authentication.

Disable global password authentication

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter M to go to the Multi-Factor Global Settings menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 These settings apply to SSH logins only.

          Key: Optional
     Password: Optional
 Multi-Factor: Optional

          K: Require Key Authentication
          P: Require Password Authentication
          M: Require Multi-Factor Authentication

          X: Reset ALL Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter P to go to the key authentication menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 This will require that all users that login via SSH will need to input a
 password even if an authorized key is configured under the user profile.

 Require Password Authentication: Optional 

          E: Enable Require Password Authentication
          D: Disable Require Password Authentication

          R: Return to previous menu  RR: Return to top

 Please select:

Enter D and follow the prompts to disable global key authentication.

Enable global multi-factor authentication

If you want to exempt specific accounts from requiring multi-factor authentication, you should exempt the accounts before you enable global multi-factor authentication to minimize disruption. To exempt a user from multi-factor authentication, see Exempt user from global multi-factor requirements.

At least one admin user must be exempt or have an SSH key pair configured before you enable global multi-factor authentication. See Manage SSH keys.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter M to go to the Multi-Factor Global Settings menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 These settings apply to SSH logins only.

          Key: Optional
     Password: Optional
 Multi-Factor: Optional

          K: Require Key Authentication
          P: Require Password Authentication
          M: Require Multi-Factor Authentication

          X: Reset ALL Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to require multi-factor authentication.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 This will require that all users that login via SSH will need to complete an
 additional factor of authentication before being permitted to login. At least
 one admin user must be configured or exempt before proceeding.

 Require Multi-factor Authentication: Optional 

          E: Enable Require Multi-factor Authentication
          D: Disable Require Multi-factor Authentication

          R: Return to previous menu  RR: Return to top

 Please select:

Enter E and follow the prompts to enable global multi-factor authentication.

Disable global multi-factor authentication

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter M to go to the Multi-Factor Global Settings menu.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 These settings apply to SSH logins only.

          Key: Optional
     Password: Optional
 Multi-Factor: Optional

          K: Require Key Authentication
          P: Require Password Authentication
          M: Require Multi-Factor Authentication

          X: Reset ALL Multi-Factor Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to require multi-factor authentication.

View screen

------------------------------------------------------

>>> User Management -> Multi-Factor Global Settings <<< 

 This will require that all users that login via SSH will need to complete an
 additional factor of authentication before being permitted to login. At least
 one admin user must be configured or exempt before proceeding.

 Require Multi-factor Authentication: Optional 

          E: Enable Require Multi-factor Authentication
          D: Disable Require Multi-factor Authentication

          R: Return to previous menu  RR: Return to top

 Please select:

Enter D and follow the prompts to disable global multi-factor authentication.

Configure LDAP authentication for TanOS system users

You can optionally configure an LDAP connection to use Active Directory or another directory service to manage TanOS system users.

You cannot delete the tanadmin and tancopy special users. These user accounts are always administered locally within TanOS. Even if an LDAP query returns either of these user names, the locally administered user and associated password takes precedence.
This LDAP configuration applies only for authentication in the TanOS console. For information about using LDAP for Tanium users, see Tanium Console User Guide: Integrating with LDAP servers.

Manage the authentication certificate for the LDAP server

TanOS requires TLS encryption using StartTLS for communication with the LDAP server. You must import the LDAP server root certificate authority (CA) certificate. The certificate must be in PEM format. On the appliance, you have the option to paste the contents of the LDAP server root CA certificate or import the file.

If you import a new certificate after you have already configured LDAP server connection settings, you must re-enter the bind credentials for the connection. For more information, see Configure specific LDAP connection settings.

Option 1: Paste the LDAP server root CA certificate Contents

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter A to go to the AD/LDAP TanOS Authentication menu.

View screen

------------------------------------------------------

>>> User Management -> AD/LDAP TanOS Authentication <<< 

            Certificate: Not Installed 
          Configuration: Missing 

          M: [REQUIRED] Manage AD/LDAP Certificate
          C: [REQUIRED] Configure AD/LDAP TanOS Authentication
          W: [RECOMMENDED] Walkthrough Configuration
          I: Import configuration from SFTP incoming

          X: Reset ALL AD/LDAP TanOS Auth Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to go to the Manage AD/LDAP Certificate menu.

Enter P and follow the prompts to paste the contents of the LDAP server root CA certificate file.

View screen

------------------------------------------------------

>>> User Management -> AD/LDAP TanOS Authentication -> Paste Certificate <<< 

Please paste the certificate text (Empty line to end):
-----BEGIN CERTIFICATE-----
MIIEYzCCAsugAwIBAgIQHIaS1rg5zQdeFajAwRMjdjANBgkqhkiG9w0BAQsFADCB
jTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMTEwLwYDVQQLDChtYXR0
LmphcnZpc0BNTEMwMlpXNUZDTUQ2VCAoTWF0dCBKYXJ2aXMpMTgwNgYDVQQDDC9t
a2NlcnQgbWF0dC5qYXJ2aXNATUxDMDJaVzVGQ01ENlQgKE1hdHQgSmFydmlzKTAe
Fw0yMjA4MjUxNjQyMjlaFw0yNDExMjUxNzQyMjlaMFwxJzAlBgNVBAoTHm1rY2Vy
dCBkZXZlbG9wbWVudCBjZXJ0aWZpY2F0ZTExMC8GA1UECwwobWF0dC5qYXJ2aXNA
TUxDMDJaVzVGQ01ENlQgKE1hdHQgSmFydmlzKTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAM3mTuqiIk5b8GI7M0JUsYA/4eucvCpC6eOAhLA6MkL5rsFf
ZYg7hi7wLnxZWB7uU8/44XExA2Ez4rDb3HDUVcv8rZXbKtwk0pQdol/KY77X9Cfw
wR6UeucVizR3UbmDKfwG24ktlFxlsR4Uy/oLgwyiT/PiUSuB4qMY0NaljAG4wTZu
KYPX5mh29zxMi9oOkInqJH6QqgX72mYglpExtMHC0LRaacJPP1WjI8E1uSiBknYE
NBpRTP2y4yWe7e7PnrWzEz/7nMOE/UrCWcdy8/Iapd3asHSinGrdcV/jRkU7Sr9s
VvctWpQbMClol4Gah860Ilk0dckluLV+UFrA+EsCAwEAAaNvMG0wDgYDVR0PAQH/
BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdIwQYMBaAFL/3vApgNNHk
pDLfc+FAGkg+VbacMCUGA1UdEQQeMByCC2xvY2FsZG9tYWlugg0qLmxvY2FsZG9t
YWluMA0GCSqGSIb3DQEBCwUAA4IBgQBgxYa7sEeQZKaYxsemoig+l34BA+fxieO4
k4OpmPcyfEAqbCtDVCTwJ5bFeF4LjwYhHddwq9qSvuD6NWJhR4lO2JahGFZPIakS
VarVMBxm8ktn4XKxoFuSf5YSwFD4QjusWlVBXFokjdHVInLLoSkiBBKMonlDbiZw
zXxVR0GaOMgRLJfoVz9hmOZpWPhkOxfSwTdyLJgeqtSf237laZhXyFRFmBM/F0Zd
upitvpc9zpcjdRVFC5rO0YVWmBKtSr9vemOIZJtBYrTC1EuOvAbJPiMg2EXNZt9H
My2vKMLrQ4La7vsM3Er9w02qKNtWXrLIvx65P81anVUhRKmLBsMtQgoIOFi5uk8t
OkOdTcFUlJbVP5vGa9ZQSnopZw1jYF6IpKkKHpA0WMWFez5peQ8ZdRt7IgY/q1CE
cDUcl9LAwQkeZ9g5B0uZ6VX7tP5oafLqChptskp3xDR/IfduX7dOuSCQNYbPAtlb
lKgJjqSTaM4vmsWOPhlkoLmqLh4IyAk=
-----END CERTIFICATE-----

Validating input

Certificate successfully installed

 Press enter to continue

------------------------------------------------------

Option 2: Import the LDAP server root CA certificate file

Use SFTP to copy the certificate file to the /incoming directory of the Tanium Server appliance.
Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter A to go to the AD/LDAP TanOS Authentication menu.

View screen

------------------------------------------------------

>>> User Management -> AD/LDAP TanOS Authentication <<< 

            Certificate: Not Installed 
          Configuration: Missing 

          M: [REQUIRED] Manage AD/LDAP Certificate
          C: [REQUIRED] Configure AD/LDAP TanOS Authentication
          W: [RECOMMENDED] Walkthrough Configuration
          I: Import configuration from SFTP incoming

          X: Reset ALL AD/LDAP TanOS Auth Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter M to go to the Manage AD/LDAP Certificate menu.
Enter I and follow the prompts to import the LDAP server root CA certificate file.

Manage the imported LDAP server root CA certificate

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.
Enter M to go to the Manage AD/LDAP Certificate menu and view the certificate information. Use the menu options to manage the certificate.

Configure the LDAP server connection settings

Import the LDAP server root CA certificate before you configure the LDAP server connection settings. Though you can complete the configuration without the certificate, TanOS cannot connect to the LDAP server during the process to validate the users or groups that you enter for tandamin and tanuser role mappings.

Complete the walk-through configuration

The walk-through configuration provides a series of prompts that help you complete the necessary settings for an LDAP server connection. The prompts provide contextual information for each setting. For a reference of the settings that you configure during the walk-through configuration, see Configure specific LDAP connection settings.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.

Enter W to go to the Walkthrough Configuration screen. Follow the prompts to configure the connection to the LDAP server.

After you complete the configuration, the full AD/LDAP TanOS Authentication menu becomes available. View screen

------------------------------------------------------

>>> User Management -> AD/LDAP TanOS Authentication <<< 

            Certificate: Installed 
          Configuration: Valid (Online) 

          M: Manage AD/LDAP Certificate
          C: Configure AD/LDAP TanOS Authentication
          W: Walkthrough Configuration

          S: Detailed Status
          V: Verify AD/LDAP User or Group
          T: Troubleshooting

          E: Export configuration to SFTP outgoing
          I: Import configuration from SFTP incoming

          X: Reset ALL AD/LDAP TanOS Auth Settings

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Configure specific LDAP connection settings

Use the Configure AD/LDAP TanOS Authentication menu to change specific LDAP connection settings.

For the initial configuration, use the walk-through configuration. Use this menu to configure specific settings that you need to change after the initial configuration is complete. For more information, see Complete the walk-through configuration.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.

Enter C to go to the Configure AD/LDAP TanOS Authentication menu.

View screen

------------------------------------------------------

>>> User Management -> AD/LDAP TanOS Auth -> Configure <<< 

Configuration Status: Valid (Online) 

          E: Enable [true]
          D: Domain [localdomain]
          H: Host [dc01.localdomain]
          P: Port [389]
          C: Bind Credentials [[email protected]]
          B: Base Search DN [cn=users,dc=localdomain]
          S: Schema [Active Directory]
          Q: Referrals [false]
          K: SSH Public Key Attribute [sshPublicKeys]

          U: Users Filter []
          G: Groups Filter [(cn=TanOS*)]
          M: TanOS Roles Mapping

          V: Validate Configuration
          A: Activate Configuration Changes

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Use the menu options to modify the following settings as necessary:

Setting	Menu Key	Description
Enable	E	Specifies whether LDAP authentication is enabled for authenticating TanOS system users. For more information, see Enable or disable LDAP authentication.
Domain	D	The domain by which the system and logs refer to the LDAP configuration. This setting does not affect the connection to the LDAP server
Host	H	The host name of the LDAP server TanOS requires TLS encryption for communication with the LDAP server. The host name configured for this setting must match the common name or subject alternative name in the TLS certificate presented by the LDAP server. An IP address is not usually not valid. If you change the host name in an existing configuration, you must re-enter the bind credentials for the connection. (Enter C from the Configure menu.)
Port	P	The port on which to connect to the LDAP server This is typically port 389. If you change the port number in an existing configuration, you must re-enter the bind credentials for the connection. (Enter C from the Configure menu.)
Bind Credentials	C	The user name used to sign in to and query the LDAP server in a format accepted by the server, and the password for the user name The following user name formats are commonly used, depending on the configuration of your Active Directory or LDAP server: User principal name (UPN): user@domain.name Down-level logon name: DOMAIN\user Distinguished name (DN): CN=user, DC=domain,DC=tld
Base Search DN	B	The base DN from which TanOS queries the directory
Schema	S	The schema used by the LDAP server. TanOS supports Active Directory, RFC2307, RFC2307bis, Red Hat Identity Manager (IdM), and FreeIPA.
Referrals	Q	Specifies whether TanOS allows the LDAP server to refer the query to other connected LDAP servers when you have multiple LDAP servers in your organization Referrals can significantly increase the time required to process a query. TanOS does not always allow a user returned from a referral to sign on, depending on the configuration of the directory.
SSH Public Key Attribute	K	The LDAP attribute that contains the SSH public key for each user The user that is specified for the Bind Credentials setting must have read access to this attribute. This attribute is commonly sshPublicKey.
Users Filter	U	The LDAP search filter to use to limit the users that the LDAP server returns for the query. Leave this setting blank to return all users under the base search DN. Most LDAP servers do not support using wildcard characters or nested groups with the MemberOf attribute in a filter.
Groups Filter	G	The LDAP search filter to use to limit the groups that the LDAP server returns for the query. Leave this setting blank to return all groups under the base search DN.
TanOS Roles Mapping	M	The LDAP users or groups that map to the tanadmin and tanuser roles. If TanOS can successfully connect to the LDAP server when you configure this setting, it displays a list of valid users or groups and then validates the users or groups that you enter with the server. Enter A to go to the tanadmin Mappings menu and manage the users or groups that map to the tanadmin role. Users in these groups have access to all TanOS menus. View screen ------------------------------------------------------ >>> User Management -> AD/LDAP TanOS Auth -> tanadmin Mappings <<< 1: Administrators (Group) 2: TanOS Admins (Group) A: Add Mapping X: Remove ALL tanadmin Mappings R: Return to previous menu RR: Return to top ------------------------------------------------------ Enter U to go to the tanuser Mappings menu and manage the users or groups that map to the tanuser role. Users in these groups have access to TanOS status menus. View screen ------------------------------------------------------ >>> User Management -> AD/LDAP TanOS Auth -> tanuser Mappings <<< 1: TanOS Users (Group) A: Add Mapping X: Remove ALL tanadmin Mappings R: Return to previous menu RR: Return to top ------------------------------------------------------ Avoid assigning users in the directory to both a group that is mapped to the tanadmin role and a group that is mapped to the tanuser role. If a user is assigned both roles, the user can perform most administrative tasks in TanOS, but permissions might be unpredictable. You can review users with conflicting mappings in the Detailed Status report. For more information, see View the LDAP connection status and query results. You cannot delete the tanadmin and tancopy special users. These user accounts are always administered locally within TanOS. Even if an LDAP query returns either of these user names, the locally administered user and associated password takes precedence.

Enter V to validate the updated configuration.

This option validates that the required settings are configured, but it does not verify the connection to the LDAP server. If TanOS successfully connects to the server, Configuration: Valid (Online) appears in the AD/LDAP TanOS Authentication menu after you apply the configuration. The Detailed Status report displays additional information and any errors that occur during the query. For more information, see View the LDAP connection status and query results.
Enter A to apply the updated configuration.

View the LDAP connection status and query results

The Detailed Status report displays the following information:

Users and groups returned from the LDAP query
Users that map to the tanadmin and tanuser roles
Any connection errors or errors that the query returns

This report is available only after you have configured a connection to an LDAP server.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.

Enter S to display the Detailed Status report.

View screen

 Viewing AD/LDAP TanOS Authentication Status, press 'q' to exit


System Security Services Daemon (sssd)
--------------------------------------
Online status: Online

Active servers:
LDAP: dc01.localdomain

Discovered LDAP servers:
- dc01.localdomain

Object Counts
-------------
Visible users: 4
Visible groups: 2

Users with tanadmin: 1
Users with tanuser: 1
Users with conflicting mappings: 0

Visible Users
-------------
Administrator
Guest
tanos.domain.admin
tanos.domain.user

Visible Groups
--------------
TanOS Admins
TanOS Users

Users With Privileges Based on Mappings
---------------------------------------
User                      Role
====                      ====
tanos.domain.user               tanuser
tanos.domain.admin               tanadmin
(END)

Verify that the LDAP query returns a specific user

This menu is available only after you have configured a connection to an LDAP server.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.
Enter V to go to the Verify User/Group menu.
Enter U to verify a user.
Follow the prompts to enter a user name to verify.

Verify that the LDAP query returns a specific group

This menu is available only after you have configured a connection to an LDAP server.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.
Enter V to go to the Verify User/Group menu.
Enter G to verify a group.
Follow the prompts to enter a group name to verify.

Export the LDAP configuration for use on another TanOS appliance

This menu is available only after you have configured a connection to an LDAP server.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.
Enter E to export the LDAP configuration.

The exported configuration is stored as ldapauth.conf in the /outgoing directory.

Import an LDAP configuration that was exported from another TanOS appliance

Use SFTP to copy the ldapauth.conf file to the /incoming directory of the TanOS appliance where you want to import the configuration.
Sign in to the TanOS console on the TanOS appliance where you want to import the configuration as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.
Enter I to import the LDAP configuration.

Enable or disable LDAP authentication

After you complete the configuration for an LDAP connection and TanOS successfully connects to the Active Directory or LDAP server, LDAP authentication is automatically enabled for the appliance. You can disable or re-enable LDAP authentication with the configuration still in place.

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.
Enter A to go to the AD/LDAP TanOS Authentication menu.
Enter C to go to the Configure AD/LDAP TanOS Authentication menu.

Enter E to go to the Enable/Disable menu.

View screen

------------------------------------------------------

>>> User Management -> AD/LDAP TanOS Auth -> Enable/Disable <<< 

 To enable this setting a valid CA certificate must be present, the
 required configuration must be completed, and at least one role mapping
 must exist. Toggling this setting will re-generate the system files used
 for AD/LDAP authentication and restart the System Security Service Daemon.

 WARNING: Disabling could logoff any AD/LDAP users!

 AD/LDAP Authentication: True

          E: Enable AD/LDAP Authentication
          D: Disable AD/LDAP Authentication

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter D to disable LDAP authentication, or enter E to enable LDAP authentication.

If you disable LDAP authentication, TanOS might close sessions for any users who are signed on with user names authenticated with LDAP.

Configure the local authentication service

You can use the local authentication service to set up Tanium Console user accounts for demo or testing purposes.

For production use, configure the Tanium Console to use an external LDAP server to authenticate Tanium users. For information about using LDAP for Tanium users, see Tanium Console User Guide: Integrating with LDAP servers.

If you use the local authentication service together with LDAP integration, you must use the following user filter in the LDAP configuration:

(&(objectClass=person)(uidNumber>=20000))
The Local Authentication Service menu is available only after you install the Tanium Server on the appliance.

Add a local user

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter L to go to the Local Tanium User Management menu.

View screen

  ------------------------------------------------------

>>> Appliance User Administration -> Local Tanium User Management <<< 

 Local Users can be used for Tanium application authentication.

          1: Add Local User
          2: Manage Local User(s)

          A: Enable/Disable Local Authentication Service
          B: Security Policy Local Authentication Service

          R: Return to previous menu  RR: Return to top

  ------------------------------------------------------

Enter 1 and follow the prompts to add a local user.

View screen

>>> Appliance User Administration -> Local Authentication -> Add Local User <<< 

 Adding a local user requires first name, last name and a user name.

 Attention: 
 Please assign the new user appropriate roles and rights in the Tanium application!

 Please enter first name: John
 Please enter last name: Doe
 Please enter desired user name (max 20 chars): john.doe


 The password policy requires meeting these rules:
  - Minimum 10 characters long
  - At least 1 upper case character
  - At least 1 lower case character
  - At least 1 numeric character
  - At least 1 other character
  - Must not be based on a dictionary word
  - Must not contain part of the username

 Please enter password (will not be displayed): 
 Password score: 50 out of 100 (strong)
 Please enter password again: 

 Successfully added user John Doe (username: john.doe) to the local authentication service.
 Press enter to continue

Sign in to the Tanium Console as an administrator, create a user with the same user name, and assign roles to it. For details, see Tanium Console User Guide: Managing users.

Set a user password

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter L to go to the Local Tanium User Management menu.

View screen

  ------------------------------------------------------

>>> Appliance User Administration -> Local Tanium User Management <<< 

 Local Users can be used for Tanium application authentication.

          1: Add Local User
          2: Manage Local User(s)

          A: Enable/Disable Local Authentication Service
          B: Security Policy Local Authentication Service

          R: Return to previous menu  RR: Return to top

  ------------------------------------------------------

Enter 2 to go to the Manage Local Users menu.

View screen

  ------------------------------------------------------

>>> Appliance User Administration -> Tanium Users <<< 


   The following local users currently exist:

          #: User ID                Locked   Expired  User Name

          1: tanldap                NO       NO       tanldap tanldap 
          2: tanium                 NO       NO       tanium tanium 

          R: Return to previous menu  RR: Return to top

  ------------------------------------------------------

Enter the user line number to go to the User menu.

View screen

 ------------------------------------------------------

>>> User Administration -> Tanium Users -> tanldap <<< 

  UserID:         tanldap 
  Name:           tanldap tanldap 
  Lock Time:      n/a 
  Expiry Time:    n/a 

          1: Delete User
          2: Set Password

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter 2 and follow the prompts to set the user password.

View screen

 ------------------------------------------------------

>>> User Administration -> Tanium Users -> tanldap <<< 

  UserID:         tanldap 
  Name:           tanldap tanldap 
  Lock Time:      n/a 
  Expiry Time:    n/a 

          1: Delete User
          2: Set Password

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

 TanOS Version:        1.7.4
 TanOS_Shell Version:  1.7.4

 Please select: 2

 Setting new password for tanldap


 The password policy requires meeting these rules:
  - Minimum 10 characters long
  - At least 1 upper case character
  - At least 1 lower case character
  - At least 1 numeric character
  - At least 1 other character
  - Must not be based on a dictionary word
  - Must not contain part of the username

 Please enter password (will not be displayed):

Delete a user

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter L to go to the Local Tanium User Management menu.

View screen

  ------------------------------------------------------

>>> Appliance User Administration -> Local Tanium User Management <<< 

 Local Users can be used for Tanium application authentication.

          1: Add Local User
          2: Manage Local User(s)

          A: Enable/Disable Local Authentication Service
          B: Security Policy Local Authentication Service

          R: Return to previous menu  RR: Return to top

  ------------------------------------------------------

Enter 2 to go to the Manage Local Users menu.

View screen

  ------------------------------------------------------

>>> Appliance User Administration -> Tanium Users <<< 


   The following local users currently exist:

          #: User ID                Locked   Expired  User Name

          1: tanldap                NO       NO       tanldap tanldap 
          2: tanium                 NO       NO       tanium tanium 

          R: Return to previous menu  RR: Return to top

  ------------------------------------------------------

Enter the user line number to go to the User menu.

View screen

 ------------------------------------------------------

>>> User Administration -> Tanium Users -> tanldap <<< 

  UserID:         tanldap 
  Name:           tanldap tanldap 
  Lock Time:      n/a 
  Expiry Time:    n/a 

          1: Delete User
          2: Set Password

          R: Return to previous menu  RR: Return to top

 ------------------------------------------------------

Enter 1 and follow the prompts to delete the user.

Disable the local authentication service

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter L to go to the Local Tanium User Management menu.

View screen

  ------------------------------------------------------

>>> Appliance User Administration -> Local Tanium User Management <<< 

 Local Users can be used for Tanium application authentication.

          1: Add Local User
          2: Manage Local User(s)

          A: Enable/Disable Local Authentication Service
          B: Security Policy Local Authentication Service

          R: Return to previous menu  RR: Return to top

  ------------------------------------------------------

Enter A and follow the prompts to enable or disable the local authentication service.

View screen

>>> User Administration -> Enable/Disable Local Authentication <<< 

 Current status of the Local Authentication Service:
 Enabled 
 Active 

 Warning: make sure that you have configured the Tanium application to use an 
 external authentication service prior to disabling the local authentication service!

 Would you like to disable the Local Authentication Service? [Yes|No]: yes
 
 Disabling Local Authentication Service

 Local Authentication Service has been disabled.
 Press enter to continue

Although the Tanium Console contains a soap_enable_local_auth platform setting to disable local authentication, that setting is not supported for Tanium Appliance installations.

Modify the local authentication service security policy

The local authentication service security policy has the following default settings.

Setting	Factory Default	Description
Password Minimum Age (days)	1	The minimum number of days between password changes. A value of 0 indicates the password can be changed at any time. Valid range is 0-20.
Password Maximum Age (days)	90	The age at which a current password expires. A value of 0 indicates the password does not expire. Valid range is 0-360.
Password Minimum Length	10	The minimum number of characters allowed in a password. Valid range is 0-30.
Password History	5	The number of most recent passwords that a user cannot reuse. A setting of 0 allows reuse of any previous passwords. Valid range is 0-10.
Password Lockout	True	True locks out a user with an expired password. False forces the user to change the password.
Password Maximum Failure	5	The number of failed attempts before a user is locked out. A setting of 0 allows unlimited failed attempts. Valid range is 0-10.

To modify the default settings:

Sign in to the TanOS console as a user with the tanadmin role.
Enter C to go to the User Administration menu.

Enter L to go to the Local Tanium User Management menu.

View screen

  ------------------------------------------------------

>>> Appliance User Administration -> Local Tanium User Management <<< 

 Local Users can be used for Tanium application authentication.

          1: Add Local User
          2: Manage Local User(s)

          A: Enable/Disable Local Authentication Service
          B: Security Policy Local Authentication Service

          R: Return to previous menu  RR: Return to top

  ------------------------------------------------------

Enter B to go to the Security Policy Local Authentication Service menu.

View screen

 ------------------------------------------------------
>>> User Security Policy for Local Authentication Service <<< 

 Current Security Policy:

 Password Minimum Age (days):   1
 Password Maximum Age (days):   90
 Password Minimum Length:       10
 Password History:              5
 Password Lockout:              TRUE
 Password Maximum Failure:      5

 Would you like to change the security policy? [Yes|No]:

Follow the prompts to modify the settings.