Tanium™ Core Platform Deployment Reference Guide
Version: All
December 09, 2021
© 2021 Tanium Inc. All Rights Reserved Page 2
The information in this document is subject to change without notice. Further, the information provided in this document is provided “as
is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s
customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall
Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits
or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility
of such damages.
Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network
topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses
in illustrative content is unintentional and coincidental.
Please visit https://docs.tanium.com for the most current Tanium product documentation.
This documentation may provide access to or information about content, products (including hardware and software), and services
provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not
responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will
not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set
forth otherwise in an applicable agreement between you and Tanium.
Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third
Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused
by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium
products is appropriate and will not cause infringement of any third party intellectual property rights.
Tanium is committed to the highest accessibility standards for our products. To date, Tanium has focused on compliance with U.S.
Federal regulations - specifically Section 508 of the Rehabilitation Act of 1998. Tanium has conducted 3rd party accessibility
assessments over the course of product development for many years and has most recently completed certification against the WCAG
2.1 / VPAT 2.3 standards for all major product modules in summer 2021. In the recent testing the Tanium Console UI achieved supports
or partially supports for all applicable WCAG 2.1 criteria. Tanium can make available any VPAT reports on a module-by-module basis as
part of a larger solution planning process for any customer or prospect.
As new products and features are continuously delivered, Tanium will conduct testing to identify potential gaps in compliance with
accessibility guidelines. Tanium is committed to making best efforts to address any gaps quickly, as is feasible, given the severity of the
issue and scope of the changes. These objectives are factored into the ongoing delivery schedule of features and releases with our
existing resources.
Tanium welcomes customer input on making solutions accessible based on your Tanium modules and assistive technology
requirements. Accessibility requirements are important to the Tanium customer community and we are committed to prioritizing these
compliance efforts as part of our overall product roadmap. Tanium maintains transparency on our progress and milestones and
welcomes any further questions or discussion around this work. Contact your sales representative, email Tanium Support at
[email protected], or email [email protected] to make further inquiries.
Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their
respective owners.
© 2021 Tanium Inc. All rights reserved.
Table of contents
Tanium deployment overview 10
Client OS product support 11
Host system security exclusions 13
Tanium Core Platform folders 13
Tanium Core Platform system processes 14
Tanium binary file signer 15
Tanium solution folders 15
Tanium solution processes 15
API Gateway 17
Asset 17
Blob 18
Client Management 18
Comply 20
Connect 22
Deploy 22
Direct Connect 24
Discover 26
Endpoint Configuration 29
End-User Notifications 30
Enforce 31
Health Check 32
Impact 33
Integrity Monitor 33
Map 35
Patch 36
Performance 38
RDB service 40
Reporting 40
Reputation 40
Reveal 41
Risk 43
System User service 44
Threat Response 44
Trends 78
Tanium network ports 79
Tanium Appliance 79
Windows 81
Tanium Client 83
Tanium Core Platform port use details 83
Tanium Server 83
Inbound (Tanium Client to Tanium Server) 84
Rule summary 84
Details 84
Inbound (Tanium Console) 84
Rule summary 84
Details 84
Outbound (Tanium Server to Database Server) 84
Rule summary 84
Details 84
Outbound (Tanium Server to Module Server) 84
Rule summary 84
Details 84
Outbound (Tanium Server to Internet) 84
Rule summary 84
Details 85
Inbound/Outbound (active-active deployment) 85
Rule summary 85
Details 85
Tanium Module Server 85
Inbound (Tanium Server to Module Server) 85
Rule summary 85
Details 85
Outbound (Module Server to Internet) 85
Rule summary 85
Details 85
Outbound (solutions services to Tanium Server) 86
Rule summary 86
Details 86
Tanium Zone Server Hub 86
Outbound (Tanium Zone Server Hub to Zone Server) 86
Rule summary 86
Details 86
Tanium Zone Server 86
Inbound (Tanium Client to Zone Server) 86
Rule summary 86
Details 86
Inbound (Tanium Zone Server Hub to Zone Server) 87
Rule summary 87
Details 87
Tanium Client 87
Inbound/Outbound (Tanium Client to Client) 87
Rule summary 87
Details 87
Outbound (Tanium Client to Zone Server) 87
Rule summary 87
Details 87
Solution-specific port requirements 87
Internet URLs required 89
Securing Tanium Console, API, and Module Server access 90
Overview 90
Tanium Console and API 90
Module Server communication 91
SSL/TLS connection processes and setup tasks 92
CA-issued certificates 94
Certificate requirements 95
Example: Create a CSR and private key with OpenSSL 99
Tanium Appliance: Replace certificates 101
Obtain the new certificate and key 101
Install the new certificate and key 102
Re-register the remote Module Server with each Tanium Server 102
Windows: Replace certificates 103
Obtain the new certificate and key 103
Update the Tanium Server certificate and key files 104
Update the Tanium Server certificate and key files in a standalone (non-HA) deployment 104
Update the Tanium Server certificate and key files in an active-active deployment 104
Update the Module Server certificates and key files 106
Securing Tanium Server, Zone Server, and Tanium Client access 107
Overview of TLS in the Tanium Core Platform 107
Tanium Appliance: Set up TLS 110
Tanium Server 110
Tanium Zone Server 110
Configuration overview 110
File transfer methods 111
Add required SSH keys 111
Step 1: Generate a CSR 112
Step 2: Issue the Certificate 112
Step 3: Install the certificate and configure TLS settings 113
Windows: Set up TLS 113
Tanium Server 113
Configure TLS for outgoing connections 113
Require TLS for Incoming Connections 114
Version 7.4 or later 114
Version 7.3 or earlier 114
Regenerate the TLS certificate and key 114
Tanium Zone Server 115
Tanium Client: Configure TLS 118
Verify the TLS connections 120
Update the TLS configuration when you make changes to key pair 120
Tanium Core Platform settings 122
Tanium Appliance 122
Edit server settings 122
Tanium Server 123
Tanium Server TDownloader 125
Tanium Module Server 126
Module Server TDownloader 127
Tanium Zone Server 128
Windows 129
Tanium Server 130
Tanium Module Server 134
TDownloader 136
Zone Server 137
Proxy server settings 140
Types of proxy servers 140
TDownloader user context 141
Configure proxy settings with the Tanium Console 141
Tanium Appliance: Configure proxy settings 141
Windows: Configure proxy settings 143
Smart card authentication 146
Deployment requirements 146
Create a certificate 146
Extract the certificates 147
Create a new certificate file 150
Tanium Appliance: Configure CAC 151
Step 1: Install the certificate 151
Step 2: Add the required Tanium Server configuration settings 151
Windows: Configure CAC 155
Step 1: Copy the certificate to the Tanium Server installation directory 155
Step 2: Add Windows registry keys on Tanium Server host 155
Troubleshoot smart card authentication 159
Command-line interface 161
Tanium Appliance 161
Windows 161
Examples 162
Display help 162
Display config help 163
Example: List configuration settings 163
Example: Set configuration values 164
Example: Set configuration values 164
Example: Register the Module Server with the Tanium Server 165
Example: Configure global settings 166
Example: Add an admin user 166
Logs 168
Overview 168
Tanium Appliance 168
Windows 169
Action scheduler logs 169
Authentication logs 169
Database upgrade logs 169
HTTP connection logs 169
Installation logs 169
LDAP logs 170
Module plugin history logs 170
Package cache cleaner logs 170
PKI logs 170
RBAC logs 170
Server logs 171
Tanium Data Service logs 171
TDownloader logs 171
Rollover for Tanium Core Platform logs 171
Create a custom log 172
Create a custom log on the Appliance 175
Create a custom log on a platform server or client for Windows 176
Create a custom log on Tanium Client for macOS 176
Create a custom log on Tanium Client for Linux, Solaris, or AIX 176
Export Commodity Classification 178
Change log 179
Tanium deployment overview
This guide describes reference information for the Tanium™ Core Platform and Tanium™ Clients. You can deploy the platform on any
of the following infrastructure types:
Tanium™ Appliance
The hardened physical or virtual Tanium Appliance is designed for the low-latency and high-throughput needs of the Tanium
Core Platform. For additional deployment information and procedures, see the Tanium Appliance Installation Guide.
Windows deployment
You can deploy the Tanium Core Platform servers on customer-provided Windows Server hardware. For additional
deployment information and procedures, see the Tanium Core Platform Deployment Guide for Windows.
Tanium™ as a Service (recommended)
You can deploy the Tanium Core Platform as a cloud-based service with no customer-provided infrastructure. For additional
deployment information and procedures, see the Tanium as a Service User Guide.
The Tanium Core Platform in an Appliance or Windows deployment includes the following server types:
- Tanium™ Server
- Tanium™ Module Server
- Tanium™ Zone Server
For additional information about these servers, see the Tanium Core Platform Deployment Guide for Windows: Overview.
For deployment information and additional reference information relating to the Tanium Client, see the Tanium Client Management
User Guide.
Client OS product support
Table 1 indicates the operating systems (OSs) that Tanium modules and shared services support for performing operations on
managed endpoints (Tanium Client host systems). To see detailed information about Tanium Client support for a particular module
or service, click the link in the Product column to go to the corresponding user guide. The table uses the following icons:
- (full-support icon): Full support
- (partial-support icon): Partial support (click the Product link or contact Tanium Support at [email protected] for details)
- (no-support icon): No support
Client OS support does not apply to the following Tanium modules and shared services because they are server-side
solutions: API Gateway, Connect, Console, Health Check, Interact, Reputation, and Trends.
Tanium’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice
at Tanium’s sole discretion. Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision. Information about potential future
products may not be incorporated into any contract. The information mentioned regarding potential future
products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. The
development, release, and timing of any future features or functionality described for our products remains at our
sole discretion.
Table 1: Tanium Client OS product support
Product | Windows | macOS | Linux | Solaris and AIX
Tanium Client | | | |
Asset | | | |
Client Management | | | |
Comply | | | |
Deploy | | | |
Discover | | | |
Endpoint Configuration | | | |
End-User Notifications | | | |
Enforce | | | |
Impact | | | |
Integrity Monitor | | | |
Map | | | |
Patch | | | |
Performance | | | |
Reveal | | | |
Risk | | | |
Threat Response | | | |
(The per-OS support icons in the table cells were not preserved in this text version; the Product links in the online guide carry the details.)
Host system security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, a security administrator must
create exclusions to allow the Tanium processes to run without interference. Typically, this means configuring the security software
to exclude the installation directories of the Tanium Client and (for Windows deployments) Tanium Core Platform servers from
real-time inspection. Configuring trusted exclusions also typically involves setting a policy to ignore input and output from Tanium
binaries. The configuration of these exclusions varies depending on AV software.
Tanium Core Platform servers do not require host system security exclusions in a Tanium Appliance deployment.
Tanium Clients on all operating systems (OSs) require host system security exclusions.
Tanium Core Platform folders
The following table lists Tanium Core Platform folders that antivirus and other host-based security applications must exclude from
real-time scans. Include subfolders of these locations when you create the exception rules. The listed folder paths are the defaults. If
you changed the folder locations to non-default paths, create rules based on the actual locations.
Target Device | OS | Installation folder
Tanium Server ¹ | Windows 64-bit | \Program Files\Tanium\Tanium Server
Tanium Module Server | Windows 64-bit | \Program Files\Tanium\Tanium Module Server
Tanium Module Server | Windows 64-bit | \Program Files\Tanium\Tanium Module Postgres
Tanium Zone Server, Zone Server Hub | Windows 64-bit | \Program Files (x86)\Tanium\Tanium ZoneServer
Tanium Client endpoints ² | Windows 32-bit | \Program Files\Tanium\Tanium Client
Tanium Client endpoints ² | Windows 64-bit | \Program Files (x86)\Tanium\Tanium Client
Tanium Client endpoints ² | macOS | /Library/Tanium/TaniumClient
Tanium Client endpoints ² | Linux, Solaris, AIX | /opt/Tanium/TaniumClient
¹ You might also have to exclude the Tanium Server Downloads directory if it was moved out of the installation directory using the instructions
in the KB article Relocate Downloads Directory.
² For additional folder exclusions that are required during Tanium Client installation, see Tanium Client Management User Guide: Security
exclusions for Client Management.
Table 1: Security exclusions for Tanium Core Platform folders
Tanium Core Platform system processes
The following table lists Tanium Core Platform system processes that must be allowed (not blocked, quarantined, or otherwise
processed). The variables such as <Module Server> indicate the installation folder of the platform servers and Tanium Client.
Target Device | OS | Process
Tanium Server | Windows | <Tanium Server>\TaniumReceiver.exe
Tanium Module Server | Windows | <Module Server>\services\comply-service\_new_\src\utils\7z\7za.exe
Tanium Module Server | Windows | <Module Server>\plugins\console\lib\7za.exe
Tanium Module Server | Windows | <Module Server>\TaniumModuleServer.exe
Tanium Module Server | Windows | <Module Server>\temp\content-management\ContentManagement.exe
Tanium Module Server | Windows | <Module Server>\services\tanium-data-service\TaniumDataService.exe
Tanium Zone Server, Zone Server Hub | Windows | <Zone Server>\TaniumZoneServer.exe
Tanium Zone Server, Zone Server Hub | Windows | <Zone Server Hub>\TaniumZoneServer.exe
Tanium Client endpoints | Windows, macOS, Linux | <Tanium Client>/Tools/StdUtils folder, or all the files that it contains, including:
  - 7za.exe (Windows only)
  - runasuser.exe (Windows only)
  - runasuser64.exe (Windows only)
  - TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux)
  - TaniumFileInfo.exe (Windows only)
  - TPowerShell.exe (Windows only)
  - distribute-tools.sh (macOS, Linux only)
Tanium Client endpoints | Windows | <Tanium Client>\TaniumClient.exe
Tanium Client endpoints | Windows | <Tanium Client>\TaniumCX.exe
Tanium Client endpoints | macOS, Linux, Solaris, AIX | <Tanium Client>/TaniumClient
Tanium Client endpoints | macOS, Linux, Solaris, AIX | <Tanium Client>/taniumclient
Tanium Client endpoints | macOS, Linux, Solaris, AIX | <Tanium Client>/TaniumCX
Table 1: Security exclusions for Tanium Core Platform processes
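One way to apply the folder and process exclusions from the two tables above on a Windows host that runs Microsoft Defender Antivirus. This is an added example, not a script from the Tanium guide or from Tanium; the choice of Defender, the role names, and the -WhatIf support are assumptions of the example, and the paths are the defaults documented above, so adjust them if the installation was relocated. Solution-specific processes from the later tables can be appended to the same lists.

```powershell
# Added example (not from the Tanium guide): register Microsoft Defender Antivirus
# exclusions for the default Tanium folders and processes documented above.
# Run in an elevated session on the host being configured. Use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed role names for this example; each maps to rows of the tables above.
    [ValidateSet('TaniumServer', 'ModuleServer', 'ZoneServer', 'Client')]
    [string]$Role = 'Client'
)

$pf   = ${env:ProgramFiles}
$pf86 = ${env:ProgramFiles(x86)}

# Defender path exclusions cover subfolders, which is what the folder table asks for.
switch ($Role) {
    'TaniumServer' {
        $paths = @("$pf\Tanium\Tanium Server")
        $procs = @("$pf\Tanium\Tanium Server\TaniumReceiver.exe")
    }
    'ModuleServer' {
        $paths = @("$pf\Tanium\Tanium Module Server", "$pf\Tanium\Tanium Module Postgres")
        $procs = @("$pf\Tanium\Tanium Module Server\TaniumModuleServer.exe",
                   "$pf\Tanium\Tanium Module Server\services\tanium-data-service\TaniumDataService.exe")
    }
    'ZoneServer' {
        $paths = @("$pf86\Tanium\Tanium ZoneServer")
        $procs = @("$pf86\Tanium\Tanium ZoneServer\TaniumZoneServer.exe")
    }
    'Client' {
        # The client lands under Program Files on 32-bit Windows and under
        # Program Files (x86) on 64-bit Windows, as the folder table shows.
        $client = if ([Environment]::Is64BitOperatingSystem) { "$pf86\Tanium\Tanium Client" }
                  else { "$pf\Tanium\Tanium Client" }
        $paths = @($client)
        $procs = @("$client\TaniumClient.exe", "$client\TaniumCX.exe",
                   "$client\Tools\StdUtils\TaniumExecWrapper.exe")
    }
}

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Folder not found, skipping (relocated install?): $p"
        continue
    }
    if ($PSCmdlet.ShouldProcess($p, 'Add Defender path exclusion')) {
        Add-MpPreference -ExclusionPath $p
    }
}
foreach ($e in $procs) {
    if ($PSCmdlet.ShouldProcess($e, 'Add Defender process exclusion')) {
        Add-MpPreference -ExclusionProcess $e
    }
}

# Verify against the effective preference set rather than trusting the calls succeeded.
$pref = Get-MpPreference
$paths | ForEach-Object { [pscustomobject]@{ Type = 'Path';    Exclusion = $_; Present = ($pref.ExclusionPath    -contains $_) } }
$procs | ForEach-Object { [pscustomobject]@{ Type = 'Process'; Exclusion = $_; Present = ($pref.ExclusionProcess -contains $_) } }
```

The verification step matters because an exclusion that silently failed to register leaves the client exposed to the interference the section describes; the Present column should read True for every row before the host is considered done.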
- If you use Microsoft Group Policy Objects (GPO) or other central management tools to manage host firewalls,
you might need to create rules to allow inbound and outbound TCP traffic across port 17472 on any
managed endpoints, including the Tanium Server.
- If running McAfee Host Intrusion Prevention System (HIPS), mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, per McAfee KB71704.
- The Tanium Client on Windows uses the Windows Update offline scan file, Wsusscn2.cab, to assess
computers for installed or missing OS and application security patches. If your endpoint security solutions
scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact
appropriately with the Wsusscn2.cab file.
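An added example (not from the Tanium guide) of creating and verifying the host firewall rules the first note above calls for, using Windows Defender Firewall on a Tanium Client endpoint. The rule names and group label are assumptions of this example; the program path is the default 64-bit Windows client location from the folder table, and for a Tanium Server the same script applies with $Program pointed at TaniumReceiver.exe in the server folder.

```powershell
# Added example (not from the Tanium guide): allow Tanium peer traffic on TCP 17472,
# scoped to the Tanium Client binary rather than opening the port for every process.
# Run in an elevated session.
param(
    [int]$Port = 17472,
    # Assumed rule group label for this example, used to find the rules again later.
    [string]$Group = 'Tanium Client (example)',
    # Default 64-bit Windows client path from the folder table; adjust for 32-bit or relocated installs.
    [string]$Program = "${env:ProgramFiles(x86)}\Tanium\Tanium Client\TaniumClient.exe"
)

if (-not (Test-Path -LiteralPath $Program)) {
    throw "Client binary not found at $Program; set -Program to the actual install location."
}

$rules = @(
    @{ Name = "Tanium Client peer inbound (TCP $Port)";  Direction = 'Inbound'  },
    @{ Name = "Tanium Client peer outbound (TCP $Port)"; Direction = 'Outbound' }
)

foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule already exists: $($r.Name)"
        continue
    }
    # Inbound: peers connect to our local port. Outbound: we connect to the peer's port.
    $portParam = if ($r.Direction -eq 'Inbound') { @{ LocalPort = $Port } } else { @{ RemotePort = $Port } }
    New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction $r.Direction `
        -Protocol TCP -Program $Program -Action Allow -Profile Any @portParam | Out-Null
}

# Verify by reading back the rules with their resolved port and program filters.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $appFilter  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Enabled    = $_.Enabled
        LocalPort  = $portFilter.LocalPort
        RemotePort = $portFilter.RemotePort
        Program    = $appFilter.Program
    }
}
```

Binding the rules to the program path keeps the allowed surface to the Tanium Client itself; if GPO later overwrites local rules, the read-back at the end is the quick way to confirm whether the rules survived.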
Tanium binary file signer
Some security products base exclusion rules on file signers. Tanium uses an extended validation (EV) code-signing certificate with
the following signers for the Tanium-generated binary files of Tanium Core Platform servers, Tanium Clients, and Tanium solutions
(modules and shared services). Tanium also uses this certificate to sign VBS and PS1 files within action packages:
Operating system | Signer
Windows | Files are signed by: Subject: jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=4332270, C=US, ST=CA, L=Emeryville, O=Tanium Inc., CN=Tanium Inc.
macOS | The following Apple developer ID is used to sign and notarize files: Tanium Inc. (TZTPM3VTUU)
Table 2: Tanium binary file signers
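When a security product keys its exclusions on the signer rather than on paths, it is worth confirming that the binaries in the Tanium folder actually carry a valid Authenticode signature from the subject in Table 2 before trusting that rule. The following is an added example, not from the Tanium guide or from Tanium; the folder default is the 64-bit Windows client path from the folder table, and the subject fragments it matches are taken from the Windows row above.

```powershell
# Added example (not from the Tanium guide): report Tanium files whose Authenticode
# signature is missing, invalid, or not from the documented Tanium Inc. signer.
# Useful both for validating signer-based exclusion rules and as a tamper check.
param(
    # Default 64-bit Windows client path from the folder table; adjust as needed.
    [string]$Folder = "${env:ProgramFiles(x86)}\Tanium\Tanium Client",
    [switch]$OnlyFailures
)

# Distinguished-name fragments from the documented signer subject (Table 2).
$expectedCN = 'CN=Tanium Inc.'
$expectedO  = 'O=Tanium Inc.'

# Signed file types named in the section: platform binaries plus VBS/PS1 action scripts.
$results = Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll, *.ps1, *.vbs |
    ForEach-Object {
        # Get-AuthenticodeSignature also validates the chain to a trusted root;
        # Status reports Valid, NotSigned, HashMismatch, NotTrusted, and so on.
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $signerOk = ($sig.Status -eq 'Valid') -and
                    ($subject -like "*$expectedCN*") -and
                    ($subject -like "*$expectedO*")
        [pscustomobject]@{
            File     = $_.FullName
            Status   = $sig.Status
            SignerOK = $signerOk
            Subject  = $subject
        }
    }

if ($OnlyFailures) { $results = $results | Where-Object { -not $_.SignerOK } }
$results | Format-Table -AutoSize

# Summary line so the result is readable at a glance in a console or job log.
$failed = @($results | Where-Object { -not $_.SignerOK }).Count
Write-Host ("Checked {0} file(s); {1} failed the signer check." -f @($results).Count, $failed)
```

A HashMismatch on a file that should be Tanium-signed is the case a defender most wants to see surfaced, since it means the on-disk bytes no longer match what Tanium signed; a NotSigned result is expected for data files but not for the executables and scripts this filter selects.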
Tanium solution folders
As a rule, Tanium solutions are installed in subdirectories of the Tanium Module Server installation directory. This facilitates any
exclusion rules you must create: simply exclude the Module Server installation directory and its subdirectories. This requirement
applies only to a Module Server installed on Windows infrastructure.
Tanium solution processes
The following sections list additional processes on the Module Server (Windows infrastructure only) and Tanium Client (all OSs) that
you must configure as exclusions in security software to enable Tanium modules and shared services to work.
The following sections use variables (such as <Module Server>) to indicate the installation folder of a Tanium Core
Platform server or the Tanium Client.
- API Gateway on page 17
- Asset on page 17
- Blob on page 18
- Client Management on page 18
- Comply on page 20
- Connect on page 22
- Deploy on page 22
- Direct Connect on page 24
- Discover on page 26
- Endpoint Configuration on page 29
- End-User Notifications on page 30
- Enforce on page 31
- Health Check on page 32
- Impact on page 33
- Integrity Monitor on page 33
- Map on page 35
- Patch on page 36
- Performance on page 38
- RDB service on page 40
- Reporting on page 40
- Reputation on page 40
- Reveal on page 41
- Risk on page 43
- System User service on page 44
- Threat Response on page 44
- Trends on page 78
API Gateway
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\gateway-service\TaniumGatewayService.exe
API Gateway security exclusions
Asset
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\asset-service\node.exe
Module Server | | Process | <Module Server>\services\asset-service\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe
Module Server | | Process | <Module Server>\services\asset-service\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | For integration with Flexera | Process | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
Windows endpoints | | Process | <Tanium Client>\Tools\Asset\TaniumFileEvidence.exe
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
macOS endpoints | For integration with Flexera | Process | <Tanium Client>/Tools/EPI/TaniumEndpointIndex
macOS endpoints | | Process | <Tanium Client>/Tools/Asset/TaniumFileEvidence
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig
Linux endpoints | For integration with Flexera | Process | <Tanium Client>/Tools/EPI/TaniumEndpointIndex
Linux endpoints | | Process | <Tanium Client>/Tools/Asset/TaniumFileEvidence
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig
Asset security exclusions
Blob
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\blob-service\TaniumBlobService.exe
Blob service security exclusions
Client Management
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\client-management-service\node.exe
Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe
Windows x86 endpoints | During client installation | Process | \Program Files\Tanium\TaniumClientBootstrap.exe
Windows x86 endpoints | During client installation | Process | \Program Files\Tanium\SetupClient.exe
Windows x86 endpoints | During client installation | Process | <Tanium Client>\SetupClient.exe
Windows x86 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows x86 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x86 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll
Windows x86 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x86 endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows x64 endpoints | During client installation | Process | \Program Files (x86)\Tanium\TaniumClientBootstrap.exe
Windows x64 endpoints | During client installation | Process | \Program Files (x86)\Tanium\SetupClient.exe
Windows x64 endpoints | During client installation | Process | <Tanium Client>\SetupClient.exe
Windows x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll
Windows x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x64 endpoints | | Process | <Tanium Client>\TaniumCX.exe
macOS endpoints | During client installation | Process | /Library/Tanium/TaniumClientBootstrap
macOS endpoints | During client installation | Process | /Library/Tanium/SetupClient
macOS endpoints | During client installation | Process | <Tanium Client>/SetupClient
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | | Process | <Tanium Client>/TaniumCX
Linux endpoints | During client installation | Process | /opt/Tanium/TaniumClientBootstrap
Linux endpoints | During client installation | Process | /opt/Tanium/SetupClient
Linux endpoints | During client installation | Process | <Tanium Client>/SetupClient
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | | Process | <Tanium Client>/TaniumCX
Solaris and AIX endpoints | During client installation | Process | /opt/Tanium/TaniumClientBootstrap
Solaris and AIX endpoints | During client installation | Process | /opt/Tanium/SetupClient
Solaris and AIX endpoints | During client installation | Process | <Tanium Client>/SetupClient
Table 3: Client Management security exclusions
Comply
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\comply-service\node.exe
Module Server | | Process | <Module Server>\services\comply-service\node_modules\ovalindex\build\bin\ovalindex.exe
Windows endpoints | | Process | <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe
Windows endpoints | Environments where Java encryption is disabled | Process | <Tanium Client>\Tools\Comply\jre\bin\java.exe
Windows endpoints | Environments where Java encryption is enabled | Process | <Tanium Client>\Downloads\Action_*\jre\bin\java.exe
Windows endpoints | | Process | <Tanium Client>\Tools\Comply\7za.exe
Linux/macOS/AIX endpoints | | Process | <Tanium Client>/Tools/Comply/TaniumExecWrapper
Linux/macOS/AIX endpoints | Environments where Java encryption is disabled | Process | <Tanium Client>/Tools/Comply/jre/bin/java
Linux/macOS/AIX endpoints | Environments where Java encryption is enabled | Process | <Tanium Client>/Downloads/Action_*/jre/bin/java
Linux/macOS/AIX endpoints | | Process | <Tanium Client>/Tools/Comply/7za
Linux/macOS/AIX endpoints | | Process | <Tanium Client>/Tools/Comply/xsltproc
 | Tanium scan engine | Process | <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar
 | CIS-CAT engine | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar
 | CIS-CAT engine, Linux only | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh
 | CIS-CAT engine, Windows only | Process | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT
SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc.exe
SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc32.exe
SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\cscc64.exe
SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc.exe
SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc32.exe
SCC engine - Windows endpoints | | Process | <Tanium Client>\Tools\Comply\scc\scc64.exe
SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/cscc
SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/cscc.bin
SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/scc
SCC engine - Linux/macOS endpoints | | Process | <Tanium Client>/Tools/Comply/scc/scc.bin
Comply security exclusions
Connect
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\connect-service\node.exe
Connect security exclusions
Deploy
For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For
more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently
supported versions of Windows (KB822158).
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\deploy-service\node.exe
Module Server | Required when Endpoint Configuration is installed | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | Required only for the Microsoft Windows 10 Upgrade packages | Folder | C:\Deploy\Tanium
Windows endpoints | | Process | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows endpoints | | Process | <Tanium Client>\Tools\Deploy\7za.exe
Windows endpoints | | Process | <Tanium Client>\Tools\SoftwareManagement\7za.exe
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
Windows endpoints | | Folder | %programdata%\Tanium
Linux endpoints | | Process | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/pybin
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux endpoints | | Process | <Tanium Client>/TaniumCX
Linux endpoints | | Process | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db
Linux endpoints | | Process | <Tanium Client>/Tools/SoftwareManagement/data/software-management.db-wal
Linux endpoints | | Process | <Tanium Client>/Tools/SoftwareManagement/data/software-management.dc-shm
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig
macOS endpoints | | Process | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/pybin
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS endpoints | | Process | <Tanium Client>/TaniumCX
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig
Deploy security exclusions
Direct Connect
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Zone Server | | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
Windows endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows endpoints | 7.2.x clients; requires SHA2 support to allow installation | Process | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.4.x clients; requires SHA2 support to allow installation | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
macOS endpoints | | Process | <Tanium Client>/TaniumCX
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
Linux endpoints | | Process | <Tanium Client>/TaniumCX
Direct Connect security exclusions
Discover

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\discover-service\node.exe
Module Server | | Process | <Module Server>\plugins\content\discover-proxy\proxyplugin.exe
Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows endpoints | Distributed level 3, distributed level 4, and satellite profiles only | Folder | C:\Program Files\Npcap
Windows endpoints | Distributed level 3, distributed level 4, and satellite profiles only | Process | <Tanium Client>\Tools\Discover\nmap\nmap.exe
Windows endpoints | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDEC.dll
Windows endpoints | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows endpoints | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDiscover.dll
Windows endpoints | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDiscover.dll.sig
Windows endpoints | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumExtras.dll
Windows endpoints | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumExtrasDiscover.dll.sig
Windows endpoints | 7.2.x clients (1) | Process | <Tanium Client>\python27\TPython.exe
Windows endpoints | 7.4.x clients (1) | Process | <Tanium Client>\python38\TPython.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\python38
Linux endpoints | | Process | <Tanium Client>/TaniumCX
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | Distributed level 3, distributed level 4, and satellite profiles only | Process | <Tanium Client>/Tools/Discover/nmap/nmap
Linux endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.so
Linux endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.so.sig
Linux endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.so
Linux endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.so.sig
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS endpoints | | Process | <Tanium Client>/TaniumCX
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | Distributed level 3, distributed level 4, and satellite profiles only | Process | <Tanium Client>/Tools/Discover/nmap/nmap
macOS endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.dylib
macOS endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.dylib.sig
macOS endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.dylib
macOS endpoints | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.dylib.sig
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
1 = TPython requires SHA2 support to allow installation.
Discover security exclusions
Endpoint Configuration

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Endpoint Configuration security exclusions
End-User Notifications

Target device | Notes | Exclusion type | Exclusion
Module Server | Required when Endpoint Configuration is installed | Process | <Module Server>\temp\endpoint-configuration-service\TaniumEndpointConfigService.exe
Module Server | | Process | <Module Server>\services\end-user-notifications-service\node.exe
Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe
Windows endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 64-bit OS versions | Process | %programfiles(x86)%\Tanium\Tanium End User Notification Tools\UserSessionProxy.exe
Windows endpoints | 32-bit OS versions | Process | %programfiles%\Tanium\Tanium End User Notification Tools\UserSessionProxy.exe
Windows endpoints | 64-bit OS versions | Process | %programfiles(x86)%\Tanium\Tanium End User Notification Tools\bin\end-user-notifications.exe
Windows endpoints | 32-bit OS versions | Process | %programfiles%\Tanium\Tanium End User Notification Tools\bin\end-user-notifications.exe
Windows endpoints | Exclude from on-access or real-time scans (64-bit OS versions) | Folder | %programfiles(x86)%\Tanium\Tanium End User Notification Tools
Windows endpoints | Exclude from on-access or real-time scans (32-bit OS versions) | Folder | %programfiles%\Tanium\Tanium End User Notification Tools
Windows endpoints | | Folder | %programdata%\Tanium
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
macOS endpoints | | Process | /Library/Tanium/EndUserNotifications/bin/end-user-notifications.app
macOS endpoints | | Folder | /Library/Tanium/EndUserNotifications
End-User Notifications security exclusions
Enforce

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\enforce-service\node.exe
Windows x86 endpoints | | File | %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
Windows x86 endpoints | | Process | <Tanium Client>\Tools\StdUtils\7za.exe
Windows x86 endpoints | | Process | <Tanium Client>\Tools\Enforce\devcon32.exe
Windows x86 endpoints | | Process | <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe
Windows x86 endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe
Windows x86 endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows x86 endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows x86 endpoints | | Process | <Tanium Client>\TaniumClient.exe
Windows x86 endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows x64 endpoints | | File | %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
Windows x64 endpoints | | Process | <Tanium Client>\Tools\StdUtils\7za.exe
Windows x64 endpoints | | Process | <Tanium Client>\Tools\Enforce\devcon64.exe
Windows x64 endpoints | | Process | <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe
Windows x64 endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe
Windows x64 endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows x64 endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows x64 endpoints | | Process | <Tanium Client>\TaniumClient.exe
Windows x64 endpoints | | Process | <Tanium Client>\TaniumCX.exe
macOS and Linux x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
macOS and Linux x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
macOS and Linux x86 and x64 endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS and Linux x86 and x64 endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
macOS and Linux x86 and x64 endpoints | | Process | <Tanium Client>/TaniumClient
macOS and Linux x86 and x64 endpoints | | Process | <Tanium Client>/TaniumCX
Enforce security exclusions
Health Check

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\health-service\node.exe
Module Server | | Process | <Module Server>\services\health-service\twsm.exe
Health Check security exclusions
Impact

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\impact-service\TaniumImpactService.exe
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | | Folder | <Tanium Client>\Python38
Impact security exclusions
Integrity Monitor

Target device | Notes | Exclusion type | Exclusion
Tanium Module Server | | Process | <Module Server>\services\integrity-monitor-service\node.exe
Tanium Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Tanium Zone Server | | Process | <Zone Server>\proxy\node.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IM\TaniumExecWrapper.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumRecorder.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumRecorder.dll.sig
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\proc.bin
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\recorder.db
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\recorder.db-shm
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\recorder.db-wal
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\core\libTaniumPythonCx.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig
Windows x86 and x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe
Windows x86 and x64 endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows x86 and x64 endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows x86 and x64 endpoints | | Process | <Tanium Client>\TaniumCX.exe
Linux x86 and x64 endpoints | | Process | <Tanium Client>/TaniumAuditPipe
Linux x86 and x64 endpoints | | Process | <Tanium Client>/Tools/Trace/recorder
Linux x86 and x64 endpoints | | Process | <Tanium Client>/Tools/EPI/TaniumEndpointIndex
Linux x86 and x64 endpoints | | Process | <Tanium Client>/Tools/EPI/TaniumExecWrapper
Linux x86 and x64 endpoints | | Process | <Tanium Client>/Tools/IM/TaniumExecWrapper
Linux x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
Linux x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
Linux x86 and x64 endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux x86 and x64 endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/proc.bin
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db-shm
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db-wal
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.auditpipe
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/TaniumCX
Integrity Monitor security exclusions
Map

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\map-service\node.exe
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Module Server | | Process | <Module Server>\services\map-service\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe
Module Server | | Process | <Module Server>\services\map-service\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe
Windows endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
macOS endpoints | | Process | <Tanium Client>/TaniumCX
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux endpoints | | Process | <Tanium Client>/TaniumCX
Map security exclusions
Patch

For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows (KB822158).

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\patch-service\node.exe
Module Server | Required when Endpoint Configuration is installed | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tanium-patch.min.vbs
Windows endpoints | | Process | <Tanium Client>\Patch\scans\Wsusscn2.cab
Windows endpoints | | Process | <Tanium Client>\Patch\tools\active-user-sessions.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumFileInfo.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
Windows endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.2.x clients | Folder | <Tanium Client>\Python27
Windows endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | | Process | <Tanium Client>\Tools\Patch\7za.exe
Windows endpoints | | Process | <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
Windows endpoints | Exclude from on-access or real-time scans | Folder | <Tanium Client>
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux endpoints | | Process | <Tanium Client>/Tools/Patch/TaniumExecWrapper
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS endpoints | | Process | <Tanium Client>/Tools/Patch/TaniumExecWrapper
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig
Patch security exclusions
Performance

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\performance-service\node.exe
Module Server | | Process | <Module Server>\services\event-service\twsm.exe
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows (x86 and x64) endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows (x86 and x64) endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows (x86 and x64) endpoints | | Process | <Tanium Client>\extensions\TaniumPerformance.dll
Windows (x86 and x64) endpoints | | Process | <Tanium Client>\extensions\TaniumPerformance.dll.sig
Windows (x86 and x64) endpoints | | Process | <Tanium Client>\Tools\Performance\TaniumTSDB.exe
Windows (x86 and x64) endpoints | 7.2.x clients (1) | Process | <Tanium Client>\Python27\TPython.exe
Windows (x86 and x64) endpoints | 7.4.x clients (1) | Process | <Tanium Client>\Python38\TPython.exe
Windows (x86 and x64) endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows (x86 and x64) endpoints | | Process | <Tanium Client>\TaniumCX.exe
Linux (x86 and x64) endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so
Linux (x86 and x64) endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux (x86 and x64) endpoints | | Process | <Tanium Client>/extensions/libTaniumPerformance.so
Linux (x86 and x64) endpoints | | Process | <Tanium Client>/extensions/libTaniumPerformance.so.sig
Linux (x86 and x64) endpoints | | Process | <Tanium Client>/Tools/Performance/TaniumTSDB
Linux (x86 and x64) endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
Linux (x86 and x64) endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
Linux (x86 and x64) endpoints | | Process | <Tanium Client>/TaniumCX
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumPerformance.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumPerformance.dylib.sig
macOS endpoints | | Process | <Tanium Client>/Tools/Performance/TaniumTSDB
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
macOS endpoints | | Process | <Tanium Client>/TaniumCX
1 = TPython requires SHA2 support to allow installation.
Performance security exclusions
RDB service

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\rdb-service\TaniumRdbService.exe
RDB service security exclusions

Reporting

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\reporting-service\TaniumReportingService.exe
Reporting security exclusions

Reputation

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\reputation-service\node.exe
Reputation security exclusions
Reveal

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\reveal-service\node.exe
Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumReveal.dll
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumReveal.dll.sig
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumIndex.dll
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumIndex.dll.sig
Windows endpoints | | Process | <Tanium Client>\extensions\core\TaniumPythonCx.dll
Windows endpoints | | Process | <Tanium Client>\extensions\core\TaniumPythonCx.dll.sig
Windows endpoints | 7.2.x clients (1) | Process | <Tanium Client>\python27\TPython.exe
Windows endpoints | 7.4.x clients (1) | Process | <Tanium Client>\python38\TPython.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\python38
Linux endpoints | | Process | <Tanium Client>/TaniumCX
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumReveal.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumReveal.so.sig
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.so
Linux endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.so.sig
Linux endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so
Linux endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS endpoints | | Process | <Tanium Client>/TaniumCX
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumReveal.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumReveal.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
1 = TPython requires SHA2 support to allow installation.
Reveal security exclusions
Risk

Target device | Notes | Exclusion type | Exclusion
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | | Process | <Tanium Client>\extensions\TaniumRisk.dll
Linux endpoints | | Process | <Tanium Client>/TaniumCX
Linux endpoints | | Process | <Tanium Client>/libTaniumRisk.so
macOS endpoints | | Process | <Tanium Client>/TaniumCX
macOS endpoints | | Process | <Tanium Client>/libTaniumRisk.dylib
Risk security exclusions
System User service

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\system-user-service\TaniumSystemUserService.exe
System User service security exclusions
Threat Response

Target device | Notes | Exclusion type | Exclusion
Tanium Module Server | | Process | <Module Server>\services\detect3-service\node.exe
Tanium Module Server | | Process | <Module Server>\services\detect3-service\twsm.exe
Tanium Module Server | | Process | <Module Server>\services\event-service\node.exe
Tanium Module Server | | Process | <Module Server>\services\event-service\twsm.exe
Tanium Module Server | | Process | <Module Server>\services\threat-response-service\node.exe
Tanium Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe
Tanium Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Tanium Zone Server | | Process | <Zone Server>\proxy\node.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IR\TanFileInfo.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IR\TaniumFileInfo.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IR\TaniumHandle.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IR\TaniumListModules.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumIndex.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumIndex.dll.sig
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumRecorder.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumRecorder.dll.sig
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\SupportCX.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\SupportCX.dll.sig
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\proc.bin
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\recorder.db
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\recorder.db-shm
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\recorder\recorder.db-wal
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumThreatResponse.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumThreatResponse.dll.sig
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\core\TaniumPythonCx.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\core\TaniumPythonCx.dll.sig
Windows x86 and x64 endpoints | | Folder | <Tanium Client>\extensions\stream
Windows x86 and x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows x86 and x64 endpoints | (1) | Process | <Tanium Client>\Downloads\Action_*\TaniumFileTransfer.exe
Windows x86 and x64 endpoints | (1) | Process | <Tanium Client>\Downloads\Action_*\Winpmem.gb414603.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
Windows x86 and x64 endpoints | 7.2.x clients (3) | Process | <Tanium Client>\Python27\TPython.exe
Windows x86 and x64 endpoints | 7.4.x clients (3) | Process | <Tanium Client>\Python38\TPython.exe
Windows x86 and x64 endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows x86 and x64 endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll
Windows x86 and x64 endpoints | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows x86 and x64 endpoints | | Process | C:\Windows\System32\drivers\TaniumRecorderDrv.sys
Linux x86 and x64 endpoints | | Process | <Tanium Client>/TaniumAuditPipe
Linux x86 and x64 endpoints | | Process | <Tanium Client>/TaniumCX
Linux x86 and x64 endpoints | | Process | <Tanium Client>/Tools/EPI/TaniumExecWrapper
Linux x86 and x64 endpoints | | Process | <Tanium Client>/Tools/IR/TaniumExecWrapper
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/Tools/Detect3/TaniumDetectEngine
Linux x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
Linux x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
Linux x86 and x64 endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux x86 and x64 endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/libSupportCX.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/libSupportCX.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumRecorder.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumRecorder.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/proc.bin
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db-shm
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db-wal
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.auditpipe
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so
Linux x86 and x64 endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux x86 and x64 endpoints | | Folder | <Tanium Client>/extensions/stream
Linux x86 and x64 endpoints | (1, 2) | Process | <Tanium Client>/Downloads/Action_*/surge-collect
Linux x86 and x64 endpoints | (1, 2) | File | <Tanium Client>/Downloads/Action_*/surge.dat
Linux x86 and x64 endpoints | (1) | Process | <Tanium Client>/Downloads/Action_*/linpmem-*.bin
Linux x86 and x64 endpoints | (1) | Process | <Tanium Client>/Downloads/Action_*/taniumfiletransfer
macOS endpoints | | Process | <Tanium Client>/TaniumCX
macOS endpoints | | Process | <Tanium Client>/Tools/EPI/TaniumExecWrapper
macOS endpoints | | Process | <Tanium Client>/Tools/IR/TaniumExecWrapper
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib.sig
macOS endpoints | | Process | <Tanium Client>/Tools/Detect3/TaniumDetectEngine
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumRecorder.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumRecorder.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/recorder/proc.bin
macOS endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db
macOS endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db-shm
macOS endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.db-wal
macOS endpoints | | Process | <Tanium Client>/extensions/recorder/recorder.auditpipe
macOS endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig
macOS endpoints | | Folder | <Tanium Client>/extensions/stream
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | | Process | <Tanium Client>/extensions/libSupportCX.dylib
macOS endpoints | | Process | <Tanium Client>/extensions/libSupportCX.dylib.sig
macOS endpoints | (1, 2) | Process | <Tanium Client>/Downloads/Action_*/surge-collect
macOS endpoints | (1, 2) | File | <Tanium Client>/Downloads/Action_*/surge.dat
macOS endpoints | (1) | Process | <Tanium Client>/Downloads/Action_*/osxpmem.app/osxpmem
macOS endpoints | (1) | Process | <Tanium Client>/Downloads/Action_*/taniumfiletransfer
1 = Where * corresponds to the action ID or the version of linpmem.
2 = Exception is required if Volexity Surge is used for memory collection.
3 = TPython requires SHA2 support to allow installation.
Threat Response security exclusions
Trends

Target device | Notes | Exclusion type | Exclusion
Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe
Module Server | | Process | <Module Server>\services\trends\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe
Module Server | | Process | <Module Server>\services\trends\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe
Trends security exclusions
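The tables above list what to exclude but not how to apply the rows safely. The following PowerShell is an added example, not part of the Tanium guide, that applies a handful of the Windows endpoint rows (Enforce, Patch) to Microsoft Defender Antivirus. It assumes Defender is the endpoint engine, an elevated session, and the install path given in the param block (adjust it for 64-bit client builds or custom locations); the rows chosen are illustrative, and the Downloads\Action_* wildcard rows from Threat Response are left out because wildcard semantics differ between engines. Before excluding anything it checks that the file exists and, for executables and DLLs, that the Authenticode signature is valid, so a missing or tampered binary is reported instead of silently whitelisted. Because a Defender process exclusion only applies to a running executable, rows of type Process that name a DLL, .sig or data file are mapped to path exclusions instead. Finally it reads Get-MpPreference back to confirm what actually took effect.

```powershell
<#
  Added example (not from the Tanium guide): apply selected Windows endpoint
  exclusions to Microsoft Defender Antivirus after verifying the binaries.
  Assumptions: Defender AV, elevated session, install path as below.
#>
param(
    # Assumed install path; adjust for your deployment.
    [string]$TaniumClient = "${env:ProgramFiles(x86)}\Tanium\Tanium Client"
)

# Rows copied from the Enforce and Patch tables (7.4.x client), placeholder intact.
$rows = @(
    @{ Type = 'Process'; Path = '<Tanium Client>\TaniumClient.exe' },
    @{ Type = 'Process'; Path = '<Tanium Client>\TaniumCX.exe' },
    @{ Type = 'Process'; Path = '<Tanium Client>\Python38\TPython.exe' },
    @{ Type = 'Process'; Path = '<Tanium Client>\Tools\Patch\TaniumExecWrapper.exe' },
    @{ Type = 'Process'; Path = '<Tanium Client>\extensions\TaniumSoftwareManager.dll' },
    @{ Type = 'Process'; Path = '<Tanium Client>\extensions\TaniumSoftwareManager.dll.sig' },
    @{ Type = 'Folder';  Path = '<Tanium Client>\Python38' }
)

function Resolve-TaniumPath {
    param([string]$Path)
    # String.Replace is literal, so backslashes are not treated as regex syntax.
    return $Path.Replace('<Tanium Client>', $TaniumClient)
}

function Test-ExclusionCandidate {
    # Describes one row: resolved path, the Defender exclusion kind to use,
    # and whether it is safe to exclude (present and, for PE files, validly signed).
    param([string]$Type, [string]$Path)
    $full   = Resolve-TaniumPath $Path
    $exists = Test-Path -LiteralPath $full
    $isPe   = $full -match '\.(exe|dll)$'
    $signed = $false
    $signer = $null
    if ($exists -and $isPe) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $full
        $signed = ($sig.Status -eq 'Valid')
        $signer = $sig.SignerCertificate.Subject
    }
    # Defender process exclusions name an executable image; everything else
    # (DLL, .sig, data file, folder) becomes a path exclusion.
    $kind = if ($Type -eq 'Process' -and $full -match '\.exe$') { 'Process' } else { 'Path' }
    [pscustomobject]@{
        Exclusion = $full; Kind = $kind; Exists = $exists
        Signed = $signed; Signer = $signer
        Ok = ($exists -and ((-not $isPe) -or $signed))
    }
}

$results = $rows | ForEach-Object { Test-ExclusionCandidate -Type $_.Type -Path $_.Path }
$results | Format-Table Kind, Exists, Signed, Ok, Exclusion -AutoSize

# Report, rather than exclude, anything missing or not validly signed.
$results | Where-Object { -not $_.Ok } | ForEach-Object {
    Write-Warning "Skipping $($_.Exclusion): exists=$($_.Exists) signed=$($_.Signed)"
}

$proc = @($results | Where-Object { $_.Ok -and $_.Kind -eq 'Process' } | Select-Object -ExpandProperty Exclusion)
$path = @($results | Where-Object { $_.Ok -and $_.Kind -eq 'Path' }    | Select-Object -ExpandProperty Exclusion)
if ($proc.Count -gt 0) { Add-MpPreference -ExclusionProcess $proc }
if ($path.Count -gt 0) { Add-MpPreference -ExclusionPath    $path }

# Read back what Defender holds. Policy-managed preferences (GPO/Intune)
# override local changes, so an entry missing here must be applied via policy.
$pref    = Get-MpPreference
$missing = @($proc | Where-Object { $pref.ExclusionProcess -notcontains $_ }) +
           @($path | Where-Object { $pref.ExclusionPath    -notcontains $_ })
if ($missing.Count -gt 0) { Write-Warning "Not applied: $($missing -join '; ')" }
else { Write-Output "All $($proc.Count + $path.Count) exclusions present." }
```

Every exclusion is a gap in coverage, so keep the list to the rows for the modules you actually deploy, prefer process and file rows over the broad folder rows (such as the whole <Tanium Client> folder in the Patch table) where your engine performs acceptably without them, and re-run the signature check after client upgrades.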
Tanium network ports

Network port requirements for Tanium Core Platform servers depend on whether you have a Tanium Appliance (page 79) or Windows (page 81) deployment. The Tanium Client (page 83) has its own port requirements. For details about the requirements for each port, see Tanium Core Platform port use details on page 83.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Tanium Appliance

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication.

Source | Destination | Port | Protocol | Purpose
Tanium Clients | Tanium Server | 17472 | TCP | Client communication with the Tanium Server
Tanium Server | Tanium Server | 17472, 443, 8443 | TCP | Tanium Server cluster communication
Tanium Module Server | Tanium Server | 443, 8443 | TCP | Tanium Module Server communication to the Tanium Server
Console users | Tanium Server | 443, 8443 | TCP | Tanium Console communication with the Tanium Server
Tanium Server | Tanium Module Server | 17477 | TCP | Tanium Module Server communication from Tanium Server
Tanium Zone Server Hub | Tanium Zone Server | 17472 | TCP | Tanium Zone Server Hub communication with the Tanium Zone Servers
Tanium Server, Module Server | External servers | 443, 80 | TCP | Tanium Server or Module Server communication with external servers such as content.tanium.com
Network communication ports used by Tanium components
In addition, the installation and management of the appliance requires communication over common network service ports. The
following table shows the default ports for these services.
Source | Destination | Port | Protocol | Purpose
Tanium Servers, Tanium Module Servers | DNS servers | 53 | UDP, TCP | DNS resolution for Tanium Servers and Tanium Module Servers
Tanium Servers | Tanium Servers | Not applicable | IPsec ESP | Protocol for data confidentiality and authentication in Tanium Server cluster communications
Tanium Module Servers | Tanium Module Servers | Not applicable | IPsec ESP | Protocol for data confidentiality and authentication during Tanium Module Server synchronization
Tanium Servers | Tanium Servers | 500, 4500 | UDP | IPsec IKE for setting up a secure channel in Tanium Server cluster communications
Tanium Module Servers | Tanium Module Servers | 500, 4500 | UDP | IPsec IKE for setting up a secure channel during Tanium Module Server synchronization
Tanium Servers | LDAP servers | 389, 636 | TCP | (Optional) External LDAP communications for Tanium authentication
All Tanium Appliances | NTP servers | 123 | UDP | NTP time synchronization
Tanium Servers | All Tanium Appliances | 22 | TCP | SSH, SCP, SFTP communication for appliance array management
Tanium administrator workstations | All Tanium Appliances | 22 | TCP | SSH, SCP, SFTP communication for appliance management
SNMP servers | Tanium Appliances | 161 | UDP | (Optional) SNMP monitoring
Tanium Appliances | Syslog servers | 514 | TCP, UDP | (Optional) Syslog monitoring
Tanium administrator workstations | Tanium Appliances | 443, 5900 | TCP | (Physical appliances only) iDRAC communications (1)
Tanium Console user workstations/browsers | content.tanium.com, update.microsoft.com, *.digicert.com | 80, 443 | TCP | Download and install solutions to the Tanium Core Platform
(1) These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different
from the TanOS network interfaces. See the Tanium Appliance Deployment Guide: Configure the iDRAC interface.
Appliance network service ports
The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Appliance
infrastructure.
Figure 1: Network communication ports
For more information about the port requirements of specific Tanium modules and shared services, see
Solution-specific port requirements.
Windows
The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication:
Source | Destination | Port | Protocol | Purpose
Tanium Server, Module Server | External servers | 443, 80 | TCP | Tanium Server (TaniumReceiver.exe) or Module Server (TaniumModuleServer.exe) communication with external servers such as content.tanium.com
Tanium Server | Tanium Server | 443, 17472 | TCP | Communication between active-active Tanium Servers
Tanium Server | Module Server | 17477 | TCP | Tanium Server communication with the Module Server
Module Server | Tanium Server | 443 | TCP | Tanium Module Server communication with the Tanium Server
Tanium Server | Tanium database | 1433, 5432 | TCP | Tanium Server communication with the Tanium database: SQL Server (Sqlservr.exe) or PostgreSQL server (postgres.exe)
Zone Server Hub | Zone Server* | 17472 | TCP | Zone Server Hub (TaniumZoneServer.exe) communication with the Zone Server (TaniumZoneServer.exe)
Tanium Clients | Tanium Clients, Tanium Server, Zone Server* | 17472 | TCP | Communication between Tanium Clients (TaniumClient.exe); communication between the clients and the Tanium Server or Zone Server
Console/API users | Tanium Server | 443 | TCP | Tanium Console/API user workstation (browser) communication with the Tanium Server
Console/API users | External servers | 443, 80 | TCP | Tanium Console/API user workstation (browser) communication with external servers such as content.tanium.com
* To improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients. For
the steps, see Tanium Core Platform Deployment Guide for Windows: Configure ports for traffic from Zone Server Hubs and
Tanium Clients.
Network communication ports used by Tanium components
The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Windows
infrastructure:
Figure 2: Network communication ports
Tanium Client
You can use the Tanium™ Client Management module to deploy any version of the Tanium Client. For the ports that Client
Management requires for communication, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.
Tanium Core Platform port use details
The following sections list details about ports that Tanium Core Platform components use, and indicate the default ports.
To change the default ports for platform servers, see Tanium Core Platform settings on page 122. To change the
default ports for Tanium Clients, see Tanium Client Management User Guide: Network connectivity, ports, and
firewalls.
Tanium Server
The Tanium Server acts as the central hub of communication in the Tanium environment. The server receives traffic that Tanium
Clients and the Tanium Console initiate. The server initiates connections to the Tanium database server as well as any Zone Servers.
INBOUND (TANIUM CLIENT TO TANIUM SERVER)
Rule summary
Allow traffic to TCP port 17472 on the Tanium Server from any endpoint to be managed on the internal network.
Details
The communication flow between Tanium Clients and the Tanium Server is counter-intuitive. For example, when you ask a question
through the Tanium Console, instead of the server initiating connections to clients, it is leader clients in each linear chain that
initiate connections to the Tanium Server. See Tanium Client Management User Guide: Client peering.
All Tanium Clients initiate connections to the Tanium Server when they register. During registration, each Client reports information
about itself to the server and receives configuration updates, such as changes to peer lists, from the server.
INBOUND (TANIUM CONSOLE)
Rule summary
Allow traffic from trusted hosts to TCP port 443 on the Tanium Server. An example of a trusted host is a system on a management
subnet address that is used for Tanium Console access.
Details
For security, TCP and SOAP communication to the Tanium Server is TLS-encrypted, so the Tanium Server installer configures the
server to listen for TCP and SOAP requests on port 443. If another installed application is listening on port 443, you can designate a
different port.
OUTBOUND (TANIUM SERVER TO DATABASE SERVER)
Rule summary
Allow traffic from the Tanium Server on TCP port 1433 or 5432 to the Tanium database server.
Details
The Tanium Server initiates connections to the Tanium database server on port 1433 (SQL Server) or 5432 (PostgreSQL).
OUTBOUND (TANIUM SERVER TO MODULE SERVER)
Rule summary
Allow traffic from the Tanium Server to TCP port 17477 on the Module Server.
Details
The Tanium Server initiates connections to the Module Server on port 17477.
OUTBOUND (TANIUM SERVER TO INTERNET)
Rule summary
Allow traffic from the Tanium Server to TCP destination ports 80 and 443 on the Internet.
Using port 443 is a security best practice because traffic on that port is encrypted through Hypertext Transfer
Protocol Secure (HTTPS) protocol.
Details
The Tanium Server initiates connections to https://content.tanium.com and http://*.digicert.com when importing
updates to Tanium Core Platform components and solutions. The server might also initiate connections to other Internet sites such
as https://update.microsoft.com for other operations. For details, see Internet URLs required on page 89.
INBOUND/OUTBOUND (ACTIVE-ACTIVE DEPLOYMENT)
Rule summary
Allow traffic between Tanium Servers in an active-active cluster on TCP port 17472.
Details
Any active-active cluster member might initiate a connection to the other member. Package files that are uploaded to one member
are synchronized to the other. In addition, each member passes Tanium messages, such as question answers, to the other cluster
member.
Tanium Module Server
INBOUND (TANIUM SERVER TO MODULE SERVER)
Rule summary
Allow traffic from the Tanium Server to TCP port 17477 on the Module Server.
Details
Check the documentation for the particular Tanium solutions that you plan to use to see whether they require additional inbound
ports. See Solution-specific port requirements on page 87.
OUTBOUND (MODULE SERVER TO INTERNET)
Rule summary
Allow traffic from the Module Server to destination TCP ports 80 and 443 on the Internet.
Using port 443 is a security best practice because traffic on that port is encrypted through the HTTPS protocol.
Details
The Module Server does not initiate connections. However, when a solution is imported, the Module Server might need to connect to
Tanium and other Internet locations to download required content, and the installed solution services might initiate connections.
Check the documentation for the particular solutions that you plan to use to see if they require additional outbound ports. See
Solution-specific port requirements on page 87.
OUTBOUND (SOLUTIONS SERVICES TO TANIUM SERVER)
Rule summary
Allow traffic from the Module Server to the following destination TCP ports on the Tanium Server:
• 443: Windows and Appliance deployments
• 8443: Appliance deployments only
Details
The Module Server does not initiate connections. However, a solution on the Module Server might initiate a connection to the
Tanium Server.
Tanium Zone Server Hub
OUTBOUND (TANIUM ZONE SERVER HUB TO ZONE SERVER)
Rule summary
Allow traffic from the Zone Server Hub to the destination TCP port 17472 on DMZ machines that host the Zone Servers. In an
Appliance deployment, the hub is always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually
installed on the Tanium Server host but can also be installed on a dedicated host.
Details
If you are using the Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on
the core network, then the Zone Server Hub must be able to connect to the Zone Servers in the DMZ. In Tanium Core Platform 7.3 or
earlier, the ZoneServerList.txt configuration file in the hub installation folder identifies the addresses of the destination Zone
Servers. In later releases, the hub-to-Zone Server mappings determine the destination Zone Servers: see Tanium Console User
Guide: Managing Zone Servers and hubs.
Tanium Zone Server
INBOUND (TANIUM CLIENT TO ZONE SERVER)
Rule summary
Allow traffic from any computer on the Internet to TCP port 17472 on the Zone Servers in the DMZ.
Details
Tanium Clients initiate connections to a Zone Server as if it were a Tanium Server.
INBOUND (TANIUM ZONE SERVER HUB TO ZONE SERVER)
Rule summary
Allow traffic from the Zone Server Hub to TCP port 17472 on the Zone Servers in the DMZ. In an Appliance deployment, the hub is
always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually installed on the Tanium Server host
but can also be installed on a dedicated host.
Details
If you are using the Tanium Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium
Server on the core network, then the Tanium Zone Server Hub must be able to connect to the Zone Servers in the DMZ.
Tanium Client
INBOUND/OUTBOUND (TANIUM CLIENT TO CLIENT)
Rule summary
Allow traffic between Tanium Client peers on the TCP listening port 17472.
Details
In addition to the client-to-server TCP communication that occurs on port 17472, Tanium Clients also communicate with their peers
on port 17472. The default client peering settings ensure that clients form linear chains only within the boundaries of local area
networks (LANs). Therefore, you must allow bi-directional TCP communication on the listening port between clients that are in the
same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For details on client peering
settings, see Tanium Client Management User Guide: Configuring Tanium Client peering.
OUTBOUND (TANIUM CLIENT TO ZONE SERVER)
Rule summary
Allow traffic from any endpoint on the Internet to TCP port 17472 on the Zone Servers in the DMZ.
Details
In deployments with a Zone Server, a Tanium Client might connect to a Zone Server instead of a Tanium Server. The communication
requirements for these clients are identical to the Tanium Server-to-Tanium Client requirements.
Solution-specific port requirements
To see additional port requirements that are specific to Tanium™ modules and shared services, click the following links to access the
associated user guides:
• API Gateway
• Asset
• Client Management
• Comply: No additional port requirements
• Connect
• Deploy
• Direct Connect
• Discover
• Endpoint Configuration
• End-User Notifications
• Enforce
• Health Check
• Impact
• Integrity Monitor: No additional port requirements
• Interact: No additional port requirements
• Map: No additional port requirements
• Patch: No additional port requirements
• Performance
• Reputation
• Reveal
• Risk
• Threat Response
• Trends
Internet URLs required
During initial deployment and ongoing operations, the Tanium Server and the web browser that you use to access the Tanium
Console must be able to connect to https://content.tanium.com to import updates to Tanium Core Platform components
and modules.
The Tanium Server might need to connect to additional locations, based on the components you import. The following table lists
URLs that the Tanium Server accesses:
Import type | Components | URLs
Any | Any (both the Tanium Server and the browser that you use to access the Tanium Console must connect to these URLs) | https://content.tanium.com; (Tanium Appliance only) https://download.tanium.com, which is required for Tanium Server upgrades; http://*.digicert.com, because module imports fail if the Certificate Revocation List is blocked or inaccessible
Content | Tanium™ Asset module | See Tanium Asset User Guide: Internet URLs.
Content | Tanium™ Deploy module | See Tanium Deploy User Guide: Internet URLs.
Content | Tanium™ Discover module | See Tanium Discover User Guide: Internet URLs.
Content | Tanium™ Enforce module | See Tanium Enforce User Guide: Internet URLs.
Content | Tanium™ Health Check shared service | See Tanium Health Check User Guide: Internet URLs.
Content | Tanium™ Patch module | See Tanium Patch User Guide: Internet URLs.
Content | Tanium™ Reputation shared service | See Tanium Reputation User Guide: Internet URLs.
Table 4: Internet URLs that the Tanium Server accesses
If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so
that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.
If your enterprise security policy does not allow the Tanium Server to access these locations directly, you can use proxy servers. See
Proxy server settings on page 140.
You must also enable Tanium Clients to download files from Internet URLs to run certain sensors and packages. For
details, see Tanium Console User Guide: Managing allowed URLs.
Securing Tanium Console, API, and Module Server access
Overview
Tanium user and module operations require connections to the Tanium Servers, Module Server, and Tanium module services. The
Tanium Core Platform uses SSL/TLS certificates and keys to secure connections to the Tanium Server and Module Server (illustrated
in Figure 4). For example, when you use Tanium™ Patch to deploy patches to endpoints, the Tanium Core Platform establishes
connections in the following order:
1. User system (browser or CLI) to the Tanium Server (Tanium Console or API)
2. Tanium Server to Tanium Module Server
3. Module Server to Patch service
4. Patch service to Tanium Server
The Tanium Server and Module Server installers generate self-signed certificates. You can replace these with certificates issued by a
commercial certificate authority (CA) or your enterprise CA. As a best practice to facilitate troubleshooting, use the self-signed
certificates during initial installation and replace them with CA-issued certificates later. This practice enables you to separate
potential installation issues from TLS connection issues. Using a CA-issued certificate is highly recommended for Tanium Console
and API access but is optional for communication between the Tanium Server and Module Server.
Tanium Console and API access require user authentication through sign-in credentials; that authentication is separate from
securing the TLS connection and is not what secures it.
For details about the Tanium™ Protocol that secures communication among the Tanium Servers, Zone Server, Zone
Server Hub, and Tanium Clients, see Securing Tanium Server, Zone Server, and Tanium Client access on page 107.
To manage the keys that the Tanium Protocol uses, see Tanium Console User Guide: Managing Tanium keys.
To install the Tanium Server or Module Server, see Tanium Appliance Deployment Guide or Tanium Core Platform
Deployment Guide for Windows.
Tanium Console and API
Users access the Tanium Console or API on the Tanium Server to perform Tanium operations such as issuing questions or deploying
actions. The console and API communicate over Hypertext Transfer Protocol Secure (HTTPS), which uses SSL/TLS certificates and
keys to secure client-server connections. When a user accesses the Tanium Console or API, the user system is the client and the
Tanium Server is the server. To secure the connection, the Tanium Server presents its SOAPServer.crt certificate to prove its
identity to the client and uses its SOAPServer.key private key to complete the TLS handshake. For console or API access, clients
do not have to prove their identity to secure the connection. Figure 4 illustrates these processes.
When you install the Tanium Server on a Tanium Appliance, it generates a self-signed SOAPServer.crt certificate. When you
install the Tanium Server on a Windows server, you can choose between a self-signed certificate or (if one is available) a CA-issued
certificate. If you use a self-signed certificate, users see a certificate validation error when they access the Tanium Console or API.
The error occurs because the CA certificates on the user system cannot validate the self-signed certificate. The following figure
shows an example of such an error when users try to connect from a browser to the Tanium Console.
Figure 3: Certificate validation error
Even though browsers provide the option to access the Tanium Console despite the error, avoiding that option is a security best
practice. Therefore, Tanium highly recommends that you replace the self-signed SOAPServer.crt certificate with a CA-issued
certificate. If the Tanium Server is currently using a self-signed certificate, you can replace it at any time.
Module Server communication
When users use the Tanium Console or API to work with Tanium modules, the Tanium Server communicates with the Tanium
Module Server, the Module Server accesses the Tanium module services that it hosts (such as Patch), and the module services
communicate back with the Tanium Server (see Figure 4).
The Tanium Server and Module Server communicate over HTTPS, and both servers must prove their identities through certificates.
The Tanium Server presents SOAPServer.crt to prove its identity, while the Module Server presents ssl.crt. The servers use
the associated private keys (SOAPServer.key and ssl.key) to complete the TLS handshake that secures the connection. To
verify the Tanium Server identity, the Module Server checks that its trusted.crt file contains the SOAPServer.crt that the
Tanium Server presented. In an active-active deployment, trusted.crt must contain the SOAPServer.crt of both Tanium
Servers. Tanium Servers also verify the Module Server identity by checking that their trusted-module-servers.crt file
contains the ssl.crt that the Module Server presented. The Module Server registration process generates trusted.crt on the
Module Server and trusted-module-servers.crt on the Tanium Server. The Module Server installation process generates
ssl.crt.
The Module Server opens a single HTTPS listener to route requests from the Tanium Server to Tanium module services, which listen
only on localhost. TLS termination occurs on the Module Server, which forwards the requests locally over non-TLS connections from
the HTTPS listener to the appropriate module service.
Module services connect to the Tanium Server over TLS and verify that the certificate that the Tanium Server presented during the
TLS handshake is included in the trusted.crt file on the Module Server. Because module services use the same API as Tanium
Console users, client certificate validation is not enforced.
Optionally, you can use CA-issued certificates to replace the server-generated, self-signed SOAPServer.crt and ssl.crt
certificates, but not the trusted.crt and trusted-module-servers.crt files. If you replace SOAPServer.crt or
ssl.crt, you must re-register the Module Server with the Tanium Server to regenerate the trusted.crt and
trusted-module-servers.crt files.
The following table summarizes the certificates and keys that the Tanium Core Platform uses for connections to the Module Server:
Location | File name | Purpose
Module Server | ssl.crt, ssl.key | HTTPS certificate and private key that the Module Server presents to secure incoming connections from the Tanium Server or outgoing connections to Tanium services.
Module Server | trusted.crt | Contains the SOAPServer.crt of the Tanium Servers with which the Module Server has registered. The Module Server uses trusted.crt to validate Tanium Server certificates.
Tanium Server | SOAPServer.crt, SOAPServer.key | HTTPS certificate and private key that the Tanium Server presents to secure outgoing connections to the Module Server or incoming connections from the systems of Tanium Console users or Tanium API users.
Tanium Server | trusted-module-servers.crt (Tanium Core Platform 7.2 or later) | Contains the ssl.crt of the Module Server that has registered with the Tanium Server. The Tanium Server uses trusted-module-servers.crt to validate the Module Server certificate.
Table 5: Certificates and keys for Module Server connections
SSL/TLS connection processes and setup tasks
The following figure illustrates the components, processes, and setup tasks involved in securing connections to the Tanium Server
(Tanium Console or API) and Module Server.
Figure 4: SSL/TLS connections
The following processes correspond to the numbers in Figure 4.
1 Tanium Console/API access
When a user system connects to the Tanium Console or API, the Tanium Server presents its SOAPServer.crt certificate
to prove its identity to the user system. In Figure 4, the server uses a CA-issued version of SOAPServer.crt (number 2)
instead of a self-signed version. Therefore, the user system uses a CA certificate to validate SOAPServer.crt.
2 Replace self-signed certificate with CA-issued certificate
Generate a certificate signing request (CSR) and associated private key SOAPServer.key for the Tanium Server. You
submit the CSR to your CA, which uses a CA certificate and associated private key to digitally sign the requested certificate
(SOAPServer.crt). The CA signing certificate must also be present on the systems from which users access the Tanium
Console or API (number 1). The Tanium Server can then use the requested CA-issued certificate instead of a self-signed
certificate. Optionally, you can also request a CA-issued certificate to replace the Module Server certificate (ssl.crt).
For details, see CA-issued certificates on page 94.
3 Module Server registration
During a fresh installation of the Module Server, you must manually enable trust between it and the Tanium Server before
registration. The Module Server then registers with the Tanium Server and the servers generate the
trusted-module-servers.crt and trusted.crt files. For subsequent communication between the servers,
including during version upgrades, manually enabling trust is unnecessary because the servers automatically check
trusted-module-servers.crt and trusted.crt during their mutual identity verification (number 4).
The installation procedures in the following deployment guides include steps to manually enable trust for the server
certificates by verifying or entering certificate fingerprints (hash digests of certificate public keys): Tanium Appliance
Deployment Guide: Installing Tanium Module Server and Tanium Core Platform Deployment Guide for Windows: Installing
the Tanium Module Server.
4 Mutual identity verification
To establish a secure TLS connection, the Tanium Server and Module Server prove their identities to each other. During
the TLS handshake, the Tanium Server presents its SOAPServer.crt certificate to the Module Server, which verifies
that its trusted.crt file contains SOAPServer.crt. Also during the handshake, the Module Server presents its
ssl.crt certificate to the Tanium Server, which verifies that its trusted-module-servers.crt file contains
ssl.crt.
5 Module Server to Tanium module services
The Module Server opens a single HTTPS listener to route requests from the Tanium Server to Tanium module services,
which listen only on localhost. The Module Server forwards the requests locally over non-TLS connections from the HTTPS
listener to the appropriate module service.
6 Module services to the Tanium Server
Module services connect to the Tanium Server over TLS and verify that the certificate that the Tanium Server presented
during the TLS handshake is included in the trusted.crt file on the Module Server. Because module services use the
same API as Tanium Console users, client certificate validation is not enforced for this connection (in contrast with the
connection described in number 4).
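The checks described under Module Server communication and in number 4 above compare the certificate a peer presents with the contents of a trust bundle. The following script is an added example, not part of the Tanium guide and not a Tanium tool, that performs the same comparison offline by SHA-256 fingerprint, so that before a re-registration or a certificate swap you can confirm that trusted.crt on the Module Server holds the SOAPServer.crt of both Tanium Servers in an active-active deployment, or that trusted-module-servers.crt on the Tanium Server holds the Module Server's ssl.crt. It assumes OpenSSL on PATH; the ts1, ts2 and rogue certificates are constructed by the script for the demonstration and are not Tanium-generated files.

```sh
#!/bin/sh
# Added example (not from the Tanium guide): confirm that a PEM trust bundle
# contains the exact certificate a peer presents, compared by SHA-256
# fingerprint of the whole certificate. Assumes: OpenSSL on PATH.
set -eu

# SHA-256 fingerprint of the first PEM certificate in file $1 (AB:CD:...).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Print the fingerprint of every certificate in PEM bundle $1, one per line.
bundle_fingerprints() {
    part=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line" >> "$part"
        case $line in
            *"-----END CERTIFICATE-----"*)
                cert_fingerprint "$part"
                : > "$part"   # start collecting the next certificate
                ;;
        esac
    done < "$1"
    rm -f "$part"
}

# Return 0 if the certificate in $1 is present in bundle $2, 1 otherwise.
# A re-issued certificate with the same subject and key has a different
# fingerprint and is therefore reported as absent.
cert_in_bundle() {
    want=$(cert_fingerprint "$1")
    bundle_fingerprints "$2" | grep -qxF "$want"
}

# Constructed demo data: two "Tanium Server" certificates and one unrelated
# certificate in directory $1, plus a trusted.crt holding only the first two.
make_demo_certs() {
    mkdir -p "$1"
    for name in ts1 ts2 rogue; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name.example.com" \
            -keyout "$1/$name.key" -out "$1/$name.crt" 2>/dev/null
    done
    cat "$1/ts1.crt" "$1/ts2.crt" > "$1/trusted.crt"
}

# End-to-end demonstration: ts1 and ts2 are found, rogue is not.
demo() {
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    for name in ts1 ts2 rogue; do
        if cert_in_bundle "$dir/$name.crt" "$dir/trusted.crt"; then
            echo "$name.crt: present in trusted.crt"
        else
            echo "$name.crt: NOT in trusted.crt"
        fi
    done
}
```

Source the file and call `demo` to see the three results, or call `cert_in_bundle /path/SOAPServer.crt /path/trusted.crt` against real files; a non-zero exit means the presented certificate is absent and the mutual identity verification in number 4 would fail until the Module Server is re-registered, which is consistent with the guide's instruction to re-register after replacing SOAPServer.crt or ssl.crt.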
CA-issued certificates
If your organization prefers to use CA-issued certificates to secure connections among systems, you can replace the self-signed
certificates that the Tanium Server (SOAPServer.crt) and Module Server (ssl.crt) generated during installation. In an active-
active deployment, you can use the same CA-issued SOAPServer.crt (and associated private key) for both Tanium Servers as
long as the Subject Alternative Name in the certificate specifies both server names. Alternatively, you can use a distinct CA-issued
certificate for each Tanium Server.
Obtaining a CA-issued certificate involves submitting a CSR to the CA and generating an associated private key. In a Tanium
Appliance deployment, you must use a third-party tool such as OpenSSL (see Example: Create a CSR and private key with OpenSSL
on page 99) to generate the CSR and key on a non-Appliance system and then copy them to the Appliance (see Tanium
Appliance: Replace certificates on page 101). In a Windows deployment, you can use the Tanium™ KeyUtility program to generate
the CSR and key locally (see Windows: Replace certificates on page 103).
On Windows, you can also generate a CSR and key using Microsoft Management Console (MMC).
The CA uses a CA certificate and its associated private key to digitally sign the certificate that you requested. If a CA-issued certificate
replaces SOAPServer.crt on the Tanium Server, then the CA signing certificate must also be present on the systems from which
users access the Tanium Console or API. For console users, the CA signing certificate must be in the trusted certificates store of their
browsers. For API users, the CA signing certificate must be in the location specified in API calls, as shown in the --cacert <file
path> option in the following example:
$ curl -s --cacert <file path> -X POST --data-binary @<sign in>.json
https://localhost/api/v2/session/login
When you create the CSR, specify the options and X.509 attributes that ensure the CA returns a certificate that meets the following
requirements.
Certificate requirements
Work with your CA to obtain a certificate with the following specifications for the Tanium Server or Module Server:
• X.509 certificate with TLS Web Server Authentication and Client Authentication extended key usage
• Separate certificate and private key files. You must remove the passphrase from the key file.
• PEM format (Base64 encoded)
• Certificate signed with a SHA-256 hashing algorithm
• RSA 2048-bit key encryption
• Common Name (CN) that specifies the fully qualified domain name (FQDN) or IP address of the server.
• Subject Alternative Name that specifies the FQDNs or IP addresses of both Tanium Servers in an active-active deployment
where both servers use the same certificate. This is unnecessary if each server uses its own certificate.
Example: Create a CSR and private key with OpenSSL
The following example shows how to use OpenSSL to create a CSR. You can use vendor-provided web forms or any tool you prefer,
as long as the resulting certificate has the required attributes and a private key. This OpenSSL example uses a configuration file to
pass X.509 attributes to the openssl command. You can specify command-line options instead of using a configuration file.
If you deploy the Tanium Server and Module Server on Windows infrastructure, the security best practice is to use
the KeyUtility.exe program that is local to those servers instead of using a third-party tool to generate the CSR
and private key. Generating the key locally enables you to avoid copying it between systems.
1. Create a configuration file (tanium-openssl.cfg, in this example) with the following content. Change the example values (the
*_default entries and the DNS.1 and DNS.2 names) to ones that are appropriate for your Tanium Servers.
In this example, both Tanium Servers in an active-active deployment use the same certificate and therefore
the subjectAltName section specifies both servers in the DNS.1 and DNS.2 values.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Code
countryName_default = US
stateOrProvinceName = State or Province
stateOrProvinceName_default = CA
localityName = City
localityName_default = Emeryville
organizationName = Organization Name
organizationName_default = ExampleCorp
organizationalUnitName = Organizational Unit
organizationalUnitName_default = IT
commonName = Tanium Server FQDN
commonName_default = ts1.example.com
commonName_max = 64
[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ts1.example.com
DNS.2 = ts2.example.com
2. Create a private key file to digitally sign the CSR:
openssl genrsa -out tanium.key 2048
3. Generate the CSR file. The following example specifies the configuration file and private key created in the previous steps:
openssl req -sha256 -new -out SOAPServer.csr -key tanium.key -config tanium-openssl.cfg
4. Open the generated file to confirm that the CSR was created. The following example shows a PEM-formatted CSR.
-----BEGIN CERTIFICATE REQUEST-----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
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-----END CERTIFICATE REQUEST-----
5. Save the private key to a secure location and submit the CSR to the CA. The submission process varies by CA. In some cases,
you submit a file; in other cases, you paste the contents of the file into an online form. In any case, be sure to communicate
the certificate requirements to your CA.
Use a secure protocol such as Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP) when you
need to copy the private key between systems; do not use Server Message Block (SMB) or File Transfer
Protocol (FTP). For security, after copying the key to the installation folder of the Tanium Core Platform server
that requires the key, delete any other instance of it.
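As an added example (not part of the Tanium guide), the following POSIX shell script carries the OpenSSL procedure above through to a verification step: it writes the configuration file from a list of server FQDNs, generates the key and CSR, and then checks that the CSR is self-consistent and carries the expected SAN entries and key usages before you submit it to the CA. It also checks that a certificate was issued for the private key, which is worth running on the CA-issued certificate before you copy it over SOAPServer.crt. The script assumes an openssl binary on PATH and uses the guide's example names ts1.example.com and ts2.example.com; the self-signed certificate built at the end is a constructed stand-in for the CA's certificate so that the check can be demonstrated offline.

```shell
#!/bin/sh
# Added example, not from the Tanium guide: generate the private key and CSR
# with OpenSSL from a configuration file, verify the CSR before submitting it
# to the CA, and verify that a returned certificate matches the key before
# installing it. Assumptions: the openssl binary is on PATH, the host names
# ts1.example.com and ts2.example.com from the guide are used, and the
# self-signed certificate made at the end stands in for the CA-issued one.

WORK="${WORK:-$(mktemp -d)}"

# Write the request configuration. Arguments: config path, then one or more
# server FQDNs. The first FQDN becomes the commonName and every FQDN becomes
# a DNS.N entry in alt_names, which is what an active-active pair needs.
write_cfg() {
    cfg="$1"; shift
    {
        printf '[req]\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\n'
        printf 'prompt = no\n'
        printf '[req_distinguished_name]\n'
        printf 'C = US\nST = CA\nL = Emeryville\nO = ExampleCorp\nOU = IT\n'
        printf 'CN = %s\n' "$1"
        printf '[v3_req]\n'
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth,clientAuth\n'
        printf 'subjectAltName = @alt_names\n'
        printf '[alt_names]\n'
        i=1
        for host in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$host"
            i=$((i + 1))
        done
    } > "$cfg"
}

# Generate a 2048-bit RSA key (created with mode 0600 via umask) and the CSR.
make_csr() {
    write_cfg "$WORK/tanium-openssl.cfg" "$@"
    (umask 077 && openssl genrsa -out "$WORK/tanium.key" 2048 2>/dev/null)
    openssl req -sha256 -new -key "$WORK/tanium.key" \
        -config "$WORK/tanium-openssl.cfg" -out "$WORK/SOAPServer.csr"
}

# Verify the CSR: its self-signature is valid, every expected FQDN appears in
# the SAN, the key usage extensions are present, and the CSR's public key is
# the one derived from tanium.key. Returns non-zero on any failure.
verify_csr() {
    csr="$WORK/SOAPServer.csr"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text)
    for host in "$@"; do
        echo "$text" | grep -q "DNS:$host" || return 1
    done
    echo "$text" | grep -q 'Digital Signature, Key Encipherment' || return 1
    echo "$text" | grep -q 'TLS Web Server Authentication, TLS Web Client Authentication' || return 1
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/tanium.key" -pubout)" ]
}

# Check that a certificate (for example the one the CA returns) was issued for
# the public key of the given private key, before replacing SOAPServer.crt.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

make_csr ts1.example.com ts2.example.com
verify_csr ts1.example.com ts2.example.com && echo "CSR OK: $WORK/SOAPServer.csr"

# Stand-in for the CA-issued certificate: a self-signed cert built from the CSR
# (constructed here only so the check can be demonstrated offline).
openssl x509 -req -in "$WORK/SOAPServer.csr" -signkey "$WORK/tanium.key" \
    -days 1 -out "$WORK/SOAPServer.crt" 2>/dev/null
cert_matches_key "$WORK/SOAPServer.crt" "$WORK/tanium.key" && echo "certificate matches key"
```

The public-key comparison is the same check the Tanium Appliance performs when you import a key ("verifies that the key is valid and matches the certificate"); on Windows, where you copy the files into the installation folder by hand, running cert_matches_key first avoids restarting the Tanium Server service with a mismatched pair.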
Tanium Appliance: Replace certificates
Perform the following steps to replace the current SOAPServer.crt and SOAPServer.key on the Tanium Server with a new,
CA-issued certificate and associated private key. In an active-active deployment, you can use the same certificate and key for both
Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names.
If you need to replace the current ssl.crt and ssl.key on the Module Server with a new, CA-issued certificate
and associated private key, contact Tanium Support at [email protected].
Obtain the new certificate and key
1. Use a tool such as OpenSSL to generate a CSR and new private key. When creating the CSR, specify the certificate options and
X.509 attributes described under Certificate requirements on page 95. For an example procedure, see Example: Create a CSR
and private key with OpenSSL on page 99.
2. Save the private key to a secure location on a system from which you can connect to the Tanium Servers through an SFTP
client.
When transferring the private key between systems, use a secure protocol such as SCP or SFTP; do not use
SMB or FTP.
3. Submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the
file contents into an online form. In any case, be sure to communicate the certificate requirements to your CA.
4. When the CA returns the new certificate, save it to the same location as the private key so that you can copy both files to the
Tanium Servers.
Install the new certificate and key
Install the new, CA-issued certificate and associated private key on the Tanium Server. In an active-active deployment, perform these
steps on each Tanium Server. Because the steps include stopping and restarting the servers, perform this task during a maintenance
window.
1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 4 to initiate the Install Custom SOAP Cert process.
4. Follow the prompts to install the certificate and key files that you uploaded:
a. Enter Yes at the prompt to proceed with the installation.
b. Select the certificate that you are importing, verify that the displayed certificate details are correct, and enter Yes at the
prompt.
c. Select the private key that you are importing.
The Appliance verifies that the key is valid and matches the certificate.
d. Enter Yes at the prompt to create a backup of the files in the /outgoing directory of the tancopy user.
The Tanium Appliance stops the Tanium Server service, installs the new certificate and key, and restarts the service.
e. If the Appliances are in an array, the last step is to re-register the Module Server: enter Yes at the prompt and enter the
password of the Tanium Console admin user.
Otherwise, if the Appliance is not in an array, press Enter to continue and perform the steps described in Re-register the
remote Module Server with each Tanium Server on page 102.
Re-register the remote Module Server with each Tanium Server
After you replace the certificate and private key on the Tanium Server, re-register the Module Server if you did not already do so in
the preceding task. In an active-active deployment, you must re-register with each Tanium Server. Because the steps include
stopping and restarting services, perform this task during a maintenance window.
1. Repeat the remote Module Server configuration steps to update the certificates that are used to validate SOAPServer.crt
and ssl.crt on each server: trusted.crt on the Module Server appliance and trusted-module-servers.crt on
the Tanium Server appliance. See the Tanium Appliance Deployment Guide: Configure the Tanium Server to use the remote
Module Server.
2. Restart all Tanium services on the Module Server appliance. See Tanium Appliance Deployment Guide: Start, stop, and restart
Tanium services.
Windows: Replace certificates
Perform the following steps to replace the current certificates and private keys used for connections to the Tanium Console, API, and
Module Server with new, CA-issued certificates and associated private keys. In an active-active deployment, you can use the same
certificate and key for both Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names.
The certificates and keys that the Tanium Server and Module Server use are not interchangeable. The Tanium Server
uses the SOAPServer.crt certificate and SOAPServer.key key. The Module Server uses the ssl.crt
certificate and ssl.key key.
Obtain the new certificate and key
You can use the Tanium KeyUtility.exe program instead of a third-party tool to generate the CSR and private key on whichever
server (Tanium Server or Module Server) needs them.
For better security, generate the key locally on the server to avoid copying it between systems.
You can also generate a CSR and key using Microsoft Management Console (MMC).
1. Sign in to the server that needs a new certificate and access the CLI as an administrator (see Windows on page 161).
2. Navigate to the server installation folder.
$ cd <Tanium/Module Server>
3. Use the KeyUtility.exe program to generate a CSR and private key.
The --hostname argument specifies the server FQDN or IP address. In an active-active deployment where both Tanium
Servers use the same certificate and key, specify both Tanium Servers with a comma separator
(ts1.example.com,ts2.example.com for example). Optionally, you can also generate a unique CSR and key for each
Tanium Server.
The --out argument specifies the output folder and files names of the CSR and key. The command automatically appends the
suffix (.csr or .key) to the file name. Use the file name SOAPServer on the Tanium Server or ssl on the Module Server to
avoid having to rename the files later. To avoid overwriting the current key, be sure to specify an output folder that is not the
server installation folder.
$ KeyUtility selfsign --export-csr --hostname <server FQDN/IP address> --out <output folder path><file name>
The command creates three files in the specified output folder: <filename>.csr, <filename>.key, and
<filename>.crt. The command automatically uses the key to sign <filename>.csr. The <filename>.crt file is a
self-signed certificate that you use only if you do not need a CA-issued certificate.
4. Submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the
file contents into an online form. In any case, be sure to communicate the certificate requirements to your CA.
5. When the CA returns the new certificate file, save it to a temporary location from where you can later copy the file to the
installation folder of the Tanium Server or Module Server.
Update the Tanium Server certificate and key files
Because you must restart servers during this task, perform it during a maintenance window.
UPDATE THE TANIUM SERVER CERTIFICATE AND KEY FILES IN A STANDALONE (NON-HA) DEPLOYMENT
1. On the Tanium Server, back up the existing SOAPServer.crt certificate and SOAPServer.key private key in case you
later want to revert your changes.
2. Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.
3. Copy the new certificate and key files to the server installation folder to replace the existing files.
For security, delete any instance of the key that is not in the installation folder after you copy the key there.
4. Start the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Start.
If you plan to update the Module Server certificates and keys, skip to Update the Module Server certificates and key files on
page 106. Otherwise, perform the remaining steps.
5. Sign in to the Module Server and re-register it with the Tanium Server to regenerate the trusted.crt and
trusted-module-servers.crt files. You can re-register by re-running the Module Server installer (see Tanium Core
Platform Deployment Guide for Windows: Installing the Tanium Module Server) or by using the Module Server CLI as follows.
Specifying the port is necessary only if the Tanium Console does not use the standard port (443). Specify the user name and
password of a Tanium Console administrator.
cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>
Enter administrator username: <user name>
Enter password for user '<user name>': <password>
Successfully completed registration.
6. On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all
Tanium solutions:
• Reboot the Module Server. All the services automatically restart during the reboot process.
• Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.
7. Restart the Tanium Server service: on the Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.
UPDATE THE TANIUM SERVER CERTIFICATE AND KEY FILES IN AN ACTIVE-ACTIVE DEPLOYMENT
Perform these steps on one Tanium Server at a time. The steps in this example start on the primary Tanium Server.
1. On the primary Tanium Server, back up the existing SOAPServer.crt certificate and SOAPServer.key private key in case
you later want to revert your changes.
2. Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.
3. Copy the new certificate and key files to the server installation folder to replace the existing files.
For security, delete any instance of the key that is not in the installation folder after you copy the key there.
4. Start the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Start.
5. On the secondary Tanium Server, stop the Tanium Server service.
6. Replace the existing certificate and key in the installation folder of the secondary Tanium Server:
• If each Tanium Server requires a unique certificate and key, copy the files from the temporary folder where you stored
them.
• If both Tanium Servers use the same certificate and key, copy the files from the primary Tanium Server.
Use a secure protocol such as SCP or SFTP to copy the key between systems; do not use SMB or FTP.
7. On the secondary Tanium Server, start the Tanium Server service.
If you plan to update the Module Server certificates and keys, skip to Update the Module Server certificates and key files on
page 106. Otherwise, perform the remaining steps.
8. Sign in to the Module Server and re-register it with each Tanium Server to regenerate the trusted.crt and
trusted-module-servers.crt files. You can re-register by re-running the Module Server installer (see Tanium Core
Platform Deployment Guide for Windows: Installing the Tanium Module Server), but only for the primary Tanium Server. You
can use the Module Server CLI as follows to re-register with either Tanium Server. Specifying the port is necessary only if the
Tanium Console does not use the standard port (443). Specify the user name and password of a Tanium Console
administrator.
cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>
Enter administrator username: <user name>
Enter password for user '<user name>': <password>
Successfully completed registration.
9. On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all
Tanium solutions:
• Reboot the Module Server. All the services automatically restart during the reboot process.
• Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.
10. Restart the Tanium Server service: on each Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.
Update the Module Server certificates and key files
Because this task involves stopping and starting the Module Server, perform the steps during a maintenance window.
The Tanium Server service must be running on each Tanium Server when you perform the step to re-register the
Module Server.
1. On the Module Server, back up the existing ssl.crt certificate and ssl.key private key in case you later want to revert
your changes.
2. Stop the services for the Tanium Module Server and all Tanium solutions (modules and shared services): open the Windows
Services application and, for each service, right-click the service name and select Stop.
3. Copy the new certificate and key files to the Module Server installation folder to replace the existing files.
For security, delete any instance of the key that is not in the installation folder after you copy the key there.
4. Re-register the Module Server with each Tanium Server to regenerate the trusted.crt and
trusted-module-servers.crt files. You can re-register by re-running the Module Server installer, but only for the
primary Tanium Server in an active-active deployment or for a standalone Tanium Server. You can use the Module Server CLI
as follows to re-register with any Tanium Server in an active-active or standalone deployment. Specifying the port is necessary
only if the Tanium Console does not use the standard port (443). Specify the user name and password of a Tanium Console
administrator.
cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>
Enter administrator username: <user name>
Enter password for user '<user name>': <password>
Successfully completed registration.
5. On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all
Tanium solutions:
• Reboot the Module Server. All the services automatically restart during the reboot process.
• Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.
6. Restart the Tanium Server service: on each Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.
Securing Tanium Server, Zone Server, and Tanium Client access
Overview of TLS in the Tanium Core Platform
Tanium Core Platform 7.2 or later uses the following protocols for communication among platform components:
• Tanium Protocol: This application protocol is proprietary to Tanium and uses TLS 1.2 to encrypt communication. You
cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.
• Hypertext Transfer Protocol Secure (HTTPS): The Tanium Core Platform uses TLS 1.2 to encrypt HTTPS communication
among platform components. The components negotiate the TLS version for HTTPS connections with external servers but
enforce TLS 1.2 as the minimum version.
The following table lists the connections among Tanium Core Platform components and the protocol that each connection uses. The
numbers correspond to the connections in Figure 5.
Table 6: TLS communication in the Tanium Core Platform
Connection | Protocol
1. Tanium Console or API user systems to Tanium Servers | HTTPS
2. Tanium Console or API user systems to external servers (such as content.tanium.com) | HTTPS
3. (Windows only) Tanium Servers to Tanium database in deployments where the database is not on the Tanium Server host | By default, communication is over TCP/IP without encryption, but configuring encryption is a best practice. Consult your database administrator.
4. Tanium Servers to Tanium Module Server | HTTPS
5. Module Server to external servers | HTTPS
6. Tanium Server to Tanium Server in an active-active deployment | Tanium Protocol *
7. Tanium Servers to external servers | HTTPS
8. Tanium Servers to Zone Server Hub (Figure 5 shows the Zone Server Hub installed on a host that is separate from the Tanium Server hosts to illustrate that the connection is encrypted. However, in most deployments, you install the hubs on the same hosts as the Tanium Servers.) | Tanium Protocol
9. Zone Server Hub to Zone Server | Tanium Protocol
10. Tanium Clients (external) to Zone Server | Tanium Protocol
11. Tanium Clients (internal) to Tanium Servers | Tanium Protocol
12. Tanium Client to Tanium Client (external and internal) | Tanium Protocol **
* Tanium Appliances use IPsec to secure Tanium database traffic and Lightweight Directory Access Protocol (LDAP) synchronization traffic.
** Applies only to Tanium Client 7.4 or later.
Figure 5: TLS communication in the Tanium Core Platform
To manage the certificates and keys that the Tanium Core Platform uses for HTTPS traffic, see Securing Tanium
Console, API, and Module Server access on page 90.
The Tanium Core Platform supports TLS for additional connections that various Tanium modules and shared
services require. For details, see the user guides for your Tanium products at docs.tanium.com.
TLS communication starts when a TLS client initiates a TLS handshake to establish a secure connection with a server. The following
are examples in the context of the Tanium Core Platform:
• The Zone Server acts as a client when registering with the Tanium Server.
• The Tanium Client acts as a client when registering with the Zone Server or Tanium Server.
• A Tanium Server acts as a client when performing active-active synchronization with another Tanium Server.
During the TLS handshake, the client and server generate a shared, unique session key, which they use to secure communication for
the duration of their session. You can configure TLS as optional for certain versions of Tanium Core Platform servers and Tanium
Clients, as listed in Table 7. If the handshake fails and TLS is optional, the client and server attempt a non-TLS (unencrypted)
connection instead. If the handshake fails and TLS is configured as required, the client and server cannot connect.
Tanium Core Platform 7.2 or later supports the following cipher suites for creating keys and encrypting information in TLS
communication:
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-RSA-CHACHA20-POLY1305
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
Contact Tanium Support at [email protected] and consult your network security team before modifying the TLS configuration.
Whether TLS is available and required depends on the Tanium Core Platform version, components, and infrastructure:
Table 7: TLS options and defaults
Version | Tanium Server, Zone Server, Zone Server Hub | Tanium Clients
7.4 or later | After a fresh installation or upgrade, TLS is required and you cannot disable it. | After a fresh installation or upgrade, TLS is required by default.
7.2 or 7.3 | Whether TLS is enabled depends on the infrastructure in which you deploy the Tanium Core Platform. Windows deployment: TLS is disabled by default and enabling it is optional. Tanium Appliance deployment: TLS is enabled by default on the Tanium Server and disabling it is optional for incoming connections; TLS is disabled by default on the Zone Server and Zone Server Hub, and enabling it is optional. | TLS communication is disabled by default and enabling it is optional.
7.1 or earlier | Encryption for inter-server communication requires a third-party binary or other external dependencies. | Not applicable
The following sections describe how to set up TLS for Tanium Core Platform components that use the Tanium Protocol. For
additional details and procedures related to the digital keys for Tanium Protocol traffic, see Tanium Console User Guide: Managing
Tanium keys.
Tanium Appliance: Set up TLS
Tanium Server
When you install the Tanium Server role (see Installing an individual Tanium Server), TLS is enabled by default. TLS is required for
incoming connections in Tanium Core Platform 7.4 or later but not in earlier versions. If you want to require TLS for incoming
connections in version 7.2 or 7.3, go to the Tanium Operations menu and use the Configuration Settings menu to change the
values. For details, see Tanium Core Platform settings on page 122.
Tanium Zone Server
When you install the Tanium Zone Server role or Zone Server Hub add-on role, TLS is enabled by default in Tanium Core Platform 7.4
but not in earlier versions. Perform the following procedures to configure TLS in version 7.2 or 7.3.
CONFIGURATION OVERVIEW
Configuring Tanium Zone Server encryption is a three-step process:
1. On the Zone Server, generate a TLS certificate signing request (CSR): Step 1: Generate a CSR on page 112.
2. On the Tanium Server, issue and sign the TLS certificate: Step 2: Issue the Certificate on page 112.
3. On the Zone Server, add the certificate and key files and configure default values for TLS settings: Step 3: Install the certificate
and configure TLS settings on page 113.
To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values.
FILE TRANSFER METHODS
TanOS 1.5 and later provide menus that enable the following methods for copying the CSR, certificate, and key files:
• Copy and paste between TanOS menus on the Zone Server appliance and Tanium Server appliance. This method is
convenient if you can open SSH terminal sessions to each appliance. If you use this method, skip to Step 1: Generate a CSR
on page 112.
• Menu-driven SFTP between the Zone Server appliance and Tanium Server appliance. This method requires SFTP connectivity
from the Zone Server to the Tanium Server. You must copy the public key for the user tanadmin on the first appliance to the
authorized key store for the tancopy user on the second appliance, and vice versa.
ADD REQUIRED SSH KEYS
1. Start an SSH terminal session on both the Tanium Server appliance and the Zone Server appliance so that you can copy and
paste between them.
2. Copy the tanadmin key from the first appliance to the authorized key store for the tancopy user on the second appliance.
a. On the first appliance:
i. From the tanadmin menu, enter C to go to the User Administration menu.
ii. Enter 3 to go to the SSH Key Management menu.
iii. Enter the line number for tanadmin to display the key management menu for this user.
iv. Enter 2 to display the public key.
v. Copy the contents of the public key to the clipboard.
b. On the second appliance:
i. From the tanadmin menu, enter C to go to the User Administration menu.
ii. Enter 3 to go to the SSH Key Management menu.
iii. Enter the line number for the tancopy user.
iv. Enter 3 to go to the Authorized Keys menu.
v. Enter 2 and follow the prompts to paste the contents of the tanadmin user public key file.
3. Copy the tanadmin key from the second appliance to the authorized key store for the tancopy user on the first appliance.
a. On the second appliance:
i. Return to the SSH Key Management menu.
ii. Enter the line number for tanadmin to display the key management menu for this user.
iii. Enter 2 to display the public key.
iv. Copy the contents of the public key to the clipboard.
b. On the first appliance:
i. Return to the SSH Key Management menu.
ii. Enter the line number for the tancopy user.
iii. Enter 3 to go to the Authorized Keys menu.
iv. Enter 2 and follow the prompts to paste the contents of the tanadmin user public key file.
STEP 1: GENERATE A CSR
1. Sign in to the Zone Server appliance as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter Z to go to the Zone Server Configuration menu.
4. Enter 1 and follow the prompts to generate the CSR. Be sure to copy the text to the clipboard or specify the settings for the
SFTP connection to the Tanium Server.
STEP 2: ISSUE THE CERTIFICATE
The option for the Zone Server Configuration menu only appears if the Zone Server Hub add-on is installed on the
Tanium Server appliance.
1. Sign in to the Tanium Server appliance as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter Z to go to the Zone Server Configuration menu.
4. Enter 2 to go to the Import Cert Request menu.
5. Enter 1 to import the CSR or 2 to paste the text.
The Tanium Server validates the CSR, generates and signs the reporting.crt certificate file, copies the certificate contents
to the screen, and copies the file to the /outgoing directory.
6. Follow the prompts to prepare for Step 3:
• Copy the certificate text if you plan to paste it in the next step.
• Use SFTP to copy reporting.crt from the Tanium Server /outgoing directory to your management computer
and then copy it again to the Zone Server /incoming directory if you cannot establish an SFTP connection from the
Zone Server to the Tanium Server.
• If you set up SSH keys and can establish an SFTP connection from the Zone Server to the Tanium Server, do nothing.
You can import the certificate file from the Tanium Server /outgoing directory automatically in Step 3: Install the
certificate and configure TLS settings on page 113.
STEP 3: INSTALL THE CERTIFICATE AND CONFIGURE TLS SETTINGS
1. Sign in to the Zone Server appliance as the user tanadmin.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter Z to go to the Zone Server Operations menu.
4. Enter 3 to display the Import Signed Certificate menu.
5. Use the menu to import the certificate:
• Enter 1 to import reporting.crt if you copied it to the Zone Server /incoming directory.
• Enter 2 to paste the text.
• Enter 3 to pull it from the Tanium Server /outgoing directory.
The Zone Server installs the certificate and configures default settings. To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values. For details, see Tanium Core Platform
settings on page 122.
Windows: Set up TLS
Tanium Server
The Tanium Server installer generates the TLS public and private keys that are used to set up TLS for connections between Tanium
Servers in an active-active deployment and between Tanium Clients and the Tanium Server.
CONFIGURE TLS FOR OUTGOING CONNECTIONS
In Tanium Core Platform 7.4 or later, TLS is automatically set up and required for outgoing connections between Tanium Servers in
an active-active deployment, and you cannot disable it.
In version 7.3 or 7.2, add or edit the setting ReportingTLSMode in the Windows registry to enable or disable TLS. The data type is
REG_DWORD and the value is a number. The following values are possible:
• 0 (TLS not used): TLS is disabled. This is the default value for servers installed on a Windows system.
• 1 (TLS required): If a TLS handshake fails, the connection fails.
• 2 (TLS optional): The server tries to connect over TLS. If the TLS connection fails, the server tries a non-TLS connection.
You can use the command-line interface (CLI) to add the registry setting:
> cd <Tanium_Server_installation_folder>
> TaniumReceiver config set ReportingTLSMode <value>
REQUIRE TLS FOR INCOMING CONNECTIONS
Optionally, you can configure TLS as required or optional for incoming connections on the Tanium Server. The Tanium Server
version determines which setting you configure.
Version 7.4 or later
From the Tanium Console Main menu, go to Administration > Configuration > Platform Settings, and configure the following
settings for connections from Tanium Clients to the Tanium Server.
These settings also apply to connections from Tanium Clients to the Zone Server if you deploy one.
• require_client_tls_314_flag: Specify one of the following values:
◦ 0 (default): The Tanium Server allows both TLS and non-TLS connections from Tanium Clients.
◦ 1: The Tanium Server allows connections from Tanium Clients only if TLS is used. Do not set the value to 1 until you
are sure that all Tanium Clients that have been deployed are configured to use TLS and you are ready to deploy the
Tanium Client to new endpoints with TLS configured before initial registration.
• require_client_tls_315_flag: Specify one of the following values:
◦ 1 (default): The Tanium Server allows connections from Tanium Clients 7.4 or later only if TLS is used. Tanium
strongly recommends that you leave the value at 1.
◦ 0: The Tanium Server allows both TLS and non-TLS connections from Tanium Clients 7.4 or later. Contact Tanium
Support at [email protected] before setting the value to 0.
Version 7.3 or earlier
In the Windows registry, specify one of the following values for the setting RequireIncomingEncryption:
• 0: TLS is not required.
• 1: TLS is required. Do not specify 1 until you are sure that all Tanium Clients that have been deployed are configured to use
TLS and you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration.
REGENERATE THE TLS CERTIFICATE AND KEY
You can regenerate the TLS certificate and private key on the Tanium Server when necessary. For example, if the Tanium root keys
(tanium.pub and tanium.pvk) have changed, you must change all subordinate certificates and keys, including the TLS
certificate and key.
In Tanium Core Platform 7.4 or later, you can use the Tanium Console to rotate the root keys, and doing so automatically rotates all
subordinate keys, including the TLS keys. You can also configure the rotation schedule for subordinate keys. For details, see Tanium
Console User Guide: Managing Tanium keys.
In Tanium Core Platform 7.3 or 7.2, use the KeyUtility.exe tool to regenerate the certificate (reporting.crt) and private
key (reporting.pvk) as follows. In an active-active deployment, repeat these steps on each Tanium Server.
1. Access the Tanium Server CLI.
2. Navigate to the Tanium Server installation directory, where the KeyUtility.exe tool resides.
cmd-prompt>cd <Tanium Server>
3. Generate the new private key and a certificate signing request (CSR).
Syntax
cmd-prompt>keyutility reporting-tls-request [<reporting.pvk>] [<out>]
Example
cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
Generating key: 'reporting.pvk'
Successfully generated certificate signing request: 'reporting.csr'
4. Issue a new certificate based on the reporting.csr file and sign the certificate with the Tanium Server private key.
Syntax
cmd-prompt>keyutility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]
Example
cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
Successfully issued new certificate: 'c:\Tanium\reporting.crt'
5. Replace the old TLS certificate and private key with the new certificate and key in the Tanium Server installation folder
(default) or in the folder that the ReportingTLSCertPath and ReportingTLSKeyPath registry settings specify. For
details, see Table 8.
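The five steps above, scripted as an added PowerShell example. This is not Tanium's code: it assumes Tanium Core Platform 7.2 or 7.3 on Windows, KeyUtility.exe and tanium.pvk in the installation directory (the default path below is an assumption), and that the issued reporting.crt is a standard X.509 file that .NET can load. It keeps a dated backup of the old key and certificate, stops on any KeyUtility failure, checks the issued certificate, and shows where the server expects the files according to the ReportingTLSCertPath and ReportingTLSKeyPath settings.

```powershell
# Added example, not Tanium's code. Regenerates the Tanium Server reporting TLS key and
# certificate with KeyUtility.exe (Tanium Core Platform 7.2/7.3 on Windows).
# Assumptions: KeyUtility.exe and tanium.pvk are in $InstallDir, and reporting.crt is
# written as a standard X.509 file that .NET can load.
#Requires -RunAsAdministrator
param(
    [string]$InstallDir = 'C:\Program Files\Tanium\Tanium Server',   # assumed default path
    [string]$RootKey    = 'tanium.pvk'                                # Tanium root private key
)
$ErrorActionPreference = 'Stop'
$keyUtil = Join-Path $InstallDir 'KeyUtility.exe'
if (-not (Test-Path $keyUtil)) { throw "KeyUtility.exe not found in $InstallDir" }

# Back up whatever reporting.pvk / reporting.crt already exist before they are overwritten,
# so the previous key pair can be restored if the new one is rejected.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($name in 'reporting.pvk', 'reporting.crt') {
    $path = Join-Path $InstallDir $name
    if (Test-Path $path) {
        Copy-Item -Path $path -Destination "${path}.${stamp}.bak"
        Write-Host "Backed up $name to ${name}.${stamp}.bak"
    }
}

$newCrt = Join-Path $InstallDir 'reporting.crt'
Push-Location $InstallDir
try {
    # Documented step 3: new private key and certificate signing request.
    & $keyUtil reporting-tls-request reporting.pvk reporting.csr
    if ($LASTEXITCODE -ne 0) { throw "reporting-tls-request failed with exit code $LASTEXITCODE" }

    # Documented step 4: issue the certificate, signed with the Tanium root private key.
    & $keyUtil reporting-tls-issue reporting.csr $newCrt $RootKey
    if ($LASTEXITCODE -ne 0) { throw "reporting-tls-issue failed with exit code $LASTEXITCODE" }
}
finally { Pop-Location }

# Check the issued certificate before the server is pointed at it.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($newCrt)
Write-Host ("Issued {0}: subject={1} notAfter={2:u} thumbprint={3}" -f `
    $newCrt, $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
if ($cert.NotAfter -lt (Get-Date)) {
    throw 'Issued certificate is already expired; check the clock on this server'
}

# Documented step 5: the server loads the files from the installation folder unless the
# Table 8 path settings say otherwise. Print the effective locations so the operator can
# confirm the new files are where the service will look for them.
$reg   = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
$props = Get-ItemProperty -Path $reg
foreach ($setting in 'ReportingTLSCertPath', 'ReportingTLSKeyPath') {
    $configured = $props.$setting
    if ($configured) { Write-Host "$setting = $configured" }
    else { Write-Host "$setting not set; the server uses the installation folder $InstallDir" }
}
```

Run it once per Tanium Server in an active-active deployment. For the Zone Server procedure in the next section, only the reporting-tls-issue line applies on the Tanium Server, with the output path pointed at a folder other than the Tanium Server's own installation folder; the key and CSR are generated on the Zone Server itself. The `--expiration` option shown in the KeyUtility help (default 3650 days) can be appended to the issue command if a shorter validity period is wanted.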
Tanium Zone Server
Tanium Core Platform 7.4 or later automatically enables TLS for Zone Server connections. In version 7.3 or 7.2, you must generate a
TLS certificate (reporting.crt) and private key (reporting.pvk) and configure settings to enable TLS:
1. Access the Zone Server CLI.
2. Navigate to the Zone Server installation directory, where the KeyUtility.exe tool resides.
cmd-prompt>cd <Zone Server>
3. Generate the private key and CSR (reporting.csr).
Example
cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
Generating key: 'reporting.pvk'
Successfully generated certificate signing request: 'reporting.csr'
4. Replace the old private key by copying the new key to the Zone Server installation folder (default) or the folder that the
ReportingTLSKeyPath setting specifies. For details, see Table 8.
5. Copy reporting.csr to the Tanium Server installation folder.
6. Access the Tanium Server CLI, issue a new certificate based on the reporting.csr file, and sign it with the Tanium Server
private key (tanium.pvk). For the new Zone Server certificate, specify an output folder that is not the folder where the
Tanium Server stores its own reporting.crt certificate; otherwise, the Zone Server certificate overwrites the Tanium
Server certificate.
Example
cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
Successfully issued new certificate: 'c:\Tanium\reporting.crt'
7. Replace the old TLS certificate by copying the new certificate to the Zone Server installation folder (default) or the folder that
the ReportingTLSCertPath setting specifies. For details, see Table 8.
8. Configure the settings described in Table 8 on the Zone Server, Zone Server Hub, and Tanium Server host computers. You can
find the settings in the Windows Registry:
Tanium Server: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Zone Server or Zone Server Hub: HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
ReportingTLSMode (REG_DWORD)
  Configures TLS for outgoing connections that the server initiates. On a Tanium Server, configure this option if you want to enable TLS for the Tanium Server to Zone Server Hub segment, if applicable. On a Zone Server Hub, configure this option if you want to enable TLS for the Zone Server Hub to Zone Server segment.
  • 0 (TLS not used): TLS is disabled. This is the default value for servers installed on a Windows system.
  • 1 (TLS required): If a TLS handshake fails, the connection fails.
  • 2 (TLS optional): The server tries to connect over TLS. If the TLS connection fails, the server tries a non-TLS connection.
  If you will use TLS, initially setting the value to 2 is a best practice. After you confirm that the servers establish TLS connections reliably, setting the value to 1 enforces the best security.

ReportingTLSCertPath (REG_SZ)
  For inbound connections, set the path to the reporting.crt file. For example:
  • Program Files\Tanium\Tanium Server\reporting.crt
  • Program Files(x86)\Tanium\Tanium Zone Server\reporting.crt
  This setting must be present only if the path to the certificate differs from the server installation path (the value of the Path key). You can rename the certificate file if you want, but the file name and this entry must match. Keeping the default name (reporting.crt) is a best practice to facilitate communication and troubleshooting.

ReportingTLSKeyPath (REG_SZ)
  For inbound connections, set the path to the reporting.pvk file. For example:
  • Program Files\Tanium\Tanium Server\reporting.pvk
  • Program Files(x86)\Tanium\Tanium Zone Server\reporting.pvk
  The Tanium Server installer adds this entry, but the Zone Server installer does not. This setting must be present for TLS to work, so add it manually on a Zone Server. The key file name you specify in the path must match the actual key file. Keeping the default name (reporting.pvk) is a best practice to facilitate communication and troubleshooting.

ReportingTLSKeyPasswordFile (REG_SZ)
  This setting applies only to hardware security modules. For details, contact Tanium Support.

RequireIncomingEncryption (REG_DWORD)
  Setting for inbound connections from Tanium Clients 7.2 or later to Tanium Core Platform servers 7.3 or earlier.
  • 0: TLS is not required.
  • 1: TLS is required.
  When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled can register and be managed. Do not set this to 1 until you are sure that all deployed Tanium Clients are configured to use TLS (ReportingTLSMode is 1 or 2) and you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration.
Table 8: Tanium Core Platform server TLS settings
The KeyUtility.exe program has online help:
cmd-prompt>keyutility reporting-tls-issue --help
Usage: KeyUtility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]
Issue a reporting TLS certificate.
Options:
--root-key arg (=tanium.pvk) Path to tanium root private key
--csr arg (=reporting.csr) Path to certificate signing request to
issue a certificate for
-o [ --out ] arg (=reporting.crt) Output path for generated certificate.
--expiration arg (=3650) Certificate expiration in days
Tanium Client: Configure TLS
Whether TLS is enabled or disabled by default depends on the Tanium Client version:
• Version 7.4 or later: After a fresh installation or upgrade, TLS is enabled and required by default. Tanium strongly recommends that you use these default settings.
• Version 7.2: TLS communication is disabled by default and enabling it is optional.
Perform the following steps to enable or disable TLS on Tanium Clients:
1. From the Main menu, go to Administration > Configuration > Client Status.
2. In the Filter by Registration section, select Registered using TLS and Registered unencrypted if they are not already
enabled.
The Using TLS column indicates which Tanium Clients have TLS enabled or disabled.
3. From the Main menu, go to Administration > Configuration > Platform Settings and configure TLS settings for the Tanium
Clients as described in Table 9.
On the Tanium Client endpoint, the setting names have the prefix Server_ (for example, Server_ReportingTLSMode). This prefix indicates that the Tanium Client received the settings from the platform settings on the Tanium Server during registration, and future registration updates might change the settings. In some cases, you might want a Tanium Client to use settings that differ from the Tanium Server platform settings. For example, you might release a feature such as TLS to your Tanium Clients in stages. To override the Tanium Server platform settings, add the settings without the Server_ prefix to the Windows Registry entries or Tanium Client settings database on the client endpoints. For example, if you add the ReportingTLSMode setting to a Tanium Client, it overrides the Server_ReportingTLSMode setting.
It takes two to six hours (the randomized client-reset interval) for clients to register and receive the updated
settings.
TLSMode
  Applies to Tanium Client 7.4 or later. Specifies whether TLS is required for connections between Tanium Clients and for connections between Tanium Clients and the Tanium Server or Zone Server.
  • 0 (TLS not used): TLS is disabled.
  • 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot communicate with other clients or the servers. This is the default value.

ReportingTLSMode
  Applies to Tanium Client 7.2. Sets the mode for TLS connections from the Tanium Client to the Tanium Server or Zone Server.
  • 0 (TLS not used): TLS is disabled. This is the default value.
  • 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot register or communicate with the Tanium Server or Zone Server.
  • 2 (TLS optional): The Tanium Client tries to connect over TLS. If the TLS connection fails, the Tanium Client tries a non-TLS connection.
  If you will use TLS, initially setting the value to 2 is a best practice. After you confirm that Tanium Clients establish TLS connections reliably, setting the value to 1 enforces the best security.

OptionalTLSMinAttemptCount
  Applies to Tanium Client 7.2, and only when ReportingTLSMode is set to 2 (optional). Specifies the number of times to attempt TLS before falling back to non-TLS. The range is 1 to 100 and the default is 3.

OptionalTLSBackoffIntervalSeconds
  Applies to Tanium Client 7.2, and only when ReportingTLSMode is set to 2 (optional). Specifies the number of seconds to wait before retrying TLS after OptionalTLSMinAttemptCount consecutive failures. This interval doubles after each series of failed attempts. The range is 1 to 86400 and the default is 1.

OptionalTLSMaxBackoffSeconds
  Applies to Tanium Client 7.2, and only when ReportingTLSMode is set to 2 (optional). Specifies the maximum backoff interval in seconds. The range is 1 to 86400 and the default is 3600.
Table 9: Tanium Client TLS settings configured in platform settings
Verify the TLS connections
1. Verify whether Tanium Clients used TLS to connect with the Tanium Server or Zone Server when the clients last registered: from the Main menu, go to Administration > Configuration > Client Status and check the Using TLS column.
2. (Tanium Core Platform 7.3 or earlier) Access the Tanium Server Info page to confirm that TLS is enabled for the server
segments. To access the page, go to https://<Tanium Server FQDN>/info and sign in with a user account that has
the Administrator reserved role, such as the tanium user created during installation.
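A scripted counterpart to the checks above, added here as an example and not part of Tanium's tooling. It serves two passages: the "initially set ReportingTLSMode to 2, confirm TLS works, then set 1" guidance in Table 8, and the verification steps just described. Test-TaniumTlsListener performs a TLS handshake against a server's ServerPort listener, reports the negotiated protocol and the certificate the server presented, and compares that certificate's thumbprint with a local reporting.crt, which is the direct way to confirm a regenerated certificate is actually in service. Set-TaniumServerTlsSetting writes one Table 8 value and refuses RequireIncomingEncryption=1 unless the caller asserts that the Client Status page showed every client using TLS. Assumptions: Windows PowerShell 5.1 or later, TLS negotiated in-band on the same port (17472 by default) that also accepts unencrypted registrations, reporting.crt loadable as X.509, and the host name ts1.example.com, which is constructed.

```powershell
# Added example, not Tanium's code. Assumes TLS is negotiated in-band on ServerPort and that
# reporting.crt is a standard X.509 file. Host names below are constructed.

function Test-TaniumTlsListener {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 17472,              # ServerPort: where the server listens for Tanium Clients
        [string]$ExpectedCertPath        # local reporting.crt to pin against (optional)
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $tcp.ReceiveTimeout = 5000
    try {
        $tcp.Connect($Server, $Port)
        # reporting.crt is signed by the Tanium root key, not a public CA, so normal chain
        # validation cannot succeed. Accept in the callback and pin by thumbprint instead.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($Server)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result = [pscustomobject]@{
            Server = $Server; Port = $Port; Handshake = $true
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            Subject  = $remote.Subject; NotAfter = $remote.NotAfter; Thumbprint = $remote.Thumbprint
            MatchesExpected = $null; Error = $null
        }
        if ($ExpectedCertPath) {
            $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ExpectedCertPath)
            $result.MatchesExpected = ($expected.Thumbprint -eq $remote.Thumbprint)
        }
        return $result
    }
    catch {
        # A failed handshake here is exactly what ReportingTLSMode=1 turns into a failed connection.
        return [pscustomobject]@{ Server = $Server; Port = $Port; Handshake = $false
                                  Error = $_.Exception.Message }
    }
    finally { $tcp.Close() }
}

function Set-TaniumServerTlsSetting {
    # Writes one Table 8 value under the component's registry key. RequireIncomingEncryption=1
    # locks out every client that does not speak TLS, so it needs an explicit assertion that
    # the Client Status check (Using TLS column) has been done.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Tanium Server', 'Tanium ZoneServer')][string]$Component = 'Tanium Server',
        [Parameter(Mandatory)][ValidateSet('ReportingTLSMode', 'RequireIncomingEncryption')][string]$Name,
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$Value,
        [switch]$AllClientsUseTls
    )
    if ($Name -eq 'RequireIncomingEncryption') {
        if ($Value -eq 2) { throw 'RequireIncomingEncryption accepts only 0 or 1' }
        if ($Value -eq 1 -and -not $AllClientsUseTls) {
            throw 'Refusing RequireIncomingEncryption=1: confirm every client shows Using TLS in Client Status, then pass -AllClientsUseTls'
        }
    }
    $reg = "HKLM:\SOFTWARE\Wow6432Node\Tanium\$Component"
    $old = (Get-ItemProperty -Path $reg -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($PSCmdlet.ShouldProcess("$reg\$Name", "change $old -> $Value")) {
        Set-ItemProperty -Path $reg -Name $Name -Value $Value -Type DWord
    }
}

# Staged rollout: optional first, prove the handshake and the served certificate, then require.
Set-TaniumServerTlsSetting -Name ReportingTLSMode -Value 2
$probe = Test-TaniumTlsListener -Server 'ts1.example.com' `
    -ExpectedCertPath 'C:\Program Files\Tanium\Tanium Server\reporting.crt'
$probe | Format-List
if ($probe.Handshake -and $probe.MatchesExpected) {
    Set-TaniumServerTlsSetting -Name ReportingTLSMode -Value 1
} else {
    Write-Warning 'Leaving ReportingTLSMode at 2 until the TLS listener serves the expected certificate'
}
```

Both functions honour -WhatIf through ShouldProcess, so the rollout can be rehearsed. The probe only proves that one listener negotiates TLS and serves the expected certificate; whether every deployed client can do so is still answered by the Using TLS column, which is why the incoming-encryption guard asks for that confirmation rather than inferring it.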
Update the TLS configuration when you make changes to the key pair
The process for updating the TLS configuration when you make changes to the Tanium root keys depends on the Tanium Core Platform version:
• Version 7.4 or later: When you add or revoke Tanium root keys, the Tanium Server automatically propagates the changes to all subordinate keys on the platform servers and Tanium Clients (see Tanium Console User Guide: Managing Tanium keys).
• Version 7.3 or earlier: You use the Tanium Server private key (tanium.pvk) to sign the TLS reporting certificate (reporting.crt). Therefore, if you update the Tanium Server public-private key pair, you must regenerate the reporting.crt and reporting.pvk files used in the TLS implementation.
Tanium Core Platform settings
You configure the host system settings of most Tanium Core Platform servers during installation. When troubleshooting an issue,
Tanium Support might ask you to review or confirm these settings, but rarely asks you to change them. If Support does ask you to
change settings, you can change many of them through the Tanium Console in Tanium Core Platform 7.4 or later (see Tanium
Console User Guide: Managing platform settings). The following sections describe how to configure the settings through means
other than the console.
You can contact Tanium Support at [email protected].
Tanium Appliance
The following table lists the configuration database locations for settings that you configure when installing Tanium Core Platform servers. You can use TanOS menus to add, delete, or modify settings with guidance from Tanium Support ([email protected]).

Tanium Server: /opt/Tanium/TaniumServer/server.db
Module Server: /opt/Tanium/TaniumModuleServer/server.db
Zone Server: /opt/Tanium/TaniumZoneServer/zoneserver.db
TDownloader: /opt/Tanium/TaniumServer/tdownloader.db and /opt/Tanium/TaniumModuleServer/tdownloader.db
Table 10: Configuration database locations for Tanium Core Platform server settings
Edit server settings
1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 2 to go to the Configuration Settings menu.
4. Use the menu to view and edit settings for Tanium Core Platform servers.
Tanium Server

AddressMask
  Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain. Do not change this setting unless Tanium Support instructs you to do so.

AllowedHubs
  The Zone Server Hub that is allowed to connect to this Tanium Server. The Zone Server Hub is collocated on the Tanium Server appliance, so this setting has the value 127.0.0.1.

AuthPluginTimeoutSeconds
  The default is 60.

AuthenticationPlugin
  String that specifies the Pluggable Authentication Module (PAM).

ConsoleSettingsJSON
  Path to the Tanium Console settings file.

LogPath
  The location for Tanium Server logs. The default is /opt/Tanium/TaniumServer/Logs.

LogVerbosityLevel
  Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • 91 or higher: Most detailed log level. Enable for short periods of time only.

ModuleServer
  Module Server IP address.

ModuleServerPort
  Module Server port. The default is 17477.

PKIDatabasePassword
  You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys.

ReportingTLSCertPath
  Setting for inbound connections. Path to the TLS certificate that was created upon installation. This certificate is used in TLS connections initiated by the Tanium Client, the Tanium Zone Server Hub, or the Tanium Zone Server.

ReportingTLSKeyPath
  Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.

ReportingTLSMode
  Configures TLS for outgoing connections that the Tanium Server initiates. The possible values are:
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)
  Tanium Server appliances use an IPsec tunnel instead of TLS to secure Tanium database and appliance LDAP synchronization traffic. The servers use TLS to secure all other communication between them.

RequireIncomingEncryption
  Setting for inbound connections. Implicitly set to 0 by default. To set a different value, you must add the setting.
  • 0 (TLS not required)
  • 1 (TLS required)
  Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure that all deployed Tanium Clients are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2) and you are ready to deploy the Tanium Client to new endpoints with TLS configured prior to initial registration.

ServerPort
  Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change Tanium Port menu.

ServerSOAPPort
  Tanium Console and SOAP API port. The default is 8443. Port 443 redirects to 8443.

SQLConnectionString
  Database server connection information. The following are examples:
  • MSSQL: SQL1\SQLEXPRESS@tanium
  • PostgreSQL: postgres:localhost@dbname=postgres port=5432
  • TanOS: postgres:<TanOS_IP_Address>@user=postgres dbname=tanium
  For PostgreSQL, see the PostgreSQL documentation for the supported keywords, such as dbname, port, and user. If you change this setting, you must restart the Tanium Server.

SSLCipherSuite
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

SSLHonorCipherOrder
  The default is 1.

TrustedCertPath
  Path to the certificate file used for secure connections to the Tanium Console port.

Version
  Tanium Server version number.
Table 11: Tanium Server settings
Tanium Server TDownloader

BypassCRLCheckHostList
  Servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

BypassProxyHostList
  Must be set to a comma-separated list of FQDNs or IP addresses that specifies all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values; Tanium Core Platform 7.0.314.6242 and later also supports wildcards.
  Recent releases automatically bypass the proxy server for these host addresses:
  • 7.0.314.6573 and later: 127.0.0.1 and localhost.
  • 7.1.314.3204 and later: 127.0.0.1 and localhost.
  • 7.2.314.3181 and later: the Tanium Server, 127.0.0.1, and localhost.
  • 7.3.314.2866 and later: the Tanium Server, 127.0.0.1, and localhost.

LogVerbosityLevel
  Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • 91 or higher: Most detailed log level. Enable for short periods of time only.

ProxyServer
  IP address of the proxy server. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and set the TDownloader setting ForceIPV6 to 1.

ProxyPort
  Proxy server listening port.

ProxyType
  The options are Basic, NTLM, or None.

ProxyUserid
  For a proxy server that requires authentication, the user ID used to establish the connection with the proxy server.

ProxyPassword
  For a proxy server that requires authentication, the password of the ProxyUserid user, used to establish the connection with the proxy server.

TrustedCertPath
  Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.

TrustedHostList
  By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later supports wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). In an active-active deployment, you do not need to add the Tanium Servers to the list: the servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost. Contact Tanium Support before modifying this setting.

ForceIPV6
  Add this setting manually if you need it, but only with guidance from Tanium Support ([email protected]). In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.
Table 12: Tanium Server TDownloader (TDL) settings
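The host-list settings above (BypassProxyHostList, TrustedHostList, BypassCRLCheckHostList) share a small set of formatting rules that are easy to get wrong by hand: comma-separated FQDNs or IP addresses, IPv6 addresses in square brackets, wildcards only from 7.0.314.6242 onward, and for BypassProxyHostList a set of entries that must be present. The following validator is an added PowerShell example, not Tanium code; the host names in the sample value are constructed, and the required-entry list is whatever the caller passes in, since the page names the categories (all Tanium Servers, the Module Server, 127.0.0.1, localhost) but the actual server names are deployment specific.

```powershell
# Added example, not Tanium's code. Checks one TDownloader host-list value against the rules
# in Tables 12 and 14. Sample host names are constructed.
function Test-TaniumHostList {
    param(
        [Parameter(Mandatory)][string]$List,
        # Entries that must appear. For BypassProxyHostList the page requires every Tanium
        # Server, the Module Server, 127.0.0.1 and localhost; pass the server names in too.
        [string[]]$Required = @('127.0.0.1', 'localhost')
    )
    $entries  = @($List -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $problems = @()
    foreach ($entry in $entries) {
        $bracketed = $entry -match '^\[(.+)\]$'
        $bare = if ($bracketed) { $Matches[1] } else { $entry }
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($bare, [ref]$ip)) {
            $isV6 = $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6
            if ($isV6 -and -not $bracketed) {
                $problems += "IPv6 address '$entry' must be written in square brackets: [$bare]"
            } elseif (-not $isV6 -and $bracketed) {
                $problems += "IPv4 address '$entry' must not be bracketed"
            }
        } elseif ($bracketed) {
            $problems += "'$entry' is bracketed but is not an IPv6 address"
        } elseif ($entry -match '[*?]') {
            # Wildcards are only honoured on Tanium Core Platform 7.0.314.6242 and later.
            $problems += "wildcard entry '$entry' requires Tanium Core Platform 7.0.314.6242 or later"
        } elseif ($entry -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
            $problems += "'$entry' is neither an FQDN nor an IP address"
        }
    }
    foreach ($needed in $Required) {
        if ($entries -notcontains $needed) { $problems += "required entry '$needed' is missing" }
    }
    [pscustomobject]@{ Entries = $entries; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

# Constructed sample with two mistakes: an unbracketed IPv6 address and a missing Module Server.
$sample = 'ts1.example.com, ts2.example.com,localhost,127.0.0.1,2001:db8::1'
$check  = Test-TaniumHostList -List $sample `
    -Required '127.0.0.1', 'localhost', 'ts1.example.com', 'ts2.example.com', 'ms1.example.com'
$check.Problems | ForEach-Object { Write-Warning $_ }
if ($check.Ok) { Write-Host 'Host list is well-formed' }
```

Run it against the value read from the TDownloader registry location or server.db before saving a change; the same function applies to the Module Server TDownloader settings in Table 14, which use identical formatting rules.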
Tanium Module Server

LogVerbosityLevel
  Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • 91 or higher: Most detailed log level. Enable for short periods of time only.

ServerPort
  Module Server port. The default is 17477.

Version
  Tanium Module Server version number.
Table 13: Module Server settings
Module Server TDownloader

BypassCRLCheckHostList
  Servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

BypassProxyHostList
  Must be set to a comma-separated list of FQDNs or IP addresses that specifies all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values; Tanium Core Platform 7.0.314.6242 and later also supports wildcards.
  Recent releases automatically bypass the proxy server for these host addresses:
  • 7.0.314.6573 and later: 127.0.0.1 and localhost.
  • 7.1.314.3204 and later: 127.0.0.1 and localhost.
  • 7.2.314.3181 and later: the Tanium Server, 127.0.0.1, and localhost.
  • 7.3.314.2866 and later: the Tanium Server, 127.0.0.1, and localhost.

LogVerbosityLevel
  Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • 91 or higher: Most detailed log level. Enable for short periods of time only.

ProxyServer
  IP address of the proxy server. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and set the TDownloader setting ForceIPV6 to 1.

ProxyPort
  Proxy server listening port.

ProxyType
  The options are Basic, NTLM, or None.

ProxyUserid
  For a proxy server that requires authentication, the user ID used to establish the connection with the proxy server.

ProxyPassword
  For a proxy server that requires authentication, the password of the ProxyUserid user, used to establish the connection with the proxy server.

TrustedCertPath
  Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.

TrustedHostList
  By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading module software updates). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later supports wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Contact Tanium Support before modifying this setting.

ForceIPV6
  Add this setting manually if you need it, but only with guidance from Tanium Support ([email protected]). In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.
Table 14: Module Server TDownloader settings
Tanium Zone Server

AllowedHubs
  Enter a comma-separated list of IP addresses of Zone Server Hubs that are authorized to communicate with this Zone Server.

EnforceAllowedHubs
  Set the value to 1.

HubPriorityList
  Applies only to Tanium Core Platform 7.4 or later. Specifies the FQDN or IP address of the preferred Zone Server Hub for sending Tanium Client content (such as sensor definitions, configuration information, and action package files) to the Zone Server. As long as that hub is available, the Zone Server does not receive content from any other hub. If the preferred hub goes down, the Zone Server fails over to receiving content from any other available hub.

LogVerbosityLevel
  Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • 91 or higher: Most detailed log level. Enable for short periods of time only.

ReportingTLSCertPath
  Setting for inbound connections. Path to the TLS certificate. This certificate is used in TLS connections that the Tanium Client initiates.

ReportingTLSKeyPath
  Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.

ReportingTLSMode
  Configures TLS for outgoing connections that the server initiates. On a Zone Server Hub, you configure this option to enable TLS for the Zone Server Hub to Zone Server segment. Automatically set to 2 when you complete the Zone Server TLS setup.
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

RequireIncomingEncryption
  Setting for inbound connections. Automatically set to 0 when you complete the Zone Server TLS setup.
  • 0 (TLS not required)
  • 1 (TLS required)
  Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure that all deployed Tanium Clients are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2) and you are ready to deploy the Tanium Client to new endpoints with TLS configured prior to initial registration.

ServerName
  This setting is deprecated. Do not specify a value.

ServerPort
  Tanium Server port. The default is 17472.

Version
  Tanium Zone Server version number.

ZoneHubFlag
  0 if this server is not the hub; 1 if it is the hub.
Table 15: Zone Server settings
Windows
The following table lists the Windows Registry locations for settings that you configure when installing Tanium Core Platform servers. To view or edit the settings, use the Command-line interface on page 161.

Tanium Server: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Module Server: HKLM\Software\Wow6432Node\Tanium\Tanium Module Server
Zone Server or Zone Server Hub: HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
TDownloader: HKLM\Software\Wow6432Node\Tanium\Downloader
Table 16: Windows registry locations
Tanium Server
Table 17: Tanium Server settings

AddressMask (REG_DWORD)
  Hexadecimal value of a subnet CIDR that delineates the IPv4 clients that belong to a linear chain. Do not change this registry value unless Tanium Support instructs you to do so.

AddressPrefixIPv6 (REG_DWORD)
  IPv6 prefix, represented as a decimal number between 0 and 128 inclusive, that delineates the clients belonging to a linear chain. The default 0 specifies no peering. Contact Tanium Support at [email protected] to determine the optimum value for peering in IPv6 networks. Tanium Core Platform 7.3 and later.

AllowedHubs (REG_SZ)
  Comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Note that you can configure the AllowLocalHubs key as an exception to the AllowedHubs list.

AllowLocalHubs (REG_DWORD)
  By default, this key is not present in the registry but has an effective value of 1, which enables any local Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting. Add this registry key manually if you need it, but only with guidance from Tanium Support. Setting the value to 0 allows local Zone Server Hubs to communicate with the Tanium Server only if they are listed in AllowedHubs.

BypassCRLCheckHostList (REG_SZ)
  Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

BypassProxyHostList (REG_SZ)
  Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster. A proxy server can also cause problems with other traffic to a destination Tanium Server: for example, a package configuration can specify file URIs that are local to the Tanium Server to download content, and the download fails unless the proxy server is bypassed for those URIs.
  Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]). In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example:
  ts1.example.com,ts2.example.com,localhost,127.0.0.1,[::1],10.10.10.11,10.10.10.15
  Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

ConsoleSettingsJSON (REG_SZ)
  Path to the console settings file.

DBUserDomain (REG_SZ)
  The domain for the service account that connects to the database server. Specified when you completed the installation wizard.

DBUserName (REG_SZ)
  User name for the service account that connects to the database server. Specified when you completed the installation wizard.

EnforceAllowedHubs (REG_DWORD)
  The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting.

LogPath (REG_SZ)
  Path to Tanium Server logs.

LogVerbosityLevel (REG_DWORD)
  Specify one of the following decimal values for the logging level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.

ModuleServer (REG_SZ)
  FQDN of the Module Server.

ModuleServerPort (REG_DWORD)
  Module Server port. The default is 17477.

Path (REG_SZ)
  Installation path.

PGDLLPath (REG_SZ)
  Path to the PostgreSQL Server libraries.

PGRoot (REG_SZ)
  Path to the Postgres installation directory.

PKIDatabasePassword (REG_SZ)
  You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys.

ProxyPassword (REG_SZ)
  For a basic proxy server that requires authentication, the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

ProxyPort (REG_SZ)
  Proxy server listening port.

ProxyType (REG_SZ)
  Basic or NTLM.

ProxyServer (REG_SZ)
  IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, add a ForceIPV6 key set to 1 under the Tanium Downloader registry location.

ProxyUserid (REG_SZ)
  For a basic proxy server that requires authentication, the account user name used when establishing a connection with the proxy server. The value is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

PythonPath (REG_SZ)
  Deprecated setting that is no longer used.

ServerName (REG_SZ)
  The network adapter binding that the Tanium Server uses to listen for IPv4 client registrations. The default value 0.0.0.0 indicates binding to all network adapters. Do not change this registry value unless Tanium Support instructs you to do so.

ServerNameIPv6 (REG_SZ)
  Add this registry key manually if you need it, but only with guidance from Tanium Support. By default, the key is not present and the effective value is [::], which means the Tanium Server binds to all network adapters to listen for IPv6 client registrations. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).

ServerPort (REG_DWORD)
  Tanium Server port. The server listens for Tanium Clients on this port. Specified when you completed the installation wizard. The default is 17472.

ServerSOAPPort (REG_DWORD)
  Tanium Console and SOAP API port. Specified when you complete the installation wizard. The default is 443.

SQLConnectionString (REG_SZ)
  Database server connection information. The following are examples:
l MSSQL: SQL1\SQLEXPRESS@tanium
l PostgreSQL: postgres:localhost@dbname=postgres
port=5432
l TanOS: postgres:<TanOS_IP_Address>@user=postgres
dbname=tanium
For PostgreSQL, see the PostgreSQL documentation for the supported
keywords, such as dbname, port, and user.
If you change this setting, you must restart the Tanium
Server: see Tanium Console User Guide: Manage the
Tanium Server service.
TrustedCertPath REG_SZ Path to the certificate file used for secure connections to the Tanium Console
port. The certificate is selected when you completed the installation wizard.
Table 17: Tanium Server settings (continued)
© 2021 Tanium Inc. All Rights Reserved Page 134
Name Windows Registry Type Data
TrustedHostList REG_SZ By default, the Tanium Server validates the SSL/TLS certificate of remote
servers when establishing connections to them (such as for downloading
files). To bypass certificate validation for specific servers, enter their FQDN or
IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards.
You must enter IPv6 addresses within square brackets (for example,
[2001:db8::1]).
In an active-active deployment, you do not need to add the Tanium Servers to
the list. The servers automatically trust each other, as well as traffic from
127.0.0.1 or localhost.
Contact Tanium Support before modifying this setting.
Version REG_SZ Tanium Server version number.
Table 17: Tanium Server settings (continued)
Tanium Module Server
LogVerbosityLevel (REG_DWORD)
    Specify one of the following decimal values for the log verbosity level:
    • 0: Logging disabled.
    • 1: Log level during normal operation.
    • 41: Best practice log level during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.
Path (REG_SZ)
    Installation path.
PythonPath (REG_SZ)
    Deprecated setting that is no longer used.
ServerName (REG_SZ)
    The network adapter binding that the Tanium Module Server uses to listen for IPv4 connections. The default value 0.0.0.0 indicates binding to all network adapters.
ServerNameIPv6 (REG_SZ)
    Tanium Core Platform 7.3 and later. You must add this registry key manually if you need it, but only with guidance from Tanium Support. By default, the key is hidden and has a value of [::], which indicates that the Tanium Module Server binds to all network adapters to listen for IPv6 connections. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).
ServerPort (REG_DWORD)
    Tanium Module Server port. The default is 17477.
Version (REG_SZ)
    Tanium Module Server version number.
Table 18: Module Server settings
The Module Server host computer has a registry entry for the Tanium Server:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server
The settings in this registry entry are for the proxy server configuration.
BypassCRLCheckHostList (REG_SZ)
    Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList (REG_SZ)
    Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.
    A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail.
    Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]). In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example:
    ts1.example.com, ts2.example.com,localhost,127.0.0.1,[::1],10.10.10.11,10.10.10.15
    Specify literal values. Tanium Core Platform 7.0.314.6242 and later support wildcards.
ProxyPassword (REG_SZ)
    For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
ProxyPort (REG_SZ)
    Proxy server listening port.
ProxyType (REG_SZ)
    Basic or NTLM.
ProxyServer (REG_SZ)
    IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1.
ProxyUserid (REG_SZ)
    For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
TrustedHostList (REG_SZ)
    By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading module software updates). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    Contact Tanium Support before modifying this setting.
Table 19: Proxy server settings on the Module Server
TDownloader
The Tanium Downloader (TDownloader) entry is used for log verbosity level and IPv6 support.
LogVerbosityLevel (REG_DWORD)
    Specify one of the following decimal values for the log verbosity level:
    • 0: Logging disabled.
    • 1: Log level during normal operation.
    • 41: Best practice log level during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.
ForceIPV6 (REG_DWORD)
    Tanium Core Platform 7.3 and later. Add this registry key manually if you need it, but only with guidance from Tanium Support. In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 key and set its value to 1.
Table 20: TDownloader settings
Zone Server
AllowedHubs (REG_SZ)
    Enter a comma-separated list of Zone Server Hubs that are authorized to communicate with this Zone Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
EnableFileCache (REG_SZ)
    This setting applies only to Tanium Core Platform 7.4 or later. If you installed the Zone Server Hub on a dedicated host instead of on the Tanium Server, set the value to 1 to enable the hub to cache package files for actions and files requested through the Tanium Client API. The hub provides these resources to the Zone Server without having to re-request them from the Tanium Server. To limit the cache size, set the hub_hot_cache_limit_in_MB.
    In Tanium Core Platform 7.4 or later, the hub cache is disabled by default (value is 0) because the hub is typically installed on the Tanium Server, which has its own cache.
EnforceAllowedHubs (REG_DWORD)
    The default value 1 specifies that the Zone Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Zone Server. The value 0 enables any Zone Server Hub to communicate with the Zone Server regardless of the AllowedHubs setting.
hub_hot_cache_limit_in_MB
    This setting applies only if the Zone Server Hub is installed on a dedicated host instead of on the Tanium Server. The hub uses its cache to forward Tanium Client content to the Zone Server without having to re-request the content from the Tanium Server. The content includes package files for actions and files requested through the Tanium Client API. Use the hub_hot_cache_limit_in_MB setting to limit the cache size. As a best practice, set the limit to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the hub is installed.
    In Tanium Core Platform 7.4 or later, the hub cache is disabled by default and therefore uses no disk space. If you enable the cache by setting the EnableFileCache value to 1, the default hub_hot_cache_limit_in_MB value is 0 (20% disk space). Do not enable the hub cache if the hub is installed on the Tanium Server, which uses its own cache.
HubPriorityList (REG_SZ)
    This setting applies only to Tanium Core Platform 7.4 or later. The setting specifies the FQDN or IP address of the preferred Zone Server Hub for sending Tanium Client content (such as sensor definitions, configuration information, and action package files) to the Zone Server. As long as that hub is available, the Zone Server does not receive content from any other hub. If the preferred hub goes down, the Zone Server fails over to receiving content from any other available hub. Typically you use this setting for active-active deployments that have pairs of Zone Servers and hubs, where each hub connects to each Zone Server. In active-active deployments, adding the HubPriorityList is a best practice to ensure that each Zone Server receives content from its closest hub. Configuring this setting also optimizes hub usage by ensuring that each hub serves one Zone Server instead of one hub servicing both servers.
LogPath (REG_SZ)
    Path to Tanium Zone Server logs.
LogVerbosityLevel (REG_DWORD)
    Specify one of the following decimal values for the log verbosity level:
    • 0: Logging disabled.
    • 1: Log level during normal operation.
    • 41: Best practice log level during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.
Path (REG_SZ)
    Installation path.
ServerName (REG_SZ)
    This setting is deprecated. Do not specify a value.
ServerPort (REG_DWORD)
    Tanium Server Port. Specified when you completed the installation wizard. The default is 17472.
ServiceUserDomain (REG_SZ)
    The Zone Server Windows service runs in the context of a service account. This entry contains the domain specified during installation.
ServiceUserName (REG_SZ)
    The Zone Server Windows service runs in the context of a service account. This entry contains the user name specified during installation.
Version (REG_SZ)
    Tanium Zone Server version number.
ZoneHubFlag (REG_DWORD)
    The value indicates whether this Zone Server instance is (1) or is not (0) a Zone Server Hub.
zs_hot_cache_limit_in_MB
    The Zone Server caches content that it provides to Tanium Clients without having to re-request the content from the Tanium Server. The content includes package files for actions and files requested through the Tanium Client API. Use the zs_hot_cache_limit_in_MB setting to limit the cache size.
    Set the limit to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the Zone Server is installed.
Table 21: Zone Server settings
Proxy server settings
Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server connects to the Internet to download content updates from Tanium and to download necessary files from other trusted suppliers. The Tanium Module Server connects to the Internet to download module software updates from Tanium. Individual Tanium modules might also have requirements to access the Internet.
The Tanium Server and Module Server use the Tanium Downloader (TDownloader) utility to securely download files. To configure
access through proxies, configure TDownloader settings on both servers.
To configure Tanium Client 7.4 or later to connect through a Hypertext Transfer Protocol Secure (HTTPS) proxy server to the Tanium
Server or Tanium Zone Server, see Tanium Client Management User Guide: Connect through an HTTPS proxy server.
For a list of sites that Tanium Core Platform servers access, see Internet URLs required on page 89.
A destination server might have its own requirements, such as certificate authentication or user authentication. For
information about configuring advanced options for these requirements, see Tanium Support KB: TDownloader.
Figure 6: Tanium deployment with proxy server
Types of proxy servers
The Tanium Core Platform supports two types of proxies:
• Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or fully qualified domain names of the Tanium Server and Module Server to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.
• NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.
TDownloader user context
For Tanium™ Appliance deployments, TDownloader runs in the context of the tanium service account user.
For Tanium deployments on customer-provided Windows infrastructure, TDownloader runs in the context of the Tanium Server service account user that was specified during installation.
Configure proxy settings with the Tanium Console
In most cases, use the Tanium Console to configure proxy settings unless you must configure the settings before you can access the console. See the Tanium Console User Guide: Configuring proxy server settings.
Tanium Appliance: Configure proxy settings
In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.
The proxy server configuration is stored in configuration files on the Tanium Server. Active-active Tanium Servers do not automatically synchronize the configuration files. If you change these settings in active-active deployments, be sure to perform the procedure on both Tanium Servers in the cluster.
1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 2 to go to the Configuration Settings menu.
4. Enter 2 to go to the Tanium Server TDL Settings menu or enter 5 to go to the Module Server TDL Settings menu.
5. Use the menu to edit proxy server settings.
BypassCRLCheckHostList
    Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList
    Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later support wildcards.
    Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:
    7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.
    7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.
    7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
    7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
LogVerbosityLevel
    Specify one of the following decimal values for the log verbosity level:
    • 0: Logging disabled.
    • 1: Normal log level.
    • 41: Recommended during troubleshooting.
    • >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer
    IP address of the proxy server.
    By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort
    Proxy server listening port.
ProxyType
    The options are Basic, NTLM, or None.
ProxyUserid
    For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword
    For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the connection with the proxy server.
TrustedCertPath
    Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.
TrustedHostList
    By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost.
    Contact Tanium Support before modifying this setting.
ForceIPV6
    Add this setting manually if you need it, but only with guidance from Tanium Support. In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.
Table 22: Tanium Server TDownloader (TDL) settings
Windows: Configure proxy settings
In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.
The proxy server configuration is stored in configuration files on the Tanium Server. Tanium Servers do not automatically synchronize the configuration files among active-active peers. If you change these settings in active-active deployments, be sure to perform the procedure on both Tanium Servers.
The Windows Registry entry for proxy server settings is found in the following location on both the Tanium Server host and the Tanium Module Server host:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server
BypassCRLCheckHostList (REG_SZ)
    Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList (REG_SZ)
    Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later support wildcards.
    Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:
    7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.
    7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.
    7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
    7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
ProxyServer (REG_SZ)
    IP address of the proxy server.
    Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort (REG_SZ)
    Proxy server listening port.
ProxyType (REG_SZ)
    The options are Basic, NTLM, or None.
ProxyUserid (REG_SZ)
    For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword (REG_SZ)
    The corresponding password.
TrustedHostList (REG_SZ)
    By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost.
    Contact Tanium Support before modifying this setting.
Table 23: TDownloader settings
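The three host lists above (BypassCRLCheckHostList, BypassProxyHostList, TrustedHostList) share one value format: comma-separated FQDNs or IP addresses, IPv6 literals in square brackets, wildcards only on 7.0.314.6242 and later. The following Python script is an added example, not Tanium code, that checks a value against those rules before you write it to the registry or the TanOS TDL settings, and reports which of the BypassProxyHostList entries the guide calls typical (localhost, 127.0.0.1, [::1], each Tanium Server) are missing. The hostname label check and the sample lists are the example's own assumptions.

```python
"""
Check a TDownloader host-list value (BypassProxyHostList, TrustedHostList,
BypassCRLCheckHostList) against the format rules in the Tanium guide.

Added example, not Tanium code. Rules applied: comma-separated entries, each
an FQDN or IP address; IPv6 addresses must be in square brackets; wildcards
only on Tanium Core Platform 7.0.314.6242 and later.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# RFC 1123 style hostname label; assumption of this example, not a Tanium rule.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_entry(entry: str, wildcards_supported: bool = True) -> Tuple[str, str]:
    """Return (kind, message); kind is ipv4, ipv6, fqdn, wildcard or error."""
    if not entry:
        return "error", "empty entry (check for a stray comma)"
    if entry.startswith("[") and entry.endswith("]"):
        try:
            ipaddress.IPv6Address(entry[1:-1])
            return "ipv6", "ok"
        except ValueError:
            return "error", f"{entry}: not a valid bracketed IPv6 address"
    if ":" in entry:
        # The mistake the guide warns about: an IPv6 literal without brackets.
        return "error", f"{entry}: IPv6 addresses must be written in square brackets"
    try:
        ipaddress.IPv4Address(entry)
        return "ipv4", "ok"
    except ValueError:
        pass
    if "*" in entry:
        if not wildcards_supported:
            return "error", f"{entry}: wildcards need Tanium Core Platform 7.0.314.6242 or later"
        return "wildcard", "ok"
    if all(_LABEL.match(label) for label in entry.split(".")):
        return "fqdn", "ok"
    return "error", f"{entry}: not an FQDN or IP address"


def parse_host_list(value: str, wildcards_supported: bool = True) -> Dict[str, List[str]]:
    """Split a comma-separated host list and group entries by kind.

    Whitespace around entries is tolerated, as in the guide's own example
    'ts1.example.com, ts2.example.com,localhost,...'. Errors are collected
    as messages under the 'error' key.
    """
    result: Dict[str, List[str]] = {k: [] for k in ("ipv4", "ipv6", "fqdn", "wildcard", "error")}
    for raw in value.split(","):
        entry = raw.strip()
        kind, message = classify_entry(entry, wildcards_supported)
        result[kind].append(entry if kind != "error" else message)
    return result


def missing_bypass_entries(value: str, tanium_servers: List[str]) -> List[str]:
    """Entries the guide lists for a typical BypassProxyHostList that value lacks."""
    present = {raw.strip().lower() for raw in value.split(",")}
    required = ["localhost", "127.0.0.1", "[::1]"] + [s.lower() for s in tanium_servers]
    return [r for r in required if r not in present]


if __name__ == "__main__":
    # Constructed values: the first is the guide's own example list; the second
    # has an unbracketed IPv6 address and no loopback entries.
    good = "ts1.example.com, ts2.example.com,localhost,127.0.0.1,[::1],10.10.10.11,10.10.10.15"
    bad = "ts1.example.com,2001:db8::1,10.10.10.11"
    print(parse_host_list(good))
    print(parse_host_list(bad)["error"])
    print(missing_bypass_entries(bad, ["ts1.example.com", "ts2.example.com"]))
```

Run it with `wildcards_supported=False` when auditing a server older than 7.0.314.6242, since a wildcard entry on such a server is silently a literal that matches nothing.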
By default, TDownloader resolves a proxy server hostname as an IPv4 address. Tanium Core Platform 7.3 and later support IPv6. If
necessary, you can override the default by adding a setting to the TDownloader registry in the following location:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Downloader
LogVerbosityLevel (REG_DWORD)
    Specify one of the following decimal values for the log verbosity level:
    • 0: Logging disabled.
    • 1: Log level during normal operation.
    • 41: Best practice log level during troubleshooting.
    • 91 or higher: Enable the most detailed log levels for short periods of time only.
ForceIPV6 (REG_DWORD)
    Add this registry key manually if you need it, but first contact Tanium Support for guidance. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, add the ForceIPV6 key and set its value to 1.
Table 24: TDownloader Registry Key setting
Smart card authentication
The Tanium™ Console supports smart card authentication. A smart card is a physical credential that has a microchip and data, such as secure certificates and keys. Smart cards are also known as common access cards (CAC) and personal identity verification (PIV) cards. Endpoint systems are set up with smart card readers, and end users use their smart card to authenticate and gain access.
Deployment requirements
When smart card authentication is enabled, the Tanium Server and Tanium Module Server must reside on separate hosts. All authentication to the Tanium Console requires smart cards unless the authentication request is from one of the following sources:
• The system hosting the Tanium Server through the local loopback address (127.0.0.1 for IPv4 or [::1] for IPv6).
• The Module Server connection to the Tanium Server.
Consequently, any additional integrations that you want to automate must reside on one of the two hosts. The following are some examples:
• SSRS plugin
• Microsoft Excel plugin (unless using the version that supports smart card authentication)
• Tanium™ Connect for Lightweight Directory Access Protocol (LDAP) synchronization
• PyTan
• Third-party security operations center (SOC) websites that query Tanium for data
An air gap deployment with smart card authentication has additional caveats:
• Links to content that is hosted on the Tanium Server must use the local loopback address. This is because the TDownloader service that downloads content to the Tanium Server cannot present a certificate.
• Links to Tanium module or shared service imports use both the local loopback address (for the workbench) and the Tanium Module Server fully qualified domain name (FQDN) for the portion of the solution installed on the Module Server.
Create a certificate
Smart card authentication for Tanium Console access depends on the public key infrastructure (PKI) of your organization. You can get started if you have a client certificate that is signed by the root certificate authority (CA) certificate for the domain where the Tanium Server is deployed. Make sure the certificate has the Proves your identity to a remote computer attribute.
Figure 7: Proves your identity to a remote computer
Perform the following procedures to create a new certificate file from certificates that you extract from the client certificate. Usually,
you need to extract only the root certificate. If this does not work, you might also need to add intermediate certificates to the
certificate chain.
Extract the certificates
1. Get a copy of a client certificate file that is signed by the root CA certificate for the domain. See Figure 7.
2. On a Windows endpoint, double-click the certificate file to open it in the Windows Certificate Snap-In.
3. On the Certification Path tab, select the root certificate. In this example, DigiCert is the root certificate.
4. Go to the Details tab and click Copy to File to display the Certificate Export Wizard.
5. Select Base-64 encoded X.509 (.CER).
6. Select a folder and specify a file name such as example1.cer.
7. Review the settings and click Finish to save the certificate.
8. If your deployment has intermediate CA certificates, repeat these steps to extract them. Go to the Certification Path tab and select the next certificate in the chain. In the following example, DigiCert SHA2 High Assurance Server CA is the next certificate. Export this certificate with a name such as example2.cer.
Create a new certificate file
1. Create a file named cac.pem.
2. Copy and paste the contents of each certificate in the chain into the file.
   • Each section of the certificate file must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
   • There must be only one carriage return between each certificate in the chain.
   • There must be no extra white spaces or carriage returns at the beginning or end of the file.
   • The preceding example shows the root certificate last, which is a convention that Tanium Support uses.
3. Save the file.
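As an added example (not from the guide or from Tanium), the following Python script assembles cac.pem from the Base-64 .cer files exported in the previous procedure and checks the file rules just listed: every block delimited by the BEGIN/END markers, exactly one line break between certificates, and no leading or trailing whitespace. The certificate bodies in the sample constants are constructed placeholders, not real certificates; pass your own files in the order you want them, root last per the convention above.

```python
"""
Build and check a cac.pem certificate chain file per the rules in the guide.

Added example, not Tanium code. Each input is the text of one Base-64 (.cer)
export; CRLF line endings and surrounding blank lines are normalized away,
and the blocks are joined with exactly one line break.
"""
import re
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(rf"{BEGIN}\r?\n([A-Za-z0-9+/=\r\n]+?)\r?\n{END}")

# Constructed sample exports (placeholder bodies, NOT real certificates). The
# intermediate has a leading blank line and trailing blank lines; the root uses
# CRLF line endings, as a file saved on Windows typically does.
SAMPLE_INTERMEDIATE = f"\n{BEGIN}\nMIIBinterDUMMY\n{END}\n\n"
SAMPLE_ROOT = f"{BEGIN}\r\nMIIBrootDUMMY\r\nQUJD\r\n{END}\r\n"


def normalize_pem(text: str) -> str:
    """Return the single certificate in text with LF endings and no padding."""
    blocks = _PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "\n".join(line.strip() for line in blocks[0].splitlines() if line.strip())
    return f"{BEGIN}\n{body}\n{END}"


def build_chain_pem(cert_texts: List[str]) -> str:
    """Join normalized certificates with one line break between them, in the order given."""
    if not cert_texts:
        raise ValueError("no certificates supplied")
    return "\n".join(normalize_pem(t) for t in cert_texts)


def check_chain_pem(text: str) -> List[str]:
    """Check the guide's file rules; return a list of problems (empty when the file is fine)."""
    problems: List[str] = []
    if text != text.strip():
        problems.append("leading or trailing whitespace or line breaks")
    if not text.startswith(BEGIN):
        problems.append(f"file must start with {BEGIN}")
    if not text.rstrip().endswith(END):
        problems.append(f"file must end with {END}")
    if "\n\n" in text:
        problems.append("blank line between certificates (only one line break is allowed)")
    begins, ends = text.count(BEGIN), text.count(END)
    if begins == 0 or begins != ends:
        problems.append(f"unbalanced markers: {begins} BEGIN, {ends} END")
    return problems


def write_chain_file(cert_paths: List[str], out_path: str = "cac.pem") -> None:
    """Read the exported .cer files and write cac.pem with LF line endings."""
    texts = [open(p, "r", encoding="ascii").read() for p in cert_paths]
    chain = build_chain_pem(texts)
    assert check_chain_pem(chain) == []
    with open(out_path, "w", encoding="ascii", newline="\n") as f:
        f.write(chain)


if __name__ == "__main__":
    chain = build_chain_pem([SAMPLE_INTERMEDIATE, SAMPLE_ROOT])
    print(chain)
    print("problems in built file:", check_chain_pem(chain))
    print("problems in raw concatenation:", check_chain_pem(SAMPLE_INTERMEDIATE + SAMPLE_ROOT))
```

The raw concatenation of the two sample exports fails three of the checks (leading line break, blank line between blocks, wrong first line), which is exactly what a hand-pasted cac.pem tends to look like; the built file passes all of them.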
Tanium Appliance: Configure CAC
Add your CAC account user name (EDIPI) as a Tanium Administrator before enabling CAC.
Step 1: Install the certificate
Upload and install the certificate:
1. Use SFTP to copy the certificate file (PEM format) to the /incoming directory on the Tanium Server appliance.
2. Sign in to the TanOS console as a user with the tanadmin role.
3. Enter 2 to go to the Tanium Operations menu.
4. Enter 9 and follow the prompts to import and install the CAC certificate file.
Step 2: Add the required Tanium Server configuration settings
1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 2 to go to the Configuration Settings menu.
4. Enter 1 to go to the Tanium Server Config Settings menu.
5. Use the menu to add Tanium Server settings as described in Table 25.
6. Restart the Tanium Server service. For more information, see Tanium Appliance Deployment Guide: Start, stop, and restart Tanium services.
You can now sign in to the Tanium Console with your CAC.
The following table summarizes the settings you must add to enable CAC.
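The ClientCertificateAuthRegex entry in the table that follows gives two patterns: the default .*CN=(.*)$ applied to the Subject field, and the recommended .*:\s(\d+)@.* applied to the Subject Alternative Name. The following Python snippet is an added example, not Tanium code; it applies both patterns with Python's re module to constructed field strings so you can see which text becomes the user identifier that must match a Tanium user name. The sample Subject and SAN strings, and the assumption that the SAN carries the EDIPI in the form EDIPI@mil, are the example's own.

```python
"""
Show what the ClientCertificateAuthRegex patterns from the Tanium guide capture.

Added example, not Tanium code. The exact text Tanium feeds to the regex is the
certificate field named by ClientCertificateAuthField; the sample strings below
are constructed in an OpenSSL-like layout and are an assumption of this example.
"""
import re
from typing import Optional

DEFAULT_SUBJECT_REGEX = r".*CN=(.*)$"      # guide default, matched against the Subject field
SAN_EDIPI_REGEX = r".*:\s(\d+)@.*"         # guide best practice for the Subject Alternative Name


def extract_user_id(field_value: str, pattern: str) -> Optional[str]:
    """Return the first capture group of pattern applied to field_value, or None.

    The captured text is what Tanium compares with the console user name
    (for CAC, the EDIPI), so whatever the group captures must match exactly.
    """
    match = re.search(pattern, field_value)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed sample field values (not real certificates).
    subject_cn_last = "C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOE.JOHN.1234567890"
    subject_cn_first = "CN=DOE.JOHN.1234567890, OU=PKI, O=U.S. Government"
    san = "othername: 1234567890@mil, email:john.doe@example.mil"

    print(extract_user_id(subject_cn_last, DEFAULT_SUBJECT_REGEX))   # DOE.JOHN.1234567890
    # Greedy .* plus (.*)$ means everything after the last CN= is captured,
    # including any components that follow it:
    print(extract_user_id(subject_cn_first, DEFAULT_SUBJECT_REGEX))  # DOE.JOHN.1234567890, OU=PKI, O=U.S. Government
    print(extract_user_id(san, SAN_EDIPI_REGEX))                     # 1234567890
    print(extract_user_id("email:john.doe@example.mil", SAN_EDIPI_REGEX))  # None (no ': digits@' form)
```

The second Subject sample shows why the default pattern only works when CN is the last component of the rendered Subject: the capture runs to the end of the line. When a deployment's certificates render the Subject differently, or when users are identified by EDIPI rather than CN, the SAN pattern is the safer choice, since \d+ stops at the @ regardless of what follows.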
Table 25: Enable CAC settings
ForceSOAPSSLClientCert
    Optional. If the registry value does not exist (but other CAC/PIV registry values do exist), or is set to a value of 1, CAC/PIV authentication becomes mandatory.
    Note: The design supports the value 0 to turn off client certificate authentication and use the console sign in credentials instead. However, the current implementation to support the value 0 is not finished. At this time, the value should only be set to 1.
ClientCertificateAuthField
    Optional. If it is not defined, certificate authentication matches on the Subject field. Specify a value for this key if you want to match on a different attribute. Many organizations use X509v3 Subject Alternative Name.
    Example:
    X509v3 Subject Alternative Name
    Note: X509v3 is typically hidden when displayed in Windows. Note that X509v3 is case sensitive.
ClientCertificateAuthRegex
    Optional. If it is not defined, the default regular expression (regex) is used to match the user identifier. The default is .*CN=(.*)$.
    The following expression is the best practice to match any Subject Alternative Name entry:
    .*:\s(\d+)@.*
ClientCertificateAuth
    Defines the location of the certificate file to use for authentication, such as:
    /opt/Tanium/TaniumServer/cac.pem
    Note: The path name is case sensitive.
TrustedHostList
    Do not remove any values. Instead, append 127.0.0.1 (for IPv4) and [::1] (for IPv6) so that TDownloader can add local packages to the Tanium Server with CAC/PIV enabled.
CACTrustedAddresses
    Defines which endpoints to exempt from CAC authentication requirements. These systems will not require a CAC/PIV certificate to authenticate and will work for all Tanium assets.
    Specify the Tanium Server and Tanium Module Server. Specify additional addresses to exempt any other trusted systems and components.
    In an active-active deployment, you must configure this setting on both Tanium Servers to prevent errors with TDownloader.
cac_ldap_server_url
    Optional. If it is defined, requires that Tanium validate every CAC/PIV authentication attempt with LDAP to determine the state of the account that is signing in. Because this does not use the Windows authentication subsystem, the service account running Tanium must have the privileges to look up accounts through a direct LDAP query.
    Use the following syntax, where LDAP must be uppercase:
    LDAP://<LDAP FQDN>
    If multiple domains are in use, specify a global catalog in the syntax GC://<domain>.
    It is highly recommended that you also use Tanium Connect to align LDAP users and security groups with roles in Tanium.
CertLDAPQueryField
    Optional. If it is defined, it specifies an LDAP user naming attribute. If it is not defined, the default attribute is used. Valid values are:
l userPrincipalName — The sign in
name for the user.
l sAMAccountName — A sign in name that
supports previous version of Windows.
CertLDAPCertField Optional. Add this setting in conjunction with
the cac_ldap_server_url setting. This setting
specifies a secondary attribute to query within
the X509 certificate. Usually, this value is
expected to match ClientCertificateAuthField
with a value of X509v3 Subject
Alternative Name.
If it is not defined, certificate authentication
matches on the Subject attribute.
X509v3 is typically hidden
when displayed in Windows.
The string X509v3 is case
sensitive.
CertLDAPCertFieldRegex Optional. Add this attribute in conjunction with
the cac_ldap_server_url setting. This setting
specifies a regular expression that accounts for
the User Principal Name (UPN) Suffix when a
secondary LDAP lookup occurs. This is
necessary because LDAP synchronization
matches UPN without the UPN Suffix.
If it is not defined, whatever is returned in the
user naming attribute is used.
The following example is most commonly used.
It returns the full UPN:
.*\:\s*([^@]+@.*)$
The following example returns just the numeric
value from the UPN:
([^@]+)@.*$
Table 25: Enable CAC settings (continued)
© 2021 Tanium Inc. All Rights Reserved Page 155
To disable CAC authentication, remove the CAC settings and then restart the Tanium Server service.
Windows: Configure CAC
Step 1: Copy the certificate to the Tanium Server installation directory
Copy the file to the Tanium Server installation directory, which by default is \Program Files\Tanium\Tanium Server.
Step 2: Add Windows registry keys on Tanium Server host
1. Add Windows registry key entries as described in the following tables.
2. Open the Windows Services program, right-click the Tanium Server service, and select Restart.
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value ForceSOAPSSLClientCert
Value Type REG_DWORD
Valid Range 0 or 1
Default Value 1
Guidelines Optional. If the registry value does not exist (but other CAC/PIV registry values do exist), or is set to a value of 1,
CAC/PIV authentication becomes mandatory.
The design supports the value 0 to turn off client certificate authentication and use the Tanium
Console sign in credentials instead. However, the current implementation to support the value 0
is not finished. At this time, set the value only to 1.
Table 26: Enable smart card authentication
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value ClientCertificateAuthField
Value Type REG_SZ
Valid Range Any valid certificate field.
Default Value Subject
Guidelines Optional. If it is not defined, certificate authentication matches on the Subject field. Specify a value for this key if you want to match on a different attribute. Many organizations use X509v3 Subject Alternative Name.
Note: X509v3 is typically hidden when displayed in Windows. The string X509v3 is case sensitive.
Table 27: Certificate attribute to be matched
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value ClientCertificateAuthRegex
Value Type REG_SZ
Valid Range Any valid regular expression.
Default Value .*CN=(.*)$
Guidelines Optional. If it is not defined, the default regular expression is used to match the user's identifier.
Use the following expression to match any Subject Alternative Name entry: .*:\s(\d+\.?\w?)@.*
Table 28: Regular expression to match
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value ClientCertificateAuth
Value Type REG_SZ
Valid Range Any valid certificate file.
Default Value None
Guidelines Defines the location of the certificate file to use for authentication, such as D:\Program
Files\Tanium\Tanium Server\cac.pem.
The path name is case sensitive.
Table 29: Location of the smart card certificate file
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value TrustedHostList
Value Type REG_SZ
Valid Range A comma-separated list of IP addresses or FQDNs for the Tanium Server, Module Server, and Tanium database server host computers. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
Default Value None
Guidelines Do not remove any values. Instead, append 127.0.0.1 (for IPv4) and [::1] (for IPv6) so that TDownloader can add local packages to the Tanium Server with CAC/PIV enabled.
Table 30: Add 127.0.0.1 and [::1] to the TrustedHostList entry
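The following Python helper is an added illustration, not code from Tanium or from this guide. It applies the two rules in Table 30 before a TrustedHostList value is written back: every existing entry is kept in its place and the loopback entries are appended only if they are absent, and each entry is checked against the documented format (IPv4 address, IPv6 address in square brackets, or FQDN) so that a bare IPv6 address such as ::1 is rejected instead of being saved silently. The hostname pattern, the ipaddress-based checks and the sample values are the example's own assumptions.

```python
"""Merge the loopback entries into an existing TrustedHostList value (Table 30).
Added illustration; the format rules come from the table, the checks are assumptions."""
import ipaddress
import re

# Assumed hostname/FQDN shape: dot-separated labels of letters, digits and hyphens.
FQDN_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)

# Entries the table says to append so that TDownloader keeps working with CAC/PIV enabled.
LOOPBACK_ENTRIES = ("127.0.0.1", "[::1]")


def is_valid_entry(entry):
    """True for an IPv4 address, an IPv6 address in square brackets, or an FQDN/hostname.
    A bare IPv6 address is rejected because the table requires the brackets."""
    if entry.startswith("[") and entry.endswith("]"):
        try:
            return isinstance(ipaddress.ip_address(entry[1:-1]), ipaddress.IPv6Address)
        except ValueError:
            return False
    try:
        # Parses as an IP: only unbracketed IPv4 is acceptable here.
        return isinstance(ipaddress.ip_address(entry), ipaddress.IPv4Address)
    except ValueError:
        return bool(FQDN_RE.match(entry))


def append_trusted_hosts(current, additions=LOOPBACK_ENTRIES):
    """Return the new comma-separated value: existing entries first, in their original
    order, then each addition that is not already present. Raises ValueError for a
    malformed entry rather than writing it to the registry or TanOS configuration."""
    entries = [e.strip() for e in current.split(",") if e.strip()]
    for entry in list(entries) + list(additions):
        if not is_valid_entry(entry):
            raise ValueError(f"invalid TrustedHostList entry: {entry!r}")
    for entry in additions:
        if entry not in entries:
            entries.append(entry)
    return ",".join(entries)


if __name__ == "__main__":
    # Constructed current value, as the "config get" output earlier in this guide shows it.
    print(append_trusted_hosts("ts1.tam.local"))  # ts1.tam.local,127.0.0.1,[::1]
```

Running the helper twice on the same value yields the same string, so it is safe to apply on both Tanium Servers of an active-active deployment without producing duplicate entries.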
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value CACTrustedAddresses
Value Type REG_SZ
Valid Range A comma-separated list of FQDNs.
Default Value None
Guidelines Defines which endpoints to exempt from CAC authentication requirements. These systems do not require a CAC/PIV
certificate to authenticate and work for all Tanium assets.
Specify the Tanium Server and Module Server. In an active-active deployment, configure this setting on both Tanium
Servers to prevent TDownloader errors. Specify additional addresses to exempt any other trusted systems and
components.
Table 31: Define trusted systems and components
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value cac_ldap_server_url
Value Type REG_SZ
Valid Range A valid LDAP server.
Default Value None
Guidelines Optional. If it is defined, Tanium validates every CAC/PIV authentication attempt with LDAP to determine the state of the account that is signing in. Because this does not use the Windows authentication subsystem, the service account running Tanium must have the permissions to look up accounts through a direct LDAP query.
Use the following syntax, where LDAP must be uppercase: LDAP://<LDAP FQDN>
If multiple domains are in use, specify a global catalog. It must use the syntax GC://<domain>.
It is highly recommended that you also use Tanium Connect to align LDAP users and security groups with roles in Tanium.
Table 32: (Optional) LDAP server
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value CertLDAPQueryField
Value Type REG_SZ
Valid Range userPrincipalName or sAMAccountName
Default Value userPrincipalName
Guidelines Optional. If it is defined, it specifies an LDAP user naming attribute. If it is not defined, the default attribute is used.
The valid values are:
l userPrincipalName — The sign in name for the user.
l sAMAccountName — A sign in name that supports previous versions of Windows.
Table 33: (Optional) LDAP query
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value CertLDAPCertField
Value Type REG_SZ
Valid Range
Default Value Subject
Guidelines Optional. Add this setting in conjunction with the cac_ldap_server_url setting. This setting specifies a secondary attribute to query within the X509 certificate. Usually, this value is expected to match ClientCertificateAuthField with a value of X509v3 Subject Alternative Name.
If it is not defined, certificate authentication matches on the Subject attribute.
X509v3 is typically hidden when displayed in Windows. The string X509v3 is case sensitive.
Table 34: (Optional) LDAP secondary lookup
Location HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value CertLDAPCertFieldRegex
Value Type REG_SZ
Valid Range Any valid regular expression.
Default Value None
Guidelines Optional. Add this attribute in conjunction with the cac_ldap_server_url setting. This setting specifies a regular
expression that accounts for the UPN Suffix when a secondary LDAP lookup occurs. This is necessary because LDAP
synchronization matches UPN without the UPN Suffix.
If it is not defined, whatever is returned in the user naming attribute would be used.
The following example is most commonly used. It returns the full UPN:
.*\:\s*([^@]+@.*)$
The following example returns just the numeric value from the UPN:
([^@]+)@.*$
Table 35: (Optional) LDAP regex
Troubleshoot smart card authentication
l Check the configuration for typos, such as extra spaces or letter case errors.
l Test whether the system works with just the required registry keys. Then enable and test optional settings, such as the LDAP
integration settings.
l In an active-active deployment, configure the CACTrustedAddresses value with entries for each Tanium Server and the
Module Server to avoid TDownloader errors during package synchronization.
l Set the logging level to 41 or higher on the Tanium Server and Module Server to record the following events. See Tanium
Console User Guide: Configure server logging levels. If you configure a custom log that records only these events, use
.*Client Certificate auth.* as the filter regex. See Create a custom log on page 172.
o If ClientCertificateMatchField is set and does not match:
n No regex match:
Client Certificate auth logon denied, match failed
n Field used for regex not found in the CA certificate:
Client Certificate auth logon denied, match property not present
o If ClientCertificateMatchField passes or is empty, the user is extracted using the ClientCertificateAuthField and
ClientCertificateAuthRegex:
n If ClientCertificateAuthRegex is not matched:
Client Certificate auth logon denied, regex not matched
n If ClientCertificateAuthField is not found:
Client Certificate auth logon denied, field not found
n If the regex matches and the field is found but the name is not a valid Tanium user:
Client Certificate auth logon denied, unknown user
o Any other error or information message also starts with:
Client Certificate auth
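The following Python model is an added illustration, not Tanium's code and not part of this guide. It takes the field and regex settings from Table 25 and Tables 27 through 35, runs them against a constructed text rendering of a CAC, and returns the denial messages listed above in the order the list gives them, so you can see which misconfiguration produces which log line (for example, a lowercase field name produces "field not found" because the field name is case sensitive). It also tallies denials from sample log lines using the .*Client Certificate auth.* filter regex. Assumptions: the server anchors each regex at the start of the field value; the page does not name the setting that holds the ClientCertificateMatchField regex, so match_regex is a placeholder parameter; the success message, the certificate values, the user names and the log line layout are all constructed.

```python
"""Model of the CAC/PIV matching settings and the denial messages documented above.
Added illustration, not Tanium code. Certificate, user and log samples are constructed."""
import re
from collections import Counter

# Setting values as given in Table 25 and Tables 27 through 35.
DEFAULT_AUTH_FIELD = "Subject"
DEFAULT_AUTH_REGEX = r".*CN=(.*)$"
SAN_FIELD = "X509v3 Subject Alternative Name"    # case sensitive, as the tables warn
SAN_EDIPI_REGEX = r".*:\s(\d+)@.*"               # Appliance best-practice ClientCertificateAuthRegex
SAN_EDIPI_REGEX_WIN = r".*:\s(\d+\.?\w?)@.*"     # Windows variant from Table 28
LDAP_FULL_UPN_REGEX = r".*\:\s*([^@]+@.*)$"      # CertLDAPCertFieldRegex, full UPN
LDAP_NUMERIC_REGEX = r"([^@]+)@.*$"              # CertLDAPCertFieldRegex, numeric part only
FILTER_REGEX = r".*Client Certificate auth.*"    # custom-log filter from the troubleshooting list

# Constructed text rendering of one CAC's fields (field name -> value); not a real certificate.
SAMPLE_CERT = {
    "Subject": "C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOE.JANE.A.1234567890",
    SAN_FIELD: "email:jane.doe@example.mil, othername: 1234567890@mil",
}
# Constructed Tanium user names (the EDIPI was added as an Administrator beforehand).
KNOWN_USERS = {"1234567890", "DOE.JANE.A.1234567890"}
# Constructed log lines in an assumed "<timestamp> - <message>" layout.
SAMPLE_LOG = [
    "2021-12-09 10:00:01 - Client Certificate auth logon denied, regex not matched",
    "2021-12-09 10:00:05 - Client Certificate auth logon denied, unknown user",
    "2021-12-09 10:00:07 - Begin MiniDumper",
    "2021-12-09 10:00:09 - Client Certificate auth logon denied, unknown user",
]


def extract(value, regex):
    """First capture group of regex applied to value, or None if it does not match.
    Assumption: the server anchors the regex at the start of the field (re.match)."""
    m = re.match(regex, value)
    return m.group(1) if m else None


def client_cert_auth(cert, auth_field=DEFAULT_AUTH_FIELD, auth_regex=DEFAULT_AUTH_REGEX,
                     match_field=None, match_regex=None, known_users=KNOWN_USERS):
    """Return (user or None, log message), checking in the order the troubleshooting list gives.
    match_field models ClientCertificateMatchField; match_regex is a placeholder because the
    page does not name the setting that holds its regex."""
    if match_field is not None:
        value = cert.get(match_field)
        if value is None:
            return None, "Client Certificate auth logon denied, match property not present"
        if match_regex is not None and not re.match(match_regex, value):
            return None, "Client Certificate auth logon denied, match failed"
    value = cert.get(auth_field)                 # exact, case-sensitive field name lookup
    if value is None:
        return None, "Client Certificate auth logon denied, field not found"
    user = extract(value, auth_regex)
    if user is None:
        return None, "Client Certificate auth logon denied, regex not matched"
    if user not in known_users:
        return None, "Client Certificate auth logon denied, unknown user"
    # Success wording is constructed; the page lists only the denial messages.
    return user, f"Client Certificate auth logon accepted for {user}"


def denial_summary(log_lines):
    """Count denial reasons among lines that the custom-log filter regex would keep.
    The filter is applied to the message text only, not to the timestamp."""
    counts = Counter()
    for line in log_lines:
        msg = line.split(" - ", 1)[-1]
        if re.match(FILTER_REGEX, msg) and "logon denied, " in msg:
            counts[msg.split("logon denied, ", 1)[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(client_cert_auth(SAMPLE_CERT))                              # default Subject/CN match
    print(client_cert_auth(SAMPLE_CERT, SAN_FIELD, SAN_EDIPI_REGEX))  # SAN/EDIPI match
    print(extract(SAMPLE_CERT[SAN_FIELD], LDAP_FULL_UPN_REGEX))       # 1234567890@mil
    print(extract("1234567890@mil", LDAP_NUMERIC_REGEX))              # 1234567890
    print(denial_summary(SAMPLE_LOG))
```

With the default settings the model extracts the Subject CN; with ClientCertificateAuthField set to the SAN field and the best-practice regex it extracts the ten-digit EDIPI, which is the value you must have added as a Tanium Administrator before enabling CAC. Note that the greedy leading .* in the SAN regexes makes them latch onto the last ": <digits>@" entry in the field, which matters if a card carries several SAN entries.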
Command-line interface
In Tanium Core Platform 7.1.314.2924 or later, you can configure platform server settings through a command-line interface (CLI).
Version 7.3.314.3431 or later is required to use the CLI for configuring platform settings.
Contact Tanium Support for guidance ([email protected]) before you create, edit, or delete platform settings.
Tanium Appliance
For Tanium Appliance deployments, you can use the TanOS menu to read and write the configuration. In rare cases, you might be
granted shell access to troubleshoot an issue. The CLI programs are installed in the following locations.
Component CLI program location
Tanium Server /opt/Tanium/TaniumServer/TaniumServer
Module Server /opt/Tanium/TaniumModuleServer/TaniumModuleServer
Zone Server /opt/Tanium/TaniumZoneServer/ZoneServer
TDownloader /opt/Tanium/TaniumServer/TaniumTDownloader
/opt/Tanium/TaniumModuleServer/TaniumTDownloader
Table 36: CLI directories for Appliance deployment
For details about the TanOS CLI, see Tanium Appliance Deployment Guide: TanOS command line interface.
Windows
For Windows deployments, the Windows Registry is still the canonical source of configuration. You can use the CLI if you need to get
or set the configuration using a program.
Component CLI program location
Tanium Server Program Files\Tanium\TaniumReceiver.exe
Module Server Program Files\Tanium\TaniumModuleServer.exe
Zone Server Program Files (x86)\Tanium\Tanium Zone Server\TaniumZoneServer.exe
TDownloader Program Files\Tanium\Tanium Server\TDownloader.exe
Program Files\Tanium\Tanium Module Server\TDownloader.exe
Table 37: CLI directories for Windows deployment
If necessary, elevate permissions to open the command prompt as administrator.
Examples
The following examples show how to use the CLI.
Display help
TaniumReceiver --help
Usage: TaniumReceiver [options] <command> [<args>]
General Options:
-h [ --help ] Print this help message
-v [ --version ] Print the version
--verbose Verbose output
Service Options:
-i Install the service
-u Uninstall the service
-s Start the service
-e Stop the service
Internal Tanium Options - DO NOT USE:
-d Run without daemonizing
Commands:
config Manage configuration
clean-downloads Clean the downloads catalog
database Manages a database
global-settings Manages global settings
license Manages Deployment License
pki Manages PKI
python-auth-plugin Run a python authentication plugin - DO NOT USE
server-registrations Manages server registration requests
test-hsm Test an HSM configuration
trust-module-certs Add trusted Module Server certificates
For help on a specific command run `TaniumReceiver COMMAND -h`
Display config help
cmd-prompt>TaniumReceiver config --help
Usage: TaniumReceiver config <action> [<key>] [<value>]
Actions:
config list List all keys and non-protected values
config list-protected List all keys and values
config get <key> Print non-protected config value
config get-protected <key> Print config value
config set <key> <value> Set config value and try to guess type
config set-string <key> <value> Set string value
config set-protected <key> <value> Set protected string value
config set-number <key> <value> Set numeric value (in decimal or hex notation)
config remove <key> Remove config value
Example: List configuration settings
When displaying the current settings, note that the CLI output shows (protected) instead of the actual value for settings that
are designated as protected, that is, sensitive values such as passwords.
cmd-prompt>TaniumReceiver config list
Keys:
- AddressMask: 16777215
- ConsoleSettingsJSON: C:\Program Files\Tanium\Tanium Server\http\config\console.json
- DBUserDomain: tam.local
- DBUserName: taniumsvc
- LogPath: C:\Program Files\Tanium\Tanium Server\Logs
- LogVerbosityLevel: 1
- Logs:
- Logs.MiniDumpMessages:
- Logs.MiniDumpMessages.FilterRegex: .*Begin MiniDumper.*
- Logs.MiniDumpMessages.LogVerbosityLevel: 1
- ModuleServer: tms1.tam.local,TMS1.tam.local:17477
- ModuleServerPort: 17477
- PGDLLPath: C:\Program Files\Tanium\Tanium Server\postgres\bin
- PKIDatabasePassword: (protected)
- PGRoot: C:\Program Files\Tanium\Tanium Server\postgres
- Path: C:\Program Files\Tanium\Tanium Server
- ProxyPassword: (protected)
- ProxyPort:
- ProxyServer:
- ProxyType: NONE
- ProxyUserid:
- SQLConnectionString: postgres:localhost@dbname=postgres port=5432
- ServerName: 0.0.0.0
- ServerPort: 17472
- ServerSOAPPort: 443
- TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
- TrustedHostList: ts1.tam.local
- TrustedModuleServerCertsPath: C:\Program Files\Tanium\Tanium Server\trusted-module-servers.crt
- Version: 7.3.314.4283
Example: Set configuration values
cmd-prompt>TaniumReceiver config set BypassProxyHostList ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15
cmd-prompt>TaniumReceiver config get BypassProxyHostList
ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15
Example: Set TDownloader configuration values
cmd-prompt>TDownloader config set ProxyServer 10.10.10.10
cmd-prompt>TDownloader config get ProxyServer
10.10.10.10
Example: Register the Module Server with the Tanium Server
On the Module Server host computer, use the CLI to register with a Tanium Server. Specify a Tanium Console administrator user
name and password.
Registration involves copying files between the Module Server and the Tanium Server. Both servers must be
reachable when you issue the registration command or the command fails.
After registering the Module Server, you must restart the services for the Tanium Module Server and all Tanium
modules and shared services. On the Module Server, open the Windows Services application and, for each service,
right-click the service name and select Restart.
cmd-prompt>TaniumModuleServer register -h
Usage: TaniumModuleServer register <server> [opts]
--server arg Tanium Server hostname (optionally including
port)
--address arg (=TMS1.tam.local) DNS name or IP that the Tanium Server should
use to connect to this Module Server
--timeout arg (=120) Registration timeout in seconds
--user arg Administrator username
--pass arg Administrator password (leave blank for
interactive prompt)
--pass-file arg Administrator password protected file
--trusted-fingerprint arg Trust the given server certificate
fingerprint
--json-out arg JSON file to output results to
cmd-prompt>TaniumModuleServer register ts2.tam.local
Enter administrator username: TaniumAdmin
Enter password for user 'TaniumAdmin':
Successfully completed registration.
If the Tanium Console has been configured to use a non-standard port, you must specify the port number, as shown in the following
example.
cmd-prompt>TaniumModuleServer register ts2.tam.local:8443
Enter administrator username: TaniumAdmin
Enter password for user 'TaniumAdmin':
Successfully completed registration.
cmd-prompt>
If the Tanium Console is not listening on 443 and you do not specify the port in the registration command, the registration results in
failure with the message:
Failed to register module server. Failed to authenticate for registration.SSLClientConnection has failed to complete request.
Example: Configure global settings
cmd-prompt>TaniumReceiver global-settings -h
Usage: TaniumReceiver global-settings list|list-all|get|set|set-string|set-number|set-flags|unset-flags|remove
-c [ --command ] arg Command to run:
list
list-all
get <setting>
set <setting> <value>
set-string <setting> <value>
set-number <setting> <value>
set-flags <setting> [public|hidden|read-only|server...]
unset-flags <setting> [public|hidden|read-only|server ...]
remove <setting>
cmd-prompt>TaniumReceiver global-settings set ReportingTLSMode 0
Example: Add an admin user
cmd-prompt>TaniumReceiver database -h
Usage: TaniumReceiver database create|upgrade|create-admin-user
-c [ --command ] arg Command to run:
create
upgrade
create-admin-user [username] [domain]
sqlserver2postgre outputfile
cmd-prompt>TaniumReceiver database create-admin-user admin-recover tam.local
Logs
Overview
Tanium Core Platform servers and Tanium Clients generate several predefined logs that you can use to diagnose issues and
unexpected behavior. You can also configure custom logs that copy specific content from the predefined logs based on a filter: see
Create a custom log on page 172. The logging level determines how much detail logs record. The following logging levels are best
practices for specific use cases:
l 0: Logging disabled.
l 1: Normal (default) logging level.
l 41: Best practice value during troubleshooting.
l 91 or higher: Most detailed logging level. Because this level consumes the most resources, enable it for short periods only.
To change the logging level through the Tanium Console for the Tanium Server and Tanium Module Server, see Tanium Console User
Guide: Configure server logging levels. You can also change the logging level for platform servers by configuring the
LogVerbosityLevel settings (see Tanium Core Platform settings on page 122) through the CLI on Windows on page 161 or through
the TanOS menus on the Tanium Appliance on page 122. To change the logging level of custom logs, see Create a custom log on
page 172.
For information about Tanium Client logs, see Tanium Client Management User Guide: Troubleshooting.
Tanium Appliance
The Tanium Appliance supports the following log features:
l Health Check report: see Tanium Appliance Deployment Guide: Run the Health Check
l Tanium Core Platform logs: see Tanium Appliance Deployment Guide: Review Tanium Core Platform logs. These are similar
to the platform logs that you see in a Windows on page 169 deployment.
l Tanium module logs: see Tanium Appliance Deployment Guide: Review Tanium solution module logs
l TanOS partition sync log: see Tanium Appliance Deployment Guide: View the TanOS partition sync log
l TanOS upgrade log: see Tanium Appliance Deployment Guide: View the TanOS upgrade log
l Tanium Support Gatherer logs: see Tanium Appliance Deployment Guide: Run Tanium Support Gatherer
l Tanium Platform Analyzer (TPAN): see Tanium Health Check User Guide: Generating reports
l System activity report (SAR): see Tanium Appliance Deployment Guide: Use the Performance Monitoring menu
l Syslog forwarding: see Tanium Appliance Deployment Guide: Configuring syslog
l SNMP walk: see Tanium Appliance Deployment Guide: Configuring SNMP
Windows
To view Tanium Core Platform logs, you require access to the platform server hosts. In the following log file locations, variables such
as <Tanium Server> represent the server installation directories.
Action scheduler logs
l Content: Records events and issues that relate to scheduled actions. For example, the logs record information about why
the Tanium Server did or did not deploy the actions. If you set the logging level to 1 (default) or 41, the server generates the
logs only if errors occurred (such as actions failing to deploy). To record additional details for normal (successful) operations
of scheduled actions, set the logging level to 91.
l Location and file name: <Tanium Server>\Logs\action-scheduler<#>.txt
Authentication logs
l Content: Records user access to the Tanium Console or API through all authentication methods.
l Location and file name: <Tanium Server>\Logs\auth<#>.txt
Database upgrade logs
l Content: Record actions that the Tanium Server installer performs on Tanium database schemas when you upgrade the
Tanium Core Platform.
l Location and file name: <Tanium Server>\Logs\database-upgrade<#>.txt
HTTP connection logs
HTTP connection logs are available in Tanium Core Platform 7.3 or later.
l Content: Records attempts to connect to the Tanium Server. For example, the logs record registration attempts by Tanium
Clients or the Zone Server.
l Location and file name: <Tanium Server>\Logs\http-access<#>.txt
Installation logs
l Content: Records actions that the installer for a Tanium Core Platform server performs during installations and upgrades. If
you encounter issues with your installation, examine the logs to see which actions completed successfully and which failed.
Each time you run the installer, it appends the actions for that execution to the end of the file instead of rolling over the file.
l Location and file name:
o Tanium Server: <Tanium Server>\Install.txt
o Tanium Module Server: <Module Server>\Install.txt
o Tanium Zone Server: <Zone Server>\Install.txt
LDAP logs
l Content: Records LDAP synchronization and authentication events for interactions between the Tanium Server and LDAP
servers.
l Location and file name: <Tanium Server>\Logs\ldap<#>.txt
Module plugin history logs
Module plugin history logs are available in Tanium Core Platform 7.3 or later.
l Content: Records plugin executions. A plugin is an extension to a Tanium Core Platform component or solution module.
Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details
when troubleshooting unexpected behavior (contact [email protected]).
l Location and file name:
o Tanium Server: <Tanium Server>\Logs\module-history<#>.txt
o Tanium Module Server: <Module Server>\Logs\module-history<#>.txt
Package cache cleaner logs
l Content: Records which package files the Tanium Server removed from the shard cache because the packages no longer
exist, the files expired, or the server replaced the files with updated versions.
l Location and file name: <Tanium Server>\Logs\package-cleaner<#>.txt
PKI logs
PKI logs are available in Tanium Core Platform 7.4 or later.
l Content: Records events related to the use of digital keys when Tanium Core Platform components prove their identity to
each other. The logs also record events related to trust approvals and denials among Tanium Servers, Zone Servers, and
Zone Server Hubs.
l Location and file name:
o Tanium Server: <Tanium Server>\Logs\pki<#>.txt
o Tanium Module Server: <Module Server>\Logs\pki<#>.txt
o Tanium Zone Server: <Zone Server>\Logs\pki<#>.txt
o Tanium Zone Server Hub (if the hub is not on the Tanium Server): <Zone_Server_Hub_installation_folder>\Logs\pki<#>.txt
RBAC logs
l Content: Records events related to Tanium role-based access control (RBAC). For example, when the Tanium Server denies
users access to a resource, the logs indicate which required permissions are missing in the user roles.
l Location and file name: <Tanium Server>\Logs\rbac<#>.txt
Server logs
l Content: These are the main logs for each Tanium Core Platform server, and record all events that the other log types do
not capture.
l Location and file name:
o Tanium Server: <Tanium Server>\Logs\log<#>.txt
o Tanium Module Server: <Module Server>\Logs\log<#>.txt
o Tanium Zone Server: <Zone Server>\Logs\log<#>.txt
Tanium Data Service logs
l Content: Records operations related to collecting results for sensors that are registered for automatic collection. For each
question that the Tanium Server issues to collect sensor results, the log has an entry that indicates the issue date-time, the
question ID (Harvesting qid), and information about each sensor in the question.
l Location and file name: <Module Server>\services\tanium-data-files\tanium-data.log<#>.txt
TDownloader logs
l Content: History of the actions that the TDownloader service performs when it downloads files from Tanium and other
Internet locations. The logs include proxy server connection status events when applicable. The TDownloader logs might
help you troubleshoot when importing Tanium content packs and solution modules or downloading updates to package
files.
l Location and file name:
o Tanium Server: <Tanium Server>\TDL_Logs\log<#>.txt
o Tanium Module Server: <Module Server>\TDL_Logs\log<#>.txt
Rollover for Tanium Core Platform logs
To clear space for new logs, Tanium Core Platform servers roll over and compress existing logs when they exceed the maximum log
size (10 MB) and maximum number of logs. The maximum number of log files varies by log type and format. By default, custom log
types have a maximum of 10 plain text logs and 10 ZIP logs.
Log File Name Plain Text ZIP
action-scheduler<#>.txt 10 10
authlog<#>.txt 10 10
database-upgrade<#>.txt 10 10
download-catalog-cleaner<#>.txt 10 10
http-access<#>.txt 2 3
ldap<#>.txt 10 10
log<#>.txt (main server log for each Tanium Core Platform server) 10 10
log<#>.txt (TDownloader log) 10 0
module-history<#>.txt 2 3
package-cleaner<#>.txt 10 10
pki<#>.txt 10 10
rbac<#>.txt 10 10
Table 38: Number of log files
The rollover process is as follows, where <log_type#>.txt is the log file name (such as log0.txt):
Plain text logs
When the first log file <log_type>0.txt reaches 10 MB in size, it is renamed <log_type>1.txt and a new <log_type>0.txt is
created. When <log_type>0.txt again reaches 10 MB, <log_type>1.txt is renamed <log_type>2.txt, <log_type>0.txt is again
renamed <log_type>1.txt, and <log_type>0.txt is again recreated. The process of rolling logs whenever <log_type>0.txt
reaches 10 MB continues until the maximum number of plain-text logs exist. For example, each Tanium Core Platform server log has
a maximum of 10 plain-text logs: log0.txt to log9.txt.
ZIP logs
After recording the maximum number of plain-text logs, the oldest log is compressed. For example, log9.txt is saved as
log10.zip. When <log_type>0.txt again reaches 10 MB, the file name of the first ZIP log is incremented (for example,
log10.zip becomes log11.zip) and the oldest plain-text log is again compressed and replaces the first ZIP log. The ZIP file
rollover process continues until the maximum number of ZIP files exist. For example, each Tanium Core Platform server log has a
maximum of 10 ZIP files: log10.zip to log19.zip. When <log_type>0.txt reaches 10 MB again after that, the first ZIP log is
created again (such as log10.zip) but the oldest ZIP log (such as log19.zip) is not renamed and is effectively dropped because
the second oldest ZIP file replaces it (for example, log18.zip becomes the new log19.zip).
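The rollover bookkeeping described above is easy to misread, so the following Python simulation is added here as an illustration (it is not Tanium code and not part of this guide). It tracks file names only, renaming plain-text logs up one slot, compressing the oldest plain-text log into the first ZIP slot, and letting the rename of the second-oldest ZIP overwrite the oldest one, and it does not model the 10 MB size check. For log types other than the main server log, it assumes that ZIP numbering continues from the plain-text count in the same way (for example, http-access2.zip after http-access1.txt), which the page shows only for log<#>; the max_zip=0 case models the TDownloader log, whose oldest plain-text file is simply dropped.

```python
"""Simulation of Tanium Core Platform log rollover as described in this section.
Added illustration, not Tanium code; file names only, no size accounting."""


def rollover(files, prefix="log", max_txt=10, max_zip=10):
    """Apply one rollover of <prefix>0.txt to a set of existing file names and return the new set."""
    files = set(files)

    def rename(old, new):
        # A rename over an existing name replaces it; that is how the oldest ZIP gets dropped.
        if old in files:
            files.remove(old)
            files.discard(new)
            files.add(new)

    first_zip, last_zip = max_txt, max_txt + max_zip - 1
    # ZIP logs move up one slot, starting with the second oldest so nothing is clobbered early.
    for j in range(last_zip - 1, first_zip - 1, -1):
        rename(f"{prefix}{j}.zip", f"{prefix}{j + 1}.zip")
    # The oldest plain-text log is compressed into the first ZIP slot, or dropped when no ZIPs are kept.
    oldest_txt = f"{prefix}{max_txt - 1}.txt"
    if max_zip > 0:
        rename(oldest_txt, f"{prefix}{first_zip}.zip")
    else:
        files.discard(oldest_txt)
    # Plain-text logs move up one slot and a fresh <prefix>0.txt is started.
    for i in range(max_txt - 2, -1, -1):
        rename(f"{prefix}{i}.txt", f"{prefix}{i + 1}.txt")
    files.add(f"{prefix}0.txt")
    return files


def after_rollovers(n, prefix="log", max_txt=10, max_zip=10):
    """File names present after n rollovers, starting from a single <prefix>0.txt, in numeric order."""
    files = {f"{prefix}0.txt"}
    for _ in range(n):
        files = rollover(files, prefix, max_txt, max_zip)
    return sorted(files, key=lambda name: int(name[len(prefix):].split(".")[0]))


if __name__ == "__main__":
    # Main server log after 25 rollovers: log0.txt..log9.txt plus log10.zip..log19.zip (20 names).
    print(after_rollovers(25))
    # TDownloader log (10 plain text, 0 ZIP): never more than 10 files.
    print(after_rollovers(25, max_zip=0))
    # http-access log (2 plain text, 3 ZIP) under the numbering assumption stated above.
    print(after_rollovers(6, prefix="http-access", max_txt=2, max_zip=3))
```

The set stabilises at max_txt plus max_zip names once both limits are reached; each further rollover discards exactly one compressed file, which is why the numbers in Table 38 bound the disk used per log type.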
Create a custom log
If you want to troubleshoot only specific information in predefined Tanium logs, you can configure a Tanium Core Platform server or
Tanium Client to filter the logs based on a regular expression and to copy the matching content to a custom log. Custom logs are
especially useful if you set a high logging level for the predefined logs such that they roll over too quickly and record too much
information for you to easily find specific issues. You can create as many custom logs as necessary and base each one on a different
filter. After you configure a new log type, the platform server or client creates a custom log file upon recording an event in a
predefined log that matches the regular expression. Thereafter, whenever the predefined logs record additional events that match
the filter, the server or client copies those records to the custom log.
Log filtering can consume significant resources on a server or client, especially if you set a high logging level.
Therefore, the best practice is to remove custom logs after you finish a troubleshooting session. For more
information, see the logging level setting in Table 39.
The following procedures describe how to configure custom logs using the TanOS console (Appliance) or using the CLI command
executables and options listed in Table 39 (Tanium Clients or platform servers on Windows).
Executable/Option    Description

<executable>
    The Tanium Client and Tanium Core Platform servers use the following executables for running CLI commands. The
    executables reside in the server or client installation directory.
    - Tanium Server: TaniumReceiver
    - Module Server: TaniumModuleServer
    - Zone Server or Zone Server Hub: TaniumZoneServer
    - Tanium Client: TaniumClient

<log prefix>
    The log file prefix. The server or client automatically appends a number to the prefix and adds the suffix (.txt)
    upon generating the log. For example, if you enter CompletedRegistrations as the prefix for a custom client log,
    the first file that the client generates for that log type is CompletedRegistrations0.txt.

<filter regex>
    The regular expression to use for filtering the predefined logs. The server or client copies log entries that
    match the filter to the custom log.
    The filter applies only to log messages, not to thread names, thread IDs, or timestamps.
    The following are examples of useful filter expressions for Tanium Server logs:
    - .*Begin MiniDumper.* records messages about application crashes.
    - .*Failing to sync sensors.* identifies sensor synchronization failures.
    - .*msg=NoMaxAgeFound.* records instances where the Tanium Server issues a question that uses deleted sensors.
    - .*Client Certificate auth.* records authentication messages relating to Tanium Client certificates. This is
      useful for troubleshooting smart card (common access card) authentication issues. See Troubleshoot smart card
      authentication on page 159.
    The following are examples of useful filter expressions for Tanium Server or Zone Server logs:
    - .*Begin registration.* identifies Tanium Clients that are trying to register.
    - .*Registration complete.* identifies clients that successfully registered.

<logging level>
    The logging level of the custom log. For details, see Overview on page 168.
    Higher logging levels consume more resources on the server or client.
    If different custom log types have different levels, the server or client generates messages for all log types at
    the highest level that is set for any custom log type, so that filter matching applies to every message up to that
    level. Each log file still contains only messages up to the level that you set for its own log type. For example,
    you might set the logging level to 1 for the predefined logs on the Tanium Server and set the level to 91 for a
    custom log. In this case, the server generates log messages at level 91 for all log types; the custom log contains
    matching messages up to level 91, but the predefined logs contain messages only up to level 1.

Table 39: CLI command executables and options for custom logs
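The two rules in Table 39 that most often surprise people are that the regular expression is applied to the message text only, and that setting a high level on one custom log raises the level at which every log type is generated while each file still keeps only the messages up to its own level. The following Python model is an added example that is not Tanium code; it assumes a simple record layout (timestamp, thread, level, message) and applies the expression to the whole message with re.fullmatch, which is why patterns need the leading and trailing .* that the guide's examples carry (the matching mode is an assumption, not something the guide states). The sample events are constructed and only reuse phrases the guide lists as filter targets.

```python
import re
from dataclasses import dataclass, field

# Model of how a Tanium Server or Client routes predefined-log events into
# custom logs, as described in Table 39. Added example, not Tanium code; the
# record layout and the full-match mode are assumptions of this model.


@dataclass(frozen=True)
class LogEvent:
    timestamp: str   # not subject to FilterRegex
    thread: str      # thread name or ID; not subject to FilterRegex
    level: int       # verbosity level at which the message is emitted
    message: str     # the only field the filter is applied to


@dataclass
class CustomLog:
    prefix: str            # Logs.<log subject>.LogPrefix
    filter_regex: str      # Logs.<log subject>.FilterRegex
    verbosity: int = 1     # Logs.<log subject>.LogVerbosityLevel (default 1)
    pattern: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self.pattern = re.compile(self.filter_regex)

    def matches(self, event):
        # Assumption: the expression must match the whole message text.
        return self.pattern.fullmatch(event.message) is not None


def generation_level(predefined_level, custom_logs):
    """Messages are generated at the highest level set for any log type."""
    return max([predefined_level] + [c.verbosity for c in custom_logs])


def route_events(events, predefined_level, custom_logs):
    """Return {file prefix: [lines]} for the predefined log ("log") and each
    custom log. A message lands in a file only if its level is at or below
    that file's level; custom logs additionally require a regex match."""
    emit_at = generation_level(predefined_level, custom_logs)
    files = {"log": []}
    files.update({c.prefix: [] for c in custom_logs})
    for ev in events:
        if ev.level > emit_at:
            continue  # above the generation level: never written anywhere
        line = f"{ev.timestamp} {ev.thread} {ev.message}"
        if ev.level <= predefined_level:
            files["log"].append(line)
        for c in custom_logs:
            if ev.level <= c.verbosity and c.matches(ev):
                files[c.prefix].append(line)
    return files


# Constructed sample events: the timestamps, thread names and levels are made
# up; the message phrases are the ones Table 39 lists as filter targets.
SAMPLE_EVENTS = [
    LogEvent("2021-11-16 21:24:01", "TaniumReceiver:Main", 1,
             "Begin registration from 192.0.2.10"),
    LogEvent("2021-11-16 21:24:02", "TaniumReceiver:Main", 1,
             "Registration complete for 192.0.2.10"),
    LogEvent("2021-11-16 21:28:05", "TaniumReceiver:Auth", 41,
             "Client Certificate auth: subject CN=cac-user rejected"),
    LogEvent("2021-11-16 21:28:06", "TaniumReceiver:Auth", 41,
             "Session cache miss for user cac-user"),
    LogEvent("2021-11-16 21:30:00", "TaniumReceiver:Sensors", 1,
             "Failing to sync sensors with Module Server"),
]


def demo():
    """Predefined logs at level 1, one custom log at level 41 (as in the CAC
    example), one at the default level, and one that wrongly filters on a
    thread name."""
    cac = CustomLog("CACAuthLog", r".*Client Certificate auth.*", verbosity=41)
    registrations = CustomLog("CompletedRegistrations", r".*Registration complete.*")
    by_thread = CustomLog("AuthThread", r".*TaniumReceiver:Auth.*", verbosity=41)
    return route_events(SAMPLE_EVENTS, predefined_level=1,
                        custom_logs=[cac, registrations, by_thread])


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name}0.txt: {len(lines)} line(s)")
        for line in lines:
            print("   ", line)
```

Running demo() shows the behaviour the table describes: the level-41 certificate message reaches CACAuthLog0.txt but not log0.txt, the level-41 "Session cache miss" message is generated (because some custom log is at level 41) but is kept nowhere, and the AuthThread log stays empty because the thread name is never passed through the filter.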
Create a custom log on the Appliance
1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 2 to go to the Configuration Settings menu.
4. Enter 1 to go to the Tanium Server Config Settings menu.
5. For each log setting (LogVerbosityLevel, LogPrefix, and FilterRegex), enter A to add the setting and then enter its value.
   Table 39 describes the settings. For the <log subject>, specify any text string to identify the purpose of the log.
   - Logs.<log subject>.LogVerbosityLevel
   - Logs.<log subject>.LogPrefix
   - Logs.<log subject>.FilterRegex
   For example, if the log is for troubleshooting common access card (CAC) authentication, you might specify the following
   values:
   - Logs.CAC.LogVerbosityLevel = 41
   - Logs.CAC.LogPrefix = CACAuthLog
   - Logs.CAC.FilterRegex = .*Client Certificate auth.*
To review the log after the Appliance generates messages that match the filter:
1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter B to go to the Appliance Maintenance menu.
3. Enter 5 to go to the Shell Keys menu.
4. Enter O and enter yes at the prompt to open a read-only (RO) shell.
5. Go to the Logs directory:
cd /opt/Tanium/TaniumServer/Logs
6. List the directory contents:
ls -la
The following is an example of the output, including the custom log CACAuthLog:
total 1264
drwxr-x---.  2 tanium tanium   4096 Nov 16 21:24 .
drwxr-x---. 20 tanium tanium   4096 Nov 16 22:15 ..
-rw-r-----.  1 tanium tanium    685 Nov 16 21:28 CACAuthLog0.txt
-rw-r-----.  1 tanium tanium   2805 Oct 26 19:39 auth0.txt
-rw-r-----.  1 tanium tanium 322930 Oct 26 18:41 database-upgrade0.txt
-rw-r-----.  1 tanium tanium 857760 Nov 16 19:36 http-access0.txt
-rw-r-----.  1 tanium tanium  31873 Nov 16 20:01 log0.txt
-rw-r-----.  1 tanium tanium  27082 Nov 16 19:36 module-history0.txt
-rw-r-----.  1 tanium tanium  17223 Nov 16 19:33 package-cleaner0.txt
-rw-r-----.  1 tanium tanium   3300 Oct 26 18:46 pki0.txt
7. Display the custom log contents using standard UNIX commands such as more, cat, or tail:
more CACAuthLog0.txt
8. When you finish viewing the log contents, enter exit to close the shell.
Create a custom log on a platform server or client for Windows
Perform the following steps using the command executables and options listed in Table 39 to create a custom log on a Tanium Core
Platform server or Tanium Client that is installed on a Windows host.
1. Sign in to the host system of the platform server or Tanium Client.
2. Open the Command Prompt and navigate (cd) to the server or client installation directory.
3. Configure a regular expression for the custom log.
<executable> config set Logs.<log prefix>.FilterRegex "<filter regex>"
4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.
<executable> config set Logs.<log prefix>.LogVerbosityLevel <logging level>
Create a custom log on Tanium Client for macOS
Perform the following steps using the command options listed in Table 39 to create a custom log on a managed macOS endpoint.
The variable <Tanium Client> is the Tanium Client installation directory.
1. Sign in to the endpoint that hosts the Tanium Client.
2. Open the Terminal program.
3. Configure a regular expression for the custom log.
sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"
4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.
sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>
Create a custom log on Tanium Client for Linux, Solaris, or AIX
Perform the following steps using the command options listed in Table 39 to create a custom log on a managed Linux, Solaris, or AIX
endpoint. The variable <Tanium Client> is the Tanium Client installation directory.
1. Sign in to the endpoint that hosts the Tanium Client.
2. Configure a regular expression for the custom log.
sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"
3. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.
sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>
Export Commodity Classification
The Export Commodity Classification Automated Tracking System (CCATS) number for Tanium is G172792. The Export Control
Classification Numbers (ECCNs) for Tanium products are:
Product                        ECCN       License Exception            Authorized for Export (see definitions list below)
Tanium Client software         5D992.c    No License Required ("NLR")  All countries, except Embargoed Countries and the Crimea Region of Ukraine
Tanium Server software         5D002.c.1  ENC/(b)(1)                   All countries, except Embargoed Countries and the Crimea Region of Ukraine
Tanium Module Server software  5D002.c.1  ENC/(b)(1)                   All countries, except Embargoed Countries and the Crimea Region of Ukraine
Table 40: Export Commodity Classification
Tanium prohibits software and hardware (both physical and virtual) installations in certain countries. To find out
whether a particular country is on the prohibited list, please contact Tanium Support at [email protected].
Change log
Date Revision Summary
December 9, 2021 Updated security exclusions for DOC-3317.
December 3, 2021 Added security exclusions for System User service and RDB. Updated the Appliance network diagram and
table. Updated for PLATDOCS-1049.
December 1, 2021 Added custom logs topic.
November 30, 2021 Links to On Prem topics in Risk and API Gateway guides.
November 16, 2021 Updated for PLATDOCS-1072.
November 9, 2021 Added links to Tanium API Gateway User Guide.
November 5, 2021 Updated for DOC-3264 and DOC-3261.
November 4, 2021 Added Risk module (TaaS only) to topics that link to all Tanium solutions.
November 1, 2021 Updated platform version numbers to 7.5.2.3503
October 26, 2021 Released Console 3.0 and Platform 7.5.2 to Ring 4.
October 19, 2021 Updated for DOC-3212 and DOC-3215.
September 30, 2021 Updated for DOC-3086, DOC-3139, and DOC-3186.
September 28, 2021 Updated for DOC-3142.
September 16, 2021 Updated for DOC-3139, DOC-3142, and PLATDOCS-695.
September 13, 2021 Released Console 3.0.54 and Platform 7.5.2.3474 to Ring 2.
September 9, 2021 Updated for DOC-3086, DOC-3075, DOC-2983, DOC-3074, DOC-3090, DOC-2640.
August 31, 2021 Updated for DOC-3011.
August 25, 2021 Updated for PLATDOCS-1026, DOC-2934, DOC-2845, and DOC-2959.
August 19, 2021 Updated for DOC-2999 and PLATDOCS-426.
August 17, 2021 Updated for DOC-2746.
August 6, 2021 Updated for DOC-2947 and PLATDOCS-1014.
July 30, 2021 Updated for DOC-2847, DOC-2935, and DOC-2925.
July 27, 2021 Added security exclusions for Tanium Gateway Service and Tanium Reporting Service.
Date Revision Summary
July 15, 2021 Updated for DOC-2884.
July 13, 2021 Updated for PLATDOCS-971.
June 29, 2021 Released Platform 7.4.6.1038.
June 28, 2021 Updated for DOC-1789, DOC-2646, DOC-2807, PLATDOCS-802
June 11, 2021 Updated for DOC-2745, DOC-2738, DOC-2572, and DOC-2782.
May 7, 2021 Updated for DOC-2622.
April 22, 2021 Updated for DOC-2617.
April 21, 2021 Republished for Documentation site redesign.
April 13, 2021 Released Platform 7.4.5.1200.
April 6, 2021 Released Console 2.1 to Ring 2.
March 4, 2021 Updated for DOC-2423, DOC-2453, DOC-2388, DOC-2417, PLAT-10037.
February 9, 2021 Released Platform 7.4.4.1362.
February 8, 2021 Updated table numbering.
January 28, 2021 Updated title page to show Tanium logo.
January 20, 2021 Added Internet URLs for Enforce.
December 23, 2020 Updated for PLATDOCS-482, PLATDOCS-735, PLATDOCS-741, COMPLIANCE-5137.
December 8, 2020 Updated for PLATDOCS-271, PLATDOCS-493, PLATDOCS-689
November 20, 2020 Updated for DOC-2194, DOC-2170.
November 2, 2020 Released Tanium Core Platform 7.4.4.1250.
October 29, 2020 Updated for PLATDOCS-614.
October 27, 2020 Removed taas-only condition from references to the Impact module.
October 13, 2020 Released Platform 7.4.4.1226.
October 9, 2020 Added Enforce (TaaS only) to the OS Support matrix and Security Exclusions.
July 16, 2020 Republished for Platform 7.4.3.1242 and Console 1.4.3.0135.
June 30, 2020 Republished for TaaS GA release.
Date Revision Summary
June 16, 2020 Republished for Platform 7.4.3 release.
May 14, 2020 Updated for Interact 2.1.5.
May 12, 2020 Updated security exclusions for Deploy, Patch, Protect, Asset, Client Management, Integrity Monitor, and IR.
April 15, 2020 Updated for PLATDOCS-501: KeyUtility arguments.
April 3, 2020 Updated security exclusions for Deploy and Patch.
April 2, 2020 Updated security exclusions for Patch and updated content pack names (Default Content and Core Content).
March 31, 2020 Updated for PLATDOCS-406 (Tanium Client Management GA release) and support for Tanium Client
7.2.314.3632.
March 19, 2020 Updated for PLATDOCS-494, DOC-1384, DOC-1454.
March 13, 2020 Updated for PLATDOCS-492.
March 11, 2020 Updated for PLATDOCS-437.
February 25, 2020 Released 7.4.2 (common module import feature).
February 11, 2020 Updated security exceptions for 7.4.
February 6, 2020 Released 7.4 GA for the Tanium Client.
January 28, 2020 Released 7.4 GA for Tanium Core Platform servers.
December 4, 2019 Updated for DOC-1326.
November 18, 2019 Corrected the order of links to the module processes in the Security Exclusions topic.
November 15, 2019 Republished for 7.4 Limited Availability release.
November 12, 2019 Updated for DOC-1293, DOC-1274, DOC-1272, DOC-1222, DOC-1276.
October 15, 2019 Added security exclusions for the Performance module.
October 9, 2019 Updated for PLATDOCS-346, PLATDOCS-343, PLATDOCS-315, PLATDOCS-357, DOC-1170, DOC-1113, DOC-940,
DOC-1199, DOC-1253.
September 20, 2019 Updated for DOC-1242.
August 20, 2019 Updated for PLATDOCS-300.
July 17, 2019 Updated the Host Security Exclusions topic and added list of links (to module guides) in the Tanium Network
Ports topic.
July 2, 2019 Updated for 7.3-Next.
Date Revision Summary
May 21, 2019 Updated appliance TLS procedures for Zone Server and added a note to SOAP certificate replacement
procedures to restart module services after redoing the Module Server registration.
April 19, 2019 Moved Internet URL list to a separate topic.
April 16, 2019 Initial release.