Tanium™ Core Platform Deployment Reference Guide Version: All December 09, 2021

Page 1: Tanium™ CorePlatformDeployment ReferenceGuide


© 2021 Tanium Inc. All Rights Reserved Page 2

The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages.

Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Please visit https://docs.tanium.com for the most current Tanium product documentation.

This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.

Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.

Tanium is committed to the highest accessibility standards for our products. To date, Tanium has focused on compliance with U.S. Federal regulations - specifically Section 508 of the Rehabilitation Act of 1998. Tanium has conducted 3rd party accessibility assessments over the course of product development for many years and has most recently completed certification against the WCAG 2.1 / VPAT 2.3 standards for all major product modules in summer 2021. In the recent testing the Tanium Console UI achieved supports or partially supports for all applicable WCAG 2.1 criteria. Tanium can make available any VPAT reports on a module-by-module basis as part of a larger solution planning process for any customer or prospect.

As new products and features are continuously delivered, Tanium will conduct testing to identify potential gaps in compliance with accessibility guidelines. Tanium is committed to making best efforts to address any gaps quickly, as is feasible, given the severity of the issue and scope of the changes. These objectives are factored into the ongoing delivery schedule of features and releases with our existing resources.

Tanium welcomes customer input on making solutions accessible based on your Tanium modules and assistive technology requirements. Accessibility requirements are important to the Tanium customer community and we are committed to prioritizing these compliance efforts as part of our overall product roadmap. Tanium maintains transparency on our progress and milestones and welcomes any further questions or discussion around this work. Contact your sales representative, email Tanium Support at [email protected], or email [email protected] to make further inquiries.

Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners.

© 2021 Tanium Inc. All rights reserved.


Table of contents

Tanium deployment overview 10

Client OS product support 11

Host system security exclusions 13

Tanium Core Platform folders 13

Tanium Core Platform system processes 14

Tanium binary file signer 15

Tanium solution folders 15

Tanium solution processes 15

API Gateway 17

Asset 17

Blob 18

Client Management 18

Comply 20

Connect 22

Deploy 22

Direct Connect 24

Discover 26

Endpoint Configuration 29

End-User Notifications 30

Enforce 31

Health Check 32

Impact 33

Integrity Monitor 33

Map 35

Patch 36

Performance 38

RDB service 40


Reporting 40

Reputation 40

Reveal 41

Risk 43

System User service 44

Threat Response 44

Trends 78

Tanium network ports 79

Tanium Appliance 79

Windows 81

Tanium Client 83

Tanium Core Platform port use details 83

Tanium Server 83

Inbound (Tanium Client to Tanium Server) 84

Rule summary 84

Details 84

Inbound (Tanium Console) 84

Rule summary 84

Details 84

Outbound (Tanium Server to Database Server) 84

Rule summary 84

Details 84

Outbound (Tanium Server to Module Server) 84

Rule summary 84

Details 84

Outbound (Tanium Server to Internet) 84

Rule summary 84

Details 85

Inbound/Outbound (active-active deployment) 85

Rule summary 85


Details 85

Tanium Module Server 85

Inbound (Tanium Server to Module Server) 85

Rule summary 85

Details 85

Outbound (Module Server to Internet) 85

Rule summary 85

Details 85

Outbound (solutions services to Tanium Server) 86

Rule summary 86

Details 86

Tanium Zone Server Hub 86

Outbound (Tanium Zone Server Hub to Zone Server) 86

Rule summary 86

Details 86

Tanium Zone Server 86

Inbound (Tanium Client to Zone Server) 86

Rule summary 86

Details 86

Inbound (Tanium Zone Server Hub to Zone Server) 87

Rule summary 87

Details 87

Tanium Client 87

Inbound/Outbound (Tanium Client to Client) 87

Rule summary 87

Details 87

Outbound (Tanium Client to Zone Server) 87

Rule summary 87

Details 87

Solution-specific port requirements 87


Internet URLs required 89

Securing Tanium Console, API, and Module Server access 90

Overview 90

Tanium Console and API 90

Module Server communication 91

SSL/TLS connection processes and setup tasks 92

CA-issued certificates 94

Certificate requirements 95

Example: Create a CSR and private key with OpenSSL 99

Tanium Appliance: Replace certificates 101

Obtain the new certificate and key 101

Install the new certificate and key 102

Re-register the remote Module Server with each Tanium Server 102

Windows: Replace certificates 103

Obtain the new certificate and key 103

Update the Tanium Server certificate and key files 104

Update the Tanium Server certificate and key files in a standalone (non-HA) deployment 104

Update the Tanium Server certificate and key files in an active-active deployment 104

Update the Module Server certificates and key files 106

Securing Tanium Server, Zone Server, and Tanium Client access 107

Overview of TLS in the Tanium Core Platform 107

Tanium Appliance: Set up TLS 110

Tanium Server 110

Tanium Zone Server 110

Configuration overview 110

File transfer methods 111

Add required SSH keys 111

Step 1: Generate a CSR 112

Step 2: Issue the Certificate 112

Step 3: Install the certificate and configure TLS settings 113


Windows: Set up TLS 113

Tanium Server 113

Configure TLS for outgoing connections 113

Require TLS for Incoming Connections 114

Version 7.4 or later 114

Version 7.3 or earlier 114

Regenerate the TLS certificate and key 114

Tanium Zone Server 115

Tanium Client: Configure TLS 118

Verify the TLS connections 120

Update the TLS configuration when you make changes to key pair 120

Tanium Core Platform settings 122

Tanium Appliance 122

Edit server settings 122

Tanium Server 123

Tanium Server TDownloader 125

Tanium Module Server 126

Module Server TDownloader 127

Tanium Zone Server 128

Windows 129

Tanium Server 130

Tanium Module Server 134

TDownloader 136

Zone Server 137

Proxy server settings 140

Types of proxy servers 140

TDownloader user context 141

Configure proxy settings with the Tanium Console 141

Tanium Appliance: Configure proxy settings 141

Windows: Configure proxy settings 143


Smart card authentication 146

Deployment requirements 146

Create a certificate 146

Extract the certificates 147

Create a new certificate file 150

Tanium Appliance: Configure CAC 151

Step 1: Install the certificate 151

Step 2: Add the required Tanium Server configuration settings 151

Windows: Configure CAC 155

Step 1: Copy the certificate to the Tanium Server installation directory 155

Step 2: Add Windows registry keys on Tanium Server host 155

Troubleshoot smart card authentication 159

Command-line interface 161

Tanium Appliance 161

Windows 161

Examples 162

Display help 162

Display config help 163

Example: List configuration settings 163

Example: Set configuration values 164

Example: Set configuration values 164

Example: Register the Module Server with the Tanium Server 165

Example: Configure global settings 166

Example: Add an admin user 166

Logs 168

Overview 168

Tanium Appliance 168

Windows 169

Action scheduler logs 169

Authentication logs 169


Database upgrade logs 169

HTTP connection logs 169

Installation logs 169

LDAP logs 170

Module plugin history logs 170

Package cache cleaner logs 170

PKI logs 170

RBAC logs 170

Server logs 171

Tanium Data Service logs 171

TDownloader logs 171

Rollover for Tanium Core Platform logs 171

Create a custom log 172

Create a custom log on the Appliance 175

Create a custom log on a platform server or client for Windows 176

Create a custom log on Tanium Client for macOS 176

Create a custom log on Tanium Client for Linux, Solaris, or AIX 176

Export Commodity Classification 178

Change log 179


Tanium deployment overview

This guide describes reference information for the Tanium™ Core Platform and Tanium™ Clients. You can deploy the platform on any of the following infrastructure types:

Tanium™ Appliance
The hardened physical or virtual Tanium Appliance is designed for the low-latency and high-throughput needs of the Tanium Core Platform. For additional deployment information and procedures, see the Tanium Appliance Installation Guide.

Windows deployment
You can deploy the Tanium Core Platform servers on customer-provided Windows Server hardware. For additional deployment information and procedures, see the Tanium Core Platform Deployment Guide for Windows.

Tanium™ as a Service (recommended)
You can deploy the Tanium Core Platform as a cloud-based service with no customer-provided infrastructure. For additional deployment information and procedures, see the Tanium as a Service User Guide.

The Tanium Core Platform in an Appliance or Windows deployment includes the following server types:

• Tanium™ Server
• Tanium™ Module Server
• Tanium™ Zone Server

For additional information about these servers, see the Tanium Core Platform Deployment Guide for Windows: Overview.

For deployment information and additional reference information relating to the Tanium Client, see the Tanium Client Management User Guide.


Client OS product support

Table 1 indicates the operating systems (OSs) that Tanium modules and shared services support for performing operations on managed endpoints (Tanium Client host systems). To see detailed information about Tanium Client support for a particular module or service, click the link in the Product column to go to the corresponding user guide. The table uses the following icons:

• Full support
• Partial support (click the Product link or contact Tanium Support at [email protected] for details)
• No support

Client OS support does not apply to the following Tanium modules and shared services because they are server-side solutions: API Gateway, Connect, Console, Health Check, Interact, Reputation, and Trends.

Tanium’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at Tanium’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. Information about potential future products may not be incorporated into any contract. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Product Windows macOS Linux Solaris and AIX

Tanium Client

Asset

Client Management

Comply

Deploy

Discover

Endpoint Configuration

End-User Notifications

Enforce

 Table 1: Tanium Client OS product support


Host system security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, a security administrator must create exclusions to allow the Tanium processes to run without interference. Typically, this means configuring the security software to exclude the installation directories of the Tanium Client and (for Windows deployments) Tanium Core Platform servers from real-time inspection. Configuring trusted exclusions also typically involves setting a policy to ignore input and output from Tanium binaries. The configuration of these exclusions varies depending on AV software.

Tanium Core Platform servers do not require host system security exclusions in a Tanium Appliance deployment.

Tanium Clients on all operating systems (OSs) require host system security exclusions.

Tanium Core Platform folders

The following table lists Tanium Core Platform folders that antivirus and other host-based security applications must exclude from real-time scans. Include subfolders of these locations when you create the exception rules. The listed folder paths are the defaults. If you changed the folder locations to non-default paths, create rules based on the actual locations.

Target                               OS                    Installation folder
Tanium Server ¹                      Windows 64-bit        \Program Files\Tanium\Tanium Server
Tanium Module Server                 Windows 64-bit        \Program Files\Tanium\Tanium Module Server
                                                           \Program Files\Tanium\Tanium Module Postgres
Tanium Zone Server, Zone Server Hub  Windows 64-bit        \Program Files (x86)\Tanium\Tanium ZoneServer
Tanium Client endpoints ²            Windows 32-bit        \Program Files\Tanium\Tanium Client
                                     Windows 64-bit        \Program Files (x86)\Tanium\Tanium Client
                                     macOS                 /Library/Tanium/TaniumClient
                                     Linux, Solaris, AIX   /opt/Tanium/TaniumClient

¹ You might also have to exclude the Tanium Server Downloads directory if it was moved out of the installation directory using the instructions in the KB article Relocate Downloads Directory.

² For additional folder exclusions that are required during Tanium Client installation, see Tanium Client Management User Guide: Security exclusions for Client Management.

Table 1: Security exclusions for Tanium Core Platform folders


Tanium Core Platform system processes

The following table lists Tanium Core Platform system processes that must be allowed (not blocked, quarantined, or otherwise processed). The variables such as <Module Server> indicate the installation folder of the platform servers and Tanium Client.

Tanium Server (Windows):
  <Tanium Server>\TaniumReceiver.exe

Tanium Module Server (Windows):
  <Module Server>\services\comply-service\_new_\src\utils\7z\7za.exe
  <Module Server>\plugins\console\lib\7za.exe
  <Module Server>\TaniumModuleServer.exe
  <Module Server>\temp\content-management\ContentManagement.exe
  <Module Server>\services\tanium-data-service\TaniumDataService.exe

Tanium Zone Server, Zone Server Hub (Windows):
  <Zone Server>\TaniumZoneServer.exe
  <Zone Server Hub>\TaniumZoneServer.exe

Tanium Client endpoints (Windows, macOS, Linux):
  <Tanium Client>/Tools/StdUtils folder, or all the files that it contains, including:
    • 7za.exe (Windows only)
    • runasuser.exe (Windows only)
    • runasuser64.exe (Windows only)
    • TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux)
    • TaniumFileInfo.exe (Windows only)
    • TPowerShell.exe (Windows only)
    • distribute-tools.sh (macOS, Linux only)

Tanium Client endpoints (Windows):
  <Tanium Client>\TaniumClient.exe
  <Tanium Client>\TaniumCX.exe

Tanium Client endpoints (macOS, Linux, Solaris, AIX):
  <Tanium Client>/TaniumClient
  <Tanium Client>/taniumclient
  <Tanium Client>/TaniumCX

Table 1: Security exclusions for Tanium Core Platform processes


• If you use Microsoft Group Policy Objects (GPO) or other central management tools to manage host firewalls, you might need to create rules to allow inbound and outbound TCP traffic across port 17472 on any managed endpoints, including the Tanium Server.

• If running McAfee Host Intrusion Prevention System (HIPS), mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, per McAfee KB71704.

• The Tanium Client on Windows uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing OS and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.
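Host-firewall rules for the port named in the first bullet, as an added example that is not part of the Tanium guide. Rather than opening TCP 17472 for any program, the rules are bound to the Tanium binary that actually listens and connects on it: TaniumClient.exe on a managed endpoint and TaniumReceiver.exe on the Tanium Server host (default paths from the folders and processes tables above). The function name New-TaniumPortRule and its parameters are this example's own, not Tanium settings.

```powershell
# Added example, not from the Tanium guide: program-scoped Windows Firewall rules
# for Tanium peer/server traffic on TCP 17472. Requires the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated session.
#Requires -RunAsAdministrator

function New-TaniumPortRule {
    param(
        [Parameter(Mandatory)][string]$Program,          # binary the rule is bound to
        [int]$Port = 17472,                               # Tanium Client port from the bullet above
        [string[]]$Profiles = @('Domain', 'Private')      # leave Public closed unless you need it
    )
    if (-not (Test-Path -Path $Program)) { throw "Not installed: $Program" }
    $base    = "Tanium TCP $Port ($([IO.Path]::GetFileName($Program)))"
    $inName  = "$base inbound"
    $outName = "$base outbound"

    # Inbound: peers connect to OUR local port. Outbound: we connect to a peer's port,
    # so the port is the remote one. Both are restricted to the named program.
    if (-not (Get-NetFirewallRule -DisplayName $inName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $inName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Program $Program -Action Allow -Profile $Profiles | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName $outName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $outName -Direction Outbound -Protocol TCP `
            -RemotePort $Port -Program $Program -Action Allow -Profile $Profiles | Out-Null
    }
    # Return the resulting rules so the caller can verify what was created.
    Get-NetFirewallRule -DisplayName $inName, $outName |
        Select-Object DisplayName, Direction, Enabled, Profile
}

# Only the binaries present on this host get rules: an endpoint has the client,
# the Tanium Server host has TaniumReceiver.exe (and usually no client).
$candidates = @(
    'C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe',   # 64-bit Windows
    'C:\Program Files\Tanium\Tanium Client\TaniumClient.exe',         # 32-bit Windows
    'C:\Program Files\Tanium\Tanium Server\TaniumReceiver.exe'
)
foreach ($exe in $candidates) {
    if (Test-Path -Path $exe) { New-TaniumPortRule -Program $exe }
}
```

Where host firewalls are GPO-managed, a locally created rule can be overwritten at the next policy refresh; put the same program-scoped rule into the GPO instead of running this on each machine.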

Tanium binary file signer

Some security products base exclusion rules on file signers. Tanium uses an extended validation (EV) code-signing certificate with the following signers for the Tanium-generated binary files of Tanium Core Platform servers, Tanium Clients, and Tanium solutions (modules and shared services). Tanium also uses this certificate to sign VBS and PS1 files within action packages:

Operating system   Signer
Windows            Files are signed by:
                   Subject: jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=4332270, C=US, ST=CA, L=Emeryville, O=Tanium Inc., CN=Tanium Inc.
macOS              The following Apple developer ID is used to sign and notarize files: Tanium Inc. (TZTPM3VTUU)

Table 2: Tanium binary file signers
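A script that ties the signer table to the folder and process exclusions above, added here as an example and not taken from the Tanium guide. A path exclusion covers whatever lands in that folder, so before registering one it verifies that every Tanium-generated binary under the folder carries a valid Authenticode signature whose subject CN matches Table 2, and registers Microsoft Defender exclusions only for folders that pass. Third-party binaries shipped in the same folders (7za.exe, node.exe, java.exe, postgres.exe and similar) are not Tanium-signed, so they are listed for review rather than treated as failures. Assumptions not stated on this page: a relocated Tanium Client records its install path in the registry value HKLM\SOFTWARE\WOW6432Node\Tanium\Tanium Client\Path (HKLM\SOFTWARE\Tanium\Tanium Client on 32-bit Windows), and Microsoft Defender is the host AV; other products need their own equivalent of Add-MpPreference. The function names are this example's own.

```powershell
# Added example, not from the Tanium guide. Verify Tanium-generated binaries against the
# Table 2 signer, then exclude each verified Tanium folder (and its Tanium*.exe processes)
# from Defender real-time scanning. Needs the Defender module and an elevated session.
#Requires -RunAsAdministrator

$TaniumSignerPattern = 'CN=Tanium Inc\.(,|$)'   # CN from the Table 2 subject

function Get-TaniumFolders {
    # Defaults from the folders table; registry override (assumed location) for a relocated client.
    $candidates = @(
        'C:\Program Files\Tanium\Tanium Server',
        'C:\Program Files\Tanium\Tanium Module Server',
        'C:\Program Files\Tanium\Tanium Module Postgres',
        'C:\Program Files (x86)\Tanium\Tanium ZoneServer',
        'C:\Program Files\Tanium\Tanium Client',
        'C:\Program Files (x86)\Tanium\Tanium Client'
    )
    foreach ($key in 'HKLM:\SOFTWARE\WOW6432Node\Tanium\Tanium Client',
                     'HKLM:\SOFTWARE\Tanium\Tanium Client') {
        $p = Get-ItemPropertyValue -Path $key -Name Path -ErrorAction SilentlyContinue
        if ($p) { $candidates += $p }
    }
    $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -Unique
}

function Test-TaniumFolder {
    # Emits FAIL for a Tanium-named binary that is not validly Tanium-signed and
    # REVIEW for every other executable present; no output means a clean folder.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $taniumName   = $_.Name -like 'Tanium*'
            $taniumSigned = ($sig.Status -eq 'Valid') -and ($subject -match $TaniumSignerPattern)
            if ($taniumName -and -not $taniumSigned) {
                [pscustomobject]@{ Verdict = 'FAIL';   File = $_.FullName; Status = $sig.Status; Subject = $subject }
            } elseif (-not $taniumName) {
                [pscustomobject]@{ Verdict = 'REVIEW'; File = $_.FullName; Status = $sig.Status; Subject = $subject }
            }
        }
}

foreach ($folder in Get-TaniumFolders) {
    $findings = @(Test-TaniumFolder -Folder $folder)
    $fails    = @($findings | Where-Object Verdict -eq 'FAIL')
    $findings | Where-Object Verdict -eq 'REVIEW' | Format-Table -AutoSize | Out-String | Write-Verbose -Verbose

    if ($fails.Count -gt 0) {
        # A tampered or replaced Tanium binary must not be hidden behind an exclusion.
        Write-Warning "$folder : $($fails.Count) Tanium binary file(s) without a valid Tanium signature; no exclusion added"
        $fails | Format-Table -AutoSize | Out-String | Write-Warning
        continue
    }
    Add-MpPreference -ExclusionPath $folder
    Get-ChildItem -Path $folder -Recurse -Filter 'Tanium*.exe' -File |
        ForEach-Object { Add-MpPreference -ExclusionProcess $_.FullName }
    Write-Output "Excluded $folder and its Tanium*.exe processes from Defender real-time scanning"
}

# Read back the resulting configuration so the change can be audited.
(Get-MpPreference).ExclusionPath
(Get-MpPreference).ExclusionProcess
```

Matching the subject CN is a convenience; pinning the thumbprint of the EV certificate is the stricter check where your AV product supports it. The REVIEW list is where you will see the third-party runtimes from the solution tables below (node.exe, java.exe, postgres.exe), which the Tanium signer does not cover and which you should account for separately in your exclusion policy.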

Tanium solution folders

As a rule, Tanium solutions are installed in subdirectories of the Tanium Module Server installation directory. This facilitates any exclusion rules you must create: simply exclude the Module Server installation directory and its subdirectories. This requirement applies only to a Module Server installed on Windows infrastructure.

Tanium solution processes

The following sections list additional processes on the Module Server (Windows infrastructure only) and Tanium Client (all OSs) that you must configure as exclusions in security software to enable Tanium modules and shared services to work.


The following sections use variables (such as <Module Server>) to indicate the installation folder of a Tanium Core Platform server or the Tanium Client.

• API Gateway on page 17
• Asset on page 17
• Blob on page 18
• Client Management on page 18
• Comply on page 20
• Connect on page 22
• Deploy on page 22
• Direct Connect on page 24
• Discover on page 26
• Endpoint Configuration on page 29
• End-User Notifications on page 30
• Enforce on page 31
• Health Check on page 32
• Impact on page 33
• Integrity Monitor on page 33
• Map on page 35
• Patch on page 36
• Performance on page 38
• RDB service on page 40
• Reporting on page 40
• Reputation on page 40
• Reveal on page 41
• Risk on page 43
• System User service on page 44
• Threat Response on page 44
• Trends on page 78


API Gateway

Module Server:
  Process   <Module Server>\services\gateway-service\TaniumGatewayService.exe

API Gateway security exclusions

Asset

Module Server:
  Process   <Module Server>\services\asset-service\node.exe
  Process   <Module Server>\services\asset-service\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe
  Process   <Module Server>\services\asset-service\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe
  Process   <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

Windows endpoints:
  Process   <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe   (for integration with Flexera)
  Process   <Tanium Client>\Tools\Asset\TaniumFileEvidence.exe
  Process   <Tanium Client>\extensions\TaniumSoftwareManager.dll
  Process   <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig

macOS endpoints:
  Process   <Tanium Client>/Tools/EPI/TaniumEndpointIndex   (for integration with Flexera)
  Process   <Tanium Client>/Tools/Asset/TaniumFileEvidence
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.dylib
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig

Linux endpoints:
  Process   <Tanium Client>/Tools/EPI/TaniumEndpointIndex   (for integration with Flexera)
  Process   <Tanium Client>/Tools/Asset/TaniumFileEvidence
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.so
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig

Asset security exclusions


Blob

Module Server:
  Process   <Module Server>\services\blob-service\TaniumBlobService.exe

Blob service security exclusions

Client Management

Module Server:
  Process   <Module Server>\services\client-management-service\node.exe
  Process   <Module Server>\services\twsm-v1\twsm.exe

Windows x86 endpoints:
  Process   \Program Files\Tanium\TaniumClientBootstrap.exe   (during client installation)
  Process   \Program Files\Tanium\SetupClient.exe   (during client installation)
  Process   <Tanium Client>\SetupClient.exe   (during client installation)
  Process   <Tanium Client>\TaniumClientExtensions.dll
  Process   <Tanium Client>\TaniumClientExtensions.dll.sig
  Process   <Tanium Client>\extensions\TaniumDEC.dll
  Process   <Tanium Client>\extensions\TaniumDEC.dll.sig
  Process   <Tanium Client>\TaniumCX.exe

Windows x64 endpoints:
  Process   \Program Files (x86)\Tanium\TaniumClientBootstrap.exe   (during client installation)
  Process   \Program Files (x86)\Tanium\SetupClient.exe   (during client installation)
  Process   <Tanium Client>\SetupClient.exe   (during client installation)
  Process   <Tanium Client>\TaniumClientExtensions.dll
  Process   <Tanium Client>\TaniumClientExtensions.dll.sig
  Process   <Tanium Client>\extensions\TaniumDEC.dll
  Process   <Tanium Client>\extensions\TaniumDEC.dll.sig
  Process   <Tanium Client>\TaniumCX.exe

macOS endpoints:
  Process   /Library/Tanium/TaniumClientBootstrap   (during client installation)
  Process   /Library/Tanium/SetupClient   (during client installation)
  Process   <Tanium Client>/SetupClient   (during client installation)
  Process   <Tanium Client>/libTaniumClientExtensions.dylib
  Process   <Tanium Client>/libTaniumClientExtensions.dylib.sig
  Process   <Tanium Client>/extensions/libTaniumDEC.dylib
  Process   <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  Process   <Tanium Client>/TaniumCX

Linux endpoints:
  Process   /opt/Tanium/TaniumClientBootstrap   (during client installation)
  Process   /opt/Tanium/SetupClient   (during client installation)
  Process   <Tanium Client>/SetupClient   (during client installation)
  Process   <Tanium Client>/libTaniumClientExtensions.so
  Process   <Tanium Client>/libTaniumClientExtensions.so.sig
  Process   <Tanium Client>/extensions/libTaniumDEC.so
  Process   <Tanium Client>/extensions/libTaniumDEC.so.sig
  Process   <Tanium Client>/TaniumCX

Solaris and AIX endpoints:
  Process   /opt/Tanium/TaniumClientBootstrap   (during client installation)
  Process   /opt/Tanium/SetupClient   (during client installation)
  Process   <Tanium Client>/SetupClient   (during client installation)

Table 3: Client Management security exclusions

Comply

Module Server:
  Process   <Module Server>\services\comply-service\node.exe
  Process   <Module Server>\services\comply-service\node_modules\ovalindex\build\bin\ovalindex.exe

Windows endpoints:
  Process   <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe
  Process   <Tanium Client>\Tools\Comply\jre\bin\java.exe   (environments where Java encryption is disabled)
  Process   <Tanium Client>\Downloads\Action_*\jre\bin\java.exe   (environments where Java encryption is enabled)
  Process   <Tanium Client>\Tools\Comply\7za.exe

Linux/macOS/AIX endpoints:
  Process   <Tanium Client>/Tools/Comply/TaniumExecWrapper
  Process   <Tanium Client>/Tools/Comply/jre/bin/java   (environments where Java encryption is disabled)
  Process   <Tanium Client>/Downloads/Action_*/jre/bin/java   (environments where Java encryption is enabled)
  Process   <Tanium Client>/Tools/Comply/7za
  Process   <Tanium Client>/Tools/Comply/xsltproc
  Process   <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar   (Tanium scan engine)
  Process   <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar   (CIS-CAT engine)
  Process   <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh   (Linux only)
  Process   <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT   (Windows only)

SCC engine - Windows endpoints:
  Process   <Tanium Client>\Tools\Comply\scc\cscc.exe
  Process   <Tanium Client>\Tools\Comply\scc\cscc32.exe
  Process   <Tanium Client>\Tools\Comply\scc\cscc64.exe
  Process   <Tanium Client>\Tools\Comply\scc\scc.exe
  Process   <Tanium Client>\Tools\Comply\scc\scc32.exe
  Process   <Tanium Client>\Tools\Comply\scc\scc64.exe

SCC engine - Linux/macOS endpoints:
  Process   <Tanium Client>/Tools/Comply/scc/cscc
  Process   <Tanium Client>/Tools/Comply/scc/cscc.bin
  Process   <Tanium Client>/Tools/Comply/scc/scc
  Process   <Tanium Client>/Tools/Comply/scc/scc.bin

Comply security exclusions

Connect

Module Server:
  Process   <Module Server>\services\connect-service\node.exe

Connect security exclusions

Deploy

For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows (KB822158).

Module Server:
  Process   <Module Server>\services\deploy-service\node.exe
  Process   <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe   (required when Endpoint Configuration is installed)

Windows endpoints:
  Folder    C:\Deploy\Tanium   (required only for the Microsoft Windows 10 Upgrade packages)
  Process   <Tanium Client>\Python27\TPython.exe
  Process   <Tanium Client>\Python38\TPython.exe   (7.4.x clients)
  Folder    <Tanium Client>\Python38   (7.4.x clients)
  Process   <Tanium Client>\Tools\Deploy\7za.exe
  Process   <Tanium Client>\Tools\SoftwareManagement\7za.exe
  Process   <Tanium Client>\TaniumCX.exe
  Process   <Tanium Client>\extensions\TaniumSoftwareManager.dll
  Process   <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
  Folder    %programdata%\Tanium

Linux endpoints:
  Process   <Tanium Client>/python27/bin/pybin
  Process   <Tanium Client>/python27/pybin   (7.2.x clients)
  Process   <Tanium Client>/python38/python   (7.4.x clients)
  Process   <Tanium Client>/TaniumCX
  Process   <Tanium Client>/Tools/SoftwareManagement/data/software-management.db
  Process   <Tanium Client>/Tools/SoftwareManagement/data/software-management.db-wal
  Process   <Tanium Client>/Tools/SoftwareManagement/data/software-management.db-shm
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.so
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig

macOS endpoints:
  Process   <Tanium Client>/python27/bin/pybin
  Process   <Tanium Client>/python27/pybin   (7.2.x clients)
  Process   <Tanium Client>/python38/python   (7.4.x clients)
  Process   <Tanium Client>/TaniumCX
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.dylib
  Process   <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig

Deploy security exclusions

Direct Connect

Module Server:
  Process   <Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe
  Process   <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

Zone Server:
  Process   <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe

Windows endpoints:
  Process   <Tanium Client>\TaniumClientExtensions.dll
  Process   <Tanium Client>\TaniumClientExtensions.dll.sig
  Process   <Tanium Client>\extensions\TaniumDEC.dll
  Process   <Tanium Client>\extensions\TaniumDEC.dll.sig
  Process   <Tanium Client>\Python27\TPython.exe   (7.2.x clients; requires SHA2 support to allow installation)
  Process   <Tanium Client>\Python38\TPython.exe   (7.4.x clients; requires SHA2 support to allow installation)
  Process   <Tanium Client>\TaniumCX.exe
  Folder    <Tanium Client>\Python38   (7.4.x clients)

macOS endpoints:
  Process   <Tanium Client>/libTaniumClientExtensions.dylib
  Process   <Tanium Client>/libTaniumClientExtensions.dylib.sig
  Process   <Tanium Client>/extensions/libTaniumDEC.dylib
  Process   <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  Process   <Tanium Client>/python27/bin/pybin   (7.2.x clients)
  Process   <Tanium Client>/python38/bin/pybin   (7.4.x clients)
  Process   <Tanium Client>/TaniumCX

Linux endpoints:
  Process   <Tanium Client>/libTaniumClientExtensions.so
  Process   <Tanium Client>/libTaniumClientExtensions.so.sig
  Process   <Tanium Client>/extensions/libTaniumDEC.so
  Process   <Tanium Client>/extensions/libTaniumDEC.so.sig
  Process   <Tanium Client>/python27/bin/pybin   (7.2.x clients)
  Process   <Tanium Client>/python38/bin/pybin   (7.4.x clients)
  Process   <Tanium Client>/TaniumCX

Direct Connect security exclusions

Discover

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\discover-service\node.exe |
| | | Process | <Module Server>\plugins\content\discover-proxy\proxyplugin.exe |
| | | Process | <Module Server>\services\twsm-v1\twsm.exe |
| | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | Distributed level 3, distributed level 4, and satellite profiles only | Folder | C:\Program Files\Npcap |
| | Distributed level 3, distributed level 4, and satellite profiles only | Process | <Tanium Client>\Tools\Discover\nmap\nmap.exe |
| | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDEC.dll |
| | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDiscover.dll |
| | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumDiscover.dll.sig |
| | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumExtras.dll |
| | Satellite profiles only | Process | <Tanium Client>\extensions\TaniumExtrasDiscover.dll.sig |
| | 7.2.x clients (1) | Process | <Tanium Client>\python27\TPython.exe |
| | 7.4.x clients (1) | Process | <Tanium Client>\python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\python38 |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | Distributed level 3, distributed level 4, and satellite profiles only | Process | <Tanium Client>/Tools/Discover/nmap/nmap |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.so |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.so |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.so.sig |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.so |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.so.sig |
| | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| | | Process | <Tanium Client>/libTaniumClientExtensions.dylib |
| | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | Distributed level 3, distributed level 4, and satellite profiles only | Process | <Tanium Client>/Tools/Discover/nmap/nmap |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.dylib |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.dylib |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumDiscover.dylib.sig |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.dylib |
| | Satellite profiles only | Process | <Tanium Client>/extensions/libTaniumExtras.dylib.sig |
| | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |

(1) TPython requires SHA2 support to allow installation.

Discover security exclusions

Endpoint Configuration

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |

Endpoint Configuration security exclusions


End-User Notifications

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | Required when Endpoint Configuration is installed | Process | <Module Server>\temp\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| | | Process | <Module Server>\services\end-user-notifications-service\node.exe |
| | | Process | <Module Server>\services\twsm-v1\twsm.exe |
| Windows endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe |
| | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe |
| | 64-bit OS versions | Process | %programfiles(x86)%\Tanium\Tanium End User Notification Tools\UserSessionProxy.exe |
| | 32-bit OS versions | Process | %programfiles%\Tanium\Tanium End User Notification Tools\UserSessionProxy.exe |
| | 64-bit OS versions | Process | %programfiles(x86)%\Tanium\Tanium End User Notification Tools\bin\end-user-notifications.exe |
| | 32-bit OS versions | Process | %programfiles%\Tanium\Tanium End User Notification Tools\bin\end-user-notifications.exe |
| | Exclude from on-access or real-time scans (64-bit OS versions) | Folder | %programfiles(x86)%\Tanium\Tanium End User Notification Tools |
| | Exclude from on-access or real-time scans (32-bit OS versions) | Folder | %programfiles%\Tanium\Tanium End User Notification Tools |
| | | Folder | %programdata%\Tanium |
| macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin |
| | | Process | /Library/Tanium/EndUserNotifications/bin/end-user-notifications.app |
| | | Folder | /Library/Tanium/EndUserNotifications |

End-User Notifications security exclusions

Enforce

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\enforce-service\node.exe |
| Windows x86 endpoints | | File | %SystemRoot%\System32\GroupPolicy\Machine\registry.pol |
| | | Process | <Tanium Client>\Tools\StdUtils\7za.exe |
| | | Process | <Tanium Client>\Tools\Enforce\devcon32.exe |
| | | Process | <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe |
| | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe |
| | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\Python38 |
| | | Process | <Tanium Client>\TaniumClient.exe |
| | | Process | <Tanium Client>\TaniumCX.exe |
| Windows x64 endpoints | | File | %SystemRoot%\System32\GroupPolicy\Machine\registry.pol |
| | | Process | <Tanium Client>\Tools\StdUtils\7za.exe |
| | | Process | <Tanium Client>\Tools\Enforce\devcon64.exe |
| | | Process | <Tanium Client>\Tools\Enforce\LocalPolicyTool.exe |
| | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe |
| | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\Python38 |
| | | Process | <Tanium Client>\TaniumClient.exe |
| | | Process | <Tanium Client>\TaniumCX.exe |
| macOS and Linux x86 and x64 endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |
| | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin |
| | | Process | <Tanium Client>/TaniumClient |
| | | Process | <Tanium Client>/TaniumCX |

Enforce security exclusions

Health Check

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\health-service\node.exe |
| | | Process | <Module Server>\services\health-service\twsm.exe |

Health Check security exclusions


Impact

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\impact-service\TaniumImpactService.exe |
| | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows endpoints | | Process | <Tanium Client>\Python38\TPython.exe |
| | | Folder | <Tanium Client>\Python38 |

Impact security exclusions

Integrity Monitor

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Tanium Module Server | | Process | <Module Server>\services\integrity-monitor-service\node.exe |
| | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Tanium Zone Server | | Process | <Zone Server>\proxy\node.exe |
| Windows x86 and x64 endpoints | | Process | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe |
| | | Process | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe |
| | | Process | <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe |
| | | Process | <Tanium Client>\Tools\IM\TaniumExecWrapper.exe |
| | | Process | <Tanium Client>\extensions\TaniumRecorder.dll |
| | | Process | <Tanium Client>\extensions\TaniumRecorder.dll.sig |
| | | Process | <Tanium Client>\extensions\recorder\proc.bin |
| | | Process | <Tanium Client>\extensions\recorder\recorder.db |
| | | Process | <Tanium Client>\extensions\recorder\recorder.db-shm |
| | | Process | <Tanium Client>\extensions\recorder\recorder.db-wal |
| | | Process | <Tanium Client>\extensions\core\libTaniumPythonCx.dll |
| | | Process | <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig |
| | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe |
| | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\Python38 |
| | | Process | <Tanium Client>\TaniumCX.exe |
| Linux x86 and x64 endpoints | | Process | <Tanium Client>/TaniumAuditPipe |
| | | Process | <Tanium Client>/Tools/Trace/recorder |
| | | Process | <Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| | | Process | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| | | Process | <Tanium Client>/Tools/IM/TaniumExecWrapper |
| | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | Process | <Tanium Client>/extensions/recorder/proc.bin |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | Process | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig |
| | | Process | <Tanium Client>/TaniumCX |

Integrity Monitor security exclusions

Map

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\map-service\node.exe |
| | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| | | Process | <Module Server>\services\map-service\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe |
| | | Process | <Module Server>\services\map-service\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe |
| Windows endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe |
| | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\Python38 |
| | | Process | <Tanium Client>\TaniumCX.exe |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |
| | | Process | <Tanium Client>/TaniumCX |

Map security exclusions

Patch

For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows (KB822158).

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\patch-service\node.exe |
| | Required when Endpoint Configuration is installed | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows endpoints | | Process | <Tanium Client>\Patch\tanium-patch.min.vbs |
| | | Process | <Tanium Client>\Patch\scans\Wsusscn2.cab |
| | | Process | <Tanium Client>\Patch\tools\active-user-sessions.exe |
| | | Process | <Tanium Client>\Patch\tools\run-patch-manager.min.vbs |
| | | Process | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe |
| | | Process | <Tanium Client>\Patch\tools\TaniumFileInfo.exe |
| | | Process | <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe |
| | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe |
| | 7.2.x clients | Folder | <Tanium Client>\Python27 |
| | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\Python38 |
| | | Process | <Tanium Client>\TaniumCX.exe |
| | | Process | <Tanium Client>\Tools\Patch\7za.exe |
| | | Process | <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe |
| | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll |
| | | Process | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig |
| | Exclude from on-access or real-time scans | Folder | <Tanium Client> |
| Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |
| | | Process | <Tanium Client>/Tools/Patch/TaniumExecWrapper |
| | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so |
| | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig |
| macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |
| | | Process | <Tanium Client>/Tools/Patch/TaniumExecWrapper |
| | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig |

Patch security exclusions

Performance

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\performance-service\node.exe |
| | | Process | <Module Server>\services\event-service\twsm.exe |
| | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows (x86 and x64) endpoints | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | | Process | <Tanium Client>\extensions\TaniumPerformance.dll |
| | | Process | <Tanium Client>\extensions\TaniumPerformance.dll.sig |
| | | Process | <Tanium Client>\Tools\Performance\TaniumTSDB.exe |
| | 7.2.x clients (1) | Process | <Tanium Client>\Python27\TPython.exe |
| | 7.4.x clients (1) | Process | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\Python38 |
| | | Process | <Tanium Client>\TaniumCX.exe |
| Linux (x86 and x64) endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.so |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | Process | <Tanium Client>/extensions/libTaniumPerformance.so |
| | | Process | <Tanium Client>/extensions/libTaniumPerformance.so.sig |
| | | Process | <Tanium Client>/Tools/Performance/TaniumTSDB |
| | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin |
| | | Process | <Tanium Client>/TaniumCX |
| macOS endpoints | | Process | <Tanium Client>/libTaniumClientExtensions.dylib |
| | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | | Process | <Tanium Client>/extensions/libTaniumPerformance.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumPerformance.dylib.sig |
| | | Process | <Tanium Client>/Tools/Performance/TaniumTSDB |
| | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin |
| | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin |
| | | Process | <Tanium Client>/TaniumCX |

(1) TPython requires SHA2 support to allow installation.

Performance security exclusions

RDB service

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\rdb-service\TaniumRdbService.exe |

RDB service security exclusions

Reporting

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\reporting-service\TaniumReportingService.exe |

Reporting security exclusions

Reputation

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\reputation-service\node.exe |

Reputation security exclusions


Reveal

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\reveal-service\node.exe |
| | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| | | Process | <Tanium Client>\TaniumClientExtensions.dll |
| | | Process | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | | Process | <Tanium Client>\extensions\TaniumReveal.dll |
| | | Process | <Tanium Client>\extensions\TaniumReveal.dll.sig |
| | | Process | <Tanium Client>\extensions\TaniumDEC.dll |
| | | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| | | Process | <Tanium Client>\extensions\TaniumIndex.dll |
| | | Process | <Tanium Client>\extensions\TaniumIndex.dll.sig |
| | | Process | <Tanium Client>\extensions\core\TaniumPythonCx.dll |
| | | Process | <Tanium Client>\extensions\core\TaniumPythonCx.dll.sig |
| | 7.2.x clients (1) | Process | <Tanium Client>\python27\TPython.exe |
| | 7.4.x clients (1) | Process | <Tanium Client>\python38\TPython.exe |
| | 7.4.x clients | Folder | <Tanium Client>\python38 |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | Process | <Tanium Client>/extensions/libTaniumReveal.so |
| | | Process | <Tanium Client>/extensions/libTaniumReveal.so.sig |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.so |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | | Process | <Tanium Client>/extensions/libTaniumIndex.so |
| | | Process | <Tanium Client>/extensions/libTaniumIndex.so.sig |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig |
| | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| | | Process | <Tanium Client>/libTaniumClientExtensions.dylib |
| | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | | Process | <Tanium Client>/extensions/libTaniumReveal.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumReveal.dylib.sig |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib.sig |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig |
| | 7.2.x clients | Process | <Tanium Client>/python27/python |
| | 7.4.x clients | Process | <Tanium Client>/python38/python |

(1) TPython requires SHA2 support to allow installation.

Reveal security exclusions

Risk

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe |
| | | Process | <Tanium Client>\extensions\TaniumRisk.dll |
| Linux endpoints | | Process | <Tanium Client>/TaniumCX |
| | | Process | <Tanium Client>/libTaniumRisk.so |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| | | Process | <Tanium Client>/libTaniumRisk.dylib |

Risk security exclusions


System User service

| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\system-user-service\TaniumSystemUserService.exe |

System User service security exclusions

Threat Response

TargetDevice

Notes ExclusionType

Exclusion

Tanium

Module

Server

Process <Module Server>\services\detect3-service\node.exe

Process <Module Server>\services\detect3-service\twsm.exe

Process <Module Server>\services\event-service\node.exe

Process <Module Server>\services\event-service\twsm.exe

Process <Module Server>\services\threat-response-service\node.exe

Process <Module Server>\services\twsm-v1\twsm.exe

Process <Module Server>\services\endpoint-configuration-

service\TaniumEndpointConfigService.exe

Tanium

Zone Server

Process <Zone Server>\proxy\node.exe

Threat Response security exclusions

Page 45: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 45

TargetDevice

Notes ExclusionType

Exclusion

Windows

x86 and x64

endpoints

Process <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe

Threat Response security exclusions (continued)

Page 46: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 46

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\Tools\IR\TaniumExecWrapper.exe

Threat Response security exclusions (continued)

Page 47: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 47

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\Tools\IR\TanFileInfo.exe

Threat Response security exclusions (continued)

Page 48: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 48

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\Tools\IR\TaniumFileInfo.exe

Threat Response security exclusions (continued)

Page 49: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 49

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\Tools\IR\TaniumHandle.exe

Threat Response security exclusions (continued)

Page 50: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 50

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\Tools\IR\TaniumListModules.exe

Threat Response security exclusions (continued)

Page 51: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 51

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\extensions\TaniumIndex.dll

Threat Response security exclusions (continued)

Page 52: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 52

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\extensions\TaniumIndex.dll.sig

Threat Response security exclusions (continued)

Page 53: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 53

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe

Threat Response security exclusions (continued)

Page 54: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 54

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe

Threat Response security exclusions (continued)

Page 55: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 55

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\extensions\TaniumRecorder.dll

Threat Response security exclusions (continued)

Page 56: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 56

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\extensions\TaniumRecorder.dll.sig

Threat Response security exclusions (continued)

Page 57: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 57

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\extensions\SupportCX.dll

Threat Response security exclusions (continued)

Page 58: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 58

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\extensions\SupportCX.dll.sig

Threat Response security exclusions (continued)

Page 59: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 59

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>\extensions\recorder\proc.bin

Process <Tanium Client>\extensions\recorder\recorder.db

Process <Tanium Client>\extensions\recorder\recorder.db-shm

Process <Tanium Client>\extensions\recorder\recorder.db-wal

Process <Tanium Client>\extensions\TaniumThreatResponse.dll

Process <Tanium Client>\extensions\TaniumThreatResponse.dll.sig

Process <Tanium Client>\extensions\core\TaniumPythonCx.dll

Process <Tanium Client>\extensions\core\TaniumPythonCx.dll.sig

Folder <Tanium Client>\extensions\stream

Process <Tanium Client>\TaniumClientExtensions.dll

Process <Tanium Client>\TaniumClientExtensions.dll.sig

1 Process <Tanium Client>\Downloads\Action_*\TaniumFileTransfer.exe

1 Process <Tanium Client>\Downloads\Action_*\Winpmem.gb414603.exe

Process <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe

Process <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll

7.2.x

clients, 3Process <Tanium Client>\Python27\TPython.exe

7.4.x

clients, 3Process <Tanium Client>\Python38\TPython.exe

7.4.x

clients

Folder <Tanium Client>\Python38

Process <Tanium Client>\TaniumCX.exe

Process <Tanium Client>\extensions\TaniumDEC.dll

Process <Tanium Client>\extensions\TaniumDEC.dll.sig

Process C:\Windows\System32\drivers\TaniumRecorderDrv.sys

Threat Response security exclusions (continued)

Page 60: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 60

TargetDevice

Notes ExclusionType

Exclusion

Linux x86

and x64

endpoints

Process <Tanium Client>/TaniumAuditPipe

Threat Response security exclusions (continued)

Page 61: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 61

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>/TaniumCX

Threat Response security exclusions (continued)

Page 62: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 62

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>/Tools/EPI/TaniumExecWrapper

Threat Response security exclusions (continued)

Page 63: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 63

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>/Tools/IR/TaniumExecWrapper

Threat Response security exclusions (continued)

Page 64: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 64

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>/extensions/libTaniumIndex.so

Threat Response security exclusions (continued)

Page 65: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 65

TargetDevice

Notes ExclusionType

Exclusion

Process <Tanium Client>/extensions/libTaniumIndex.so.sig

Threat Response security exclusions (continued)

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| (continued from the preceding page) | | Process | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| 7.2.x clients | | Process | <Tanium Client>/python27/python |
| | | Process | <Tanium Client>/python27/bin/pybin |
| 7.4.x clients | | Process | <Tanium Client>/python38/python |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so |
| | | Process | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | Process | <Tanium Client>/libSupportCX.so |
| | | Process | <Tanium Client>/libSupportCX.so.sig |
| | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.so |
| | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.so.sig |
| | | Process | <Tanium Client>/extensions/libTaniumRecorder.so |
| | | Process | <Tanium Client>/extensions/libTaniumRecorder.so.sig |
| | | Process | <Tanium Client>/extensions/recorder/proc.bin |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | Process | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.so |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | | Folder | <Tanium Client>/extensions/stream |
| | 1,2 | Process | <Tanium Client>/Downloads/Action_*/surge-collect |
| | 1,2 | File | <Tanium Client>/Downloads/Action_*/surge.dat |
| | 1 | Process | <Tanium Client>/Downloads/Action_*/linpmem-*.bin |
| | 1 | Process | <Tanium Client>/Downloads/Action_*/taniumfiletransfer |
| macOS endpoints | | Process | <Tanium Client>/TaniumCX |
| | | Process | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| | | Process | <Tanium Client>/Tools/IR/TaniumExecWrapper |
| | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumIndex.dylib.sig |
| | | Process | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| 7.2.x clients | | Process | <Tanium Client>/python27/python |
| 7.4.x clients | | Process | <Tanium Client>/python38/python |
| | | Process | <Tanium Client>/libTaniumClientExtensions.dylib |
| | | Process | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig |
| | | Process | <Tanium Client>/extensions/libTaniumRecorder.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumRecorder.dylib.sig |
| | | Process | <Tanium Client>/extensions/recorder/proc.bin |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | Process | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | Process | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib |
| | | Process | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig |
| | | Folder | <Tanium Client>/extensions/stream |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib |
| | | Process | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| | | Process | <Tanium Client>/extensions/libSupportCX.dylib |
| | | Process | <Tanium Client>/extensions/libSupportCX.dylib.sig |
| | 1,2 | Process | <Tanium Client>/Downloads/Action_*/surge-collect |
| | 1,2 | File | <Tanium Client>/Downloads/Action_*/surge.dat |
| | 1 | Process | <Tanium Client>/Downloads/Action_*/osxpmem.app/osxpmem |
| | 1 | Process | <Tanium Client>/Downloads/Action_*/taniumfiletransfer |

1 = Where * corresponds to the action ID or the version of linpmem.

2 = Exception is required if Volexity Surge is used for memory collection.

3 = TPython requires SHA2 support to allow installation.

Threat Response security exclusions (continued)

Trends

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\twsm-v1\twsm.exe |
| | | Process | <Module Server>\services\trends\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe |
| | | Process | <Module Server>\services\trends\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe |

Trends security exclusions

Tanium network ports

Network port requirements for Tanium Core Platform servers depend on whether you have a Tanium Appliance (page 79) or Windows (page 81) deployment. The Tanium Client (page 83) has its own port requirements. For details about the requirements for each port, see Tanium Core Platform port use details on page 83.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Tanium Appliance

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Clients | Tanium Server | 17472 | TCP | Client communication with the Tanium Server |
| Tanium Server | Tanium Server | 17472, 443, 8443 | TCP | Tanium Server cluster communication |
| Tanium Module Server | Tanium Server | 443, 8443 | TCP | Tanium Module Server communication to the Tanium Server |
| Console users | Tanium Server | 443, 8443 | TCP | Tanium Console communication with the Tanium Server |
| Tanium Server | Tanium Module Server | 17477 | TCP | Tanium Module Server communication from Tanium Server |
| Tanium Zone Server Hub | Tanium Zone Server | 17472 | TCP | Tanium Zone Server Hub communication with the Tanium Zone Servers |
| Tanium Server, Module Server | External servers | 443, 80 | TCP | Tanium Server or Module Server communication with external servers such as content.tanium.com |

Network communication ports used by Tanium components

In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Servers, Tanium Module Servers | DNS servers | 53 | UDP, TCP | DNS resolution for Tanium Servers and Tanium Module Servers |
| Tanium Servers | Tanium Servers | Not applicable | IPsec ESP | Protocol for data confidentiality and authentication in Tanium Server cluster communications |
| Tanium Module Servers | Tanium Module Servers | Not applicable | IPsec ESP | Protocol for data confidentiality and authentication during Tanium Module Server synchronization |
| Tanium Servers | Tanium Servers | 500, 4500 | UDP | IPsec IKE for setting up a secure channel in Tanium Server cluster communications |
| Tanium Module Servers | Tanium Module Servers | 500, 4500 | UDP | IPsec IKE for setting up a secure channel during Tanium Module Server synchronization |
| Tanium Servers | LDAP servers | 389, 636 | TCP | (Optional) External LDAP communications for Tanium authentication |
| All Tanium Appliances | NTP servers | 123 | UDP | NTP time synchronization |
| Tanium Servers | All Tanium Appliances | 22 | TCP | SSH, SCP, SFTP communication for appliance array management |
| Tanium administrator workstations | All Tanium Appliances | 22 | TCP | SSH, SCP, SFTP communication for appliance management |
| SNMP servers | Tanium Appliances | 161 | UDP | (Optional) SNMP monitoring |
| Tanium Appliances | Syslog servers | 514 | TCP, UDP | (Optional) Syslog monitoring |
| Tanium administrator workstations | Tanium Appliances | 443, 5900 | TCP | (Physical appliances only) iDRAC communications (1) |
| Tanium Console user workstations/browsers | content.tanium.com, update.microsoft.com, *.digicert.com | 80, 443 | TCP | Download and install solutions to the Tanium Core Platform |

1 These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. See the Tanium Appliance Deployment Guide: Configure the iDRAC interface.

Appliance network service ports

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Appliance infrastructure.

Figure 1: Network communication ports

For more information about the port requirements of specific Tanium modules and shared services, see Solution-specific port requirements.

Windows

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication:

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Server, Module Server | External servers | 443, 80 | TCP | Tanium Server (TaniumReceiver.exe) or Module Server (TaniumModuleServer.exe) communication with external servers such as content.tanium.com |
| Tanium Server | Tanium Server | 443, 17472 | TCP | Communication between active-active Tanium Servers |
| Tanium Server | Module Server | 17477 | TCP | Tanium Server communication with the Module Server |
| Module Server | Tanium Server | 443 | TCP | Tanium Module Server communication with the Tanium Server |
| Tanium Server | Tanium database | 1433, 5432 | TCP | Tanium Server communication with the Tanium database: SQL Server (Sqlservr.exe) or PostgreSQL server (postgres.exe) |
| Zone Server Hub | Zone Server* | 17472 | TCP | Zone Server Hub (TaniumZoneServer.exe) communication with the Zone Server (TaniumZoneServer.exe) |
| Tanium Clients | Tanium Clients, Tanium Server, Zone Server* | 17472 | TCP | Communication between Tanium Clients (TaniumClient.exe); communication between the clients and the Tanium Server or Zone Server |
| Console/API users | Tanium Server | 443 | TCP | Tanium Console/API user workstation (browser) communication with the Tanium Server |
| Console/API users | External servers | 443, 80 | TCP | Tanium Console/API user workstation (browser) communication with external servers such as content.tanium.com |

* To improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients. For the steps, see Tanium Core Platform Deployment Guide for Windows: Configure ports for traffic from Zone Server Hubs and Tanium Clients.

Network communication ports used by Tanium components (continued)

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Windows infrastructure:

Figure 2: Network communication ports

Tanium Client

You can use the Tanium™ Client Management module to deploy any version of the Tanium Client. For the ports that Client Management requires for communication, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

Tanium Core Platform port use details

The following sections list details about ports that Tanium Core Platform components use, and indicate the default ports. To change the default ports for platform servers, see Tanium Core Platform settings on page 122. To change the default ports for Tanium Clients, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

Tanium Server

The Tanium Server acts as the central hub of communication in the Tanium environment. The server receives traffic that Tanium Clients and the Tanium Console initiate. The server initiates connections to the Tanium database server as well as any Zone Servers.

INBOUND (TANIUM CLIENT TO TANIUM SERVER)

Rule summary

Allow traffic to TCP port 17472 on the Tanium Server from any endpoint to be managed on the internal network.

Details

The communication flow between Tanium Clients and the Tanium Server is counter-intuitive. For example, when you ask a question through the Tanium Console, instead of the server initiating connections to clients, it is leader clients in each linear chain that initiate connections to the Tanium Server. See Tanium Client Management User Guide: Client peering.

All Tanium Clients initiate connections to the Tanium Server when they register. During registration, each Client reports information about itself to the server and receives configuration updates, such as changes to peer lists, from the server.

INBOUND (TANIUM CONSOLE)

Rule summary

Allow traffic from trusted hosts to TCP port 443 on the Tanium Server. An example of a trusted host is a system on a management subnet address that is used for Tanium Console access.

Details

For security, TCP and SOAP communication to the Tanium Server is TLS-encrypted, so the Tanium Server installer configures the server to listen for TCP and SOAP requests on port 443. If another installed application is listening on port 443, you can designate a different port.

OUTBOUND (TANIUM SERVER TO DATABASE SERVER)

Rule summary

Allow traffic from the Tanium Server on TCP port 1433 or 5432 to the Tanium database server.

Details

The Tanium Server initiates connections to the Tanium database server on port 1433 (SQL Server) or 5432 (PostgreSQL).

OUTBOUND (TANIUM SERVER TO MODULE SERVER)

Rule summary

Allow traffic from the Tanium Server to TCP port 17477 on the Module Server.

Details

The Tanium Server initiates connections to the Module Server on port 17477.

OUTBOUND (TANIUM SERVER TO INTERNET)

Rule summary

Allow traffic from the Tanium Server to TCP destination ports 80 and 443 on the Internet.

Using port 443 is a security best practice because traffic on that port is encrypted through the Hypertext Transfer Protocol Secure (HTTPS) protocol.

Details

The Tanium Server initiates connections to https://content.tanium.com and http://*.digicert.com when importing updates to Tanium Core Platform components and solutions. The server might also initiate connections to other Internet sites such as https://update.microsoft.com for other operations. For details, see Internet URLs required on page 89.

INBOUND/OUTBOUND (ACTIVE-ACTIVE DEPLOYMENT)

Rule summary

Allow traffic between Tanium Servers in an active-active cluster on TCP port 17472.

Details

Any active-active cluster member might initiate a connection to the other member. Package files that are uploaded to one member are synchronized to the other. In addition, each member passes Tanium messages, such as question answers, to the other cluster member.

Tanium Module Server

INBOUND (TANIUM SERVER TO MODULE SERVER)

Rule summary

Allow traffic from the Tanium Server to TCP port 17477 on the Module Server.

Details

Check the documentation for the particular Tanium solutions that you plan to use to see whether they require additional inbound ports. See Solution-specific port requirements on page 87.

OUTBOUND (MODULE SERVER TO INTERNET)

Rule summary

Allow traffic from the Module Server to destination TCP ports 80 and 443 on the Internet.

Using port 443 is a security best practice because traffic on that port is encrypted through the HTTPS protocol.

Details

The Module Server does not initiate connections. However, when a solution is imported, the Module Server might need to connect to Tanium and other Internet locations to download required content, and the installed solution services might initiate connections. Check the documentation for the particular solutions that you plan to use to see if they require additional outbound ports. See Solution-specific port requirements on page 87.

OUTBOUND (SOLUTIONS SERVICES TO TANIUM SERVER)

Rule summary

Allow traffic from the Module Server to the following destination TCP ports on the Tanium Server:

• 443: Windows and Appliance deployments
• 8443: Appliance deployments only

Details

The Module Server does not initiate connections. However, a solution on the Module Server might initiate a connection to the Tanium Server.

Tanium Zone Server Hub

OUTBOUND (TANIUM ZONE SERVER HUB TO ZONE SERVER)

Rule summary

Allow traffic from the Zone Server Hub to the destination TCP port 17472 on DMZ machines that host the Zone Servers. In an Appliance deployment, the hub is always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually installed on the Tanium Server host but can also be installed on a dedicated host.

Details

If you are using the Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on the core network, then the Zone Server Hub must be able to connect to the Zone Servers in the DMZ. In Tanium Core Platform 7.3 or earlier, the ZoneServerList.txt configuration file in the hub installation folder identifies the addresses of the destination Zone Servers. In later releases, the hub-to-Zone Server mappings determine the destination Zone Servers: see Tanium Console User Guide: Managing Zone Servers and hubs.

Tanium Zone Server

INBOUND (TANIUM CLIENT TO ZONE SERVER)

Rule summary

Allow traffic from any computer on the Internet to TCP port 17472 on the Zone Servers in the DMZ.

Details

Tanium Clients initiate connections to a Zone Server as if it were a Tanium Server.

INBOUND (TANIUM ZONE SERVER HUB TO ZONE SERVER)

Rule summary

Allow traffic from the Zone Server Hub to TCP port 17472 on the Zone Servers in the DMZ. In an Appliance deployment, the hub is always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually installed on the Tanium Server host but can also be installed on a dedicated host.

Details

If you are using the Tanium Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub must be able to connect to the Zone Servers in the DMZ.

Tanium Client

INBOUND/OUTBOUND (TANIUM CLIENT TO CLIENT)

Rule summary

Allow traffic between Tanium Client peers on the TCP listening port 17472.

Details

In addition to the client-to-server TCP communication that occurs on port 17472, Tanium Clients also communicate with their peers on port 17472. The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, you must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For details on client peering settings, see Tanium Client Management User Guide: Configuring Tanium Client peering.

OUTBOUND (TANIUM CLIENT TO ZONE SERVER)

Rule summary

Allow traffic from any endpoint on the Internet to TCP port 17472 on the Zone Servers in the DMZ.

Details

In deployments with a Zone Server, a Tanium Client might connect to a Zone Server instead of a Tanium Server. The communication requirements for these clients are identical to the Tanium Server-to-Tanium Client requirements.
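The port tables and rule summaries above double as a detection baseline: any Tanium-to-Tanium connection that is not in the matrix is worth a look. As an added example that is not part of this guide or of Tanium's own tooling, the following Python script transcribes the documented Windows-deployment flows into a role-based port matrix and audits a few constructed firewall log lines against it, flagging connections between Tanium roles that the matrix does not document and connections that involve a host missing from the role inventory. The inventory addresses, the key=value log format, and the names `Flow`, `INVENTORY`, `parse_log_line` and `audit_flows` are assumptions made for the example; Internet-bound flows to external servers are deliberately left out of the matrix.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One documented direction of Tanium traffic, keyed by role rather than host."""
    src_role: str
    dst_role: str
    port: int
    proto: str = "TCP"


# Default flows for a Windows deployment, transcribed from the port tables and the
# rule summaries above. If you changed a default port, change it here too.
# Internet-bound flows (content.tanium.com and so on) are intentionally not modeled.
DOCUMENTED_FLOWS = frozenset({
    Flow("Tanium Client", "Tanium Server", 17472),
    Flow("Tanium Client", "Tanium Client", 17472),      # peer chains within a LAN
    Flow("Tanium Client", "Zone Server", 17472),
    Flow("Zone Server Hub", "Zone Server", 17472),
    Flow("Tanium Server", "Tanium Server", 17472),      # active-active cluster
    Flow("Tanium Server", "Tanium Server", 443),
    Flow("Tanium Server", "Module Server", 17477),
    Flow("Module Server", "Tanium Server", 443),        # solution services
    Flow("Tanium Server", "Tanium database", 1433),     # SQL Server
    Flow("Tanium Server", "Tanium database", 5432),     # PostgreSQL
    Flow("Console/API user", "Tanium Server", 443),
})

# Constructed host inventory (IP -> Tanium role); the addresses are illustrative only.
INVENTORY = {
    "10.0.0.10": "Tanium Server",
    "10.0.0.11": "Tanium Server",
    "10.0.0.20": "Module Server",
    "10.0.0.30": "Tanium database",
    "10.0.0.40": "Zone Server Hub",
    "192.0.2.50": "Zone Server",
    "10.0.1.23": "Tanium Client",
    "10.0.1.24": "Tanium Client",
    "10.0.9.5": "Console/API user",
}

# Constructed firewall log lines in a simple key=value shape (an assumption; real
# firewall exports differ, so adapt LOG_RE to yours).
SAMPLE_LOG = """\
src=10.0.1.23 dst=10.0.0.10 dport=17472 proto=TCP action=allow
src=10.0.1.23 dst=10.0.1.24 dport=17472 proto=TCP action=allow
src=10.0.0.10 dst=10.0.0.20 dport=17477 proto=TCP action=allow
src=10.0.0.20 dst=10.0.0.10 dport=443 proto=TCP action=allow
src=10.0.0.10 dst=10.0.0.30 dport=1433 proto=TCP action=allow
src=10.0.0.40 dst=192.0.2.50 dport=17472 proto=TCP action=allow
src=10.0.0.20 dst=10.0.0.30 dport=1433 proto=TCP action=allow
src=10.0.1.24 dst=10.0.0.20 dport=17477 proto=TCP action=allow
src=10.0.9.5 dst=10.0.0.10 dport=443 proto=TCP action=allow
src=10.0.0.10 dst=10.0.0.11 dport=17472 proto=TCP action=allow
src=10.0.7.7 dst=10.0.0.10 dport=17472 proto=TCP action=allow
"""

LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+proto=(\S+)")


def parse_log_line(line: str):
    """Return (src, dst, port, proto) for a recognised line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src, dst, dport, proto = m.groups()
    return src, dst, int(dport), proto.upper()


def audit_flows(log_text, inventory, documented):
    """Return (line number, reason, line) for every flow the port matrix does not cover."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # not a connection record; skip rather than guess
        src, dst, port, proto = parsed
        src_role, dst_role = inventory.get(src), inventory.get(dst)
        if src_role is None or dst_role is None:
            findings.append((lineno, "unknown host", line))
        elif Flow(src_role, dst_role, port, proto) not in documented:
            findings.append((lineno, f"undocumented {src_role} -> {dst_role}:{port}/{proto}", line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in audit_flows(SAMPLE_LOG, INVENTORY, DOCUMENTED_FLOWS):
        print(f"line {lineno}: {reason}\n    {line}")
```

On the constructed log, the audit reports the Module Server talking to the database, a client connecting straight to the Module Server port, and an unknown address reaching the Tanium Server client port; the documented flows pass silently. Keying the matrix on ports and protocol rather than application signatures follows the guide's advice to write TCP-based rather than application-identity rules.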

Solution-specific port requirements

To see additional port requirements that are specific to Tanium™ modules and shared services, click the following links to access the associated user guides:

• API Gateway
• Asset
• Client Management
• Comply: No additional port requirements
• Connect
• Deploy
• Direct Connect
• Discover
• Endpoint Configuration
• End-User Notifications
• Enforce
• Health Check
• Impact
• Integrity Monitor: No additional port requirements
• Interact: No additional port requirements
• Map: No additional port requirements
• Patch: No additional port requirements
• Performance
• Reputation
• Reveal
• Risk
• Threat Response
• Trends

Internet URLs required

During initial deployment and ongoing operations, the Tanium Server and the web browser that you use to access the Tanium Console must be able to connect to https://content.tanium.com to import updates to Tanium Core Platform components and modules.

The Tanium Server might need to connect to additional locations, based on the components you import. The following table lists URLs that the Tanium Server accesses:

| Import type | Components | URLs |
|---|---|---|
| Any | Any (Both the Tanium Server and the browser that you use to access the Tanium Console must connect to these URLs.) | https://content.tanium.com; (Tanium Appliance only) https://download.tanium.com, which is required for Tanium Server upgrades; http://*.digicert.com, because module imports fail if the Certificate Revocation List is blocked or inaccessible |
| Content | Tanium™ Asset module | See Tanium Asset User Guide: Internet URLs. |
| Content | Tanium™ Deploy module | See Tanium Deploy User Guide: Internet URLs. |
| Content | Tanium™ Discover module | See Tanium Discover User Guide: Internet URLs. |
| Content | Tanium™ Enforce module | See Tanium Enforce User Guide: Internet URLs. |
| Content | Tanium™ Health Check shared service | See Tanium Health Check User Guide: Internet URLs. |
| Content | Tanium™ Patch module | See Tanium Patch User Guide: Internet URLs. |
| Content | Tanium™ Reputation shared service | See Tanium Reputation User Guide: Internet URLs. |

Table 4: Internet URLs that the Tanium Server accesses

If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.

If your enterprise security policy does not allow the Tanium Server to access these locations directly, you can use proxy servers. See Proxy server settings on page 140.

You must also enable Tanium Clients to download files from Internet URLs to run certain sensors and packages. For details, see Tanium Console User Guide: Managing allowed URLs.

Securing Tanium Console, API, and Module Server access

Overview

Tanium user and module operations require connections to the Tanium Servers, Module Server, and Tanium module services. The Tanium Core Platform uses SSL/TLS certificates and keys to secure connections to the Tanium Server and Module Server (illustrated in Figure 4). For example, when you use Tanium™ Patch to deploy patches to endpoints, the Tanium Core Platform establishes connections in the following order:

1. User system (browser or CLI) to the Tanium Server (Tanium Console or API)
2. Tanium Server to Tanium Module Server
3. Module Server to Patch service
4. Patch service to Tanium Server

The Tanium Server and Module Server installers generate self-signed certificates. You can replace these with certificates issued by a commercial certificate authority (CA) or your enterprise CA. As a best practice to facilitate troubleshooting, use the self-signed certificates during initial installation and replace them with CA-issued certificates later. This practice enables you to separate potential installation issues from TLS connection issues. Using a CA-issued certificate is highly recommended for Tanium Console and API access but is optional for communication between the Tanium Server and Module Server.

Tanium Console and API access requires users to authenticate with sign-in credentials; that authentication is separate from securing the TLS connection.

For details about the Tanium™ Protocol that secures communication among the Tanium Servers, Zone Server, Zone Server Hub, and Tanium Clients, see Securing Tanium Server, Zone Server, and Tanium Client access on page 107. To manage the keys that the Tanium Protocol uses, see Tanium Console User Guide: Managing Tanium keys.

To install the Tanium Server or Module Server, see Tanium Appliance Deployment Guide or Tanium Core Platform Deployment Guide for Windows.

Tanium Console and API

Users access the Tanium Console or API on the Tanium Server to perform Tanium operations such as issuing questions or deploying actions. The console and API communicate over Hypertext Transfer Protocol Secure (HTTPS), which uses SSL/TLS certificates and keys to secure client-server connections. When a user accesses the Tanium Console or API, the user system is the client and the Tanium Server is the server. To secure the connection, the Tanium Server presents its SOAPServer.crt certificate to prove its identity to the client and uses its SOAPServer.key private key to complete the TLS handshake. For console or API access, clients do not have to prove their identity to secure the connection. Figure 4 illustrates these processes.

When you install the Tanium Server on a Tanium Appliance, it generates a self-signed SOAPServer.crt certificate. When you install the Tanium Server on a Windows server, you can choose between a self-signed certificate or (if one is available) a CA-issued certificate. If you use a self-signed certificate, users see a certificate validation error when they access the Tanium Console or API. The error occurs because the CA certificates on the user system cannot validate the self-signed certificate. The following figure shows an example of such an error when users try to connect from a browser to the Tanium Console.

Figure 3: Certificate validation error

Even though browsers provide the option to access the Tanium Console despite the error, avoiding that option is a security best practice. Therefore, Tanium highly recommends that you replace the self-signed SOAPServer.crt certificate with a CA-issued certificate. If the Tanium Server is currently using a self-signed certificate, you can replace it at any time.

Module Server communication

When users use the Tanium Console or API to work with Tanium modules, the Tanium Server communicates with the Tanium Module Server, the Module Server accesses the Tanium module services that it hosts (such as Patch), and the module services communicate back with the Tanium Server (see Figure 4).

The Tanium Server and Module Server communicate over HTTPS, and both servers must prove their identities through certificates. The Tanium Server presents SOAPServer.crt to prove its identity, while the Module Server presents ssl.crt. The servers use the associated private keys (SOAPServer.key and ssl.key) to complete the TLS handshake that secures the connection. To verify the Tanium Server identity, the Module Server checks that its trusted.crt file contains the SOAPServer.crt that the Tanium Server presented. In an active-active deployment, trusted.crt must contain the SOAPServer.crt of both Tanium Servers. Tanium Servers also verify the Module Server identity by checking that their trusted-module-servers.crt file contains the ssl.crt that the Module Server presented. The Module Server registration process generates trusted.crt on the Module Server and trusted-module-servers.crt on the Tanium Server. The Module Server installation process generates ssl.crt.

The Module Server opens a single HTTPS listener to route requests from the Tanium Server to Tanium module services, which listen only on localhost. TLS termination occurs on the Module Server, which forwards the requests locally over non-TLS connections from the HTTPS listener to the appropriate module service.

Module services connect to the Tanium Server over TLS and verify that the certificate that the Tanium Server presented during the TLS handshake is included in the trusted.crt file on the Module Server. Because module services use the same API as Tanium Console users, client certificate validation is not enforced.

Optionally, you can use CA-issued certificates to replace the server-generated, self-signed SOAPServer.crt and ssl.crt certificates, but not the trusted.crt and trusted-module-servers.crt files. If you replace SOAPServer.crt or ssl.crt, you must re-register the Module Server with the Tanium Server to regenerate the trusted.crt and trusted-module-servers.crt files.

The following table summarizes the certificates and keys that the Tanium Core Platform uses for connections to the Module Server:

| Location | File Name | Purpose |
|---|---|---|
| Module Server | ssl.crt, ssl.key | HTTPS certificate and private key that the Module Server presents to secure incoming connections from the Tanium Server or outgoing connections to Tanium services. |
| Module Server | trusted.crt | Contains the SOAPServer.crt of the Tanium Servers with which the Module Server has registered. The Module Server uses trusted.crt to validate Tanium Server certificates. |
| Tanium Server | SOAPServer.crt, SOAPServer.key | HTTPS certificate and private key that the Tanium Server presents to secure outgoing connections to the Module Server or incoming connections from the systems of Tanium Console users or Tanium API users. |
| Tanium Server | trusted-module-servers.crt (Tanium Core Platform 7.2 or later) | Contains the ssl.crt of the Module Server that has registered with the Tanium Server. The Tanium Server uses trusted-module-servers.crt to validate the Module Server certificate. |

Table 5: Certificates and keys for Module Server connections

SSL/TLS connection processes and setup tasks

The following figure illustrates the components, processes, and setup tasks involved in securing connections to the Tanium Server (Tanium Console or API) and Module Server.

Figure 4: SSL/TLS connections

The following processes correspond to the numbers in Figure 4.

1. Tanium Console/API access

When a user system connects to the Tanium Console or API, the Tanium Server presents its SOAPServer.crt certificate to prove its identity to the user system. In Figure 4, the server uses a CA-issued version of SOAPServer.crt (number 2) instead of a self-signed version. Therefore, the user system uses a CA certificate to validate SOAPServer.crt.

Page 94: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 94

2 Replace self-signed certificate with CA-issued certificate

Generate a certificate signing request (CSR) and associated private key SOAPServer.key for the Tanium Server. You

submit the CSR to your CA, which uses a CA certificate and associated private key to digitally sign the requested certificate

(SOAPServer.crt). The CA signing certificate must also be present on the systems from which users access the Tanium

Console or API (number 1). The Tanium Server can then use the requested CA-issued certificate instead of a self-signed

certificate. Optionally, you can also request a CA-issued certificate to replace the Module Server certificate (ssl.crt).

For details, see CA-issued certificates on page 94.

3 Module Server registration

During a fresh installation of the Module Server, you must manually enable trust between it and the Tanium Server before

registration. The Module Server then registers with the Tanium Server and the servers generate the

trusted-module-servers.crt and trusted.crt files. For subsequent communication between the servers,

including during version upgrades, manually enabling trust is unnecessary because the servers automatically check

trusted-module-servers.crt and trusted.crt during their mutual identity verification (number 4).

The installation procedures in the following deployment guides include steps to manually enable trust for the server

certificates by verifying or entering certificate fingerprints (hash digests of certificate public keys): Tanium Appliance

Deployment Guide: Installing Tanium Module Server and Tanium Core Platform Deployment Guide for Windows: Installing

the Tanium Module Server.

4 Mutual identity verification

To establish a secure TLS connection, the Tanium Server and Module Server prove their identities to each other. During

the TLS handshake, the Tanium Server presents its SOAPServer.crt certificate to the Module Server, which verifies

that its trusted.crt file contains SOAPServer.crt. Also during the handshake, the Module Server presents its

ssl.crt certificate to the Tanium Server, which verifies that its trusted-module-servers.crt file contains

ssl.crt.

5 Module Server to Tanium module services

The Module Server opens a single HTTPS listener to route requests from the Tanium Server to Tanium module services,

which listen only on localhost. The Module Server forwards the requests locally over non-TLS connections from the HTTPS

listener to the appropriate module service.

6 Module services to the Tanium Server

Module services connect to the Tanium Server over TLS and verify that the certificate that the Tanium Server presented

during the TLS handshake is included in the trusted.crt file on the Module Server. Because module services use the

same API as Tanium Console users, client certificate validation is not enforced for this connection (in contrast with the

connection described in number 4).
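The trust check in process 4, where each server accepts the peer certificate only if its own trust file contains that certificate, modelled as an added shell example that is not part of the Tanium guide. It assumes only the openssl CLI; the certificates are self-signed test data generated by the script, the trust-file names (trusted.crt, trusted-module-servers.crt) are the guide's, and the host names are example.com placeholders. Membership is decided by SHA-256 certificate fingerprint, the same kind of digest the guide has you compare when enabling trust manually, so a certificate that merely shares a subject name with a trusted one is rejected.

```shell
#!/bin/sh
# Added example, not from the Tanium guide. Models process 4: a server accepts the
# peer certificate only if its trust file (trusted.crt on the Module Server,
# trusted-module-servers.crt on the Tanium Server) contains that exact certificate.
# Requires the openssl CLI. Certificates below are constructed, self-signed test data.

# SHA-256 fingerprint of PEM certificate $1, as colon-separated hex.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Return 0 if certificate $1 is in PEM bundle $2, otherwise 1. The bundle is split into
# its individual certificates and each one is fingerprinted, so a certificate that only
# shares a subject name with a trusted one is not accepted.
trusted_contains() {
  want=$(fingerprint "$1")
  parts=$(mktemp -d)
  awk -v dir="$parts" '/BEGIN CERTIFICATE/{n++} n>0{print > (dir "/" n ".pem")}' "$2"
  found=1
  for f in "$parts"/*.pem; do
    [ -f "$f" ] || continue
    if [ "$(fingerprint "$f")" = "$want" ]; then found=0; break; fi
  done
  rm -rf "$parts"
  return $found
}

# Process 4 in both directions: the Module Server checks SOAPServer.crt ($1) against
# its trusted.crt ($2); the Tanium Server checks ssl.crt ($3) against its
# trusted-module-servers.crt ($4). Both checks must pass for the handshake to succeed.
mutual_trust_ok() {
  trusted_contains "$1" "$2" && trusted_contains "$3" "$4"
}

# Constructed test data: a self-signed certificate and key named $2 for host $3 in $1.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Run the model end to end in a scratch directory.
demo() {
  d=$(mktemp -d)
  make_selfsigned "$d" SOAPServer ts1.example.com
  make_selfsigned "$d" ssl ms.example.com
  cp "$d/SOAPServer.crt" "$d/trusted.crt"
  cp "$d/ssl.crt" "$d/trusted-module-servers.crt"
  if mutual_trust_ok "$d/SOAPServer.crt" "$d/trusted.crt" \
                     "$d/ssl.crt" "$d/trusted-module-servers.crt"; then
    echo "mutual identity verification: OK"
  else
    echo "mutual identity verification: FAILED"
  fi
  rm -rf "$d"
}
demo
```

The split-and-fingerprint loop is what makes the check meaningful: comparing only the subject name, or only the first certificate in the bundle, would let a second certificate issued for the same FQDN pass, which is exactly the case a pinned trust file is meant to reject.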

CA-issued certificates

If your organization prefers to use CA-issued certificates to secure connections among systems, you can replace the self-signed certificates that the Tanium Server (SOAPServer.crt) and Module Server (ssl.crt) generated during installation. In an active-active deployment, you can use the same CA-issued SOAPServer.crt (and associated private key) for both Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names. Alternatively, you can use a distinct CA-issued certificate for each Tanium Server.

Obtaining a CA-issued certificate involves submitting a CSR to the CA and generating an associated private key. In a Tanium

Appliance deployment, you must use a third-party tool such as OpenSSL (see Example: Create a CSR and private key with OpenSSL

on page 99) to generate the CSR and key on a non-Appliance system and then copy them to the Appliance (see Tanium

Appliance: Replace certificates on page 101). In a Windows deployment, you can use the Tanium™ KeyUtility program to generate

the CSR and key locally (see Windows: Replace certificates on page 103).

On Windows, you can also generate a CSR and key using Microsoft Management Console (MMC).

The CA uses a CA certificate and its associated private key to digitally sign the certificate that you requested. If a CA-issued certificate

replaces SOAPServer.crt on the Tanium Server, then the CA signing certificate must also be present on the systems from which

users access the Tanium Console or API. For console users, the CA signing certificate must be in the trusted certificates store of their

browsers. For API users, the CA signing certificate must be in the location specified in API calls, as shown in the --cacert <file

path> option in the following example:

$ curl -s --cacert <file path> -X POST --data-binary @<sign in>.json https://localhost/api/v2/session/login

When you create the CSR, specify the options and X.509 attributes that ensure the CA returns a certificate that meets the following

requirements.

Certificate requirements

Work with your CA to obtain a certificate with the following specifications for the Tanium Server or Module Server:

• X.509 certificate with TLS Web Server Authentication and Client Authentication extended key usage

• Separate certificate and private key files. You must remove the passphrase from the key file.

• PEM format (Base64 encoded)

• Certificate signed with a SHA-256 hashing algorithm

• RSA 2048-bit key encryption

• Common Name (CN) that specifies the fully qualified domain name (FQDN) or IP address of the server.

• Subject Alternative Name that specifies the FQDNs or IP addresses of both Tanium Servers in an active-active deployment where both servers use the same certificate. This is unnecessary if each server uses its own certificate.


Example: Create a CSR and private key with OpenSSL

The following example shows how to use OpenSSL to create a CSR. You can use vendor-provided web forms or any tool you prefer,

as long as the resulting certificate has the required attributes and a private key. This OpenSSL example uses a configuration file to

pass X.509 attributes to the openssl command. You can specify command-line options instead of using a configuration file.

If you deploy the Tanium Server and Module Server on Windows infrastructure, the security best practice is to use

the KeyUtility.exe program that is local to those servers instead of using a third-party tool to generate the CSR

and private key. Generating the key locally enables you to avoid copying it between systems.

1. Create a configuration file (tanium-openssl.cfg, in this example) with the following content. Change the example values (the *_default entries and the alt_names entries) to ones that are appropriate for your Tanium Servers.

In this example, both Tanium Servers in an active-active deployment use the same certificate, and therefore the subjectAltName section specifies both servers in the DNS.1 and DNS.2 values.

[req]

distinguished_name = req_distinguished_name

req_extensions = v3_req

[req_distinguished_name]

countryName = Country Code

countryName_default = US

stateOrProvinceName = State or Province

stateOrProvinceName_default = CA

localityName = City

localityName_default = Emeryville

organizationName = Organization Name

organizationName_default = ExampleCorp

organizationalUnitName = Organizational Unit

organizationalUnitName_default = IT


commonName = Tanium Server FQDN

commonName_default = ts1.example.com

commonName_max = 64

[v3_req]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment

extendedKeyUsage = serverAuth,clientAuth

subjectAltName = @alt_names

[alt_names]

DNS.1 = ts1.example.com

DNS.2 = ts2.example.com

2. Create a private key file to digitally sign the CSR:

openssl genrsa -out tanium.key 2048

3. Generate the CSR file. The following example specifies the configuration file and private key created in the previous steps:

openssl req -sha256 -new -out SOAPServer.csr -key tanium.key -config tanium-openssl.cfg

4. Open the generated file to confirm that the CSR was created. The following example shows a PEM-formatted CSR.

-----BEGIN CERTIFICATE REQUEST-----
MIIC9DCCAdwCAQAwUzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRMwEQYDVQQHDApFbWVyeXZpbGxlMQswCQYDVQQLDAJJVDEVMBMGA1UEAwwMdHMudGFtLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApUekQ9Q2cdV4HejVI6KY+EgnUsZm2qbQUHoTsRjQV82BUdsybOqY7/I4haTCA5x0tZVPmBV358B6cIiOtWdV+dwp8UFX90iSAugYpop3KQ/Ke7ws4twZiyL+SVZyEwARpZM0aiqt4iExs5+Kw+F5uOvNlhj7F+csu8Q4VzWF+QsgrgMnSsNawZxGPvV9LghaEyow3oP+lmRN2LVrmy82tsmhml2+vOwipR4lyAkNXJS6nIf3BROXUxqFC0vgHDI2/ilX+2GM3MMGZNxPn5iCnxXzLm/yLTytWyLB/mb77Ts/Si8BenLzrZtEvsV+dqWKq6a428/iZD4FYp6+LMd4
[...]
-----END CERTIFICATE REQUEST-----

5. Save the private key to a secure location and submit the CSR to the CA. The submission process varies by CA. In some cases,

you submit a file; in other cases, you paste the contents of the file into an online form. In any case, be sure to communicate

the certificate requirements to your CA.

Use a secure protocol such as Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP) when you

need to copy the private key between systems; do not use Server Message Block (SMB) or File Transfer

Protocol (FTP). For security, after copying the key to the installation folder of the Tanium Core Platform server

that requires the key, delete any other instance of it.
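The procedure above carried through end to end, as an added shell example that is not from the Tanium guide: it writes the guide's OpenSSL attributes to a config file, generates the key and CSR with the guide's two commands, and then checks the CSR and key against the Certificate requirements before anything is submitted to the CA. It assumes only the openssl CLI. One deliberate difference from the guide's config: the file uses "prompt = no" with the guide's example values filled in directly, so the script runs non-interactively instead of prompting with the *_default entries. Host names and file names are the guide's examples.

```shell
#!/bin/sh
# Added example, not from the Tanium guide. Generates the key and CSR the way the
# guide's OpenSSL procedure does, then checks the CSR and key against the guide's
# certificate requirements before they are sent to the CA. Requires the openssl CLI.
# "prompt = no" with the guide's example values filled in is an assumption of this
# script so that it runs non-interactively; the guide's config uses *_default prompts.

# Write an OpenSSL config with the guide's X.509 attributes into directory $1.
write_tanium_cfg() {
  cat > "$1/tanium-openssl.cfg" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = Emeryville
organizationName = ExampleCorp
organizationalUnitName = IT
commonName = ts1.example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ts1.example.com
DNS.2 = ts2.example.com
EOF
}

# Guide steps 2 and 3: an RSA 2048-bit key without a passphrase, then a SHA-256 CSR.
make_csr() {
  openssl genrsa -out "$1/tanium.key" 2048 2>/dev/null
  openssl req -sha256 -new -key "$1/tanium.key" -config "$1/tanium-openssl.cfg" \
    -out "$1/SOAPServer.csr"
}

# Check CSR $1 and key $2 against the guide's requirements; $3.. are the SAN names
# that must be present. Prints each unmet requirement; returns non-zero if any is unmet.
check_csr() {
  csr=$1; key=$2; shift 2
  text=$(openssl req -noout -text -in "$csr") || return 1
  rc=0
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "FAIL: CSR is not signed with SHA-256"; rc=1; }
  echo "$text" | grep -q 'Public-Key: (2048 bit)' \
    || { echo "FAIL: key is not RSA 2048-bit"; rc=1; }
  echo "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: missing serverAuth extended key usage"; rc=1; }
  echo "$text" | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: missing clientAuth extended key usage"; rc=1; }
  for name in "$@"; do
    echo "$text" | grep -q "DNS:$name" \
      || { echo "FAIL: Subject Alternative Name does not list $name"; rc=1; }
  done
  grep -q 'BEGIN CERTIFICATE REQUEST' "$csr" \
    || { echo "FAIL: CSR is not PEM encoded"; rc=1; }
  # A passphrase-protected key carries an ENCRYPTED or Proc-Type header; the guide
  # requires the passphrase to be removed.
  if grep -Eq 'ENCRYPTED|Proc-Type' "$key"; then
    echo "FAIL: private key is passphrase protected"; rc=1
  fi
  return $rc
}

# Run the whole flow in a scratch directory and report the result.
demo() {
  work=$(mktemp -d)
  write_tanium_cfg "$work"
  make_csr "$work"
  check_csr "$work/SOAPServer.csr" "$work/tanium.key" ts1.example.com ts2.example.com \
    && echo "CSR meets the requirements; submit $work/SOAPServer.csr to the CA"
}
demo
```

Run the same check_csr function against the certificate the CA returns (openssl x509 -noout -text prints the same Signature Algorithm, Public-Key, Extended Key Usage and Subject Alternative Name fields) before copying it to the server; a CA that drops the clientAuth usage or one of the SAN names is caught here rather than after a service restart.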

Tanium Appliance: Replace certificates

Perform the following steps to replace the current SOAPServer.crt and SOAPServer.key on the Tanium Server with a new,

CA-issued certificate and associated private key. In an active-active deployment, you can use the same certificate and key for both

Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names.

If you need to replace the current ssl.crt and ssl.key on the Module Server with a new, CA-issued certificate

and associated private key, contact Tanium Support at [email protected].

Obtain the new certificate and key

1. Use a tool such as OpenSSL to generate a CSR and new private key. When creating the CSR, specify the certificate options and

X.509 attributes described under Certificate requirements on page 95. For an example procedure, see Example: Create a CSR

and private key with OpenSSL on page 99.

2. Save the private key to a secure location on a system from which you can connect to the Tanium Servers through an SFTP

client.

When transferring the private key between systems, use a secure protocol such as SCP or SFTP; do not use

SMB or FTP.


3. Submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the

file contents into an online form. In any case, be sure to communicate the certificate requirements to your CA.

4. When the CA returns the new certificate, save it to the same location as the private key so that you can copy both files to the

Tanium Servers.

Install the new certificate and key

Install the new, CA-issued certificate and associated private key on the Tanium Server. In an active-active deployment, perform these

steps on each Tanium Server. Because the steps include stopping and restarting the servers, perform this task during a maintenance

window.

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter 2 to go to the Tanium Operations menu.

3. Enter 4 to initiate the Install Custom SOAP Cert process.

4. Follow the prompts to install the certificate and key files that you uploaded:

a. Enter Yes at the prompt to proceed with the installation.

b. Select the certificate that you are importing, verify that the displayed certificate details are correct, and enter Yes at the

prompt.

c. Select the private key that you are importing.

The Appliance verifies that the key is valid and matches the certificate.

d. Enter Yes at the prompt to create a backup of the files in the /outgoing directory of the tancopy user.

The Tanium Appliance stops the Tanium Server service, installs the new certificate and key, and restarts the service.

e. If the Appliances are in an array, the last step is to re-register the Module Server: enter Yes at the prompt and enter the

password of the Tanium Console admin user.

Otherwise, if the Appliance is not in an array, press Enter to continue and perform the steps described in Re-register the

remote Module Server with each Tanium Server on page 102.

Re-register the remote Module Server with each Tanium Server

After you replace the certificate and private key on the Tanium Server, re-register the Module Server if you did not already do so in

the preceding task. In an active-active deployment, you must re-register with each Tanium Server. Because the steps include

stopping and restarting services, perform this task during a maintenance window.

1. Repeat the remote Module Server configuration steps to update the certificates that are used to validate SOAPServer.crt

and ssl.crt on each server: trusted.crt on the Module Server appliance and trusted-module-servers.crt on

the Tanium Server appliance. See the Tanium Appliance Deployment Guide: Configure the Tanium Server to use the remote

Module Server.

2. Restart all Tanium services on the Module Server appliance. See Tanium Appliance Deployment Guide: Start, stop, and restart

Tanium services.


Windows: Replace certificates

Perform the following steps to replace the current certificates and private keys used for connections to the Tanium Console, API, and

Module Server with new, CA-issued certificates and associated private keys. In an active-active deployment, you can use the same

certificate and key for both Tanium Servers as long as the Subject Alternative Name in the certificate specifies both server names.

The certificates and keys that the Tanium Server and Module Server use are not interchangeable. The Tanium Server

uses the SOAPServer.crt certificate and SOAPServer.key key. The Module Server uses the ssl.crt

certificate and ssl.key key.

Obtain the new certificate and key

You can use the Tanium KeyUtility.exe program instead of a third-party tool to generate the CSR and private key on whichever

server (Tanium Server or Module Server) needs them.

For better security, generate the key locally on the server to avoid copying it between systems.

You can also generate a CSR and key using Microsoft Management Console (MMC).

1. Sign in to the server that needs a new certificate and access the CLI as an administrator (see Windows on page 161).

2. Navigate to the server installation folder.

$ cd <Tanium/Module Server>

3. Use the KeyUtility.exe program to generate a CSR and private key.

The --hostname argument specifies the server FQDN or IP address. In an active-active deployment where both Tanium

Servers use the same certificate and key, specify both Tanium Servers with a comma separator

(ts1.example.com,ts2.example.com for example). Optionally, you can also generate a unique CSR and key for each

Tanium Server.

The --out argument specifies the output folder and files names of the CSR and key. The command automatically appends the

suffix (.csr or .key) to the file name. Use the file name SOAPServer on the Tanium Server or ssl on the Module Server to

avoid having to rename the files later. To avoid overwriting the current key, be sure to specify an output folder that is not the

server installation folder.

$ KeyUtility selfsign --export-csr --hostname <server FQDN/IP address> --out <output folder path><file name>

The command creates three files in the specified output folder: <filename>.csr, <filename>.key, and

<filename>.crt. The command automatically uses the key to sign <filename>.csr. The <filename>.crt file is a

self-signed certificate that you use only if you do not need a CA-issued certificate.


4. Submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the

file contents into an online form. In any case, be sure to communicate the certificate requirements to your CA.

5. When the CA returns the new certificate file, save it to a temporary location from where you can later copy the file to the

installation folder of the Tanium Server or Module Server.

Update the Tanium Server certificate and key files

Because you must restart servers during this task, perform it during a maintenance window.

UPDATE THE TANIUM SERVER CERTIFICATE AND KEY FILES IN A STANDALONE (NON-HA) DEPLOYMENT

1. On the Tanium Server, back up the existing SOAPServer.crt certificate and SOAPServer.key private key in case you

later want to revert your changes.

2. Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.

3. Copy the new certificate and key files to the server installation folder to replace the existing files.

For security, delete any instance of the key that is not in the installation folder after you copy the key there.

4. Start the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Start.

If you plan to update the Module Server certificates and keys, skip to Update the Module Server certificates and key files on

page 106. Otherwise, perform the remaining steps.

5. Sign in to the Module Server and re-register it with the Tanium Server to regenerate the trusted.crt and

trusted-module-servers.crt files. You can re-register by re-running the Module Server installer (see Tanium Core

Platform Deployment Guide for Windows: Installing the Tanium Module Server) or by using the Module Server CLI as follows.

Specifying the port is necessary only if the Tanium Console does not use the standard port (443). Specify the user name and

password of a Tanium Console administrator.

cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>

Enter administrator username: <user name>

Enter password for user '<user name>': <password>

Successfully completed registration.

6. On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all

Tanium solutions:

• Reboot the Module Server. All the services automatically restart during the reboot process.

• Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.

7. Restart the Tanium Server service: on the Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.

UPDATE THE TANIUM SERVER CERTIFICATE AND KEY FILES IN AN ACTIVE-ACTIVE DEPLOYMENT

Perform these steps on one Tanium Server at a time. The steps in this example start on the primary Tanium Server.


1. On the primary Tanium Server, back up the existing SOAPServer.crt certificate and SOAPServer.key private key in case

you later want to revert your changes.

2. Stop the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Stop.

3. Copy the new certificate and key files to the server installation folder to replace the existing files.

For security, delete any instance of the key that is not in the installation folder after you copy the key there.

4. Start the Tanium Server service: open the Windows Services application, right-click Tanium Server, and select Start.

5. On the secondary Tanium Server, stop the Tanium Server service.

6. Replace the existing certificate and key in the installation folder of the secondary Tanium Server:

• If each Tanium Server requires a unique certificate and key, copy the files from the temporary folder where you stored them.

• If both Tanium Servers use the same certificate and key, copy the files from the primary Tanium Server.

Use a secure protocol such as SCP or SFTP to copy the key between systems; do not use SMB or FTP.

7. On the secondary Tanium Server, start the Tanium Server service.

If you plan to update the Module Server certificates and keys, skip to Update the Module Server certificates and key files on

page 106. Otherwise, perform the remaining steps.

8. Sign in to the Module Server and re-register it with each Tanium Server to regenerate the trusted.crt and

trusted-module-servers.crt files. You can re-register by re-running the Module Server installer (see Tanium Core

Platform Deployment Guide for Windows: Installing the Tanium Module Server), but only for the primary Tanium Server. You

can use the Module Server CLI as follows to re-register with either Tanium Server. Specifying the port is necessary only if the

Tanium Console does not use the standard port (443). Specify the user name and password of a Tanium Console

administrator.

cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>

Enter administrator username: <user name>

Enter password for user '<user name>': <password>

Successfully completed registration.

9. On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all

Tanium solutions:

• Reboot the Module Server. All the services automatically restart during the reboot process.

• Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.

10. Restart the Tanium Server service: on each Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.


Update the Module Server certificates and key files

Because this task involves stopping and starting the Module Server, perform the steps during a maintenance window.

The Tanium Server service must be running on each Tanium Server when you perform the step to re-register the

Module Server.

1. On the Module Server, back up the existing ssl.crt certificate and ssl.key private key in case you later want to revert

your changes.

2. Stop the services for the Tanium Module Server and all Tanium solutions (modules and shared services): open the Windows

Services application and, for each service, right-click the service name and select Stop.

3. Copy the new certificate and key files to the Module Server installation folder to replace the existing files.

For security, delete any instance of the key that is not in the installation folder after you copy the key there.

4. Re-register the Module Server with each Tanium Server to regenerate the trusted.crt and

trusted-module-servers.crt files. You can re-register by re-running the Module Server installer, but only for the

primary Tanium Server in an active-active deployment or for a standalone Tanium Server. You can use the Module Server CLI

as follows to re-register with any Tanium Server in an active-active or standalone deployment. Specifying the port is necessary

only if the Tanium Console does not use the standard port (443). Specify the user name and password of a Tanium Console

administrator.

cmd-prompt>TaniumModuleServer register <Tanium Server FQDN>:<port>

Enter administrator username: <user name>

Enter password for user '<user name>': <password>

Successfully completed registration.

5. On the Module Server, perform one of the following steps to restart the services for the Tanium Module Server and all

Tanium solutions:

• Reboot the Module Server. All the services automatically restart during the reboot process.

• Open the Windows Services application and, for each Tanium service, right-click the service name and select Restart.

6. Restart the Tanium Server service: on each Tanium Server, open the Windows Services application, right-click Tanium Server, and select Restart.


Securing Tanium Server, Zone Server, and Tanium Client access

Overview of TLS in the Tanium Core Platform

Tanium Core Platform 7.2 or later uses the following protocols for communication among platform components:

• Tanium Protocol: This application protocol is proprietary to Tanium and uses TLS 1.2 to encrypt communication. You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.

• Hypertext Transfer Protocol Secure (HTTPS): The Tanium Core Platform uses TLS 1.2 to encrypt HTTPS communication among platform components. The components negotiate the TLS version for HTTPS connections with external servers but enforce TLS 1.2 as the minimum version.

The following table lists the connections among Tanium Core Platform components and the protocol that each connection uses. The

numbers correspond to the connections in Figure 5.

Connection | Protocol
--- | ---
1 Tanium Console or API user systems to Tanium Servers | HTTPS
2 Tanium Console or API user systems to external servers (such as content.tanium.com) | HTTPS
3 (Windows only) Tanium Servers to Tanium database in deployments where the database is not on the Tanium Server host | By default, communication is over TCP/IP without encryption, but configuring encryption is a best practice. Consult your database administrator.
4 Tanium Servers to Tanium Module Server | HTTPS
5 Module Server to external servers | HTTPS
6 Tanium Server to Tanium Server in an active-active deployment | Tanium Protocol *
7 Tanium Servers to external servers | HTTPS
8 Tanium Servers to Zone Server Hub. Figure 5 shows the Zone Server Hub installed on a host that is separate from the Tanium Server hosts to illustrate that the connection is encrypted. However, in most deployments, you install the hubs on the same hosts as the Tanium Servers. | Tanium Protocol
9 Zone Server Hub to Zone Server | Tanium Protocol
10 Tanium Clients (external) to Zone Server | Tanium Protocol
11 Tanium Clients (internal) to Tanium Servers | Tanium Protocol
12 Tanium Client to Tanium Client (external and internal) | Tanium Protocol **

* Tanium Appliances use IPsec to secure Tanium database traffic and Lightweight Directory Access Protocol (LDAP) synchronization traffic.

** Applies only to Tanium Client 7.4 or later.

Table 6: TLS communication in the Tanium Core Platform

Figure 5: TLS communication in the Tanium Core Platform

To manage the certificates and keys that the Tanium Core Platform uses for HTTPS traffic, see Securing Tanium

Console, API, and Module Server access on page 90.

The Tanium Core Platform supports TLS for additional connections that various Tanium modules and shared

services require. For details, see the user guides for your Tanium products at docs.tanium.com.

TLS communication starts when a TLS client initiates a TLS handshake to establish a secure connection with a server. The following

are examples in the context of the Tanium Core Platform:


• The Zone Server acts as a client when registering with the Tanium Server.

• The Tanium Client acts as a client when registering with the Zone Server or Tanium Server.

• A Tanium Server acts as a client when performing active-active synchronization with another Tanium Server.

During the TLS handshake, the client and server generate a shared, unique session key, which they use to secure communication for

the duration of their session. You can configure TLS as optional for certain versions of Tanium Core Platform servers and Tanium

Clients, as listed in Table 7. If the handshake fails and TLS is optional, the client and server attempt a non-TLS (unencrypted)

connection instead. If the handshake fails and TLS is configured as required, the client and server cannot connect.

Tanium Core Platform 7.2 or later supports the following cipher suites for creating keys and encrypting information in TLS

communication:

• ECDHE-ECDSA-AES256-GCM-SHA384

• ECDHE-RSA-AES256-GCM-SHA384

• ECDHE-ECDSA-CHACHA20-POLY1305

• ECDHE-RSA-CHACHA20-POLY1305

• ECDHE-ECDSA-AES128-GCM-SHA256

• ECDHE-RSA-AES128-GCM-SHA256

• ECDHE-ECDSA-AES256-SHA384

• ECDHE-RSA-AES256-SHA384

• ECDHE-ECDSA-AES128-SHA256

• ECDHE-RSA-AES128-SHA256

Contact Tanium Support at [email protected] and consult your network security team before modifying the TLS configuration.

Whether TLS is available and required depends on the Tanium Core Platform version, components, and infrastructure:

Version | Tanium Server, Zone Server, Zone Server Hub | Tanium Clients
--- | --- | ---
7.4 or later | After a fresh installation or upgrade, TLS is required and you cannot disable it. | After a fresh installation or upgrade, TLS is required by default.
7.2 or 7.3 | Whether TLS is enabled depends on the infrastructure in which you deploy the Tanium Core Platform. Windows deployment: TLS is disabled by default and enabling it is optional. Tanium Appliance deployment: TLS is enabled by default on the Tanium Server and disabling it is optional for incoming connections; TLS is disabled by default on the Zone Server and Zone Server Hub, and enabling it is optional. | TLS communication is disabled by default and enabling it is optional.
7.1 or earlier | Encryption for inter-server communication requires a third-party binary or other external dependencies. | Not applicable

Table 7: TLS options and defaults

The following sections describe how to set up TLS for Tanium Core Platform components that use the Tanium Protocol. For

additional details and procedures related to the digital keys for Tanium Protocol traffic, see Tanium Console User Guide: Managing

Tanium keys.

Tanium Appliance: Set up TLS

Tanium Server

When you install the Tanium Server role (see Installing an individual Tanium Server), TLS is enabled by default. TLS is required for

incoming connections in Tanium Core Platform 7.4 or later but not in earlier versions. If you want to require TLS for incoming

connections in version 7.2 or 7.3, go to the Tanium Operations menu and use the Configuration Settings menu to change the

values. For details, see Tanium Core Platform settings on page 122.

Tanium Zone Server

When you install the Tanium Zone Server role or Zone Server Hub add-on role, TLS is enabled by default in Tanium Core Platform 7.4

but not in earlier versions. Perform the following procedures to configure TLS in version 7.2 or 7.3.

CONFIGURATION OVERVIEW

Configuring Tanium Zone Server encryption is a three-step process:

1. On the Zone Server, generate a TLS certificate signing request (CSR): Step 1: Generate a CSR on page 112.

2. On the Tanium Server, issue and sign the TLS certificate: Step 2: Issue the Certificate on page 112.

3. On the Zone Server, add the certificate and key files and configure default values for TLS settings: Step 3: Install the certificate

and configure TLS settings on page 113.

To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values.


FILE TRANSFER METHODS

TanOS 1.5 and later provide menus that enable the following methods for copying the CSR, certificate, and key files:

• Copy and paste between TanOS menus on the Zone Server appliance and Tanium Server appliance. This method is convenient if you can open SSH terminal sessions to each appliance. If you use this method, skip to Step 1: Generate a CSR on page 112.

• Menu-driven SFTP between the Zone Server appliance and Tanium Server appliance. This method requires SFTP connectivity from the Zone Server to the Tanium Server. You must copy the public key for the user tanadmin on the first appliance to the authorized key store for the tancopy user on the second appliance, and vice versa.

ADD REQUIRED SSH KEYS

1. Start an SSH terminal session on both the Tanium Server appliance and the Zone Server appliance so that you can copy and

paste between them.

2. Copy the tanadmin key from the first appliance to the authorized key store for the tancopy user on the second appliance.

a. On the first appliance:

i. From the tanadmin menu, enter C to go to the User Administration menu.

ii. Enter 3 to go to the SSH Key Management menu.

iii. Enter the line number for tanadmin to display the key management menu for this user.

iv. Enter 2 to display the public key.

v. Copy the contents of the public key to the clipboard.

b. On the second appliance:

i. From the tanadmin menu, enter C to go to the User Administration menu.

ii. Enter 3 to go to the SSH Key Management menu.

iii. Enter the line number for the tancopy user.

iv. Enter 3 to go to the Authorized Keys menu.

v. Enter 2 and follow the prompts to paste the contents of the tanadmin user public key file.

3. Copy the tanadmin key from the second appliance to the authorized key store for the tancopy user on the first appliance.

a. On the second appliance:

i. Return to the SSH Key Management menu.

ii. Enter the line number for tanadmin to display the key management menu for this user.

iii. Enter 2 to display the public key.

iv. Copy the contents of the public key to the clipboard.


b. On the first appliance:

i. Return to the SSH Key Management menu.

ii. Enter the line number for the tancopy user.

iii. Enter 3 to go to the Authorized Keys menu.

iv. Enter 2 and follow the prompts to paste the contents of the tanadmin user public key file.

STEP 1: GENERATE A CSR

1. Sign in to the Zone Server appliance as the user tanadmin.

2. Enter 2 to go to the Tanium Operations menu.

3. Enter Z to go to the Zone Server Configuration menu.

4. Enter 1 and follow the prompts to generate the CSR. Be sure to copy the text to the clipboard or specify the settings for the

SFTP connection to the Tanium Server.

STEP 2: ISSUE THE CERTIFICATE

The option for the Zone Server Configuration menu only appears if the Zone Server Hub add-on is installed on the

Tanium Server appliance.

1. Sign in to the Tanium Server appliance as the user tanadmin.

2. Enter 2 to go to the Tanium Operations menu.

3. Enter Z to go to the Zone Server Configuration menu.

4. Enter 2 to go to the Import Cert Request menu.

5. Enter 1 to import the CSR or 2 to paste the text.

The Tanium Server validates the CSR, generates and signs the reporting.crt certificate file, copies the certificate contents

to the screen, and copies the file to the /outgoing directory.

6. Follow the prompts to prepare for Step 3:

l Copy the certificate text if you plan to paste it in the next step.

l Use SFTP to copy reporting.crt from the Tanium Server /outgoing directory to your management computer

and then copy it again to the Zone Server /incoming directory if you cannot establish an SFTP connection from the

Zone Server to the Tanium Server.

l If you set up SSH keys and can establish an SFTP connection from the Zone Server to the Tanium Server, do nothing.

You can import the certificate file from the Tanium Server /outgoing directory automatically in Step 3: Install the

certificate and configure TLS settings on page 113.


STEP 3: INSTALL THE CERTIFICATE AND CONFIGURE TLS SETTINGS

1. Sign in to the Zone Server appliance as the user tanadmin.

2. Enter 2 to go to the Tanium Operations menu.

3. Enter Z to go to the Zone Server Configuration menu.

4. Enter 3 to display the Import Signed Certificate menu.

5. Use the menu to import the certificate:

l Enter 1 to import reporting.crt if you copied it to the Zone Server /incoming directory.

l Enter 2 to paste the text.

l Enter 3 to pull it from the Tanium Server /outgoing directory.

The Zone Server installs the certificate and configures default settings. To change the default values, go to the Tanium
Operations menu and use the Configuration Settings menu to change the values. For details, see Tanium Core Platform
settings on page 122.

Windows: Set up TLS

Tanium Server

The Tanium Server installer generates the TLS public and private keys that are used to set up TLS for connections between Tanium

Servers in an active-active deployment and between Tanium Clients and the Tanium Server.

CONFIGURE TLS FOR OUTGOING CONNECTIONS

In Tanium Core Platform 7.4 or later, TLS is automatically set up and required for outgoing connections between Tanium Servers in

an active-active deployment, and you cannot disable it.

In version 7.3 or 7.2, add or edit the setting ReportingTLSMode in the Windows registry to enable or disable TLS. The data type is

REG_DWORD and the value is a number. The following values are possible:

l 0 (TLS not used): TLS is disabled. This is the default value for servers installed on a Windows system.

l 1 (TLS required): If a TLS handshake fails, the connection fails.

l 2 (TLS optional): The server tries to connect over TLS. If the TLS connection fails, the server tries a non-TLS connection.

You can use the command-line interface (CLI) to add the registry setting:

> cd <Tanium_Server_installation_folder>

> TaniumReceiver config set ReportingTLSMode <value>


REQUIRE TLS FOR INCOMING CONNECTIONS

Optionally, you can configure TLS as required or optional for incoming connections on the Tanium Server. The Tanium Server

version determines which setting you configure.

Version 7.4 or later

From the Tanium Console Main menu, go to Administration > Configuration > Platform Settings, and configure the following

settings for connections from Tanium Clients to the Tanium Server.

These settings also apply to connections from Tanium Clients to the Zone Server if you deploy one.

l require_client_tls_314_flag: Specify one of the following values:

o 0 (default): The Tanium Server allows both TLS and non-TLS connections from Tanium Clients.

o 1: The Tanium Server allows connections from Tanium Clients only if TLS is used. Do not set the value to 1 until you

are sure that all Tanium Clients that have been deployed are configured to use TLS and you are ready to deploy the

Tanium Client to new endpoints with TLS configured before initial registration.

l require_client_tls_315_flag: Specify one of the following values:

o 1 (default): The Tanium Server allows connections from Tanium Clients 7.4 or later only if TLS is used. Tanium

strongly recommends that you leave the value at 1.

o 0: The Tanium Server allows both TLS and non-TLS connections from Tanium Clients 7.4 or later. Contact Tanium

Support at [email protected] before setting the value to 0.

Version 7.3 or earlier

In the Windows registry, specify one of the following values for the setting RequireIncomingEncryption:

l 0: TLS is not required.

l 1: TLS is required. Do not specify 1 until you are sure that all Tanium Clients that have been deployed are configured to use

TLS and you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration.
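The two settings above (require_client_tls_314_flag on 7.4 or later, RequireIncomingEncryption on 7.3 or earlier) lock out every Tanium Client that is not already speaking TLS, so the check that matters is the one you run before flipping them. The following script is an added example written for this guide, not Tanium software: it encodes the ordering the guide gives (clients first to ReportingTLSMode 2, confirm the Using TLS column on the Client Status page, then require TLS on the server) and tells you which stage a fleet is in. The client records are constructed sample data, and the record field names are assumptions rather than a Tanium export format.

```python
"""Staged TLS rollout check for Tanium Client connections (added example, not Tanium code).

Encodes the guide's rule: do not set RequireIncomingEncryption=1 (7.3 or earlier) or
require_client_tls_314_flag=1 (7.4 or later) until every deployed client is configured
for TLS (ReportingTLSMode 1 or 2) and is actually registering over TLS.
"""
from dataclasses import dataclass

# Client-side ReportingTLSMode values (Table 9).
TLS_NOT_USED, TLS_REQUIRED, TLS_OPTIONAL = 0, 1, 2


@dataclass(frozen=True)
class ClientRecord:
    """One row of constructed sample data; field names are assumptions."""
    hostname: str
    reporting_tls_mode: int      # effective ReportingTLSMode on the endpoint
    registered_using_tls: bool   # "Using TLS" column at the client's last registration


def clients_blocking_enforcement(clients):
    """Clients that would be orphaned, or are not yet proven, if TLS were required now."""
    blockers = []
    for c in clients:
        if c.reporting_tls_mode == TLS_NOT_USED:
            blockers.append(f"{c.hostname}: ReportingTLSMode=0, would fail to register")
        elif not c.registered_using_tls:
            blockers.append(f"{c.hostname}: configured for TLS but last registration was unencrypted")
    return blockers


def next_rollout_step(clients):
    """Return the next safe action as a keyword.

    enable_optional  -> some clients are on mode 0: push ReportingTLSMode=2 via platform
                        settings and wait 2-6 h for clients to re-register
    wait             -> all clients are configured for TLS but some still register
                        unencrypted: investigate before enforcing anything
    require_incoming -> every client registers over TLS: the server-side require
                        flag can be set without locking anyone out
    """
    if not clients:
        raise ValueError("no client records: review the Client Status page first")
    if any(c.reporting_tls_mode == TLS_NOT_USED for c in clients):
        return "enable_optional"
    if clients_blocking_enforcement(clients):
        return "wait"
    return "require_incoming"


def safe_to_require_incoming_tls(clients):
    """True only when the server-side require flag will not orphan any client."""
    return next_rollout_step(clients) == "require_incoming"


def clients_still_optional(clients):
    """Clients on mode 2; the guide recommends moving them to 1 once TLS is reliable."""
    return [c.hostname for c in clients if c.reporting_tls_mode == TLS_OPTIONAL]


# Constructed sample fleet (not real hosts): one straggler is still on mode 0.
SAMPLE_FLEET = [
    ClientRecord("ws-001.example.test", TLS_OPTIONAL, True),
    ClientRecord("ws-002.example.test", TLS_OPTIONAL, True),
    ClientRecord("kiosk-07.example.test", TLS_NOT_USED, False),
]

if __name__ == "__main__":
    print("next step:", next_rollout_step(SAMPLE_FLEET))
    for line in clients_blocking_enforcement(SAMPLE_FLEET):
        print(" -", line)
```

Run it against the real Client Status export before each stage; the decision it makes is the one the guide's warnings ask you to make by hand, and "wait" is the state where a client has the right setting but TLS is not working for it, which is exactly the case the require flag would silently turn into a lost endpoint.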

REGENERATE THE TLS CERTIFICATE AND KEY

You can regenerate the TLS certificate and private key on the Tanium Server when necessary. For example, if the Tanium root keys

(tanium.pub and tanium.pvk) have changed, you must change all subordinate certificates and keys, including the TLS

certificate and key.

In Tanium Core Platform 7.4 or later, you can use the Tanium Console to rotate the root keys, and doing so automatically rotates all

subordinate keys, including the TLS keys. You can also configure the rotation schedule for subordinate keys. For details, see Tanium

Console User Guide: Managing Tanium keys.

In Tanium Core Platform 7.3 or 7.2, use the KeyUtility.exe tool to regenerate the certificate (reporting.crt) and private

key (reporting.pvk) as follows. In an active-active deployment, repeat these steps on each Tanium Server.


1. Access the Tanium Server CLI.

2. Navigate to the Tanium Server installation directory, where the KeyUtility.exe tool resides.

cmd-prompt>cd <Tanium Server>

3. Generate the new private key and a certificate signing request (CSR).

Syntax

cmd-prompt>keyutility reporting-tls-request [<reporting.pvk>] [<out>]

Example

cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
Generating key: 'reporting.pvk'
Successfully generated certificate signing request: 'reporting.csr'

4. Issue a new certificate based on the reporting.csr file and sign the certificate with the Tanium Server private key.

Syntax

cmd-prompt>keyutility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]

Example

cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
Successfully issued new certificate: 'c:\Tanium\reporting.crt'

5. Replace the old TLS certificate and private key with the new certificate and key in the Tanium Server installation folder

(default) or in the folder that the ReportingTLSCertPath and ReportingTLSKeyPath registry settings specify. For

details, see Table 8.

Tanium Zone Server

Tanium Core Platform 7.4 or later automatically enables TLS for Zone Server connections. In version 7.3 or 7.2, you must generate a

TLS certificate (reporting.crt) and private key (reporting.pvk) and configure settings to enable TLS:

1. Access the Zone Server CLI.

2. Navigate to the Zone Server installation directory, where the KeyUtility.exe tool resides.

cmd-prompt>cd <Zone Server>

3. Generate the private key and CSR (reporting.csr).

Example


cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
Generating key: 'reporting.pvk'
Successfully generated certificate signing request: 'reporting.csr'

4. Replace the old private key by copying the new key to the Zone Server installation folder (default) or the folder that the

ReportingTLSKeyPath setting specifies. For details, see Table 8.

5. Copy reporting.csr to the Tanium Server installation folder.

6. Access the Tanium Server CLI, issue a new certificate based on the reporting.csr file, and sign it with the Tanium Server

private key (tanium.pvk). For the new Zone Server certificate, specify an output folder that is not the folder where the

Tanium Server stores its own reporting.crt certificate; otherwise, the Zone Server certificate overwrites the Tanium

Server certificate.

Example

cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
Successfully issued new certificate: 'c:\Tanium\reporting.crt'

7. Replace the old TLS certificate by copying the new certificate to the Zone Server installation folder (default) or the folder that

the ReportingTLSCertPath setting specifies. For details, see Table 8.

8. Configure the settings described in Table 8 on the Zone Server, Zone Server Hub, and Tanium Server host computers. You can

find the settings in the Windows Registry:

Tanium Server: HKLM\Software\Wow6432Node\Tanium\Tanium Server

Zone Server or Zone Server Hub: HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer

Setting (Type): Guideline

ReportingTLSMode (REG_DWORD): Configures TLS for outgoing connections that the server initiates. On a Tanium Server,
configure this option if you want to enable TLS for the Tanium Server to Zone Server Hub segment, if applicable. On a Zone
Server Hub, configure this option if you want to enable TLS for the Zone Server Hub to Zone Server segment.

l 0 (TLS not used): TLS is disabled. This is the default value for servers installed on a Windows system.

l 1 (TLS required): If a TLS handshake fails, the connection fails.

l 2 (TLS optional): The server tries to connect over TLS. If the TLS connection fails, the server tries a non-TLS connection.

If you will use TLS, initially setting the value to 2 is a best practice. After you confirm that the servers establish TLS
connections reliably, setting the value to 1 enforces the best security.

 Table 8: Tanium Core Platform server TLS settings


Setting (Type): Guideline

ReportingTLSCertPath (REG_SZ): For inbound connections, set the path to the reporting.crt file. For example:

l Program Files\Tanium\Tanium Server\reporting.crt

l Program Files(x86)\Tanium\Tanium Zone Server\reporting.crt

This setting must be present only if the path to the certificate differs from the server installation path (the value of the
Path key).

You can rename the certificate file if you want, but the file name and this entry must match. Keeping the default name
(reporting.crt) is a best practice to facilitate communication and troubleshooting.

ReportingTLSKeyPath (REG_SZ): For inbound connections, set the path to the reporting.pvk file. For example:

l Program Files\Tanium\Tanium Server\reporting.pvk

l Program Files(x86)\Tanium\Tanium Zone Server\reporting.pvk

The Tanium Server installer adds this entry, but the Zone Server installer does not. This setting must be present.

The key file name you specify for the path must match the actual key file. Keeping the default name (reporting.pvk) is a
best practice to facilitate communication and troubleshooting.

ReportingTLSKeyPasswordFile (REG_SZ): This setting applies only to hardware security modules. For details, contact Tanium
Support at [email protected].

RequireIncomingEncryption (REG_DWORD): Setting for inbound connections from Tanium Clients 7.2 or later to Tanium Core
Platform servers 7.3 or earlier.

l 0: TLS is not required

l 1: TLS is required

When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have
TLS enabled can register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed
are configured to use TLS (ReportingTLSMode is 1 or ReportingTLSMode is 2), and you are ready to deploy Tanium Client to
new endpoints with TLS configured before initial registration.

 Table 8: Tanium Core Platform server TLS settings (continued)


The KeyUtility.exe program has online help:

cmd-prompt>keyutility reporting-tls-issue --help
Usage: KeyUtility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]
Issue a reporting TLS certificate.
Options:
  --root-key arg (=tanium.pvk)       Path to tanium root private key
  --csr arg (=reporting.csr)         Path to certificate signing request to issue a certificate for
  -o [ --out ] arg (=reporting.crt)  Output path for generated certificate.
  --expiration arg (=3650)           Certificate expiration in days

Tanium Client: Configure TLS

Whether TLS is enabled or disabled by default depends on the Tanium Client version:

l Version 7.4 or later: After a fresh installation or upgrade, TLS is enabled and required by default. Tanium strongly

recommends that you use these default settings.

l Version 7.2: TLS communication is disabled by default and enabling it is optional.

Perform the following steps to enable or disable TLS on Tanium Clients:

1. From the Main menu, go to Administration > Configuration > Client Status.

2. In the Filter by Registration section, select Registered using TLS and Registered unencrypted if they are not already

enabled.

The Using TLS column indicates which Tanium Clients have TLS enabled or disabled.

3. From the Main menu, go to Administration > Configuration > Platform Settings and configure TLS settings for the Tanium

Clients as described in Table 9.

On the Tanium Client endpoint, the setting names have the prefix Server_ (for example, Server_ReportingTLSMode). This
prefix indicates that the Tanium Client received the settings from platform settings on the Tanium Server during registration,

and future registration updates might change the settings. In some cases, you might want a Tanium Client to use settings that

differ from the Tanium Server platform settings. For example, you might release a feature such as TLS to your Tanium Clients

in stages. To override the Tanium Server platform settings, add the settings without the Server_ prefix to the Windows registry

entries or Tanium Client settings database on the client endpoints. For example, if you add the ReportingTLSMode setting to

a Tanium Client, it overrides the Server_ReportingTLSMode setting.

It takes two to six hours (the randomized client-reset interval) for clients to register and receive the updated

settings.


Setting Guideline

TLSMode This setting applies to Tanium Client 7.4 or later and specifies whether TLS is required for connections

between Tanium Clients and connections between Tanium Clients and the Tanium Server or Zone

Server.

l 0 (TLS not used): TLS is disabled.

l 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot communicate with other clients

or the servers. This is the default value.

ReportingTLSMode This setting applies to Tanium Client 7.2. Set the mode for TLS connections from the Tanium Client to

the Tanium Server or Zone Server.

l 0 (TLS not used): TLS is disabled. This is the default value.

l 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot register or communicate with

the Tanium Server or Zone Server.

l 2 (TLS optional): The Tanium Client tries to connect over TLS. If the TLS connection fails, the Tanium

Client tries a non-TLS connection.

If you will use TLS, initially setting the value to 2 is a best practice. After you confirm that Tanium Clients

establish TLS connections reliably, setting the value to 1 will enforce the best security.

OptionalTLSMinAttemptCount This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It
specifies the number of times to attempt TLS before falling back to non-TLS. The range is 1 to 100 and the default is 3.

OptionalTLSBackoffIntervalSeconds This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It
specifies the number of seconds to wait before retrying TLS after failing OptionalTLSMinAttemptCount times. This interval
doubles after each series of failed attempts. The range is 1 to 86400 and the default is 1.

OptionalTLSMaxBackoffSeconds This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It
specifies the maximum backoff interval. The range is 1 to 86400 and the default is 3600.

 Table 9: Tanium Client TLS settings configured in platform settings
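The three Optional* settings together define how long a 7.2 client in ReportingTLSMode 2 keeps talking in the clear when TLS is failing, and how quickly the retry interval grows. The following simulation is an added example written for this guide, not Tanium client code: it replays the behaviour Table 9 describes (try TLS OptionalTLSMinAttemptCount times, fall back to non-TLS, wait OptionalTLSBackoffIntervalSeconds, double the wait after each failed series, cap at OptionalTLSMaxBackoffSeconds) over a constructed list of handshake outcomes. The guide does not say whether attempts within one series are spaced out; the model treats them as immediate, which is an assumption.

```python
"""Model of Tanium Client 7.2 optional-TLS fallback and backoff (added example, not Tanium code).

Replays ReportingTLSMode=2 behaviour from Table 9 over constructed handshake outcomes so
you can see how many plaintext registrations a given setting triple tolerates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OptionalTlsSettings:
    min_attempt_count: int = 3          # OptionalTLSMinAttemptCount, range 1-100
    backoff_interval_seconds: int = 1   # OptionalTLSBackoffIntervalSeconds, range 1-86400
    max_backoff_seconds: int = 3600     # OptionalTLSMaxBackoffSeconds, range 1-86400

    def validate(self):
        """Reject values outside the ranges Table 9 documents."""
        if not 1 <= self.min_attempt_count <= 100:
            raise ValueError("OptionalTLSMinAttemptCount must be 1..100")
        if not 1 <= self.backoff_interval_seconds <= 86400:
            raise ValueError("OptionalTLSBackoffIntervalSeconds must be 1..86400")
        if not 1 <= self.max_backoff_seconds <= 86400:
            raise ValueError("OptionalTLSMaxBackoffSeconds must be 1..86400")
        return self


def backoff_schedule(settings, series):
    """Seconds waited after each of the first `series` failed TLS series (doubling, capped)."""
    settings.validate()
    wait = min(settings.backoff_interval_seconds, settings.max_backoff_seconds)
    waits = []
    for _ in range(series):
        waits.append(wait)
        wait = min(wait * 2, settings.max_backoff_seconds)
    return waits


@dataclass(frozen=True)
class Outcome:
    tls_established: bool
    plaintext_fallbacks: int   # each one is an unencrypted registration on the wire
    seconds_waiting: int       # total backoff time spent before TLS came up (or we gave up)
    attempts: int              # TLS handshakes tried


def simulate(settings, handshake_results, max_series=50):
    """Run the optional-TLS state machine.

    handshake_results[i] is True if the i-th TLS handshake would succeed (constructed input);
    attempts past the end of the list are treated as failures. The simulation stops after
    `max_series` failed series so a permanently broken TLS path still terminates.
    """
    settings.validate()
    attempt = fallbacks = waited = 0
    wait = min(settings.backoff_interval_seconds, settings.max_backoff_seconds)
    for _ in range(max_series):
        for _ in range(settings.min_attempt_count):
            ok = attempt < len(handshake_results) and handshake_results[attempt]
            attempt += 1
            if ok:
                return Outcome(True, fallbacks, waited, attempt)
        fallbacks += 1          # series exhausted: the client registers over non-TLS
        waited += wait
        wait = min(wait * 2, settings.max_backoff_seconds)
    return Outcome(False, fallbacks, waited, attempt)


if __name__ == "__main__":
    defaults = OptionalTlsSettings()
    print("default backoff schedule:", backoff_schedule(defaults, 6))
    # Constructed scenario: TLS is broken for the first seven handshakes, then fixed.
    print(simulate(defaults, [False] * 7 + [True]))
```

With the defaults a client that cannot complete TLS falls back to plaintext every 3 attempts and the wait between series reaches the 3600-second ceiling after about twelve series; that is the window during which mode 2 buys you compatibility at the price of unencrypted registrations, and why the guide wants mode 1 once the Using TLS column is reliably populated.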


Verify the TLS connections

1. Verify whether Tanium Clients used TLS to connect with the Tanium Server or Zone Server when the clients last

registered: from the Main menu, go to Administration > Configuration > Client Status and check the Using TLS column.

2. (Tanium Core Platform 7.3 or earlier) Access the Tanium Server Info page to confirm that TLS is enabled for the server

segments. To access the page, go to https://<Tanium Server FQDN>/info and sign in with a user account that has

the Administrator reserved role, such as the tanium user created during installation.

Update the TLS configuration when you make changes to the key pair

The process for updating the TLS configuration when you make changes to the Tanium root keys depends on the Tanium Core

Platform version:


l Version 7.4 or later: When you add or revoke Tanium root keys, the Tanium Server automatically propagates the changes to

all subordinate keys on the platform servers and Tanium Clients (see Tanium Console User Guide: Managing Tanium keys).

l Version 7.3 or earlier: You use the Tanium Server private key (tanium.pvk) to sign the TLS reporting certificate

(reporting.crt). Therefore, if you update the Tanium Server public-private key pair, you must regenerate the

reporting.crt and reporting.pvk files used in the TLS implementation.


Tanium Core Platform settings

You configure the host system settings of most Tanium Core Platform servers during installation. When troubleshooting an issue,

Tanium Support might ask you to review or confirm these settings, but rarely asks you to change them. If Support does ask you to

change settings, you can change many of them through the Tanium Console in Tanium Core Platform 7.4 or later (see Tanium

Console User Guide: Managing platform settings). The following sections describe how to configure the settings through means

other than the console.

You can contact Tanium Support at [email protected].

Tanium Appliance

The following table lists the configuration database locations for settings that you configure when installing Tanium Core Platform

servers. You can use TanOS menus to add, delete, or modify settings with guidance from Tanium Support ([email protected]).

Component DB location

Tanium Server /opt/Tanium/TaniumServer/server.db

Module Server /opt/Tanium/TaniumModuleServer/server.db

Zone Server /opt/Tanium/TaniumZoneServer/zoneserver.db

TDownloader /opt/Tanium/TaniumServer/tdownloader.db

/opt/Tanium/TaniumModuleServer/tdownloader.db

 Table 10: Configuration database locations for Tanium Core Platform server settings

Edit server settings

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter 2 to go to the Tanium Operations menu.

3. Enter 2 to go to the Configuration Settings menu.

4. Use the menu to view and edit settings for Tanium Core Platform servers.


Tanium Server

Settings Guidelines

AddressMask Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain.

Do not change this setting unless Tanium Support instructs you to do so.

AllowedHubs The Zone Server Hub that is allowed to connect to this Tanium Server. The Zone Server Hub is collocated on the

Tanium Server appliance and this setting has the value 127.0.0.1.

AuthPluginTimeoutSeconds The default is 60.

AuthenticationPlugin String that specifies the Pluggable Authentication Module (PAM).

ConsoleSettingsJSON Path to the Tanium Console settings file.

LogPath The location for Tanium Server logs. The default is /opt/Tanium/TaniumServer/Logs.

LogVerbosityLevel Specify one of the following decimal values for the log verbosity level:

l 0: Logging disabled.

l 1: Normal log level.

l 41: Recommended during troubleshooting.

l >= 91: Most detailed log level. Enable for short periods of time only.

ModuleServer Module Server IP address.

ModuleServerPort Module Server port. The default is 17477.

PKIDatabasePassword You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the

Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a

password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in

the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys.

ReportingTLSCertPath Setting for inbound connections. Path to the TLS certificate that was created upon installation. This certificate is

used in TLS connections initiated by the Tanium Client, the Tanium Zone Server Hub, or the Tanium Zone

Server.

ReportingTLSKeyPath Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be

present to enable TLS.

 Table 11: Tanium Server settings


Settings Guidelines

ReportingTLSMode Configures TLS for outgoing connections that the Tanium Server initiates. The possible values are:

l 0 (TLS not used)

l 1 (TLS required)

l 2 (TLS optional)

Tanium Server appliances use an IPSec tunnel instead of TLS to secure Tanium database and

appliance LDAP synchronization traffic. The servers use TLS to secure all other communication

between them.

RequireIncomingEncryption Setting for inbound connections. Implicitly set to 0 by default. To set a different value, you must add the setting.

l 0 (TLS not required)

l 1 (TLS required)

Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only

Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are

sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or

ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to

initial registration.

ServerPort Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the

ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change

Tanium Port menu.

ServerSOAPPort Tanium Console and SOAP API port. The default is 8443. Port 443 redirects to 8443.

SQLConnectionString Database server connection information. The following are examples:

l MSSQL: SQL1\SQLEXPRESS@tanium

l PostgreSQL: postgres:localhost@dbname=postgres port=5432

l TanOS: postgres:<TanOS_IP_Address>@user=postgres dbname=tanium

For PostgreSQL, see the PostgreSQL documentation for the supported keywords, such as dbname, port, and

user.

If you change this setting, you must restart the Tanium Server.

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

 Table 11: Tanium Server settings (continued)


Settings Guidelines

SSLHonorCipherOrder The default is 1.

TrustedCertPath Path to the certificate file used for secure connections to the Tanium Console port.

Version Tanium Server version number.

 Table 11: Tanium Server settings (continued)

Tanium Server TDownloader

Settings Guidelines

BypassCRLCheckHostList Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL).

The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a

server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square

brackets (for example, [2001:db8::1]).

BypassProxyHostList Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module

Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Enhancements have been made in recent releases to automatically bypass the proxy server for

these host addresses:

7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.

7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.

7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

LogVerbosityLevel Specify one of the following decimal values for the log verbosity level:

l 0: Logging disabled.

l 1: Normal log level.

l 41: Recommended during troubleshooting.

l >= 91: Most detailed log level. Enable for short periods of time only.

ProxyServer IP address of the proxy server.

By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server

has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and

configure the TDownloader setting ForceIPV6 to 1.

 Table 12: Tanium Server TDownloader (TDL) settings


Settings Guidelines

ProxyPort Proxy server listening port.

ProxyType The options are Basic, NTLM, or None.

ProxyUserid For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.

ProxyPassword For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the

connection with the proxy server.

TrustedCertPath Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.

TrustedHostList By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to

them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP

address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within

square brackets (for example, [2001:db8::1]).

In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically

trust each other, as well as traffic from 127.0.0.1 or localhost.

Contact Tanium Support before modifying this setting.

ForceIPV6 Add this setting manually if you need it, but only with guidance from Tanium Support ([email protected]). In

deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server,

TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add

the ForceIPV6 setting with a value of 1.

 Table 12: Tanium Server TDownloader (TDL) settings (continued)
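Three of the TDownloader settings above (BypassProxyHostList, BypassCRLCheckHostList, TrustedHostList) share one format: a comma-separated list of FQDNs or IP addresses, with IPv6 literals in square brackets, and each of them widens trust (no proxy, no CRL check, no certificate validation) for whatever it names, so a typo that silently drops an entry or a bare IPv6 address that is never matched is worth catching before the service is restarted. The following validator is an added example written for this guide, not Tanium code. It applies the rules Table 12 states, including the requirement that BypassProxyHostList name every Tanium Server, the Module Server, 127.0.0.1 and localhost. The guide says 7.0.314.6242 and later support wildcards but not the syntax, so glob-style `*` matching is an assumption here; the host names and addresses are constructed sample values.

```python
"""Validator for TDownloader host-list settings (added example, not Tanium code).

Checks BypassProxyHostList / BypassCRLCheckHostList / TrustedHostList values against the
rules in Table 12: comma-separated FQDNs or IP addresses, IPv6 in square brackets, and
(for BypassProxyHostList) all Tanium Servers, the Module Server, 127.0.0.1 and localhost.
Wildcard handling is glob-style '*', an assumption since the guide does not give the syntax.
"""
import fnmatch
import ipaddress
import re

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def parse_host_list(value):
    """Split a comma-separated setting value into trimmed, non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def classify(entry):
    """Return 'ipv4', 'ipv6', 'fqdn' or 'wildcard'; raise ValueError when malformed.

    A bare IPv6 literal is rejected: the settings require the bracketed form [2001:db8::1].
    """
    if entry.startswith("[") and entry.endswith("]"):
        ipaddress.IPv6Address(entry[1:-1])      # raises ValueError on garbage in brackets
        return "ipv6"
    try:
        ipaddress.IPv4Address(entry)
        return "ipv4"
    except ipaddress.AddressValueError:
        pass
    try:
        ipaddress.IPv6Address(entry)
    except ipaddress.AddressValueError:
        pass
    else:
        raise ValueError(f"{entry}: IPv6 address must be enclosed in square brackets")
    if "*" in entry:
        if _FQDN_RE.match(entry.replace("*", "x")):
            return "wildcard"
        raise ValueError(f"{entry}: malformed wildcard pattern")
    if _FQDN_RE.match(entry):
        return "fqdn"
    raise ValueError(f"{entry}: not an FQDN, IPv4 address, or bracketed IPv6 address")


def lint_host_list(value):
    """Return ({entry: kind}, [error strings]) for any of the three list settings."""
    typed, errors = {}, []
    for entry in parse_host_list(value):
        try:
            typed[entry] = classify(entry)
        except ValueError as exc:
            errors.append(str(exc))
    return typed, errors


def host_matches(entry, host):
    """Does a list entry cover `host`? Case-insensitive; glob match only for wildcard entries."""
    if "*" in entry:
        return fnmatch.fnmatchcase(host.lower(), entry.lower())
    return entry.lower() == host.lower()


def missing_bypass_proxy_hosts(value, tanium_servers, module_server):
    """Hosts that Table 12 says BypassProxyHostList must contain but `value` does not cover."""
    entries = parse_host_list(value)
    required = list(tanium_servers) + [module_server, "127.0.0.1", "localhost"]
    return [h for h in required if not any(host_matches(e, h) for e in entries)]


# Constructed sample value (not real infrastructure): one bare IPv6 address, Module
# Server and localhost missing.
SAMPLE_BYPASS = "ts1.corp.example, ts2.corp.example, 127.0.0.1, [2001:db8::10], 2001:db8::11"

if __name__ == "__main__":
    typed, errors = lint_host_list(SAMPLE_BYPASS)
    print(typed)
    print(errors)
    print(missing_bypass_proxy_hosts(SAMPLE_BYPASS, ["ts1.corp.example", "ts2.corp.example"],
                                     "ms1.corp.example"))
```

Run lint_host_list over each of the three settings and missing_bypass_proxy_hosts over BypassProxyHostList on both the Tanium Server and the Module Server (Table 14 carries the same BypassProxyHostList requirement). An unbracketed IPv6 entry is reported as an error rather than guessed at, because an entry that never matches means the request goes through the proxy, or gets a CRL check, that you believed you had bypassed, and you will only learn that from a failing download.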

Tanium Module Server

Settings Guidelines

LogVerbosityLevel Specify one of the following decimal values for the log verbosity level:

l 0: Logging disabled.

l 1: Normal log level.

l 41: Recommended during troubleshooting.

l >= 91: Most detailed log level. Enable for short periods of time only.

ServerPort Module Server port. The default is 17477.

Version Tanium Module Server version number.

 Table 13: Module Server settings


Module Server TDownloader

Settings Guidelines

BypassCRLCheckHostList Use this setting to list servers that the Module Server can trust without checking a certificate revocation list (CRL).

The Module Server performs a CRL check on all servers that are not in this list, and does not download files from a

server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square

brackets (for example, [2001:db8::1]).

BypassProxyHostList Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module

Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Enhancements have been made in recent releases to automatically bypass the proxy server for

these host addresses:

7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.

7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.

7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

LogVerbosityLevel Specify one of the following decimal values for the log verbosity level:

l 0: Logging disabled.

l 1: Normal log level.

l 41: Recommended during troubleshooting.

l >= 91: Most detailed log level. Enable for short periods of time only.

ProxyServer IP address of the proxy server.

By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server

has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and

configure the TDownloader setting ForceIPV6 to 1.

ProxyPort Proxy server listening port.

ProxyType The options are Basic, NTLM, or None.

ProxyUserid For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.

ProxyPassword For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the

connection with the proxy server.

TrustedCertPath Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.

 Table 14: Module Server TDownloader settings

Page 128: Tanium™ CorePlatformDeployment ReferenceGuide

© 2021 Tanium Inc. All Rights Reserved Page 128

Settings Guidelines

TrustedHostList By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to

them (such as for downloading module software updates). To bypass certificate validation for specific servers,

enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter

IPv6 addresses within square brackets (for example, [2001:db8::1]).

Contact Tanium Support before modifying this setting.

ForceIPV6 Add this setting manually if you need it, but only with guidance from your Tanium Support ([email protected]).

In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server,

TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add

the ForceIPV6 setting with a value of 1.

 Table 14: Module Server TDownloader settings (continued)
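The three host-list settings above (BypassCRLCheckHostList, BypassProxyHostList and TrustedHostList) share one syntax: comma-separated FQDNs or IP addresses, IPv6 literals in square brackets, wildcards only on Tanium Core Platform 7.0.314.6242 and later, and, for BypassProxyHostList, a set of entries that must be present (every Tanium Server, the Module Server, 127.0.0.1 and localhost). The validator below is an added example, not Tanium's own tooling; it encodes those rules so a list can be checked before it is committed on the appliance or in the registry. The function names, the dotted version-string format and the sample lists are assumptions made for the example.

```python
"""Validate Tanium host-list settings before committing them.

Added example, not Tanium's own code. The rules come from the settings
tables: comma-separated FQDNs or IP addresses, IPv6 addresses in square
brackets, wildcards only from Tanium Core Platform 7.0.314.6242, and
required entries for BypassProxyHostList.
"""
import ipaddress
import re

# First release that accepts wildcards in these lists (from the settings table).
WILDCARD_MIN_VERSION = (7, 0, 314, 6242)

# Hostname labels: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def parse_version(text):
    """'7.3.314.2866' -> (7, 3, 314, 2866) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def classify_entry(entry, platform_version):
    """Return (kind, problem) for one list entry.

    kind is 'ipv4', 'ipv6', 'fqdn' or 'wildcard'; problem is None when the
    entry is acceptable, otherwise a description of what is wrong.
    """
    if entry.startswith("[") and entry.endswith("]"):
        try:
            ipaddress.IPv6Address(entry[1:-1])
        except ValueError:
            return "ipv6", f"{entry!r} is bracketed but is not a valid IPv6 address"
        return "ipv6", None
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 6:
            # The tables require IPv6 literals in square brackets.
            return "ipv6", f"IPv6 address {entry!r} must be written in square brackets, e.g. [{entry}]"
        return "ipv4", None
    if "*" in entry:
        if parse_version(platform_version) < WILDCARD_MIN_VERSION:
            return "wildcard", (f"{entry!r} uses a wildcard, which requires Tanium Core Platform "
                                f"7.0.314.6242 or later (running {platform_version})")
        return "wildcard", None
    if HOSTNAME_RE.match(entry):
        return "fqdn", None
    return "fqdn", f"{entry!r} is not an FQDN, IPv4 address or bracketed IPv6 address"


def required_bypass_entries(tanium_servers, module_server):
    """Entries BypassProxyHostList must contain: every Tanium Server, the
    Module Server, 127.0.0.1 and localhost (assumed: hosts as FQDNs or IPs)."""
    return list(tanium_servers) + [module_server, "127.0.0.1", "localhost"]


def validate_host_list(value, platform_version="7.3.314.2866", required=()):
    """Split a comma-separated host list and return a list of problems.

    An empty list means the value is acceptable. Required entries are
    compared case-insensitively after whitespace is stripped.
    """
    problems = []
    entries = [e.strip() for e in value.split(",")]
    if any(e == "" for e in entries):
        problems.append("empty entry (stray comma) in list")
    entries = [e for e in entries if e]
    for entry in entries:
        _, problem = classify_entry(entry, platform_version)
        if problem:
            problems.append(problem)
    present = {e.lower() for e in entries}
    for need in required:
        if need.lower() not in present:
            problems.append(f"required entry {need!r} is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample list in the shape the tables show.
    sample = "ts1.example.com, ts2.example.com,localhost,127.0.0.1,[::1],10.10.10.11,10.10.10.15"
    needed = required_bypass_entries(["ts1.example.com", "ts2.example.com"], "ms.example.com")
    for problem in validate_host_list(sample, required=needed) or ["OK"]:
        print(problem)
```

Run against the sample from Table 17 with the Module Server added to the required set, the only finding is the missing Module Server entry; an unbracketed IPv6 literal or a wildcard on a release before 7.0.314.6242 is reported as a problem.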

Tanium Zone Server

Settings | Guidelines
AllowedHubs | Enter a comma-separated list of IP addresses of Zone Server Hubs that are authorized to communicate with this Zone Server.
EnforceAllowedHubs | Set the value to 1.
HubPriorityList | This setting applies only to Tanium Core Platform 7.4 or later. The setting specifies the FQDN or IP address of the preferred Zone Server Hub for sending Tanium Client content (such as sensor definitions, configuration information, and action package files) to the Zone Server. As long as that hub is available, the Zone Server does not receive content from any other hub. If the preferred hub goes down, the Zone Server fails over to receiving content from any other available hub.
LogVerbosityLevel | Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ReportingTLSCertPath | Setting for inbound connections. Path to the TLS certificate. This certificate is used in TLS connections that the Tanium Client initiates.
ReportingTLSKeyPath | Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ReportingTLSMode | Configures TLS for outgoing connections that the server initiates. On a Zone Server Hub, you configure this option to enable TLS for the Zone Server Hub to Zone Server segment. Automatically set to 2 when you complete the Zone Server TLS setup.
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)
RequireIncomingEncryption | Setting for inbound connections. Automatically set to 0 when you complete the Zone Server TLS setup.
  • 0 (TLS not required)
  • 1 (TLS required)
  Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration.
ServerName | This setting is deprecated. Do not specify a value.
ServerPort | Tanium Server port. The default is 17472.
Version | Tanium Zone Server version number.
ZoneHubFlag | 0 if not the hub; 1 if the hub.

Table 15: Zone Server settings

Windows

The following table lists the Windows Registry locations for settings that you configure when installing Tanium Core Platform servers. To view or edit the settings, use the Command-line interface on page 161.

Component | Windows Registry location
Tanium Server | HKLM\Software\Wow6432Node\Tanium\Tanium Server
Module Server | HKLM\Software\Wow6432Node\Tanium\Tanium Module Server
Zone Server | HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
Zone Server Hub | HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
TDownloader | HKLM\Software\Wow6432Node\Tanium\Downloader

Table 16: Windows registry locations


Tanium Server

Name | Windows Registry Type | Data
AddressMask | REG_DWORD | Hexadecimal value of a subnet CIDR that delineates the IPv4 clients that belong to a linear chain. Do not change this registry value unless Tanium Support instructs you to do so.
AddressPrefixIPv6 | REG_DWORD | IPv6 prefix represented as a decimal number between 0 and 128 inclusive that delineates the clients belonging to a linear chain. The default 0 specifies no peering. Contact Tanium Support at [email protected] to determine the optimum value for peering in IPv6 networks. Applies to Tanium Core Platform 7.3 and later.
AllowedHubs | REG_SZ | Enter a comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Note that you can configure the AllowLocalHubs key as an exception to the AllowedHubs list.
AllowLocalHubs | REG_DWORD | By default, this key is not present in the registry but has a value of 1, which enables any local Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting. Add this registry key manually if you need it, but only with guidance from Tanium Support. Setting the value to 0 allows local Zone Server Hubs to communicate with the Tanium Server only if they are listed in AllowedHubs.
BypassCRLCheckHostList | REG_SZ | Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList | REG_SZ | Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.
  A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail.
  Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]). In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example:
  ts1.example.com,ts2.example.com,localhost,127.0.0.1,[::1],10.10.10.11,10.10.10.15
  Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
ConsoleSettingsJSON | REG_SZ | Path to the console settings file.
DBUserDomain | REG_SZ | The domain for the service account that connects to the database server. Specified when you completed the installation wizard.
DBUserName | REG_SZ | User name for the service account that connects to the database server. Specified when you completed the installation wizard.
EnforceAllowedHubs | REG_DWORD | The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting.
LogPath | REG_SZ | Path to Tanium Server logs.
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the logging level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
ModuleServer | REG_SZ | FQDN of the Module Server.
ModuleServerPort | REG_DWORD | Module Server port. The default is 17477.
Path | REG_SZ | Installation path.
PGDLLPath | REG_SZ | Path to the PostgreSQL Server libraries.
PGRoot | REG_SZ | Path to the Postgres installation directory.
PKIDatabasePassword | REG_SZ | You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys.
ProxyPassword | REG_SZ | For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
ProxyPort | REG_SZ | Proxy server listening port.
ProxyType | REG_SZ | Basic or NTLM.
ProxyServer | REG_SZ | IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1.
ProxyUserid | REG_SZ | For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
PythonPath | REG_SZ | Deprecated setting that is no longer used.
ServerName | REG_SZ | The network adapter binding that the Tanium Server uses to listen for IPv4 client registrations. The default value 0.0.0.0 indicates binding to all network adapters. Do not change this registry value unless Tanium Support instructs you to do so.
ServerNameIPv6 | REG_SZ | Add this registry key manually if you need it, but only with guidance from Tanium Support. By default, the key is hidden and has a value of [::], which indicates that the Tanium Server binds to all network adapters to listen for IPv6 client registrations. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).
ServerPort | REG_DWORD | Tanium Server port. The server listens for Tanium Clients on this port. Specified when you completed the installation wizard. The default is 17472.
ServerSOAPPort | REG_DWORD | Tanium Console and SOAP API port. Specified when you complete the installation wizard. The default is 443.
SQLConnectionString | REG_SZ | Database server connection information. The following are examples:
  • MSSQL: SQL1\SQLEXPRESS@tanium
  • PostgreSQL: postgres:localhost@dbname=postgres port=5432
  • TanOS: postgres:<TanOS_IP_Address>@user=postgres dbname=tanium
  For PostgreSQL, see the PostgreSQL documentation for the supported keywords, such as dbname, port, and user.
  If you change this setting, you must restart the Tanium Server: see Tanium Console User Guide: Manage the Tanium Server service.
TrustedCertPath | REG_SZ | Path to the certificate file used for secure connections to the Tanium Console port. The certificate is selected when you completed the installation wizard.
TrustedHostList | REG_SZ | By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
  In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost.
  Contact Tanium Support before modifying this setting.
Version | REG_SZ | Tanium Server version number.

Table 17: Tanium Server settings
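Several rows of the Tanium Server table describe settings with direct security consequences: ProxyPassword is stored in clear text, EnforceAllowedHubs and AllowLocalHubs decide which Zone Server Hubs may talk to the server, PKIDatabasePassword protects pki.db, and TrustedHostList and BypassCRLCheckHostList switch off certificate or CRL checks for the hosts they list. The script below is an added example, not Tanium's own tooling: it parses the text of a .reg export of the HKLM\Software\Wow6432Node\Tanium\Tanium Server key and reports those conditions. The sample export, the severity labels and the function names are constructed for the example; if the export comes from reg.exe, open the file with encoding="utf-16" before passing its text in.

```python
"""Audit an exported Tanium Server registry key for sensitive settings.

Added example, not Tanium's own code. parse_reg_export() reads the text of
a .reg export and audit_tanium_server() reports the conditions that the
Tanium Server settings table calls out. SAMPLE_REG is a constructed export
whose values are chosen to trigger the checks.
"""
import re

# Constructed sample in the shape `reg export` produces (values are invented;
# dword 0x4440 is 17472, the default ServerPort; 0x5b is log level 91).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server]
"Path"="C:\\Program Files\\Tanium\\Tanium Server"
"ServerPort"=dword:00004440
"ServerName"="0.0.0.0"
"ProxyType"="Basic"
"ProxyServer"="10.0.0.5"
"ProxyPort"="3128"
"ProxyUserid"="svc-proxy"
"ProxyPassword"="example-only"
"EnforceAllowedHubs"=dword:00000000
"AllowedHubs"="zsh1.example.com,[2001:db8::1]"
"TrustedHostList"="repo.example.com"
"BypassCRLCheckHostList"=""
"LogVerbosityLevel"=dword:0000005b
'''

# One value line of a .reg file: "Name"=data (the name may contain escaped quotes).
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(text):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text, key_suffix=r"Tanium\Tanium Server"):
    """Return {name: (type, value)} for the first key whose path ends with key_suffix.

    REG_DWORD values are converted from hex to int, REG_SZ values are
    unescaped, and any other type is kept as its raw text.
    """
    values = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key header: collect values only while inside the wanted key.
            in_key = line[1:-1].endswith(key_suffix)
            continue
        if not in_key:
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue  # blank line, default value (@=) or hex continuation line
        name = _unescape(match.group("name"))
        data = match.group("data")
        if data.startswith("dword:"):
            values[name] = ("REG_DWORD", int(data[len("dword:"):], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[name] = ("REG_SZ", _unescape(data[1:-1]))
        else:
            values[name] = ("OTHER", data)
    return values


def audit_tanium_server(values):
    """Return (severity, setting, message) findings for a parsed Tanium Server key."""
    def get(name):
        return values.get(name, (None, None))[1]

    findings = []
    if get("ProxyType") == "Basic" and get("ProxyPassword"):
        findings.append(("HIGH", "ProxyPassword",
                         "basic-proxy password is stored in clear text in the registry"))
    if get("EnforceAllowedHubs") != 1:
        findings.append(("HIGH", "EnforceAllowedHubs",
                         "not 1: any Zone Server Hub may communicate with this server regardless of AllowedHubs"))
    if "AllowLocalHubs" not in values or get("AllowLocalHubs") == 1:
        findings.append(("INFO", "AllowLocalHubs",
                         "absent or 1: local Zone Server Hubs bypass the AllowedHubs list"))
    if "PKIDatabasePassword" not in values:
        findings.append(("HIGH", "PKIDatabasePassword",
                         "not set: pki.db (root, message-signing and TLS keys) is not password-protected"))
    if get("TrustedHostList"):
        findings.append(("MEDIUM", "TrustedHostList",
                         f"certificate validation is bypassed for: {get('TrustedHostList')}"))
    if get("BypassCRLCheckHostList"):
        findings.append(("MEDIUM", "BypassCRLCheckHostList",
                         f"CRL checks are skipped for: {get('BypassCRLCheckHostList')}"))
    level = get("LogVerbosityLevel")
    if isinstance(level, int) and level >= 91:
        findings.append(("LOW", "LogVerbosityLevel",
                         f"{level}: most detailed log level, intended for short troubleshooting windows only"))
    return findings


if __name__ == "__main__":
    for severity, setting, message in audit_tanium_server(parse_reg_export(SAMPLE_REG)):
        print(f"[{severity}] {setting}: {message}")
```

On the constructed sample the audit reports six findings (the empty BypassCRLCheckHostList produces none); a key with ProxyType NTLM, EnforceAllowedHubs 1, AllowLocalHubs 0, a PKIDatabasePassword present, empty host lists and a normal log level produces no findings.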

Tanium Module Server

Name | Type | Data
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
Path | REG_SZ | Installation path.
PythonPath | REG_SZ | Deprecated setting that is no longer used.
ServerName | REG_SZ | The network adapter binding that the Tanium Module Server uses to listen for IPv4 connections. The default value 0.0.0.0 indicates binding to all network adapters.
ServerNameIPv6 | REG_SZ | Tanium Core Platform 7.3 and later. You must add this registry key manually if you need it, but only with guidance from Tanium Support. By default, the key is hidden and has a value of [::], which indicates that the Tanium Module Server binds to all network adapters to listen for IPv6 connections. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).
ServerPort | REG_DWORD | Tanium Module Server port. The default is 17477.
Version | REG_SZ | Tanium Module Server version number.

Table 18: Module Server settings

The Module Server host computer has a registry entry for the Tanium Server: 

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

The settings in this registry entry are for the proxy server configuration.

Name | Type | Data
BypassCRLCheckHostList | REG_SZ | Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList | REG_SZ | Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.
  A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail.
  Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]). In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example:
  ts1.example.com,ts2.example.com,localhost,127.0.0.1,[::1],10.10.10.11,10.10.10.15
  Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
ProxyPassword | REG_SZ | For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
ProxyPort | REG_SZ | Proxy server listening port.
ProxyType | REG_SZ | Basic or NTLM.
ProxyServer | REG_SZ | IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1.
ProxyUserid | REG_SZ | For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
TrustedHostList | REG_SZ | By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading module software updates). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
  Contact Tanium Support before modifying this setting.

Table 19: Proxy server settings on the Module Server

TDownloader

The Tanium Downloader (TDownloader) entry is used for log verbosity level and IPv6 support.

Name | Type | Data
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
ForceIPV6 | REG_DWORD | Tanium Core Platform 7.3 and later. Add this registry key manually if you need it, but only with guidance from Tanium Support. In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 key and set its value to 1.

Table 20: TDownloader settings

Zone Server

Name | Type | Data
AllowedHubs | REG_SZ | Enter a comma-separated list of Zone Server Hubs that are authorized to communicate with this Zone Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
EnableFileCache | REG_SZ | This setting applies only to Tanium Core Platform 7.4 or later. If you installed the Zone Server Hub on a dedicated host instead of on the Tanium Server, set the value to 1 to enable the hub to cache package files for actions and files requested through the Tanium Client API. The hub provides these resources to the Zone Server without having to re-request them from the Tanium Server. To limit the cache size, set hub_hot_cache_limit_in_MB.
  In Tanium Core Platform 7.4 or later, the hub cache is disabled by default (value is 0) because the hub is typically installed on the Tanium Server, which has its own cache.
EnforceAllowedHubs | REG_DWORD | The default value 1 specifies that the Zone Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Zone Server. The value 0 enables any Zone Server Hub to communicate with the Zone Server regardless of the AllowedHubs setting.
hub_hot_cache_limit_in_MB | | This setting applies only if the Zone Server Hub is installed on a dedicated host instead of on the Tanium Server. The hub uses its cache to forward Tanium Client content to the Zone Server without having to re-request the content from the Tanium Server. The content includes package files for actions and files requested through the Tanium Client API. Use the hub_hot_cache_limit_in_MB setting to limit the cache size. As a best practice, set the limit to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the hub is installed.
  In Tanium Core Platform 7.4 or later, the hub cache is disabled by default and therefore uses no disk space. If you enable the cache by setting the EnableFileCache value to 1, the default hub_hot_cache_limit_in_MB value is 0 (20% disk space). Do not enable the hub cache if the hub is installed on the Tanium Server, which uses its own cache.
HubPriorityList | REG_SZ | This setting applies only to Tanium Core Platform 7.4 or later. The setting specifies the FQDN or IP address of the preferred Zone Server Hub for sending Tanium Client content (such as sensor definitions, configuration information, and action package files) to the Zone Server. As long as that hub is available, the Zone Server does not receive content from any other hub. If the preferred hub goes down, the Zone Server fails over to receiving content from any other available hub. Typically you use this setting for active-active deployments that have pairs of Zone Servers and hubs, where each hub connects to each Zone Server. In active-active deployments, adding the HubPriorityList is a best practice to ensure that each Zone Server receives content from its closest hub. Configuring this setting also optimizes hub usage by ensuring that each hub serves one Zone Server instead of one hub servicing both servers.
LogPath | REG_SZ | Path to Tanium Zone Server logs.
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
Path | REG_SZ | Installation path.
ServerName | REG_SZ | This setting is deprecated. Do not specify a value.
ServerPort | REG_DWORD | Tanium Server port. Specified when you completed the installation wizard. The default is 17472.
ServiceUserDomain | REG_SZ | The Zone Server Windows service runs in the context of a service account. This entry contains the domain specified during installation.
ServiceUserName | REG_SZ | The Zone Server Windows service runs in the context of a service account. This entry contains the user name specified during installation.
Version | REG_SZ | Tanium Zone Server version number.
ZoneHubFlag | REG_DWORD | The value indicates whether this Zone Server instance is (1) or is not (0) a Zone Server Hub.
zs_hot_cache_limit_in_MB | | The Zone Server caches content that it provides to Tanium Clients without having to re-request the content from the Tanium Server. The content includes package files for actions and files requested through the Tanium Client API. Use the zs_hot_cache_limit_in_MB setting to limit the cache size. Set the limit to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the Zone Server is installed.

Table 21: Zone Server settings


Proxy server settings

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server connects to the Internet to download content updates from Tanium and to download necessary files from other trusted suppliers. The Tanium Module Server connects to the Internet to download module software updates from Tanium. Individual Tanium modules might also have requirements to access the Internet.

The Tanium Server and Module Server use the Tanium Downloader (TDownloader) utility to securely download files. To configure access through proxies, configure TDownloader settings on both servers.

To configure Tanium Client 7.4 or later to connect through a Hypertext Transfer Protocol Secure (HTTPS) proxy server to the Tanium Server or Tanium Zone Server, see Tanium Client Management User Guide: Connect through an HTTPS proxy server.

For a list of sites that Tanium Core Platform servers access, see Internet URLs required on page 89.

A destination server might have its own requirements, such as certificate authentication or user authentication. For information about configuring advanced options for these requirements, see Tanium Support KB: TDownloader.

Figure 6: Tanium deployment with proxy server

Types of proxy servers

The Tanium Core Platform supports two types of proxies:

• Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or fully qualified domain names of the Tanium Server and Module Server to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.

• NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.

TDownloader user context

For Tanium™ Appliance deployments, TDownloader runs in the context of the tanium service account user.

For Tanium deployments on customer-provided Windows infrastructure, TDownloader runs in the context of the Tanium Server service account user that was specified during installation.

Configure proxy settings with the Tanium Console

In most cases, use the Tanium Console to configure proxy settings, unless you must configure the settings before you can access the console. See the Tanium Console User Guide: Configuring proxy server settings.

Tanium Appliance: Configure proxy settings

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

The proxy server configuration is stored in configuration files on the Tanium Server. Active-active Tanium Servers do not automatically synchronize the configuration files. If you change these settings in active-active deployments, be sure to perform the procedure on both Tanium Servers in the cluster.

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 2 to go to the Configuration Settings menu.
4. Enter 2 to go to the Tanium Server TDL Settings menu or enter 5 to go to the Module Server TDL Settings menu.
5. Use the menu to edit proxy server settings.


Settings | Guidelines
BypassCRLCheckHostList | Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList | Must be set with a comma-separated list of FQDNs or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
  Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:
  • 7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.
  • 7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.
  • 7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
  • 7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
LogVerbosityLevel | Specify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer | IP address of the proxy server. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort | Proxy server listening port.
ProxyType | The options are Basic, NTLM, or None.
ProxyUserid | For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword | For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the connection with the proxy server.
TrustedCertPath | Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.
TrustedHostList | By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
  In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost.
  Contact Tanium Support before modifying this setting.
ForceIPV6 | Add this setting manually if you need it, but only with guidance from Tanium Support ([email protected]). In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.

Table 22: Tanium Server TDownloader (TDL) settings

Windows: Configure proxy settings

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

The proxy server configuration is stored in configuration files on the Tanium Server. Tanium Servers do not automatically synchronize the configuration files among active-active peers. If you change these settings in active-active deployments, be sure to perform the procedure on both Tanium Servers.

The Windows Registry entry for proxy server settings is found in the following location on the Tanium Server host and Tanium Module Server host:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

BypassCRLCheckHostList (REG_SZ): Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

BypassProxyHostList (REG_SZ): Must be set with a comma-separated list of FQDNs or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later support wildcards.

Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:

- 7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.
- 7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.
- 7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
- 7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

ProxyServer (REG_SZ): IP address of the proxy server.

Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.

ProxyPort (REG_SZ): Proxy server listening port.

ProxyType (REG_SZ): The options are Basic, NTLM, or None.

ProxyUserid (REG_SZ): For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.

ProxyPassword (REG_SZ): The corresponding password.

TrustedHostList (REG_SZ): By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost.

Contact Tanium Support before modifying this setting.

Table 23: TDownloader settings


By default, TDownloader resolves a proxy server hostname as an IPv4 address. Tanium Core Platform 7.3 and later support IPv6. If necessary, you can override the default by adding a setting to the TDownloader registry in the following location:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Downloader

LogVerbosityLevel (REG_DWORD): Specify one of the following decimal values for the log verbosity level:

- 0: Logging disabled.
- 1: Log level during normal operation.
- 41: Best practice log level during troubleshooting.
- 91 or higher: Enable the most detailed log levels for short periods of time only.

ForceIPV6 (REG_DWORD): Add this registry key manually if you need it, but first contact Tanium Support at [email protected] for guidance. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, add the ForceIPV6 key and set its value to 1.

 Table 24: TDownloader Registry Key setting
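As an added example (not Tanium's code), the following Python checks a BypassProxyHostList or TrustedHostList value against the rules in Tables 22 through 24: comma-separated FQDNs or IP addresses, IPv6 addresses in square brackets, and all Tanium Servers, the Module Server, 127.0.0.1 and localhost present. The host names and function names are constructed for the example.

```python
"""Check a TDownloader host-list value (BypassProxyHostList or TrustedHostList)
against the rules in Tables 22-24. Added example, not Tanium code; the host
names used here are constructed."""
import ipaddress
import re

# FQDN shape. A leading "*." is accepted because 7.0.314.6242+ supports
# wildcards, although the guide recommends literal values.
_FQDN_RE = re.compile(
    r"^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$"
)


def classify_entry(entry: str) -> str:
    """Return 'ipv4', 'ipv6' or 'fqdn', or a string that starts with 'error:'."""
    if not entry or entry != entry.strip():
        # The value is split on commas only, so a stray space becomes part of the host.
        return "error: empty entry or surrounding whitespace"
    if entry.startswith("[") and entry.endswith("]"):
        try:
            ipaddress.IPv6Address(entry[1:-1])
            return "ipv6"
        except ValueError:
            return "error: bracketed value is not an IPv6 address"
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        if _FQDN_RE.match(entry):
            return "fqdn"
        return "error: not an FQDN or IP address"
    if addr.version == 6:
        # The guide requires IPv6 literals in square brackets, e.g. [2001:db8::1].
        return "error: IPv6 address must be in square brackets"
    return "ipv4"


def check_host_list(value: str, tanium_servers, module_server: str) -> list:
    """Return the problems found in a comma-separated host list; [] means it passes.

    tanium_servers: every Tanium Server FQDN/IP in the deployment (both peers in
    an active-active pair); module_server: the Module Server FQDN/IP.
    """
    entries = value.split(",")
    problems = []
    for entry in entries:
        kind = classify_entry(entry)
        if kind.startswith("error:"):
            problems.append(f"{entry!r}: {kind[len('error: '):]}")
    present = {e.strip().lower() for e in entries}
    for required in [*tanium_servers, module_server, "127.0.0.1", "localhost"]:
        if required.lower() not in present:
            problems.append(f"missing required entry {required}")
    return problems


if __name__ == "__main__":
    # Constructed value in the same shape as the CLI example later in this guide.
    value = "ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,[2001:db8::1]"
    print(check_host_list(value, ["ts1.example.com", "ts2.example.com"], "10.10.10.11"))
```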


Smart card authentication

The Tanium™ Console supports smart card authentication. A smart card is a physical credential that has a microchip and data, such as secure certificates and keys. Smart cards are also known as common access cards (CAC) and personal identity verification (PIV) cards. Endpoint systems are set up with smart card readers, and end users use their smart card to authenticate and gain access.

Deployment requirements

When smart card authentication is enabled, the Tanium Server and Tanium Module Server must reside on separate hosts. All authentication to the Tanium Console requires smart cards unless the authentication request is from one of the following sources:

- The system hosting the Tanium Server through the local loopback address (127.0.0.1 for IPv4 or [::1] for IPv6).
- The Module Server connection to the Tanium Server.

Consequently, any additional integrations that you want to automate must reside on one of the two hosts. The following are some examples:

- SSRS plugin
- Microsoft Excel plugin (unless using the version that supports smart card authentication)
- Tanium™ Connect for Lightweight Directory Access Protocol (LDAP) synchronization
- PyTan
- Third-party security operations center (SOC) websites that query Tanium for data

An air gap deployment with smart card authentication has additional caveats:

- Links to content that is hosted on the Tanium Server must use the local loopback address. This is because the TDownloader service that downloads content to the Tanium Server cannot present a certificate.
- Links to Tanium module or shared service imports use both the local loopback address (for the workbench) and the Tanium Module Server fully qualified domain name (FQDN) for the portion of the solution installed on the Module Server.

Create a certificate

Smart card authentication for Tanium Console access depends on the public key infrastructure (PKI) of your organization. You can get started if you have a client certificate that is signed by the root certificate authority (CA) certificate for the domain where the Tanium Server is deployed. Make sure the certificate has the Proves your identity to a remote computer attribute.


Figure 7: Proves your identity to a remote computer

Perform the following procedures to create a new certificate file from certificates that you extract from the client certificate. Usually, you need to extract only the root certificate. If this does not work, you might also need to add intermediate certificates to the certificate chain.

Extract the certificates

1. Get a copy of a client certificate file that is signed by the root CA certificate for the domain. See Figure 7.

2. On a Windows endpoint, double-click the certificate file to open it in the Windows Certificate Snap-In.

3. On the Certification Path tab, select the root certificate. In this example, DigiCert is the root certificate.


4. Go to the Details tab and click Copy to File to display the Certificate Export Wizard.

5. Select Base-64 encoded X.509 (.CER).

6. Select a folder and specify a file name such as example1.cer.

7. Review the settings and click Finish to save the certificate.


8. If your deployment has intermediate CA certificates, repeat these steps to extract them. Go to the Certification Path tab and select the next certificate in the chain. In the following example, DigiCert SHA2 High Assurance Server CA is the next certificate. Export this certificate with a name such as example2.cer.


Create a new certificate file

1. Create a file named cac.pem.

2. Paste the contents of each certificate in the chain into the file.


   - Each section of the certificate file must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
   - There must be only one carriage return between each certificate in the chain.
   - There must be no extra white spaces or carriage returns at the beginning or end of the file.
   - The preceding example shows the root certificate last, which is a convention that Tanium Support uses.

3. Save the file.
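As an added example (not Tanium's code), the following Python assembles a cac.pem from the exported .cer files, leaf first and root last, and checks an existing file against the four rules above. The certificate bodies are constructed placeholders, not real certificates, and the function names are the example's own.

```python
"""Build a cac.pem chain file and check it against the rules in
"Create a new certificate file". Added example, not Tanium code; the sample
certificate bodies below are constructed placeholders."""
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One well-formed PEM block: marker, base64 lines, marker, LF line endings.
_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----"
)

# Constructed samples as a Windows Base-64 (.CER) export might look: CRLF
# endings, a trailing blank line, or a leading newline from copy and paste.
SAMPLE_LEAF = (
    "-----BEGIN CERTIFICATE-----\r\nMIIBcGxhY2Vob2xkZXI=\r\n"
    "-----END CERTIFICATE-----\r\n\r\n"
)
SAMPLE_ROOT = (
    "\n-----BEGIN CERTIFICATE-----\nMIICcm9vdHBsYWNlaG9sZGVy\n"
    "-----END CERTIFICATE-----\n"
)


def normalize_cert(text: str) -> str:
    """Trim one exported certificate to a clean block: LF endings, no blank
    lines, no whitespace around the markers."""
    body = text.replace("\r\n", "\n").strip()
    if not (body.startswith(BEGIN) and body.endswith(END)):
        raise ValueError("not a Base-64 encoded X.509 certificate")
    return "\n".join(ln.strip() for ln in body.split("\n") if ln.strip())


def build_chain(certs_leaf_to_root) -> str:
    """Join the certificates, root last (Tanium Support's convention), with
    exactly one line break between blocks and nothing before or after.
    When writing the result on Windows, open the file with newline="" so the
    single LF between blocks is not expanded to CRLF."""
    return "\n".join(normalize_cert(c) for c in certs_leaf_to_root)


def check_chain(pem: str) -> list:
    """Return the rule violations in an existing cac.pem; [] means it passes."""
    text = pem.replace("\r\n", "\n")
    problems = []
    if text != text.strip():
        problems.append("leading or trailing whitespace/blank lines")
    if "\n\n" in text:
        problems.append("blank line between certificates")
    blocks = _BLOCK_RE.findall(text.strip())
    if not blocks:
        problems.append("no certificate blocks found")
    elif "\n".join(blocks) != text.strip():
        problems.append("text outside BEGIN/END CERTIFICATE markers or a malformed block")
    return problems


if __name__ == "__main__":
    chain = build_chain([SAMPLE_LEAF, SAMPLE_ROOT])
    print(chain)
    print("problems:", check_chain(chain))
```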

Tanium Appliance: Configure CAC

Add your CAC account user name (EDIPI) as a Tanium Administrator before enabling CAC.

Step 1: Install the certificate

Upload and install the certificate:

1. Use SFTP to copy the certificate file (PEM format) to the /incoming directory on the Tanium Server appliance.

2. Sign in to the TanOS console as a user with the tanadmin role.

3. Enter 2 to go to the Tanium Operations menu.

4. Enter 9 and follow the prompts to import and install the CAC certificate file.

Step 2: Add the required Tanium Server configuration settings

1. Sign in to the TanOS console as a user with the tanadmin role.

2. Enter 2 to go to the Tanium Operations menu.

3. Enter 2 to go to the Configuration Settings menu.

4. Enter 1 to go to the Tanium Server Config Settings menu.

5. Use the menu to add Tanium Server settings as described in Table 25.

6. Restart the Tanium Server service. For more information, see Tanium Appliance Deployment Guide: Start, stop, and restart Tanium services.

You can now sign in to the Tanium Console with your CAC.

The following table summarizes the settings you must add to enable CAC.


ForceSOAPSSLClientCert: Optional. If the registry value does not exist (but other CAC/PIV registry values do exist), or is set to a value of 1, CAC/PIV authentication becomes mandatory.

Note: The design supports the value 0 to turn off client certificate authentication and use the console sign in credentials instead. However, the current implementation to support the value 0 is not finished. At this time, the value should only be set to 1.

ClientCertificateAuthField: Optional. If it is not defined, certificate authentication matches on the Subject field. Specify a value for this key if you want to match on a different attribute. Many organizations use X509v3 Subject Alternative Name.

Example:

X509v3 Subject Alternative Name

Note: X509v3 is typically hidden when displayed in Windows. Note that X509v3 is case sensitive.

ClientCertificateAuthRegex: Optional. If it is not defined, the default regular expression (regex) is used to match the user identifier. The default is .*CN=(.*)$.

The following expression is the best practice to match any Subject Alternative Name entry:

.*:\s(\d+)@.*

ClientCertificateAuth: Defines the location of the certificate file to use for authentication, such as:

/opt/Tanium/TaniumServer/cac.pem

Note: The path name is case sensitive.

TrustedHostList: Do not remove any values. Instead, append 127.0.0.1 (for IPv4) and [::1] (for IPv6) so that TDownloader can add local packages to the Tanium Server with CAC/PIV enabled.

CACTrustedAddresses: Defines which endpoints to exempt from CAC authentication requirements. These systems will not require a CAC/PIV certificate to authenticate and will work for all Tanium assets.

Specify the Tanium Server and Tanium Module Server. Specify additional addresses to exempt any other trusted systems and components.

In an active-active deployment, you must configure this setting on both Tanium Servers to prevent errors with TDownloader.

cac_ldap_server_url: Optional. If it is defined, requires that Tanium validate every CAC/PIV authentication attempt with LDAP to determine the state of the account that is signing in. Because this does not use the Windows authentication subsystem, the service account running Tanium must have the privileges to look up accounts through a direct LDAP query.

Use the following syntax, where LDAP must be uppercase:

LDAP://<LDAP FQDN>

If multiple domains are in use, specify a global catalog in the syntax GC://<domain>.

It is highly recommended that you also use Tanium Connect to align LDAP users and security groups with roles in Tanium.

CertLDAPQueryField: Optional. If it is defined, it specifies an LDAP user naming attribute. If it is not defined, the default attribute is used. Valid values are:

- userPrincipalName — The sign in name for the user.
- sAMAccountName — A sign in name that supports previous versions of Windows.

CertLDAPCertField: Optional. Add this setting in conjunction with the cac_ldap_server_url setting. This setting specifies a secondary attribute to query within the X509 certificate. Usually, this value is expected to match ClientCertificateAuthField with a value of X509v3 Subject Alternative Name.

If it is not defined, certificate authentication matches on the Subject attribute.

X509v3 is typically hidden when displayed in Windows. The string X509v3 is case sensitive.

CertLDAPCertFieldRegex: Optional. Add this attribute in conjunction with the cac_ldap_server_url setting. This setting specifies a regular expression that accounts for the User Principal Name (UPN) Suffix when a secondary LDAP lookup occurs. This is necessary because LDAP synchronization matches UPN without the UPN Suffix.

If it is not defined, whatever is returned in the user naming attribute is used.

The following example is most commonly used. It returns the full UPN:

.*\:\s*([^@]+@.*)$

The following example returns just the numeric value from the UPN:

([^@]+)@.*$

Table 25: Enable CAC settings


To disable CAC authentication, remove the CAC settings and then restart the Tanium Server service.

Windows: Configure CAC

Step 1: Copy the certificate to the Tanium Server installation directory

Copy the file to the Tanium Server installation directory, which by default is \Program Files\Tanium\Tanium Server.

Step 2: Add Windows registry keys on Tanium Server host

1. Add Windows registry key entries as described in the following tables.

2. Open the Windows Services program, right-click the Tanium Server service, and select Restart.

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value ForceSOAPSSLClientCert

Value Type REG_DWORD

Valid Range 0 or 1

Default Value 1

Guidelines Optional. If the registry value does not exist (but other CAC/PIV registry values do exist), or is set to a value of 1, CAC/PIV authentication becomes mandatory.

The design supports the value 0 to turn off client certificate authentication and use the Tanium Console sign in credentials instead. However, the current implementation to support the value 0 is not finished. At this time, set the value only to 1.

 Table 26: Enable smart card authentication

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value ClientCertificateAuthField

Value Type REG_SZ

Valid Range Any valid certificate field.

Default Value Subject

Guidelines Optional. If it is not defined, certificate authentication matches on the Subject field. Specify a value for this key if you want to match on a different attribute. Many organizations use X509v3 Subject Alternative Name.

Note: X509v3 is typically hidden when displayed in Windows. Note that the string X509v3 is case sensitive.

Table 27: Certificate attribute to be matched

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value ClientCertificateAuthRegex

Value Type REG_SZ

Valid Range Any valid regular expression.

Default Value .*CN=(.*)$

Guidelines Optional. If it is not defined, the default regular expression is used to match the user's identifier.

Use the following expression to match any Subject Alternative Name entry: .*:\s(\d+\.?\w?)@.*

 Table 28: Regular expression to match

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value ClientCertificateAuth

Value Type REG_SZ

Valid Range Any valid certificate file.

Default Value None

Guidelines Defines the location of the certificate file to use for authentication, such as D:\Program Files\Tanium\Tanium Server\cac.pem.

The path name is case sensitive.

 Table 29: Location of the smart card certificate file

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value TrustedHostList

Value Type REG_SZ

Valid Range A comma-separated list of IP addresses or FQDNs for the Tanium Server, Module Server, and Tanium database server host computers. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

Default Value None

Guidelines Do not remove any values. Instead, append 127.0.0.1 (for IPv4) and [::1] (for IPv6) so that TDownloader can add local packages to the Tanium Server with CAC/PIV enabled.

Table 30: Add 127.0.0.1 and [::1] to the TrustedHostList entry

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value CACTrustedAddresses

Value Type REG_SZ

Valid Range A comma-separated list of FQDNs.

Default Value None

Guidelines Defines which endpoints to exempt from CAC authentication requirements. These systems do not require a CAC/PIV certificate to authenticate and work for all Tanium assets.

Specify the Tanium Server and Module Server. In an active-active deployment, configure this setting on both Tanium Servers to prevent TDownloader errors. Specify additional addresses to exempt any other trusted systems and components.

 Table 31: Define trusted systems and components

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value cac_ldap_server_url

Value Type REG_SZ

Valid Range A valid LDAP server.

Default Value None

Guidelines Optional. If it is defined, requires that Tanium validate every CAC/PIV authentication attempt with LDAP to determine the state of the account that is signing in. Because this does not use the Windows authentication subsystem, the service account running Tanium must have the permissions to look up accounts through a direct LDAP query.

Use the following syntax, where LDAP must be uppercase: LDAP://<LDAP FQDN>

If multiple domains are in use, specify a global catalog. It must use the syntax GC://<domain>.

It is highly recommended that you also use Tanium Connect to align LDAP users and security groups with roles in Tanium.

Table 32: (Optional) LDAP server

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value CertLDAPQueryField

Value Type REG_SZ

Valid Range userPrincipalName or sAMAccountName

Default Value userPrincipalName

Guidelines Optional. If it is defined, it specifies an LDAP user naming attribute. If it is not defined, the default attribute is used. The valid values are:

- userPrincipalName — The sign in name for the user.
- sAMAccountName — A sign in name that supports previous versions of Windows.

 Table 33: (Optional) LDAP query

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value CertLDAPCertField

Value Type REG_SZ

Valid Range

Default Value Subject

Guidelines Optional. Add this setting in conjunction with the cac_ldap_server_url setting. This setting specifies a secondary attribute to query within the X509 certificate. Usually, this value is expected to match ClientCertificateAuthField with a value of X509v3 Subject Alternative Name.

If it is not defined, certificate authentication matches on the Subject attribute.

X509v3 is typically hidden when displayed in Windows. The string X509v3 is case sensitive.

Table 34: (Optional) LDAP secondary lookup

Location HKLM\Software\Wow6432Node\Tanium\Tanium Server

Value CertLDAPCertFieldRegex

Value Type REG_SZ

Valid Range Any valid regular expression.

Default Value None

Guidelines Optional. Add this attribute in conjunction with the cac_ldap_server_url setting. This setting specifies a regular expression that accounts for the UPN Suffix when a secondary LDAP lookup occurs. This is necessary because LDAP synchronization matches UPN without the UPN Suffix.

If it is not defined, whatever is returned in the user naming attribute would be used.

The following example is most commonly used. It returns the full UPN:

.*\:\s*([^@]+@.*)$

The following example returns just the numeric value from the UPN:

([^@]+)@.*$

 Table 35: (Optional) LDAP regex

Troubleshoot smart card authentication

- Check the configuration for typos, such as extra spaces or letter case errors.
- Test whether the system works with just the required registry keys. Then enable and test optional settings, such as the LDAP integration settings.
- In an active-active deployment, configure the CACTrustedAddresses value with entries for each Tanium Server and the Module Server to avoid TDownloader errors during package synchronization.
- Set the logging level to 41 or higher on the Tanium Server and Module Server to record the following events. See Tanium Console User Guide: Configure server logging levels. If you configure a custom log that records only these events, use .*Client Certificate auth.* as the filter regex. See Create a custom log on page 172.


   - If ClientCertificateMatchField is set and does not match:
      - No regex match:
        Client Certificate auth logon denied, match failed
      - Field used for regex not found in the CA certificate:
        Client Certificate auth logon denied, match property not present
   - If ClientCertificateMatchField passes or is empty, the user is extracted using the ClientCertificateAuthField and ClientCertificateAuthRegex:
      - If ClientCertificateAuthRegex is not matched:
        Client Certificate auth logon denied, regex not matched
      - If ClientCertificateAuthField is not found:
        Client Certificate auth logon denied, field not found
      - If the regex matches and the field is found but the name is not valid:
        Client Certificate auth logon denied, unknown user
   - Any other error or information message also starts with:
     Client Certificate auth
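As an added example (not Tanium's code), the following Python replays the field-and-regex step that Tables 25, 28 and 35 configure, maps each failure of that step to the corresponding "Client Certificate auth logon denied" message listed above, and tallies those messages from log lines selected with the .*Client Certificate auth.* filter. The certificate field values, the user list and the log lines are constructed, and the exact text the Tanium Server hands to the regex (here "othername: <UPN>" for the SAN) is an assumption.

```python
"""Replay Tanium Console client-certificate matching (Tables 25/28/35) and the
"Client Certificate auth" log messages from the troubleshooting list.
Added example, not Tanium code; certificate values, users and log lines are
constructed, and the field text fed to the regex is an assumption."""
import re

DEFAULT_AUTH_FIELD = "Subject"
DEFAULT_AUTH_REGEX = r".*CN=(.*)$"           # default ClientCertificateAuthRegex
SAN_AUTH_REGEX = r".*:\s(\d+)@.*"            # appliance best practice for a SAN entry
SAN_AUTH_REGEX_WIN = r".*:\s(\d+\.?\w?)@.*"  # Windows variant from Table 28
UPN_FULL_REGEX = r".*\:\s*([^@]+@.*)$"       # CertLDAPCertFieldRegex: full UPN
UPN_NUMERIC_REGEX = r"([^@]+)@.*$"           # CertLDAPCertFieldRegex: part before @

DENIED = "Client Certificate auth logon denied, "


def match_certificate_user(cert_fields, known_users,
                           auth_field=DEFAULT_AUTH_FIELD,
                           auth_regex=DEFAULT_AUTH_REGEX):
    """Return ("ok", user) or ("denied", log message) for one sign-in attempt.

    cert_fields maps certificate field names to their text. Field names are
    case sensitive, so "x509v3 ..." does not find "X509v3 ..." (field not found).
    The first capture group of auth_regex is the user identifier.
    """
    value = cert_fields.get(auth_field)
    if value is None:
        return "denied", DENIED + "field not found"
    m = re.match(auth_regex, value)
    if not m:
        return "denied", DENIED + "regex not matched"
    user = m.group(1)
    if user not in known_users:
        return "denied", DENIED + "unknown user"
    return "ok", user


def ldap_lookup_name(field_value, regex=UPN_FULL_REGEX):
    """Apply CertLDAPCertFieldRegex to get the name for the secondary LDAP lookup."""
    m = re.match(regex, field_value)
    return m.group(1) if m else None


def summarize_auth_log(lines):
    """Tally denial reasons among lines selected by the filter .*Client Certificate auth.* ."""
    selected = re.compile(r".*Client Certificate auth.*")
    counts = {}
    for line in lines:
        if selected.match(line) and DENIED in line:
            reason = line.split(DENIED, 1)[1].strip()
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample: a Subject DN and a SAN rendered as "othername: <UPN>".
SAMPLE_CERT = {
    "Subject": "C=US, O=Example Org, OU=PKI, CN=1234567890",
    "X509v3 Subject Alternative Name": "othername: 1234567890@mil",
}
KNOWN_USERS = {"1234567890"}

# Constructed log lines as recorded at verbosity 41 or higher.
SAMPLE_LOG = [
    "2021-12-09 10:00:01 Client Certificate auth logon denied, regex not matched",
    "2021-12-09 10:00:05 Client Certificate auth logon denied, unknown user",
    "2021-12-09 10:00:07 Client Certificate auth logon denied, regex not matched",
    "2021-12-09 10:00:09 Package sync complete",
]

if __name__ == "__main__":
    print(match_certificate_user(SAMPLE_CERT, KNOWN_USERS))
    print(match_certificate_user(SAMPLE_CERT, KNOWN_USERS,
                                 "X509v3 Subject Alternative Name", SAN_AUTH_REGEX))
    print(ldap_lookup_name(SAMPLE_CERT["X509v3 Subject Alternative Name"]))
    print(summarize_auth_log(SAMPLE_LOG))
```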


Command-line interface

In Tanium Core Platform 7.1.314.2924 or later, you can configure platform server settings through a command-line interface (CLI). Version 7.3.314.3431 or later is required to use the CLI for configuring platform settings.

Contact Tanium Support for guidance ([email protected]) before you create, edit, or delete platform settings.

Tanium Appliance

For Tanium Appliance deployments, you can use the TanOS menu to read and write the configuration. In rare cases, you might be granted shell access to troubleshoot an issue. The CLI programs are installed in the following locations.

Component: CLI program location

Tanium Server: /opt/Tanium/TaniumServer/TaniumServer

Module Server: /opt/Tanium/TaniumModuleServer/TaniumModuleServer

Zone Server: /opt/Tanium/TaniumZoneServer/ZoneServer

TDownloader: /opt/Tanium/TaniumServer/TaniumTDownloader and /opt/Tanium/TaniumModuleServer/TaniumTDownloader

 Table 36: CLI directories for Appliance deployment

For details about the TanOS CLI, see Tanium Appliance Deployment Guide: TanOS command line interface.

Windows

For Windows deployments, the Windows Registry is still the canonical source of configuration. You can use the CLI if you need to get or set the configuration using a program.

Component: CLI program location

Tanium Server: Program Files\Tanium\TaniumReceiver.exe

Module Server: Program Files\Tanium\TaniumModuleServer.exe

Zone Server: Program Files (x86)\Tanium\Tanium Zone Server\TaniumZoneServer.exe

TDownloader: Program Files\Tanium\Tanium Server\TDownloader.exe and Program Files\Tanium\Tanium Module Server\TDownloader.exe

 Table 37: CLI directories for Windows deployment


If necessary, elevate permissions to open the command prompt as administrator.

Examples

The following examples show how to use the CLI.

Display help

TaniumReceiver --help
Usage: TaniumReceiver [options] <command> [<args>]

General Options:
  -h [ --help ]       Print this help message
  -v [ --version ]    Print the version
  --verbose           Verbose output

Service Options:
  -i                  Install the service
  -u                  Uninstall the service
  -s                  Start the service
  -e                  Stop the service

Internal Tanium Options - DO NOT USE:
  -d                  Run without daemonizing

Commands:
  config                Manage configuration
  clean-downloads       Clean the downloads catalog
  database              Manages a database
  global-settings       Manages global settings
  license               Manages Deployment License
  pki                   Manages PKI
  python-auth-plugin    Run a python authentication plugin - DO NOT USE
  server-registrations  Manages server registration requests
  test-hsm              Test an HSM configuration
  trust-module-certs    Add trusted Module Server certificates

For help on a specific command run `TaniumReceiver COMMAND -h`

Display config help

cmd-prompt>TaniumReceiver config --help
Usage: TaniumReceiver config <action> [<key>] [<value>]

Actions:
  config list                        List all keys and non-protected values
  config list-protected              List all keys and values
  config get <key>                   Print non-protected config value
  config get-protected <key>         Print config value
  config set <key> <value>           Set config value and try to guess type
  config set-string <key> <value>    Set string value
  config set-protected <key> <value> Set protected string value
  config set-number <key> <value>    Set numeric value (in decimal or hex notation)
  config remove <key>                Remove config value

Example: List configuration settings

When displaying the current settings, note that the CLI output displays (protected) instead of the actual value for settings that are designated as protected, which means they are security-sensitive.

cmd-prompt>TaniumReceiver config list
Keys:
- AddressMask: 16777215
- ConsoleSettingsJSON: C:\Program Files\Tanium\Tanium Server\http\config\console.json
- DBUserDomain: tam.local
- DBUserName: taniumsvc
- LogPath: C:\Program Files\Tanium\Tanium Server\Logs
- LogVerbosityLevel: 1
- Logs:
- Logs.MiniDumpMessages:
- Logs.MiniDumpMessages.FilterRegex: .*Begin MiniDumper.*
- Logs.MiniDumpMessages.LogVerbosityLevel: 1
- ModuleServer: tms1.tam.local,TMS1.tam.local:17477
- ModuleServerPort: 17477
- PGDLLPath: C:\Program Files\Tanium\Tanium Server\postgres\bin
- PKIDatabasePassword: (protected)
- PGRoot: C:\Program Files\Tanium\Tanium Server\postgres
- Path: C:\Program Files\Tanium\Tanium Server
- ProxyPassword: (protected)
- ProxyPort:
- ProxyServer:
- ProxyType: NONE
- ProxyUserid:
- SQLConnectionString: postgres:localhost@dbname=postgres port=5432
- ServerName: 0.0.0.0
- ServerPort: 17472
- ServerSOAPPort: 443
- TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
- TrustedHostList: ts1.tam.local
- TrustedModuleServerCertsPath: C:\Program Files\Tanium\Tanium Server\trusted-module-servers.crt
- Version: 7.3.314.4283

Example: Set configuration values

cmd-prompt>TaniumReceiver config set BypassProxyHostList ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15
cmd-prompt>TaniumReceiver config get BypassProxyHostList
ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15

Example: Set TDownloader configuration values

cmd-prompt>TDownloader config set ProxyServer 10.10.10.10
cmd-prompt>TDownloader config get ProxyServer
10.10.10.10

Example: Register the Module Server with the Tanium Server

On the Module Server host computer, use the CLI to register with a Tanium Server. Specify a Tanium Console administrator user name and password.

Registration involves copying files between the Module Server and the Tanium Server. Both servers must be reachable when you issue the registration command or the command fails.

After registering the Module Server, you must restart the services for the Tanium Module Server and all Tanium modules and shared services. On the Module Server, open the Windows Services application and, for each service, right-click the service name and select Restart.

cmd-prompt>TaniumModuleServer register -h
Usage: TaniumModuleServer register <server> [opts]
  --server arg                     Tanium Server hostname (optionally including port)
  --address arg (=TMS1.tam.local)  DNS name or IP that the Tanium Server should use to connect to this Module Server
  --timeout arg (=120)             Registration timeout in seconds
  --user arg                       Administrator username
  --pass arg                       Administrator password (leave blank for interactive prompt)
  --pass-file arg                  Administrator password protected file
  --trusted-fingerprint arg        Trust the given server certificate fingerprint
  --json-out arg                   JSON file to output results to

cmd-prompt>TaniumModuleServer register ts2.tam.local
Enter administrator username: TaniumAdmin
Enter password for user 'TaniumAdmin':
Successfully completed registration.

If the Tanium Console has been configured to use a non-standard port, you must specify the port number, as shown in the following example.


cmd-prompt>TaniumModuleServer register ts2.tam.local:8443

Enter administrator username: TaniumAdmin

Enter password for user 'TaniumAdmin':

Successfully completed registration.

cmd-prompt>

If the Tanium Console is not listening on 443 and you do not specify the port in the registration command, the registration results in failure with the message:

Failed to register module server. Failed to authenticate for registration.SSLClientConnection has failed to complete request.

Example: Configure global settings

cmd-prompt>TaniumReceiver global-settings -h

Usage: TaniumReceiver global-settings list|list-all|get|set|set-string|set-number|set-flags|unset-flags|remove

  -c [ --command ] arg    Command to run:
                            list
                            list-all
                            get <setting>
                            set <setting> <value>
                            set-string <setting> <value>
                            set-number <setting> <value>
                            set-flags <setting> [public|hidden|read-only|server ...]
                            unset-flags <setting> [public|hidden|read-only|server ...]
                            remove <setting>

cmd-prompt>TaniumReceiver global-settings set ReportingTLSMode 0

Example: Add an admin user

cmd-prompt>TaniumReceiver database -h

Usage: TaniumReceiver database create|upgrade|create-admin-user

  -c [ --command ] arg    Command to run:
                            create
                            upgrade
                            create-admin-user [username] [domain]
                            sqlserver2postgre outputfile

cmd-prompt>TaniumReceiver database create-admin-user admin-recover tam.local


Logs

Overview

Tanium Core Platform servers and Tanium Clients generate several predefined logs that you can use to diagnose issues and unexpected behavior. You can also configure custom logs that copy specific content from the predefined logs based on a filter: see Create a custom log on page 172. The logging level determines how much detail logs record. The following logging levels are best practices for specific use cases:

- 0: Logging disabled.
- 1: Normal (default) logging level.
- 41: Best practice value during troubleshooting.
- 91 or higher: Most detailed logging level. Because this level consumes the most resources, enable it for short periods only.

To change the logging level through the Tanium Console for the Tanium Server and Tanium Module Server, see Tanium Console User Guide: Configure server logging levels. You can also change the logging level for platform servers by configuring the LogVerbosityLevel settings (see Tanium Core Platform settings on page 122) through the CLI on Windows on page 161 or through the TanOS menus on the Tanium Appliance on page 122. To change the logging level of custom logs, see Create a custom log on page 172.

For information about Tanium Client logs, see Tanium Client Management User Guide: Troubleshooting.

Tanium Appliance

The Tanium Appliance supports the following log features:

- Health Check report: see Tanium Appliance Deployment Guide: Run the Health Check
- Tanium Core Platform logs: see Tanium Appliance Deployment Guide: Review Tanium Core Platform logs. These are similar to the platform logs that you see in a Windows on page 169 deployment.
- Tanium module logs: see Tanium Appliance Deployment Guide: Review Tanium solution module logs
- TanOS partition sync log: see Tanium Appliance Deployment Guide: View the TanOS partition sync log
- TanOS upgrade log: see Tanium Appliance Deployment Guide: View the TanOS upgrade log
- Tanium Support Gatherer logs: see Tanium Appliance Deployment Guide: Run Tanium Support Gatherer
- Tanium Platform Analyzer (TPAN): see Tanium Health Check User Guide: Generating reports
- System activity report (SAR): see Tanium Appliance Deployment Guide: Use the Performance Monitoring menu
- Syslog forwarding: see Tanium Appliance Deployment Guide: Configuring syslog
- SNMP walk: see Tanium Appliance Deployment Guide: Configuring SNMP


Windows

To view Tanium Core Platform logs, you require access to the platform server hosts. In the following log file locations, variables such as <Tanium Server> represent the server installation directories.

Action scheduler logs

- Content: Records events and issues that relate to scheduled actions. For example, the logs record information about why the Tanium Server did or did not deploy the actions. If you set the logging level to 1 (default) or 41, the server generates the logs only if errors occurred (such as actions failing to deploy). To record additional details for normal (successful) operations of scheduled actions, set the logging level to 91.
- Location and file name: <Tanium Server>\Logs\action-scheduler<#>.txt

Authentication logs

- Content: Records user access to the Tanium Console or API through all authentication methods.
- Location and file name: <Tanium Server>\Logs\auth<#>.txt

Database upgrade logs

- Content: Records actions that the Tanium Server installer performs on Tanium database schemas when you upgrade the Tanium Core Platform.
- Location and file name: <Tanium Server>\Logs\database-upgrade<#>.txt

HTTP connection logs

HTTP connection logs are available in Tanium Core Platform 7.3 or later.

- Content: Records attempts to connect to the Tanium Server. For example, the logs record registration attempts by Tanium Clients or the Zone Server.
- Location and file name: <Tanium Server>\Logs\http-access<#>.txt

Installation logs

- Content: Records actions that the installer for a Tanium Core Platform server performs during installations and upgrades. If you encounter issues with your installation, examine the logs to see which actions completed successfully and which failed. Each time you run the installer, it appends the actions for that execution to the end of the file instead of rolling over the file.
- Location and file name:
  - Tanium Server: <Tanium Server>\Install.txt
  - Tanium Module Server: <Module Server>\Install.txt
  - Tanium Zone Server: <Zone Server>\Install.txt


LDAP logs

- Content: Records LDAP synchronization and authentication events for interactions between the Tanium Server and LDAP servers.
- Location and file name: <Tanium Server>\Logs\ldap<#>.txt

Module plugin history logs

Module plugin history logs are available in Tanium Core Platform 7.3 or later.

- Content: Records plugin executions. A plugin is an extension to a Tanium Core Platform component or solution module. Plugin operations are usually transparent to users. However, Tanium Support might instruct you to review plugin details when troubleshooting unexpected behavior (contact [email protected]).
- Location and file name:
  - Tanium Server: <Tanium Server>\Logs\module-history<#>.txt
  - Tanium Module Server: <Module Server>\Logs\module-history<#>.txt

Package cache cleaner logs

- Content: Records which package files the Tanium Server removed from the shard cache because the packages no longer exist, the files expired, or the server replaced the files with updated versions.
- Location and file name: <Tanium Server>\Logs\package-cleaner<#>.txt

PKI logs

PKI logs are available in Tanium Core Platform 7.4 or later.

- Content: Records events related to the use of digital keys when Tanium Core Platform components prove their identity to each other. The logs also record events related to trust approvals and denials among Tanium Servers, Zone Servers, and Zone Server Hubs.
- Location and file name:
  - Tanium Server: <Tanium Server>\Logs\pki<#>.txt
  - Tanium Module Server: <Module Server>\Logs\pki<#>.txt
  - Tanium Zone Server: <Zone Server>\Logs\pki<#>.txt
  - Tanium Zone Server Hub (if the hub is not on the Tanium Server): <Zone_Server_Hub_installation_folder>\Logs\pki<#>.txt

RBAC logs

- Content: Records events related to Tanium role-based access control (RBAC). For example, when the Tanium Server denies users access to a resource, the logs indicate which required permissions are missing in the user roles.
- Location and file name: <Tanium Server>\Logs\rbac<#>.txt


Server logs

- Content: These are the main logs for each Tanium Core Platform server, and record all events that the other log types do not capture.
- Location and file name:
  - Tanium Server: <Tanium Server>\Logs\log<#>.txt
  - Tanium Module Server: <Module Server>\Logs\log<#>.txt
  - Tanium Zone Server: <Zone Server>\Logs\log<#>.txt

Tanium Data Service logs

- Content: Records operations related to collecting results for sensors that are registered for automatic collection. For each question that the Tanium Server issues to collect sensor results, the log has an entry that indicates the issue date-time, the question ID (Harvesting qid), and information about each sensor in the question.
- Location and file name: <Module Server>\services\tanium-data-files\tanium-data.log<#>.txt

TDownloader logs

- Content: History of the actions that the TDownloader service performs when it downloads files from Tanium and other Internet locations. The logs include proxy server connection status events when applicable. The TDownloader logs might help you troubleshoot when importing Tanium content packs and solution modules or downloading updates to package files.
- Location and file name:
  - Tanium Server: <Tanium Server>\TDL_Logs\log<#>.txt
  - Tanium Module Server: <Module Server>\TDL_Logs\log<#>.txt

Rollover for Tanium Core Platform logs

To clear space for new logs, Tanium Core Platform servers roll over and compress existing logs when they exceed the maximum log size (10 MB) and maximum number of logs. The maximum number of log files varies by log type and format. By default, custom log types have a maximum of 10 plain text logs and 10 ZIP logs.

Log File Name                                                        Plain Text   ZIP
action-scheduler<#>.txt                                              10           10
authlog<#>.txt                                                       10           10
database-upgrade<#>.txt                                              10           10
download-catalog-cleaner<#>.txt                                      10           10
http-access<#>.txt                                                   2            3
ldap<#>.txt                                                          10           10
log<#>.txt (main server log for each Tanium Core Platform server)    10           10
log<#>.txt (TDownloader log)                                         10           0
module-history<#>.txt                                                2            3
package-cleaner<#>.txt                                               10           10
pki<#>.txt                                                           10           10
rbac<#>.txt                                                          10           10

Table 38: Number of log files

The rollover process is as follows, where <log_type#>.txt is the log file name (such as log0.txt):

Plain text logs

When the first log file <log_type>0.txt reaches 10 MB in size, it is renamed <log_type>1.txt and a new <log_type>0.txt is created. When <log_type>0.txt again reaches 10 MB, <log_type>1.txt is renamed <log_type>2.txt, <log_type>0.txt is again renamed <log_type>1.txt, and <log_type>0.txt is again recreated. The process of rolling logs whenever <log_type>0.txt reaches 10 MB continues until the maximum number of plain-text logs exist. For example, each Tanium Core Platform server log has a maximum of 10 plain-text logs: log0.txt to log9.txt.

ZIP logs

After recording the maximum number of plain-text logs, the oldest log is compressed. For example, log9.txt is saved as log10.zip. When <log_type>0.txt again reaches 10 MB, the file name of the first ZIP log is incremented (for example, log10.zip becomes log11.zip) and the oldest plain-text log is again compressed and replaces the first ZIP log. The ZIP file rollover process continues until the maximum number of ZIP files exist. For example, each Tanium Core Platform server log has a maximum of 10 ZIP files: log10.zip to log19.zip. When <log_type>0.txt reaches 10 MB again after that, the first ZIP log is created again (such as log10.zip) but the oldest ZIP log (such as log19.zip) is not renamed and is effectively dropped because the second oldest ZIP file replaces it (for example, log18.zip becomes the new log19.zip).
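The rollover sequence above is easiest to reason about when you can see the file set after each event, for instance when estimating how far back a server's log history reaches before the oldest ZIP is dropped. The following Python model is an added example, not Tanium code: it reproduces the renaming rules for one log type with the per-type limits from Table 38 (plain-text count and ZIP count are parameters), and each call to rollover() stands for one "<log_type>0.txt reached 10 MB" event. The 10 MB threshold itself is not modelled.

```python
"""Model of the Tanium Core Platform log rollover naming scheme.

Added example, not Tanium code. One log type is modelled with max_plain
plain-text files (<type>0.txt .. <type>{max_plain-1}.txt) and max_zip ZIP
files (<type>{max_plain}.zip .. <type>{max_plain+max_zip-1}.zip). The real
servers trigger a rollover when <type>0.txt exceeds 10 MB; here each call
to rollover() represents one such event.
"""
import re
from typing import List


def _index(name: str) -> int:
    """Sort key: the number embedded in '<type>N.txt' or '<type>N.zip'."""
    return int(re.search(r"(\d+)\.(txt|zip)$", name).group(1))


def rollover(files: List[str], log_type: str = "log",
             max_plain: int = 10, max_zip: int = 10) -> List[str]:
    """Return the file set after <log_type>0.txt fills up and rolls over."""
    plain = [f"{log_type}{i}.txt" for i in range(max_plain)]
    zips = [f"{log_type}{max_plain + i}.zip" for i in range(max_zip)]
    present = set(files)
    after = set()

    # 1. Every ZIP log takes the next name up. The oldest ZIP (zips[-1]) is
    #    not renamed; the second oldest simply replaces it, so it is dropped.
    for i in range(max_zip - 1, 0, -1):
        if zips[i - 1] in present:
            after.add(zips[i])

    # 2. The oldest plain-text log is compressed and becomes the first ZIP.
    #    With max_zip == 0 (the TDownloader log in Table 38) it is dropped.
    if max_zip > 0 and plain[max_plain - 1] in present:
        after.add(zips[0])

    # 3. Every remaining plain-text log is renamed one index up.
    for i in range(max_plain - 1, 0, -1):
        if plain[i - 1] in present:
            after.add(plain[i])

    # 4. A fresh <log_type>0.txt is created.
    after.add(plain[0])
    return sorted(after, key=_index)


def rollover_sequence(n_rollovers: int, log_type: str = "log",
                      max_plain: int = 10, max_zip: int = 10) -> List[str]:
    """Start from a single <log_type>0.txt and apply n rollover events."""
    files = [f"{log_type}0.txt"]
    for _ in range(n_rollovers):
        files = rollover(files, log_type, max_plain, max_zip)
    return files


if __name__ == "__main__":
    # Main server log with the default 10/10 limits.
    for n in (1, 9, 10, 19, 20):
        print(f"after {n:2d} rollovers: {rollover_sequence(n)}")
    # http-access log, which Table 38 limits to 2 plain-text and 3 ZIP files.
    print(rollover_sequence(30, "http-access", max_plain=2, max_zip=3))
```

Once the ZIP limit is reached the file set stops growing and every further rollover discards the contents of the oldest ZIP, so with the default limits a busy server keeps at most 20 generations of each log type; if you need a longer history for investigations, copy or forward the logs before that point.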

Create a custom log

If you want to troubleshoot only specific information in predefined Tanium logs, you can configure a Tanium Core Platform server or Tanium Client to filter the logs based on a regular expression and to copy the matching content to a custom log. Custom logs are especially useful if you set a high logging level for the predefined logs such that they roll over too quickly and record too much information for you to easily find specific issues. You can create as many custom logs as necessary and base each one on a different filter. After you configure a new log type, the platform server or client creates a custom log file upon recording an event in a predefined log that matches the regular expression. Thereafter, whenever the predefined logs record additional events that match the filter, the server or client copies those records to the custom log.

Log filtering can consume significant resources on a server or client, especially if you set a high logging level. Therefore, the best practice is to remove custom logs after you finish a troubleshooting session. For more information, see the logging level setting in Table 39.

The following procedures describe how to configure custom logs using the TanOS console (Appliance) or using the CLI command executables and options listed in Table 39 (Tanium Clients or platform servers on Windows).

Executable/Option    Description

<executable>
    The Tanium Client and Tanium Core Platform servers use the following executables for running CLI commands. The executables reside in the server or client installation directory.
    - Tanium Server: TaniumReceiver
    - Module Server: TaniumModuleServer
    - Zone Server or Zone Server Hub: TaniumZoneServer
    - Tanium Client: TaniumClient

<log prefix>
    The log file prefix. The server or client automatically appends a number to the prefix and adds the suffix (.txt) upon generating the log. For example, if you enter CompletedRegistrations as the prefix for a custom client log, the first file that the client generates for that log type is CompletedRegistrations0.txt.

<filter regex>
    The regular expression to use for filtering the predefined logs. The server or client copies log entries that match the filter to the custom log.

    The filter applies only to log messages, not to thread names, thread IDs, or timestamps.

    The following are examples of useful filter expressions for Tanium Server logs:
    - .*Begin MiniDumper.* records messages about application crashes.
    - .*Failing to sync sensors.* identifies sensor synchronization failures.
    - .*msg=NoMaxAgeFound.* records instances where the Tanium Server issues a question that uses deleted sensors.
    - .*Client Certificate auth.* records authentication messages relating to Tanium Client certificates. This is useful for troubleshooting smart card (common access card) authentication issues. See Troubleshoot smart card authentication on page 159.

    The following are examples of useful filter expressions for Tanium Server or Zone Server logs:
    - .*Begin registration.* identifies Tanium Clients that are trying to register.
    - .*Registration complete.* identifies clients that successfully registered.

<logging level>
    The logging level of the custom log. For details, see Overview on page 168.

    Higher logging levels consume more resources on the server or client.

    If different custom log types have different levels, the server or client generates all log types at the highest level that is set for any custom log type. This ensures that filter matching applies to all log messages at the highest configured level. However, in this case, each log file still contains only the level of detail that corresponds to the level you set for its log type. For example, you might set the logging level to 1 for predefined logs on the Tanium Server and set the level to 91 for a custom log. In this case, the server generates log messages at level 91 for all log types and the custom log contains messages at level 91, but the predefined logs contain messages only at level 1.

Table 39: CLI command executables and options for custom logs
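The filter expressions in Table 39 are applied to the message part of each predefined log entry only, which matters when a thread name or timestamp happens to contain the text you are looking for. The following Python script is an added example, not Tanium code: it applies the documented expressions to a handful of constructed entries and reports what each custom log would receive. The entry layout "<timestamp>|<thread>|<tid>|<message>" is an assumption made for the example (the real on-disk format is not shown in this guide), as is the assumption that the expression must match the whole message, which is why the documented filters are wrapped in leading and trailing .*.

```python
"""Apply custom-log FilterRegex values to predefined log entries.

Added example, not Tanium code. Matching is restricted to the message
field, as the guide states for Logs.<prefix>.FilterRegex. The entry layout
"<timestamp>|<thread>|<tid>|<message>" and the whole-message (fullmatch)
semantics are ASSUMPTIONS made for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample entries in the assumed layout. The third entry has a
# thread named MiniDumper but an unrelated message, to show that thread
# names are not filtered; the sixth carries the message the crash filter
# targets.
SAMPLE_LOG = """\
2021-11-16 21:24:01|Main|1001|Begin registration from 10.10.10.15
2021-11-16 21:24:02|Main|1001|Registration complete for client 10.10.10.15
2021-11-16 21:25:10|MiniDumper|1002|heartbeat ok
2021-11-16 21:26:33|Auth|1003|Client Certificate auth: chain validated
2021-11-16 21:27:45|Auth|1003|Client Certificate auth: revocation check failed
2021-11-16 21:28:00|Main|1001|Begin MiniDumper: writing crash dump
2021-11-16 21:28:30|Sync|1004|Failing to sync sensors from content server
"""

# Filter expressions quoted in Table 39, keyed by a chosen custom log prefix.
FILTERS: Dict[str, str] = {
    "CACAuthLog": r".*Client Certificate auth.*",
    "CrashLog": r".*Begin MiniDumper.*",
    "RegistrationLog": r".*Begin registration.*",
    "SensorSyncLog": r".*Failing to sync sensors.*",
}


def parse_entry(line: str) -> Tuple[str, str, str, str]:
    """Split one entry of the assumed layout into (timestamp, thread, tid, message)."""
    timestamp, thread, tid, message = line.split("|", 3)
    return timestamp, thread, tid, message


def compile_filter(pattern: str) -> "re.Pattern[str]":
    """Compile a FilterRegex value.

    An invalid expression raises re.error; checking this before running
    'config set' avoids storing a filter that can never match.
    """
    return re.compile(pattern)


def build_custom_log(prefix: str, pattern: str,
                     predefined_log: str) -> Tuple[str, List[str]]:
    """Return (file name, copied entries) for one custom log.

    Only the message field is tested against the filter; entries that match
    are copied whole, as the server copies matching records.
    """
    regex = compile_filter(pattern)
    copied: List[str] = []
    for line in predefined_log.splitlines():
        if not line.strip():
            continue
        _timestamp, _thread, _tid, message = parse_entry(line)
        if regex.fullmatch(message):
            copied.append(line)
    # The first file generated for a log type is <prefix>0.txt.
    return f"{prefix}0.txt", copied


if __name__ == "__main__":
    for prefix, pattern in FILTERS.items():
        name, entries = build_custom_log(prefix, pattern, SAMPLE_LOG)
        print(f"{name}: {len(entries)} matching entries")
        for entry in entries:
            print("   ", entry)
```

Note that the "heartbeat ok" entry from the MiniDumper thread never reaches CrashLog, while the "Begin MiniDumper" message does; a filter written against thread names would silently collect nothing. Test a new expression against a few known log lines this way before raising the logging level for it.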


Create a custom log on the Appliance

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter 2 to go to the Configuration Settings menu.
4. Enter 1 to go to the Tanium Server Config Settings menu.
5. For each log setting (LogVerbosityLevel, LogPrefix, and FilterRegex), enter A to add the setting and then enter its value. Table 39 describes the settings. For the <log subject>, specify any text string to identify the purpose of the log.
   - Logs.<log subject>.LogVerbosityLevel
   - Logs.<log subject>.LogPrefix
   - Logs.<log subject>.FilterRegex

   For example, if the log is for troubleshooting common access card (CAC) authentication, you might specify the following values:
   - Logs.CAC.LogVerbosityLevel = 41
   - Logs.CAC.LogPrefix = CACAuthLog
   - Logs.CAC.FilterRegex = .*Client Certificate auth.*

To review the log after the Appliance generates messages that match the filter:

1. Sign in to the TanOS console as a user with the tanadmin role.
2. Enter B to go to the Appliance Maintenance menu.
3. Enter 5 to go to the Shell Keys menu.
4. Enter O and enter yes at the prompt to open a read-only (RO) shell.
5. Go to the Logs directory:

   cd /opt/Tanium/TaniumServer/Logs

6. List the directory contents:

   ls -la

   The following is an example of the output, including the custom log CACAuthLog:

   total 1264
   drwxr-x---.  2 tanium tanium   4096 Nov 16 21:24 .
   drwxr-x---. 20 tanium tanium   4096 Nov 16 22:15 ..
   -rw-r-----.  1 tanium tanium    685 Nov 16 21:28 CACAuthLog0.txt
   -rw-r-----.  1 tanium tanium   2805 Oct 26 19:39 auth0.txt
   -rw-r-----.  1 tanium tanium 322930 Oct 26 18:41 database-upgrade0.txt
   -rw-r-----.  1 tanium tanium 857760 Nov 16 19:36 http-access0.txt
   -rw-r-----.  1 tanium tanium  31873 Nov 16 20:01 log0.txt
   -rw-r-----.  1 tanium tanium  27082 Nov 16 19:36 module-history0.txt
   -rw-r-----.  1 tanium tanium  17223 Nov 16 19:33 package-cleaner0.txt
   -rw-r-----.  1 tanium tanium   3300 Oct 26 18:46 pki0.txt

7. Display the custom log contents using standard UNIX commands such as more, cat, or tail:

   more CACAuthLog0.txt

8. When you finish viewing the log contents, enter exit to close the shell.

Create a custom log on a platform server or client for Windows

Perform the following steps using the command executables and options listed in Table 39 to create a custom log on a Tanium Core Platform server or Tanium Client that is installed on a Windows host.

1. Sign in to the host system of the platform server or Tanium Client.
2. Open the Command Prompt and navigate (cd) to the server or client installation directory.
3. Configure a regular expression for the custom log.

   <executable> config set Logs.<log prefix>.FilterRegex "<filter regex>"

4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

   <executable> config set Logs.<log prefix>.LogVerbosityLevel <logging level>

Create a custom log on Tanium Client for macOS

Perform the following steps using the command options listed in Table 39 to create a custom log on a managed macOS endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

1. Sign in to the endpoint that hosts the Tanium Client.
2. Open the Terminal program.
3. Configure a regular expression for the custom log.

   sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"

4. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

   sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>

Create a custom log on Tanium Client for Linux, Solaris, or AIX

Perform the following steps using the command options listed in Table 39 to create a custom log on a managed Linux, Solaris, or AIX endpoint. The variable <Tanium Client> is the Tanium Client installation directory.

1. Sign in to the endpoint that hosts the Tanium Client.
2. Configure a regular expression for the custom log.

   sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.FilterRegex "<filter regex>"

3. (Optional) Set the logging level of the custom log. If you skip this step, the default level is 1.

   sudo <Tanium Client>/TaniumClient config set Logs.<log prefix>.LogVerbosityLevel <logging level>


Export Commodity Classification

The Export Commodity Classification Automated Tracking System (CCATS) number for Tanium is G172792. The Export Control Classification Numbers (ECCNs) for Tanium products are:

Product                         ECCN        License Exception             Authorized for Export (See Definitions List Below)
Tanium Client software          5D992.c     No License Required ("NLR")   All countries, except Embargoed Countries and the Crimea Region of Ukraine
Tanium Server software          5D002.c.1   ENC/(b)(1)                    All countries, except Embargoed Countries and the Crimea Region of Ukraine
Tanium Module Server software   5D002.c.1   ENC/(b)(1)                    All countries, except Embargoed Countries and the Crimea Region of Ukraine

Table 40: Export Commodity Classification

Tanium prohibits software and hardware (both physical and virtual) installations in certain countries. To find out whether a particular country is on the prohibited list, please contact Tanium Support at [email protected].


Change log

Date                 Revision Summary
December 9, 2021     Updated security exclusions for DOC-3317.
December 3, 2021     Added security exclusions for System User service and RDB. Updated the Appliance network diagram and table. Updated for PLATDOCS-1049.
December 1, 2021     Added custom logs topic.
November 30, 2021    Links to On Prem topics in Risk and API Gateway guides.
November 16, 2021    Updated for PLATDOCS-1072.
November 9, 2021     Added links to Tanium API Gateway User Guide.
November 5, 2021     Updated for DOC-3264 and DOC-3261.
November 4, 2021     Added Risk module (TaaS only) to topics that link to all Tanium solutions.
November 1, 2021     Updated platform version numbers to 7.5.2.3503.
October 26, 2021     Released Console 3.0 and Platform 7.5.2 to Ring 4.
October 19, 2021     Updated for DOC-3212 and DOC-3215.
September 30, 2021   Updated for DOC-3086, DOC-3139, and DOC-3186.
September 28, 2021   Updated for DOC-3142.
September 16, 2021   Updated for DOC-3139, DOC-3142, and PLATDOCS-695.
September 13, 2021   Released Console 3.0.54 and Platform 7.5.2.3474 to Ring 2.
September 9, 2021    Updated for DOC-3086, DOC-3075, DOC-2983, DOC-3074, DOC-3090, DOC-2640.
August 31, 2021      Updated for DOC-3011.
August 25, 2021      Updated for PLATDOCS-1026, DOC-2934, DOC-2845, and DOC-2959.
August 19, 2021      Updated for DOC-2999 and PLATDOCS-426.
August 17, 2021      Updated for DOC-2746.
August 6, 2021       Updated for DOC-2947 and PLATDOCS-1014.
July 30, 2021        Updated for DOC-2847, DOC-2935, and DOC-2925.
July 27, 2021        Added security exclusions for Tanium Gateway Service and Tanium Reporting Service.
July 15, 2021        Updated for DOC-2884.
July 13, 2021        Updated for PLATDOCS-971.
June 29, 2021        Released Platform 7.4.6.1038.
June 28, 2021        Updated for DOC-1789, DOC-2646, DOC-2807, PLATDOCS-802.
June 11, 2021        Updated for DOC-2745, DOC-2738, DOC-2572, and DOC-2782.
May 7, 2021          Updated for DOC-2622.
April 22, 2021       Updated for DOC-2617.
April 21, 2021       Republished for Documentation site redesign.
April 13, 2021       Released Platform 7.4.5.1200.
April 6, 2021        Released Console 2.1 to Ring 2.
March 4, 2021        Updated for DOC-2423, DOC-2453, DOC-2388, DOC-2417, PLAT-10037.
February 9, 2021     Released Platform 7.4.4.1362.
February 8, 2021     Updated table numbering.
January 28, 2021     Updated title page to show Tanium logo.
January 20, 2021     Added Internet URLs for Enforce.
December 23, 2020    Updated for PLATDOCS-482, PLATDOCS-735, PLATDOCS-741, COMPLIANCE-5137.
December 8, 2020     Updated for PLATDOCS-271, PLATDOCS-493, PLATDOCS-689.
November 20, 2020    Updated for DOC-2194, DOC-2170.
November 2, 2020     Released Tanium Core Platform 7.4.4.1250.
October 29, 2020     Updated for PLATDOCS-614.
October 27, 2020     Removed taas-only condition from references to the Impact module.
October 13, 2020     Released Platform 7.4.4.1226.
October 9, 2020      Added Enforce (TaaS only) to the OS Support matrix and Security Exclusions.
July 16, 2020        Republished for Platform 7.4.3.1242 and Console 1.4.3.0135.
June 30, 2020        Republished for TaaS GA release.
June 16, 2020        Republished for Platform 7.4.3 release.
May 14, 2020         Updated for Interact 2.1.5.
May 12, 2020         Updated security exclusions for Deploy, Patch, Protect, Asset, Client Management, Integrity Monitor, and IR.
April 15, 2020       Updated for PLATDOCS-501: KeyUtility arguments.
April 3, 2020        Updated security exclusions for Deploy and Patch.
April 2, 2020        Updated security exclusions for Patch and updated content pack names (Default Content and Core Content).
March 31, 2020       Updated for PLATDOCS-406 (Tanium Client Management GA release) and support for Tanium Client 7.2.314.3632.
March 19, 2020       Updated for PLATDOCS-494, DOC-1384, DOC-1454.
March 13, 2020       Updated for PLATDOCS-492.
March 11, 2020       Updated for PLATDOCS-437.
February 25, 2020    Released 7.4.2 (common module import feature).
February 11, 2020    Updated security exceptions for 7.4.
February 6, 2020     Released 7.4 GA for the Tanium Client.
January 28, 2020     Released 7.4 GA for Tanium Core Platform servers.
December 4, 2019     Updated for DOC-1326.
November 18, 2019    Corrected the order of links to the module processes in the Security Exclusions topic.
November 15, 2019    Republished for 7.4 Limited Availability release.
November 12, 2019    Updated for DOC-1293, DOC-1274, DOC-1272, DOC-1222, DOC-1276.
October 15, 2019     Added security exclusions for the Performance module.
October 9, 2019      Updated for PLATDOCS-346, PLATDOCS-343, PLATDOCS-315, PLATDOCS-357, DOC-1170, DOC-1113, DOC-940, DOC-1199, DOC-1253.
September 20, 2019   Updated for DOC-1242.
August 20, 2019      Updated for PLATDOCS-300.
July 17, 2019        Updated the Host Security Exclusions topic and added list of links (to module guides) in the Tanium Network Ports topic.
July 2, 2019         Updated for 7.3-Next.
May 21, 2019         Updated appliance TLS procedures for Zone Server and added a note to SOAP certificate replacement procedures to restart module services after redoing the Module Server registration.
April 19, 2019       Moved Internet URL list to a separate topic.
April 16, 2019       Initial release.