When log0.txt reaches the maximum size again after that, the client compresses log9.txt as a file named log10.zip. Client Management allows you to connect directly to a Windows, Linux, or macOS endpoint. The Tanium Client also checks hourly, or immediately upon resetting, whether any corresponding Action_ directories have expired, and deletes them if they have. right hand side filter. Review the list of packages and sensors and click, Select the endpoints from the results and click. Action history logs provide a longer history of which actions a managed endpoint has run, but without the CLI output and other details. This article will cover the most common scenarios for getting data out of Tanium. outgoing questions since this is how the client determines whether or not a user has the The Module Server might be blocked from initiating a connection to the target endpoint by a firewall. For more information about using client health features in Client Management, see Monitor the client health overview in Client Management and Access detailed client health and troubleshooting information on an endpoint. From the Client Management menu, click Client Health. By checking the version of the Tanium Client installed on your Linux machines, you can ensure that the version is secure and up-to-date, and that your network is protected from potential risks. trickling in from endpoints beyond 30 seconds, then it is advised that the REST API be Filter the list as necessary to help locate the endpoint. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information. Please review the Integration Methods article to help select which method is best suited to your use case. After reaching the 10MB threshold, the client archives the oldest logs as ZIP files before adding new logs as plain-text files.
The general steps are as follows: Users cannot see that the Tanium Client is allowed in the firewall unless you provide those users access to the Tanium Client installation directory. you can cache the results for offline systems. The selected logs and artifacts are gathered from the endpoint. Be aware that because saved questions only return results from endpoints that are currently In the Dashboards section in Interact, click Control Service State Permissions to issue the dashboard question. Using the following commands, you can relocate a Tanium Client installation on Solaris. For each with a REJECT all rule, run the following command, where is the line number of the rule. Click a tab to view the detailed client health information for the endpoint. You can save Client Management logs as a ZIP file that you can download with your browser. Tanium Client is installed as a system service on Linux endpoints. For additional macOS information, see the following sections: The Tanium Client is installed as a system service on macOS endpoints. It is crucial to maintain accurate clock synchronization between the VDAs, Delivery Controllers, and domain controllers. Select the Endpoint Connection option from the Direct Connect Overview page's settings. Some sensors, described as Parameterized Sensors, require When you configure a firewall rule or System Preferences through a policy or profile, the specific steps depend on your UAMDM. Go to Administration > Configuration > Client Status to go to the page. To get the values returned by In the Domain section, select the category or Tanium Solution for which you want to gather troubleshooting information. This set of results is available for saved questions only. To remove sensors from quarantine through the operating system CLI on the endpoint, perform the following steps: The output displays the number of sensors removed from quarantine. As in the case of a new installation, wipe all client data as if it were new.
For more information, see Access individual endpoint logs in Client Management. The following subsections list example commands for managing Linux firewalls based on default distributions of Linux. left hand side will execute at all. For example, if you deploy a package that has five files, the Tanium Client places each file in the Action_ directory after it finishes downloading. In this article, we'll cover the steps to check the version of the Tanium Client installed on your Linux machines. Parameter values (the logs identify parameterized sensors as temp sensors), Number of answer strings and associated hash value, Access the operating system CLI on the endpoint and change directory (, From the Main menu in the Tanium console, go to. As sensors are scripts executed on the endpoints, they consume To disable UAC remote restrictions, add the following value to the Windows registry and restart the machine: Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System; Data type: REG_DWORD; Value name: LocalAccountTokenFilterPolicy; Value data: 1. 2016-11-28 14:12:37 +0000|Command Completed. This section provides information about the following activities to manage the Tanium Client on macOS: Manage pop-ups for Tanium Client upgrades, Manage the Tanium Client service on macOS, (Non-Windows only) Manage custom tags in the CustomTags.txt file. The process of rolling logs whenever log0.txt reaches the maximum size continues until 10 logs exist: log0.txt to log9.txt. endpoint itself, but some sensors are more costly than others. The protocols that the client uses to communicate with Tanium Cloud or the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, and digital signing prevents an attacker from causing the client to run sensors or packages that Tanium Cloud or the Tanium Server did not issue. You can specify the IP address or full domain name of the Tanium Server.
The Tanium Console displays the Action ID in the Action > Action History and Action Status pages (see Tanium Console User Guide: Deploying actions). On the macOS endpoint, open Terminal and use the listed launchctl commands to complete the following actions: sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist, sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist. This will impact the size of the response received by the Tanium server. Tanium is a registered trademark of Tanium Inc. All other trademarks herein are the property of their respective owners. The must match the sensor name that the Tanium Console displays with respect to capitalization and spaces. Finally, indicate if your installation uses a non-default installation directory for the Tanium Client. Leveraging this After you enable quarantine enforcement, Tanium Clients do not answer questions that use quarantined sensors and those sensors do not run for actions. A restart of the endpoint or Tanium Client service is not required. In the StateProtectedFlag client setting, enable encryption of the client's state and sensor queries stored on the client. The browser displays the hash value associated with the sensor. Stop the Tanium Client service. To verify that the endpoint can communicate with port 17472 on a Tanium Cloud FQDN, use one of the following commands: Windows PowerShell: Test-NetConnection -ComputerName -Port 17472, Non-Windows: nc -vz 17472. Tanium Support is your first contact for help when troubleshooting the initial deployment and for optimizing the speed and scale of your deployment as the number of managed endpoints grows. The default installation directory for Tanium Client files is /opt/Tanium/TaniumClient. Tanium provides endpoint visibility at unmatched speed and scale. With Tanium Client Linux, you can quickly and easily deploy and manage software patches, updates, and configurations, as well as detect, diagnose, and remediate security threats.
To remove a sensor from quarantine through the operating system CLI on the endpoint, perform the following steps: Enter the following command to see the hash values associated with quarantined sensors. This section identifies resources that you can use when troubleshooting issues with the Tanium Client and with Client Management. Client status can be found on the System Status page in Tanium Core Platform 7.4.2. Risk Score or latest Compliance Assessment, Tanium is the best source. Contact Tanium support before you uninstall Client Management. You can use Client Management to directly connect to an endpoint and retrieve action history logs. If the Tanium Client service, process, or installation directory does not exist, reinstall the Tanium Client. With its powerful automation capabilities, Tanium Client Linux can save your IT team valuable time and resources. Enter the following command, where is the hash associated with the sensor that you want to unquarantine: If you modify a sensor, Tanium Clients that receive its new definition automatically remove that sensor from quarantine. Credentials must be active and not disabled. On Windows infrastructure, Tanium Client Management records service logs in the client-management.log file in the \Program Files\Tanium\Tanium Module Server\services\client-management-files directory on the Module Server. For increased security, configuring a firewall rule to prevent the connections pop-up is preferable to configuring the System Preferences. Additionally, Tanium's endpoint security capabilities are fully supported on Linux systems. By default, the iptables utility for managing the firewall is not configured on Amazon Linux AMI (2016.09, 2017.09, 2018.3) or Amazon Linux 2 LTS. Users with the Administrator reserved role have this permission.
For more information about the Client Status page, see Verify or remediate Tanium Client peering and leader connections. This is equivalent to left-side filters in Tanium Questions. You can review or reset the public key to help resolve connection issues that are related to an invalid key. The Settings dialog box can be used to modify the retention of deployment history from the Client Management Overview page. Server stores the results of saved questions for seven days by default. Make sure that the command returns licenses for the appropriate servers or Tanium Cloud instances, the status for each server or Tanium Cloud instance is trusted, and the fingerprint for each license matches the fingerprint on the server or in Tanium Cloud. The client files are located in the /Library/Tanium/TaniumClient directory. Since no Error was NT_STATUS_CONNECTION_DISCONNECTED. (Salesforce deployments only) The Registration Error column provides additional information if the client failed to register. Make sure the endpoint has enough available space on the disk or partition where the client is installed. Check both the target endpoint firewall and network device firewalls. The following table lists the commands for managing firewall rules for versions 5.x and 6.x of CentOS, Oracle Linux, and Red Hat Linux. assigned for management rights; it makes the questions get very long. From the Main menu, go to Administration > Configuration > Client Status. More unique data The selected logs and artifacts are gathered from the endpoint. The installation method can also be used to obtain and install the client on endpoints.
For more information, see Deploying the Tanium Client using Client Management and Deploying the Tanium Client using an installer or package file. For additional Solaris information, see the following sections: The Tanium Client is installed as a system service on Solaris endpoints. For the steps to download the tanium.pub file from the Tanium Server, see Tanium Console User Guide: Download infrastructure configuration files (keys). used to do the live Question. A network security administrator must ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the port that the client uses for peer Tanium Client traffic (default 17472). See. and can return results from offline machines. Not all data from Tanium Sensors has been incorporated into the GraphQL Schema and not all Click the tab that contains the information that you want to view. The default maximum log file size is 10MB. Completion does not indicate success. If you need Software Installation and Utilization information or historical data from endpoints older than 30 days, This process ensures that the endpoint does not consume more disk space than necessary for Tanium actions. Hiding the Tanium Client from the Add/Remove Programs list helps to reduce accidental uninstallations and casual tampering by end users. Move the Tanium Client to a new directory. When the action finishes running, the log records a completion entry under the standard output capture of the action. Questions are composed of the primary clauses get and from. Work with your network administrator to resolve the issue. When Finished appears in the Run State column, select the package and click Download to download a ZIP file that contains the troubleshooting information.
Computer Groups - Whatever Computer Groups are assigned to a user for management rights If the Tanium Client fails to connect or register with Tanium Cloud, the Tanium Server, or Zone Server, does not establish the expected peer connections, or fails to respond to questions, review the Tanium Client logs, and check the following items. In the Dashboards section in Interact, click Hide From Add-Remove Programs to issue the dashboard question. For Deployment Package, leave Client Service Hardening - Hide Client from Add-Remove Programs selected. You can perform this task for multiple endpoints by configuring a policy or profile through a User Approved Mobile Device Management (UAMDM) tool. Logs and other artifacts from a connected endpoint should be collected. Quarantines are useful for limiting the impact on endpoint resources, such as CPU utilization, when questions and actions use excessively long-running sensors. In this case. If you're an IT administrator, knowing how to check the version of the Tanium Client installed on your Linux machines is an important part of keeping your systems up-to-date and secure. by reading the introduction to Asking Questions found here. the question. In the Dashboards section in Interact, click Set Client Directory Permissions to issue the dashboard question. For Deployment Package, select Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory. only restricted by the user's assigned Computer Groups for management rights. It allows searching for sensors you want to run and prompts for any required or optional Multiple sensors can be used within questions, varying in complexity and in the level (Optional) Reset the key with a new tanium-init.dat file. Querying Tanium found here. The process to roll the logs whenever sensor-history0.txt reaches 1MB continues until 10 logs exist: sensor-history0.txt to sensor-history9.txt.
Tanium Cloud's protocols are intended to be secure and prevent rogue sensors and actions from taking place. Question syntax supports these parameters being passed inline. In the case of this question, we can see that the computer name can be found by querying the The following example shows a Tanium Client installation directory that includes a custom tag named Lab: After you add custom tags, you can use them to create a computer group as follows. The Tanium Client service is signed to automatically allow communication through the default macOS firewall. Add or edit the EnableSensorQuarantine setting on the Tanium Clients for which you want to enable or disable quarantine enforcement. It is compatible with both Red Hat Enterprise Linux and Ubuntu. MDM can be found in the macOS Developers Guide (only for macOS 11.10). The error message Network Config Timed Out or Failed to download netconfig at startup commonly appears when a Tanium Client fails to connect or register with Tanium Cloud, the Tanium Server, or Zone Server. It is quite common to determine a set of data you want to export via a Question and then need If the sensor output does not include a value meeting the left hand side filter condition,
Network connectivity, ports, and firewalls, Tanium Server port (if the port is not specified in, Proxy auto configuration (PAC) file (where used), Review the Tanium Client Management service logs if you used that service
to deploy the clients: see, Make sure the endpoint has enough available space on the disk or partition where you are installing the client: see. Tanium Sensors return data that is appropriate to store in TDS. This documentation provides examples but is not a reference for each Linux distribution. points will consume more resources. The action log contains the CLI output associated with the action command. Versions that use the systemd daemon (all distributions), AlmaLinux / Rocky Linux (all supported versions), Versions that use the init daemon (Debian-based distributions), Versions that use the init daemon (RPM-based distributions). You require read-only access to the /Library/Tanium/TaniumClient directory to perform this task. It provides comprehensive security, compliance, and configuration management capabilities across physical, virtual, and cloud-based Linux systems. For more information, see View the status of Tanium Client registration and communication. The troubleshooting information for connection and registration issues can be found in Troubleshoot issues with connection and registration. than Saved Questions, the API Gateway uses a GraphQL API to allow structured queries that If the connection fails, work with your network administrator to make sure that communication on port 17472 (or the otherwise configured custom port) is allowed by any firewalls and other security applications. In the Direct Connect search box, enter all or part of an IP address or a computer name. You can learn more about the hardware requirements by visiting Hardware Requirements. centerpiece of the question. For information about where to find this log, see Tanium Core Platform Deployment Reference Guide: TDownloader logs. Even if a deployed package has no associated package files, the Tanium Client creates an empty Action_ directory for it.
As necessary, Tanium Support can help adjust Tanium Client-related settings, including: If you require further assistance from Tanium Support, include Tanium Client and, if applicable, Tanium Client Management version information for Tanium Core Platform components and, if applicable, Tanium Client Management. found here. In this case, the Tanium Client uses the quarantined status just to record that the sensor timed out. A network security administrator must ensure that host and network firewalls are configured to allow inbound and outbound TCP traffic on port 17472 and the port that the client uses for peer Tanium Client traffic (default 17472). The Tanium Client removes action logs from its host after a configurable interval (see Action log and package cleanup). evaluated next. If the endpoint does not appear in the current list, select Show systems that have reported in the last, and adjust the time period to determine if the endpoint has previously reported. Go to Administration > Actions > Scheduled Actions, select Default for the Action Group, and review the actions that are scheduled to run. Run the listed commands to complete the following actions: Use the following command to stop the Tanium Client service: Create a symbolic link, and set the PKG_NONABI_SYMLINKS environment variable to true. Client credentials are the names and passwords that are required to access a target endpoint. collection, go to the Interact Module workbench and select the Gear Icon at the top Log messages for the deployment contain the following message: Deployment Result Generated: All n connection attempt(s) resulted in no response from the target. In some cases, enabling the Tanium Client to answer questions that use quarantined sensors might be more important than limiting the impact that long sensor run times have on the resources of an endpoint.
Use the following testing techniques to check the ports: You use a non-default Administrator account, or you use the default local Administrator account with the, Verify the client configuration and deployment settings. To resolve client extension failures, see the following sections: You can directly connect to a Windows, Linux, or macOS endpoint from Client Management to view detailed client health information and to access and collect information that can be useful for troubleshooting. Checking the Tanium Client status in Linux is a relatively simple process. Save your changes and restart the iptables service. For Deployment Package, select Client Service Hardening - Allow Only Local SYSTEM to Control Service. From the Client Management Overview page, download the installation package for the OS of the endpoint. In addition to providing detailed client health and troubleshooting information, an endpoint provides this information. Examine the Tanium Client installation log on the endpoints. We'll also discuss the importance of keeping the Tanium Client up-to-date and how to upgrade it if necessary. To avoid seeing [no results], a right side filter is also needed. If the left side filters are false, [no results] is returned, because On a Linux endpoint, you can move the Tanium Client if the partition where it is installed does not have enough free space. In the Name column, click the name of a deployment. To send information to Tanium for troubleshooting, collect logs and other relevant information. If the client is a server, the host and network firewalls must be configured to allow outbound and inbound TCP traffic to flow through the port. To avoid such outcomes, make the target clause as specific as possible and do not use negative matching conditions such as not equals true. If the route cannot be completed, work with your network administrator to resolve the issue.
Make sure the endpoint has enough available space on the disk or partition where you are installing the client: see Hardware requirements. After all five files download, the action status changes from Preparing Files to Running on the Action Status page. During this phase, the action log notes that the action is currently running. You can use Client Management to directly connect to an endpoint and view and download individual logs. The Client Service Hardening dashboards in Interact provide easy access to review and manage access restrictions for the Tanium Client. The Tanium Client removes Action_ directories from its host after a configurable interval (see Action log and package cleanup). The server stores the results for 30 days is a script that runs on an endpoint to compute a response to a Tanium question. Gather: Collect a bundle of logs and other artifacts from a connected endpoint to help resolve issues. For more information, see Access individual endpoint logs in Client Management. The logging level is configurable (see LogVerbosityLevel1). here. Each time the Tanium Client receives an action message with an instruction set to execute, the client creates an action log file named Action_.log, where is the action identifier. you could also consider registering your sensors for harvest by TDS and receiving data from For IPv6, use the ip6tables command. For more information, see Tanium Direct Connect User Guide: Configure Direct Connect and Tanium Console User Guide: Managing action locks. To filter the available logs and artifacts, click a button in the Domain section. For sensors that are harvested by TDS, you can use sensorReadings with If you need Check the user name provided with the credentials. unregistered. PKG_NONABI_SYMLINKS=true Tanium Client is installed as a system service on the Solaris operating systems endpoints. from answering the question that do not match the filter. 
If you are not already familiar with installing and managing services on your target Linux distribution, review the documentation for the particular Linux operating system before you begin. Additionally, you can enter the command taniumclient status in the terminal window to view the Client's current status. Recall that a user's computer groups is the main filter that gets added to every single Optional client hardening features are provided by the Client Service Hardening content pack and the StateProtectedFlag client setting. A more detailed description of TDS, and how to configure the collection of its data collection This will block machines You can find the status of your client by going to Administration > Configuration > Client Status. Logs can be viewed and downloaded from a linked computer. The content pack also includes saved questions and scheduled actions that relate to the deployment of the Tanium Client. Interact is a core part of Tanium and all customers will have access to this module. The log rollover process is as follows: The Tanium Client creates a new action-history0.txt file whenever an action runs. The Tanium Client stores sensor history logs in the /Logs directory. However, the Tanium Client is a traditional Win32 application on Windows. Each endpoint's installation directory must be located on a local drive with a fixed path. Verify the Zone Server deployment Use the Tanium Client Management service to deploy the Tanium Client to a client in your environment. For each relevant where port 17472 is present, run: sudo firewall-cmd --permanent --zone= --remove-port=17472/tcp. When a package does not seem to work after you deploy it through an action, review action logs and the files associated with the action to help troubleshoot. The Tanium Client stores any files that are required to deploy an action package in Action_ID directories.
Note that even after you remove the sensors from quarantine, if they exceed the timeout in a future question, the Tanium Client will then stop the sensors and quarantine them again without answering the question. Regardless, you should never create an integration that is querying live endpoints every few minutes for data. (Optional) Select a Computer Group to filter the summary information. For additional Windows information, see the following sections: The Tanium Client is installed as a service with a Startup Type set to Automatic on Windows endpoints. or SOAP? This encryption is not required for the security of the Tanium Client, but it might be required for compliance with certain regulations. Hosting the Linux VDA as a virtual machine (VM) can cause clock skew problems. You cannot connect to endpoints with action lock turned on. To connect to endpoints with action lock turned on, you must enable the Bypass Action Lock setting in Direct Connect. In this case, Windows endpoints on which the Is Windows sensor is quarantined would match the condition not equals true because their response would be TSE-Error: The sensor is quarantined rather than true. The client installation process does not modify any host-based firewall that might be in use. Logs: View and download logs from the connected client. online, you may need to schedule Connect to deliver the results to you frequently so that If you put a user with elevated privileges in charge, you can install the Tanium Client.