Ubuntu Patch Management with Tanium

I have more than a dozen Ubuntu servers that perform various jobs.  Some of these systems are considered “production” and keeping the installed packages up to date is extremely important.  For this article I want to discuss how I am upgrading the installed packages on these systems using the Apt-Get utility and the Tanium platform.

I have built a collection of content that was published on the Tanium Community website.  This solution includes multiple sensors, packages and other types of content called Ubuntu Package Management.

Download and Import Content

Visit https://community.tanium.com/repo/solution/192 and click the “Download” button after logging into the Tanium Community website.

Log into your development infrastructure’s Tanium Console, then browse to Authoring->Import Content and select the downloaded XML file to complete the import process.  It is safe to overwrite any existing sensors, as the only one I am using that is not original content is the Operating System sensor.


Dashboard Tour

Now we move on to actually using this content and keeping the packages on your Ubuntu systems updated.  On the “Home” tab of your Tanium Console, a new dashboard link appears under the “Other Dashboards” block.


A few saved questions will appear… the left pane shows all packages within your environment that have available updates.  The right pane will list all of the Ubuntu computers you have within your environment.


Available Actions

There are currently two available packages/actions included with the solution pack.  The first is accessible by right clicking on one or more of your Ubuntu systems in the right pane and the default action is Reboot Ubuntu Machine.


The second action is closely tied to the Ubuntu Available Patches sensor, as it takes the selected result of that sensor to launch the action.  Thus in the left pane, right click on one of the packages and choose Upgrade Available Ubuntu Package.


There are other handy actions you can take.  Right clicking on one of the computers, you can drill down into the Ubuntu Available Patches and a list of packages for that one system will appear…Then you can deploy or upgrade a single package from there.  Further right clicking on the computer provides you with the ability to Upgrade All Ubuntu Packages, if that is preferable.
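The per-package view described above can be reproduced on a single host from apt-get's simulation mode. The following is an added example, not the solution pack's sensor code; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not the solution pack's sensor code.

# pending_upgrades: read `apt-get -s upgrade` output on stdin and print
# "package|installed|candidate|security" for every package apt would upgrade.
pending_upgrades() {
    awk '$1 == "Inst" {
        pkg = $2; cur = "-"; i = 3
        # Upgrades carry the installed version in [brackets]; new installs do not.
        if ($3 ~ /^\[/) { cur = $3; gsub(/\[|\]/, "", cur); i = 4 }
        cand = $i; gsub(/[()]/, "", cand)
        # The origin list names the archive pocket, e.g. trusty-security.
        sec = ($0 ~ /\/[a-z]+-security/) ? "yes" : "no"
        print pkg "|" cur "|" cand "|" sec
    }'
}

# security_upgrades: names of the packages whose candidate is a security fix.
security_upgrades() {
    pending_upgrades | awk -F'|' '$4 == "yes" { print $1 }'
}

# Constructed sample of `apt-get -s upgrade` output (versions are made up).
sample_apt_output() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  bash libssl1.0.0 tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst bash [4.3-7ubuntu1] (4.3-7ubuntu1.1 Ubuntu:14.04/trusty-security [amd64])
Inst libssl1.0.0 [1.0.1f-1ubuntu2] (1.0.1f-1ubuntu2.1 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Inst tzdata [2014b-1] (2014e-0ubuntu0.14.04 Ubuntu:14.04/trusty-updates [all])
Conf bash (4.3-7ubuntu1.1 Ubuntu:14.04/trusty-security [amd64])
Conf libssl1.0.0 (1.0.1f-1ubuntu2.1 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Conf tzdata (2014e-0ubuntu0.14.04 Ubuntu:14.04/trusty-updates [all])
EOF
}

sample_apt_output | pending_upgrades
```

On a live system, `apt-get -s upgrade | pending_upgrades` gives the same view; the result is only as current as the last package list refresh.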

Setting up Scheduled Actions

The Tanium Community site does not allow for the sharing of Saved Actions on purpose.  Thus these must be set up manually.  The first one I’d like to set up downloads the available package update definitions on a daily basis.  Since most of my systems are online 24×7, having this action run at least once a day is perfect.  To accomplish this, ask the following Tanium question:

Get Is Ubuntu from all machines

It uses the Is Ubuntu sensor which returns one of two answers for your entire infrastructure… True or False.  Right click on the True and deploy the Update Ubuntu Package Definitions package.


I would like this action to occur daily on all of my Ubuntu computers… thus I will be setting up a scheduled action.  I have decided to have the action run between 4am and 5am daily so when I start working and want to check my package status, I have the latest data.


Please note that the Action Group is “Ubuntu”.  This is because I have set up an action group that only includes my Ubuntu systems, which I’ve targeted with my “Ubuntu Computers” computer group.



Using the Tanium platform to manage your enterprise is extremely easy.  With a little bit of work and understanding you can put together a solution to accomplish nearly anything you want.


Tanium Client Deployment Tool

I have recently stood up a half-dozen virtual servers in a new home lab I am building to complement my home office.  This means I want to get the Tanium Client installed onto these endpoints.  Rather than do it manually, I’m choosing to use the Tanium Client Deployment Tool and install them remotely from my Windows workstation.  At the time of this writing v5.0.0.6 was the latest and has a few essential features required for installing the agent onto my new non-Windows systems.

Installing the Tool

Installation of the Client Deployment Tool is relatively straightforward.  Assuming the default installation directory is acceptable, launch the installer and click “Install”.




Initial Tool Setup

Once you launch the tool there are a few things that need to happen.  First, the tool itself will prompt you to download the very latest agents for the various OS platforms Tanium supports.  Allow that to happen…



Next we will need to point the tool at our server infrastructure in two ways… First by pointing the utility at our tanium.pub file.  This file can be found in the Tanium Server root folder on the server.  Second we’ll need to specify the hostname or IP address of the server we will be pointing endpoints at.  This second value could be the hostname or IP address of a zone server or even an alias that functions differently inside and outside your network.  Lastly if you chose to use a port number other than the default 17472, you’ll need to specify that now.

Install the Agent

For this article we will deploy the Tanium Agent to one of my new Ubuntu 14.04 LTS virtual servers.  My user account on that box has sudo permissions and that is required in order to install new software.


Next we will specify a single endpoint to deploy to.  To do that we change the lower-left tabs to “Computer List” and type in the hostname of the targeted endpoint.  Then change the very bottom left dropdown to “Linux_Mac_Only” to avoid unnecessary timeouts from trying a Windows connection, and hit the “Analyze” button.


If all works well our tool will report back “Client not installed”.  Select that row and click “Install”. 


All done… The client deployment was successful.  To validate, we can simply log into the Tanium Console and check Administration->System Status to see our new endpoint listed and reporting in.


In Conclusion

The Client Deployment Tool is a great utility for getting the Tanium Agent installed on your endpoints fast.

Creating OpenVPN Server and Setting up OpenVPN Clients

I recently set up a remote office that houses my huge Virtual Host machine and wanted private/encrypted access to that network from wherever I am.  Thus I turned to OpenVPN as a solution after a little bit of research (see this BestVPN Article).  This article covers the basics of setting up an OpenVPN server on an Ubuntu server sitting behind a NAT firewall.

Let’s start on the Ubuntu Server…
Enter root first…

$ sudo su

Setup OpenVPN Server

Starting with a Ubuntu computer you’d like to make the OpenVPN Server… Install OpenVPN and Easy-RSA

$ apt-get install openvpn easy-rsa -y


The first thing to know about OpenVPN is we’ll be setting things up to use certificates.  It is the most secure method and requires you to manually distribute the client certificates and configuration files.  The method you choose determines the security.  Most secure is to hand deliver the certs on an encrypted thumb drive.

Certificate Authority

To set up your own Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and multiple clients, first copy the easy-rsa directory to /etc/openvpn.

$ mkdir /etc/openvpn/easy-rsa
$ cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ vi /etc/openvpn/easy-rsa/vars

Then change the values to match your country, state, city, mail ID, etc.

export KEY_COUNTRY="CountryCode"
export KEY_PROVINCE="MyStateOrProvince"
export KEY_CITY="MyCity"
export KEY_ORG="Organization Name"
export KEY_EMAIL="vpn@example.com"
export KEY_CN=MyVPN
export KEY_OU=MyVPN

Enter the following to generate the master Certificate Authority (CA) certificate and key:

$ cd /etc/openvpn/easy-rsa/
$ cp openssl-1.0.0.cnf openssl.cnf
$ source vars
$ ./clean-all

Run the following command to generate CA certificate and CA key:

$ ./build-ca

Server Certificates

Next, we will generate a certificate and private key for the server:

$ ./build-key-server server

Client Certificates

Each client will need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal while being user root:

$ ./build-key client

Generate Diffie Hellman Parameter

This is a unique key used for our VPN server. Enter the following command to generate the DH parameters.

$ ./build-dh

Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following command to transfer the above files to the /etc/openvpn/ directory.

$ cd /etc/openvpn/easy-rsa/keys/
$ cp dh1024.pem ca.crt server.crt server.key /etc/openvpn/

Client Configuration File

We need to copy and edit the client configuration file.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.ovpn

Edit the file client.ovpn:
$ vi /etc/openvpn/client.ovpn

Set the VPN server host name/IP address:

remote [public ip or hostname of your vpn server] 1194

Distributing Client Certificates

You must copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. In our case, we have generated certificates and keys to only one client, so we have to copy the following files to the VPN client.


You have to copy the above files to your VPN clients securely. Copy the keys with caution. If anyone gets ahold of your keys, they can easily intrude and get full access to your virtual private network.
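One way to stage a client's files for that hand-off, as an added example that is not part of the original article: it refuses to bundle a private key that group or other users can access, writes an owner-only archive, and records a SHA-256 checksum the recipient can verify. The function names are hypothetical, the file names follow the `./build-key client` step above, and `sha256sum` from coreutils is assumed; send the checksum over a different channel than the archive.

```shell
#!/bin/sh
# Added example: stage one client's OpenVPN credentials for hand-off.

# key_is_private FILE: succeed only if group and other have no permission bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# bundle_client NAME KEYDIR OUTDIR: write OUTDIR/NAME.tar and a SHA-256 file.
# Returns 1 and writes nothing if a file is missing or the key is exposed.
bundle_client() {
    name=$1 keydir=$2 outdir=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keydir/$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    if ! key_is_private "$keydir/$name.key"; then
        echo "refusing: $name.key is accessible to group/other" >&2
        return 1
    fi
    (
        umask 077    # the archive holds a private key: owner-only
        tar -cf "$outdir/$name.tar" -C "$keydir" ca.crt "$name.crt" "$name.key" &&
        cd "$outdir" && sha256sum "$name.tar" > "$name.tar.sha256"
    )
}

# verify_bundle NAME DIR: run by the recipient after the transfer.
verify_bundle() {
    ( cd "$2" && sha256sum -c "$1.tar.sha256" >/dev/null 2>&1 )
}

# Constructed demo: placeholder files stand in for real easy-rsa output.
demo=$(mktemp -d)
mkdir "$demo/keys" "$demo/out"
for f in ca.crt client.crt client.key; do
    echo "placeholder $f" > "$demo/keys/$f"
done
chmod 644 "$demo/keys/client.key"
bundle_client client "$demo/keys" "$demo/out" || echo "blocked: chmod 600 the key first"
chmod 600 "$demo/keys/client.key"
bundle_client client "$demo/keys" "$demo/out" && verify_bundle client "$demo/out" &&
    echo "bundle written and verified"
rm -rf "$demo"
```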

Configuring VPN Server

Copy the server.conf.gz file to the /etc/openvpn/ directory.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Extract the file using the following command:
$ gzip -d /etc/openvpn/server.conf.gz

Edit file server.conf,
$ vi /etc/openvpn/server.conf

Find and uncomment the following line to route client systems’ traffic through the OpenVPN server.

push "redirect-gateway def1 bypass-dhcp"

Also, uncomment and change the DNS servers to reflect your own DNS values. Here I am using Google public DNS servers.

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Uncomment the following lines:

user nobody
group nogroup

Save and close the file.
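A quick check that the edits above actually took effect, as an added example that is not part of the original article. The function names and the sample file are constructed; the DH size is inferred from the easy-rsa 2.x file naming (an assumption noted in the code), and the DNS address in the sample is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example: lint server.conf for the edits made above.

# Print active directives only; the sample file disables lines with ';' or '#'.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^[;#]/d' -e '/^$/d' "$1"
}

# report LABEL REGEX FILE: OK if an active directive matches REGEX, else FAIL.
report() {
    if active_lines "$3" | grep -Eq "$2"; then
        echo "OK   $1"
    else
        echo "FAIL $1"
    fi
}

# audit_server_conf FILE: print one finding per line.
audit_server_conf() {
    conf=$1
    report "redirect-gateway pushed" '^push[[:space:]]+"redirect-gateway def1 bypass-dhcp"' "$conf"
    report "DNS server pushed" '^push[[:space:]]+"dhcp-option DNS [0-9]+(\.[0-9]+){3}"' "$conf"
    report "drops to user nobody" '^user[[:space:]]+nobody([[:space:]]|$)' "$conf"
    report "drops to group nogroup" '^group[[:space:]]+nogroup([[:space:]]|$)' "$conf"
    # Assumption: easy-rsa 2.x build-dh names its output dh<KEY_SIZE>.pem, so the
    # file name hints at the size; `openssl dhparam -in FILE -text -noout` confirms it.
    dhfile=$(active_lines "$conf" | awk '$1 == "dh" { print $2; exit }')
    bits=$(printf '%s\n' "$dhfile" | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -z "$bits" ]; then
        echo "WARN dh size not evident from file name '$dhfile'"
    elif [ "$bits" -lt 2048 ]; then
        echo "WARN dh parameters are $bits-bit; below the common 2048-bit minimum"
    else
        echo "OK   dh parameters are $bits-bit"
    fi
}

# Constructed sample: server.conf with one edit from the article missed.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.0.2.53"
user nobody
;group nogroup
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_server_conf "$sample"
rm -f "$sample"
```

Run `audit_server_conf /etc/openvpn/server.conf` on the server itself; a FAIL on the user or group line means the daemon keeps root privileges after start-up.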

IP forwarding and routing Configuration

Edit sysctl.conf file,
$ vi /etc/sysctl.conf

Find the following line and set value “1” to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.
$ sysctl -p

Enter the following command to enable IP forwarding:
$ echo 1 > /proc/sys/net/ipv4/ip_forward

Start OpenVPN Server

Finally, start the openvpn service and make it start automatically on every reboot using the following commands:
$ service openvpn start

Verify that the VPN interface (tun0) was created using the ifconfig command:
$ ifconfig

Network Router Configuration

We need to do two things on your router and how you do them greatly depends on your router.  I’m assuming you have a hardware router hooked up to your DSL, Cable or other type of internet connection and you’re setting up a Ubuntu VPN server on the internal network and want to access other computers on that internal network once your remote clients have authenticated into the VPN tunnel.

1. Your VPN server should have an internal static IP address… We need to tell your router to route all traffic to your VPN server so when your VPN clients connect they can communicate with your internal network.

2. Open external port 1194 tcp and udp and point it at your VPN server’s internal static IP address.


Now we have the files needed to put on your clients, your server is all setup, and your router is configured correctly… it’s time to look at setting up clients.  I created a client certificate for each of my three workstations… each running a different OS:  Mac OS X, Ubuntu 14.04, and Windows 7.  I want to validate and connect into my VPN remote network from all three systems… but configuring their client is slightly different on each.  Below I go into details on setting each one up.

Ubuntu Client

I’ll assume you are using this system as a Ubuntu workstation/laptop and have a graphical interface… thus want to use Network Manager to connect in.  First we’ll need to install two items:
$ sudo apt-get install openvpn network-manager-openvpn

System Settings->Network->+ (hit plus in bottom left)
Choose VPN interface and hit Create
Select OpenVPN from the type list and hit Create
Specify the Gateway (public ip or domain name of your vpn server)
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.

Save that and you’re done.  You should now connect into your VPN and run a few ping and other tests. 

Mac Client

My primary laptop is a Mac, so let’s go there next.  Here you’ll need to install a VPN client application called TunnelBlick.  https://www.tunnelblick.net/

Once you’ve installed the application, you need to double-click on your client.ovpn file.  The ovpn file type was associated with Tunnelblick when it was installed, so the file will open there, allowing you to add that connection to your available list.  Once done, simply connect into the VPN and run your tests.

Windows Client

Visit http://sourceforge.net/projects/securepoint and download the windows OpenVPN client.
Launch the Securepoint SSL VPN client, double-click the tray icon when it appears, and select New.
Enter Name of your VPN Connection and hit Next
Enter the Public IP or Domain Name of your VPN server, the port you configured (default is 1194) and I prefer TCP connections due to reliability reasons… then hit Next
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.
Hit Next
Under Advanced Settings
– check the “Comp-LZO” checkbox
– uncheck the “Auth user/pass” checkbox
– leave all others at their Defaults
hit Next
Lastly hit Finish


All done… let me know if you have any questions below.

Installing DB2 Enterprise v10.1

Extract installer file…


Run Prechecks…


I already solved the first one… See below on how to disable SELinux on your RHEL system.


Below that, I’ll show you how to solve the missing packages so we can continue with DB2 installation






Fully Disabling SELinux

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labeling.

In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.

… and then reboot the system.

(thanks… http://www.crypt.gen.nz/selinux/disable_selinux.html)

Installing dapl…

On my ISO are the various RPM packages I’ll need.  Attempting to install dapl resulted in additional dependencies…


…installing libibverbs…


…installing librdmacm…


and finally… it works


Installing sg3_utils…

This seems to be a recurring theme any time I play with *nix boxes.. dependencies upon dependencies…


…installing libsgutils2 which refers to sg3_utils-libs…


and finally… it works


I was unable to find an sg_persist package… so I re-ran the db2prereqcheck script… and looks like it is included in one of the packages that were installed… and v10.1.0.0 is ready for installation!

Back to the installation:


After answering some basic questions like where to install, etc…  it finished!


To validate it is running… try this:

ps -eaf | grep -i db2sysc



To automatically start DB2 instance…

/opt/ibm/db2/V10.1/bin/db2iauto -on db2inst1


Installing Windows Server 2012

Recently I’ve had a need to setup a Windows Server 2012 and wanted to document the process for future attempts.

I won’t document every single screen, only those that involve decisions to be made or things to consider.







I’ll be using this server as a root server for my new IBM Endpoint Manager v9, so a GUI would be very handy during install and general maintenance of that application.



At first I wanted to go with a regular install… not Custom… so I chose the top option.


Turns out this is for upgrading an existing OS installation.  Since this is a brand new hard drive with no pre-existing OS, I should have chosen the “Custom” option.  After hitting Close, I was sent back to the very beginning of the installation.






Once I arrived at the startup screen… it hung there for nearly 30 minutes.  It turns out that the VMware ESXi v5.0 server I was setting this up on doesn’t support Windows Server 2012.  After some research I came across this article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2006859

I learned that I had to upgrade my VMWare ESXi server to a patch or v5.1… I opted for v5.1 and was able to get past this sticky part.








The server manager has been redesigned for the new GUI.  Interesting choices…




I don’t want this application to come up every time I log in… so choosing the Manager –> Server Manager Properties, I was able to check the “Do not start Server Manager automatically at logon”.


Now I need to add my new server to my LDAP domain.  Choosing “Local Server” from the left menu…


Click on “WORKGROUP” and the familiar computer properties dialog opens where you can change these settings.








One restart later I was able to log in and I’m done.

Installing Microsoft SQL 2012

Like many of my step-by-step articles, it’s mostly for corporate level documentation purposes.

I won’t describe every screen, only those that include important decision points that affect my particular use case.














The above dialog is warning me that the firewall does not allow remote database connectivity.  The command line below can be used to open up the SQL port.  The cmd prompt must be opened with administrative permissions for this to work.

netsh advfirewall firewall add rule name=SQLPort dir=in protocol=tcp action=allow localport=1433 remoteip=localsubnet profile=DOMAIN



This is one of those major decision points.  My purpose for this database is to house the newest IBM Endpoint Manager v9 database… nothing else.  So I only require a few items to accomplish this simple task.  The following items are needed for my particular use case:

  • Database Engine Services
    • Full-Text and Semantic Extractions for Search
  • Management Tools – Basic
    • Management Tools – Complete







In order to get IEM installed properly… an SA account is required. So I’ll configure the database authentication in “Mixed Mode” and specify a password for the SA account.








That’s all there is to it.  Installations are almost always straightforward… but some corporations require complete step-by-step documentation, so I hope this fits the bill.

Installing BigFix.me MDM onto your iOS devices.

The following step-by-step process demonstrates how to install/configure MDM on your iOS devices… iPhones, iPods, and iPads.

1. Visit https://bigfix.me using your mobile device.
2. Click "Continue to this website (not recommended)" if prompted.
3. Click the "SSL certificate" link towards the bottom.
4. Click the "Install" button on the "Install Profile" screen.
5. Click the "Install" button on the "Warning" screen.
6. If you have a password set, you will need to enter it now and hit "Done".
7. Click the "Done" button on the "Profile Installed" screen; you will be returned to Safari.
8. Enter your email address, choose the Device Ownership value and click the "Enroll" button.
9. Click the "Install" button on the "Install Profile" screen.
10. Click the "Install Now" button within the popup box.
11. If you have a password set, you will need to enter it now.
12. Click the "Install" button one more time for the "Warning" screen and you're done.
13. Click "Done" and you're all finished.