Retrieving Browser History using Tanium

There are many awesome solution packs available for use on the Tanium platform.  One of those solution packs is called Browser History.  It takes advantage of an awesome little utility from NirSoft called, not surprisingly, BrowsingHistoryView.  It reads the history data of four different Web browsers: IE, Chrome, Firefox, and Safari.

One of the talented engineers over at Tanium wrapped that utility up in content for use on the Tanium platform.  I will go over the basics of setting up and using that content in this article.

Importing Content

Everything with Tanium typically starts by importing content and the Browser History solution pack is no different.  Ask your TAM or contact support@tanium.com if you do not have the BrowserHistory.xml solution pack file.

Once you have that XML file, log into your console, browse to the Authoring tab, click the Import button, browse to the XML file and hit OK.


Modify Distribution Package

Since this solution pack requires a third-party utility, you must acquire it from the third-party vendor's website.  Browse to the very bottom of that page and download the 32-bit version.

Now that you have the utility, we need to modify the “Distribute Browser History Viewer” (https://community.tanium.com/repo/package/16) package.  Click the “Add Local Files…” button, find the downloaded BrowsingHistoryView.exe and add it to the package.


Edit:  It is entirely possible you are using a Tanium deployment that still has a self-signed SSL certificate.  This would prevent you from adding local files in this manner.  To work around that you have two options: the first is to install a trusted certificate on the server, which goes well beyond what this article is intended for.  The second is a lot easier but requires you to copy the file to the server.  We’ll explore that option here…

Place the BrowsingHistoryView.exe file into the following directory on the server.  I am calling out the default installation path, but yours may vary if you changed it during install.

C:\Program Files\Tanium\Tanium Server\Apache24\htdocs\file

Any file within that directory is accessible via the following URL:

https://hostname-of-server/file

Then you can add a URL like the following screenshot:


Distribute Package via Scheduled Action

To follow my personal best-practice of distributing software with a Has-Sensor and a Distribute-Package, I have put together a “Has Browser History Utility” sensor (https://community.tanium.com/repo/sensor/789) that is downloadable directly from the community site.  It is a basic sensor that simply checks the install folder and tells you whether or not the utility exists.  You can then schedule the “Distribute Browser History Viewer” package to all endpoints that report “No”.

Download and import the Has_Browser_History_Utility.xml by going to Authoring and clicking the “Import” button.  Then ask the following Tanium Question:

Get Has Browser History Utility[BrowserHistory] from machines where Operating System contains Win 

The answers you get back should be either Yes or No.  If you have never distributed the package before, likely you will receive all No answers.

Note: Unlike other articles, I have qualified the above Tanium Question by limiting the endpoints answering it to my Windows computers.  I am using the Operating System sensor, which is provided via the Initial Content solution pack.  This eases the work required on non-Windows endpoints, and since this particular utility only relates to Windows computers there is no need to involve my non-Windows systems.


I want to ensure the utility is there when I need it (when I ask for browser history), so I am going to reissue the action every hour.  Only computers that report “No” will launch this scheduled action, thus once 100% of my computers have received the utility, it won’t run unless a brand new Windows computer comes online.


Retrieving Browser History

Now that we have this solution all set up, it’s time to use it.  The purpose of this solution is to retrieve the web browsing history of computers within my environment.

Legal Notice:  This is very sensitive data and you must use caution when asking for something you might not be authorized to receive.  Pay particular attention to privacy laws in your country and the policies set up for your organization.

Ask the following Tanium-Question to retrieve browsing history data:

Get Computer Name and Browser History from machines where Operating System contains Win


I’ve redacted the personal information for my personal “organization”; however, it does show you enough to know how the Browsing History Solution Pack works.

Tanium Client Deployment Tool

I have recently stood up a half-dozen virtual servers in a new home lab I am building to complement my home office.  This means I want to get the Tanium Client installed onto these endpoints.  Rather than do it manually, I’m choosing to use the Tanium Client Deployment Tool and install them remotely from my Windows workstation.  At the time of this writing v5.0.0.6 was the latest and has a few essential features required for installing the agent onto my new non-Windows systems.

Installing the Tool

Installation of the Client Deployment Tool is relatively straightforward.  Launch the installer and click “Install”, assuming the default installation directory is acceptable.


Initial Tool Setup

Once you launch the tool there are a few things that need to happen.  The first is that the tool itself will prompt you to download the very latest agents for the various OS platforms Tanium supports.  Allow that to happen…


Next we will need to point the tool at our server infrastructure in two ways… First, by pointing the utility at our tanium.pub file.  This file can be found in the Tanium Server root folder on the server.  Second, we’ll need to specify the hostname or IP address of the server we will be pointing endpoints at.  This second value could be the hostname or IP address of a zone server, or even an alias that resolves differently inside and outside your network.  Lastly, if you chose to use a port number other than the default 17472, you’ll need to specify that now.

Install the Agent

For this article we will deploy the Tanium Agent to one of my new Ubuntu 14.04 LTS virtual servers.  My user account on that box has sudo permissions and that is required in order to install new software.


Next we will specify a single endpoint to deploy to.  To do that we change the lower-left tabs to “Computer List” and type in the hostname of the targeted endpoint.  Then change the very bottom left dropdown to “Linux_Mac_Only”, to avoid unnecessary timeouts from trying a Windows connection, and hit the “Analyze” button.


If all works well, the tool will report back “Client not installed”.  Select that row and click “Install”.


All done… The client deployment was successful.  To validate, we can simply log into the Tanium Console and check Administration->System Status to see our new endpoint listed and reporting in.


In Conclusion

The Client Deployment Tool is a great utility for getting the Tanium Agent installed on your endpoints fast.

Recovering License Keys with Tanium

Lately I’ve been exploring the content that is posted in the Tanium Community Repository and found an interesting content pack called License Key Recovery.  For the purposes of this article I will assume you already have a Tanium server set up and have a half dozen or more Windows clients reporting into this infrastructure.  In my case I’m using a personal lab deployment, Tanium Server v6.2.314.3258, that has various Windows, Mac and Linux endpoints located all around the state of Arkansas.

Acquire and Import the Content Pack

You’ll need the content pack XML, which is available from your assigned TAM; if you don’t have one, reach out to Tanium Support, I bet they’ll get you the help you need.  After you have the file, browse to Authoring and push the “Import Content…” button on the far right.  The import preview window should look something like this:


Update and Distribute Package

This content pack uses a third-party utility that is licensed separately from Tanium and can be downloaded/purchased from recover-keys.com; you’ll need the enterprise version, which includes the command line executable.  After acquiring the software, find the file named RecoverKeysCmd.exe.  The Recover Keys product also uses SQLite, which must also be downloaded separately from SQLite.org.  (Find the section called Precompiled Binaries for Windows and download the sqlite-dll-win32-x86…)

Edit the “Distribute Recover Keys Utility” package under Authoring->Packages and filter by package name.  Remove both the exe and dll from the Files list and add the newly acquired files by clicking “Add Local Files…” button.


Deploying the Utility

Included in the content pack is a saved action which automatically attempts to distribute the above package every two hours.  However, if you can’t wait that long and want to distribute it immediately, ask the following Tanium question:

Get Has Recover Keys Tool from all machines

Right click on the “No” answer and deploy the “Distribute Recover Keys Utility” for one time distribution… to all endpoints.  Any endpoint not currently online will receive the package command via the scheduled action within the content pack.


Retrieving License Keys

Everything is now prepared for the very fast and easy question you really want to know…

Get License Keys from all machines


In Conclusion…

Utilizing Tanium to take advantage of a third-party utility is extremely easy.  Break open the content by editing the packages or sensors and you will see exactly how simple it was to distribute the Recover Keys utility and retrieve its results.

CRITs use of MongoDB and starting automatically on Ubuntu

I recently was playing around with CRITs and followed their installation instructions closely (VERY HARD).  They could use some better install scripts to make things go smoothly, but what do you expect from a community project.

Anyway, I see in their documentation, when it gets to the MongoDB section, how to start it at the command line.  Getting past that worked well… but I’m wanting to set up a production-style instance, which requires the database to start automatically on boot.  Apache (which runs the CRITs UI) starts automatically by default, but their instance of MongoDB does not.  So I submitted a ticket… which quickly got squashed as “not their problem”.  While I agree this is not their problem, they do want people to use their product, right?  A few bits of documentation, or a “here’s a link to starting MongoDB automatically”, would have been helpful.  Well… I submit this as that link…

Create /etc/init.d/mongodb with the following info:

#!/bin/sh

### BEGIN INIT INFO
# Provides:          mongodb
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: MongoDB
### END INIT INFO

# Change the next 3 lines to suit where you installed mongod and what you want to call it
DIR=/usr/local/bin
DAEMON=$DIR/mongod
DAEMON_NAME=mongod

# Add any command line options for your daemon here.
# Do not add --fork: start-stop-daemon already backgrounds the process below and
# records its PID; a self-forking mongod would leave the pidfile pointing at an
# exited parent, so "stop" and "status" would no longer work.
# mongod's default dbpath is /data/db; add --dbpath if your data lives elsewhere.
DAEMON_OPTS="--logpath /var/log/mongodb.log --logappend --nohttpinterface"

# This next line determines what user the script runs as.
# Root is not recommended; prefer a dedicated unprivileged user (e.g. mongodb)
# that owns the dbpath and the log file.
DAEMON_USER=root

# The process ID of the script when it runs is stored here:
PIDFILE=/var/run/$DAEMON_NAME.pid

. /lib/lsb/init-functions

do_start () {
    log_daemon_msg "Starting system $DAEMON_NAME daemon"
    echo 0 > /proc/sys/vm/zone_reclaim_mode
    start-stop-daemon --start --background --pidfile $PIDFILE --make-pidfile --user $DAEMON_USER --chuid $DAEMON_USER --startas $DAEMON -- $DAEMON_OPTS
    log_end_msg $?
}
do_stop () {
    log_daemon_msg "Stopping system $DAEMON_NAME daemon"
    start-stop-daemon --stop --pidfile $PIDFILE --retry 10
    log_end_msg $?
}

case "$1" in

    start|stop)
        do_${1}
        ;;

    restart|reload|force-reload)
        do_stop
        do_start
        ;;

    status)
        status_of_proc "$DAEMON_NAME" "$DAEMON" && exit 0 || exit $?
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;

esac
exit 0

Change /etc/init.d/mongodb to executable:

sudo chmod +x /etc/init.d/mongodb

and configure it for startup:

sudo update-rc.d mongodb defaults

Now the MongoDB instance referred to in the CRITs documentation will start automatically on boot.

Dynamic DNS and Cloudflare

I am extremely happy with the services from Cloudflare, and with my minions project I wanted an easy way to know where they all were. So I did my research and finally narrowed down a way to use ddclient to update Cloudflare.

Installing DDClient to function with CloudFlare on Ubuntu 14.04 LTS

1. Create a DNS entry on CloudFlare.com for your FQDN… mycomputer.example.com or whatever you want.domain.com

2. Install perl and the required modules…

apt-get install perl libjson-any-perl libio-socket-ssl-perl

3. Download the latest ddclient files from the official project (http://sourceforge.net/projects/ddclient/); at the time of this writing…

wget http://downloads.sourceforge.net/project/ddclient/ddclient/ddclient-3.8.2/ddclient-3.8.2.tar.gz

4. Untar ddclient files…

tar -xzf ddclient-3.8.2.tar.gz
cd ddclient-3.8.2

5. Download the patch file from http://blog.peter-r.co.uk/cloudflare-ddclient-patch.html; at the time of this writing…

wget http://blog.peter-r.co.uk/uploads/ddclient-3.8.0-cloudflare-22-6-2014.patch

6. Apply the patch…

patch < ddclient-3.8.0-cloudflare-22-6-2014.patch

7. Install manually…

mkdir /etc/ddclient
mkdir /var/cache/ddclient
cp ddclient /usr/sbin/
cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf
cp sample-etc_rc.d_init.d_ddclient.ubuntu /etc/init.d/ddclient

8. Edit configuration and make it look like this: (make special note of where I put commas)

vi /etc/ddclient/ddclient.conf

daemon=300
syslog=yes
mail=root
mail-failure=root
pid=/var/run/ddclient.pid
ssl=yes

ssl=yes
protocol=cloudflare,
use=web
server=www.cloudflare.com,
zone=example.com,
login=your@email.com,
password=your-api-key-here
mycomputer.example.com,

9. Start the service…

service ddclient start

Then, to see what happened… logs are pushed into the syslog file… so tail that.

tail /var/log/syslog

10. To ensure ddclient runs at startup… do the following:

sudo update-rc.d -f ddclient remove
sudo update-rc.d ddclient defaults

It took a bit of research and troubleshooting to get this to work consistently… but hope this helps someone. Let me know if you have any questions.

Creating OpenVPN Server and Setting up OpenVPN Clients

I recently set up a remote office that houses my huge Virtual Host machine and wanted private/encrypted access to that network from wherever I am.  Thus I turned to OpenVPN as a solution after a little bit of research (see this BestVPN Article).  This article covers the basics of setting up an OpenVPN server on an Ubuntu server sitting behind a NAT firewall.

Let’s start on the Ubuntu Server…
Become root first…

$ sudo su

Setup OpenVPN Server

Starting with the Ubuntu computer you’d like to make the OpenVPN Server… install OpenVPN and Easy-RSA:

$ apt-get install openvpn easy-rsa -y

Certificates

The first thing to know about OpenVPN is we’ll be setting things up to use certificates.  It is the most secure method and requires you to manually distribute the client certificates and configuration files.  How you distribute them determines the security.  Most secure is to hand deliver the certs on an encrypted thumb drive.

Certificate Authority

To set up your own Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and multiple clients, first copy the easy-rsa directory to /etc/openvpn.

$ mkdir /etc/openvpn/easy-rsa
$ cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ vi /etc/openvpn/easy-rsa/vars

And change the values to match your country, state, city, mail id etc.

export KEY_COUNTRY="CountryCode"
export KEY_PROVINCE="MyStateOrProvince"
export KEY_CITY="MyCity"
export KEY_ORG="Organization Name"
export KEY_EMAIL="vpn@example.com"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN

Enter the following to generate the master Certificate Authority (CA) certificate and key:

$ cd /etc/openvpn/easy-rsa/
$ cp openssl-1.0.0.cnf openssl.cnf
$ source vars
$ ./clean-all

Run the following command to generate CA certificate and CA key:

$ ./build-ca

Server Certificates

Next, we will generate a certificate and private key for the server:

$ ./build-key-server server

Client Certificates

Each client will need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal while being user root:

$ ./build-key client

Generate Diffie Hellman Parameter

This is unique to our VPN Server; enter the following command to generate the DH parameter.

$ ./build-dh

Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following commands to copy the above files to the /etc/openvpn/ directory.  (The DH file is named after KEY_SIZE in vars; if you set KEY_SIZE=2048, which is the recommended minimum today, copy dh2048.pem instead of dh1024.pem.)

$ cd /etc/openvpn/easy-rsa/keys/
$ cp dh1024.pem ca.crt server.crt server.key /etc/openvpn/

Client Configuration File

We need to copy and edit the client configuration file.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.ovpn

Edit the file client.ovpn,
$ vi /etc/openvpn/client.ovpn

Set the VPN server host name/IP address:

remote [public ip or hostname of your vpn server] 1194

Distributing Client Certificates

You must copy all client certificates and keys to the remote VPN clients so they can authenticate to the VPN server.  In our case, we have generated a certificate and key for only one client, so we have to copy the following files to that VPN client.

ca.crt
client.crt
client.key
client.ovpn

You have to copy the above files to your VPN clients securely. Copy the keys with caution. If anyone gets ahold of your keys, they can easily intrude and get full access to your virtual private network.

Configuring VPN Server

Copy the file server.conf.gz to the /etc/openvpn/ directory.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Extract the file using the following command:
$ gzip -d /etc/openvpn/server.conf.gz

Edit file server.conf,
$ vi /etc/openvpn/server.conf

Find and uncomment the following line to route the client systems’ traffic through the OpenVPN server.

[…]
push "redirect-gateway def1 bypass-dhcp"
[…]

Also, uncomment and change the DNS servers to reflect your own DNS values.  Here I am using public resolvers (the addresses below are OpenDNS’s).

[…]
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
[…]

Uncomment the following lines:

[…]
user nobody
group nogroup
[…]

Save and close the file.

IP forwarding and routing Configuration

Edit sysctl.conf file,
$ vi /etc/sysctl.conf

Find the following line and set the value to “1” to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.
$ sysctl -p

Enter the following command to enable IP forwarding:
$ echo 1 > /proc/sys/net/ipv4/ip_forward

Start OpenVPN Server

Finally, start the openvpn service; on Ubuntu the init script also starts every configuration in /etc/openvpn automatically on reboot:
$ service openvpn start

Verify that the VPN interface (tun0) was created using the ifconfig command:
$ ifconfig

Network Router Configuration

We need to do two things on your router, and how you do them greatly depends on your router.  I’m assuming you have a hardware router hooked up to your DSL, cable or other type of internet connection, you’re setting up an Ubuntu VPN server on the internal network, and you want to access other computers on that internal network once your remote clients have authenticated into the VPN tunnel.

1. Your VPN server should have an internal static IP address… We need to tell your router to route all traffic for the VPN subnet (10.8.0.0/24, the “server” line in the sample server.conf) to your VPN server, so when your VPN clients connect they can communicate with your internal network.

2. Open external port 1194 (TCP and UDP) and point it at your VPN server’s internal static IP address.

Clients

Now we have the files needed to put on your clients, your server is all set up, and your router is configured correctly… it’s time to look at setting up clients.  I created a client certificate for each of my three workstations… each running a different OS:  Mac OS X, Ubuntu 14.04, and Windows 7.  I want to validate and connect into my VPN remote network from all three systems… but configuring the client is slightly different on each.  Below I go into details on setting each one up.

Ubuntu Client

I’ll assume you are using this system as a Ubuntu workstation/laptop and have a graphical interface… thus want to use Network Manager to connect in.  First we’ll need to install two items:
$ sudo apt-get install openvpn network-manager-openvpn

Navigate…
System Settings->Network->+ (hit the plus in the bottom left)
Choose VPN interface and hit Create
Select OpenVPN from the type list and hit Create
Specify the Gateway (public ip or domain name of your vpn server)
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.

Save that and you’re done.  You should now connect into your VPN and run a few ping and other tests. 

Mac Client

My primary laptop is a Mac, so let’s go there next.  Here you’ll need to install a VPN client application called TunnelBlick.  https://www.tunnelblick.net/

Once you’ve installed the application, you need to double-click on your client.ovpn file.  The .ovpn file type was associated with Tunnelblick when it was installed, so it will open the file and let you add that connection to your available list.  Once done, simply connect into the VPN and run your tests.

Windows Client

Visit http://sourceforge.net/projects/securepoint and download the Windows OpenVPN client.
Launch the Securepoint SSL VPN client, double-click the tray icon when it appears, and select New.
Next
Enter the Name of your VPN Connection and hit Next
Enter the Public IP or Domain Name of your VPN server and the port you configured (default is 1194).  I prefer TCP connections for reliability reasons (the protocol must match the “proto” line in your server.conf; the sample config uses udp)… then hit Next
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.
Hit Next
Under Advanced Settings
– check the “Comp-LZO” checkbox
– uncheck the “Auth user/pass” checkbox
– leave all others at their Defaults
hit Next
Lastly hit Finish


All done… let me know if you have any questions below.

Developing Content 101 – INI Files

Update: Added link to Location sensor on Tanium community website.
So you’d like to create Tanium Content for distribution to your infrastructure. Knowing what you want to do goes a long way to knowing how to do it with Tanium. For this article we’ll start with a very simple scenario: You need to create a brand new INI file that will hold physical location data about each of your endpoints. This INI file will be configured manually, but you’d like the data retrieved whenever you need it.
To make this happen we’ll need a few things:
1. Two packages… one for Windows and one for Mac/Linux. Packages are not cross-platform, thus to do what we want we’ll need to create two packages. The Windows package will contain a simple VBS script that takes our incoming arguments and writes out an INI file. Mac and Linux both handle shell scripts, so we can create a single shell script to do the same thing our VBS will be doing.
2. One sensor… Sensors are indeed cross-platform, and we can embed both VBS and SH scripts so all three operating systems can read our INI file and return the results.

Development Environment
To get started, we’ll need a test box for all three environments. Most of us have a file synchronization application running like Google Drive, Microsoft’s OneDrive, Dropbox or others. This is a great place to work from since many of these apps also have cross-platform clients.
Start by creating a directory for your project as well as our content. Make it look like this:
> Location Project
>> Content
>>> Sensors
>>>> Location (https://community.tanium.com/repo/sensor/393)
>>> Packages
>>>> Set Location (Windows)
>>>> Set Location (Mac/Linux)

Package: Set Location (Windows)
Most likely you are working from a Windows workstation, so let’s start with the VB script since we can very quickly test it on this system. Here is the pseudocode for our VB Script:
1. Capture our command line arguments into variables
2. If our INI file already exists, then open for writing, otherwise create it for writing.
3. Write to the INI file in the proper INI format all of our incoming arguments.
To accomplish this we’re going to need two of our highly reused functions:
GetTaniumDir and GeneratePath
These functions will give us the full path of our Tanium Client directory and create any sub directories as needed.
Here is the full Set Location for Windows VB Script:

'=======================================
' Set Location
'=======================================

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Set fso = CreateObject("Scripting.FileSystemObject")

If WScript.Arguments.Count >= 5 Then
    ' Tanium passes package parameters with spaces encoded as %20
    Country = Replace(WScript.Arguments.Item(0), "%20", " ")
    State = Replace(WScript.Arguments.Item(1), "%20", " ")
    City = Replace(WScript.Arguments.Item(2), "%20", " ")
    Street = Replace(WScript.Arguments.Item(3), "%20", " ")
    Number = Replace(WScript.Arguments.Item(4), "%20", " ")

    ' GetTaniumDir returns False (a Boolean) when the client path cannot be found
    taniumDir = GetTaniumDir("")
    If VarType(taniumDir) = vbBoolean Then WScript.Quit 1

    locationFilePath = taniumDir & "Location.ini"
    If fso.FileExists(locationFilePath) Then
        WScript.Echo "Location.ini File Does Exist - Overwriting"
        Set locationFile = fso.OpenTextFile(locationFilePath, ForWriting)
    Else
        WScript.Echo "Location.ini File Does Not Exist - Creating"
        Set locationFile = fso.CreateTextFile(locationFilePath)
    End If

    locationFile.WriteLine "[Location]"
    locationFile.WriteLine "Country=" & Country
    locationFile.WriteLine "State=" & State
    locationFile.WriteLine "City=" & City
    locationFile.WriteLine "Street=" & Street
    locationFile.WriteLine "Number=" & Number
    locationFile.Close
Else
    WScript.Echo "Usage: cscript setlocation.vbs Country State City Street Number"
End If

Function GetTaniumDir(strSubDir)
    ' GetTaniumDir with GeneratePath, works in x64 or x32
    ' looks for a valid Path value

    Dim objShell
    Dim keyNativePath, keyWoWPath, strPath

    Set objShell = CreateObject("WScript.Shell")

    keyNativePath = "HKLM\Software\Tanium\Tanium Client"
    keyWoWPath = "HKLM\Software\Wow6432Node\Tanium\Tanium Client"

    ' first check the Software key (valid for 32-bit machines, or 64-bit machines in 32-bit mode)
    On Error Resume Next
    strPath = objShell.RegRead(keyNativePath & "\Path")
    On Error Goto 0

    If strPath = "" Then
        ' Could not find 32-bit mode path, checking Wow6432Node
        On Error Resume Next
        strPath = objShell.RegRead(keyWoWPath & "\Path")
        On Error Goto 0
    End If

    If Not strPath = "" Then
        If strSubDir <> "" Then
            strSubDir = "\" & strSubDir
        End If

        Dim fso
        Set fso = WScript.CreateObject("Scripting.FileSystemObject")
        If fso.FolderExists(strPath) Then
            If Not fso.FolderExists(strPath & strSubDir) Then
                ' Need to loop through strSubDir and create all sub directories
                GeneratePath strPath & strSubDir, fso
            End If
            GetTaniumDir = strPath & strSubDir & "\"
        Else
            ' Specified Path doesn't exist on the filesystem
            WScript.Echo "Error: " & strPath & " does not exist on the filesystem"
            GetTaniumDir = False
        End If
    Else
        WScript.Echo "Error: Cannot find Tanium Client path in Registry"
        GetTaniumDir = False
    End If
End Function 'GetTaniumDir

Function GeneratePath(pFolderPath, fso)
    ' Recursively create pFolderPath and any missing parent folders
    GeneratePath = False
    If Not fso.FolderExists(pFolderPath) Then
        If GeneratePath(fso.GetParentFolderName(pFolderPath), fso) Then
            GeneratePath = True
            Call fso.CreateFolder(pFolderPath)
        End If
    Else
        GeneratePath = True
    End If
End Function 'GeneratePath

Test our “Set Location” script by using the following command line:
cscript setlocation.vbs "US" "Arkansas" "Springdale" "Daniel Ave" "1234"
You should see a brand new “Location.ini” file appear within your Tanium Client directory.
(Note that this script writes to the Program Files directory, so you’ll need administrative access on your command prompt.)

Location Sensor (Windows)
Since we’re still on our Windows computer, let’s quickly develop the Windows script for reading our new Location.ini file. Just like the “Set Location” script, we’ll need a few reusable functions and a new one that will easily read our INI file: GetTaniumDir, GeneratePath, and ReadIni.
The pseudocode for this script is extremely easy!

1. Locate our INI file
2. Read each property within the INI file
3. Echo to the command prompt which gets picked up by the Tanium client during sensor execution.
The following is our Location Sensor’s VBScript:

'=======================================
' Read Location
'=======================================

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Set fso = CreateObject("Scripting.FileSystemObject")

' GetTaniumDir returns False (a Boolean) when the client path cannot be found
taniumDir = GetTaniumDir("")
If VarType(taniumDir) = vbBoolean Then WScript.Quit 1

locationFilePath = taniumDir & "Location.ini"
location = Trim(ReadIni(locationFilePath, "Location", "Country"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "State"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "City"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "Street"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "Number"))
WScript.Echo location

Function ReadIni( myFilePath, mySection, myKey )
    ' This function returns a value read from an INI file
    '
    ' Arguments:
    ' myFilePath [string] the (path and) file name of the INI file
    ' mySection  [string] the section in the INI file to be searched
    ' myKey      [string] the key whose value is to be returned
    '
    ' Returns:
    ' the [string] value for the specified key in the specified section
    '
    ' CAVEAT: Will return a space if key exists but value is blank
    '
    ' Written by Keith Lacelle
    ' Modified by Denis St-Pierre and Rob van der Woude
    Const ForReading = 1
    Const ForWriting = 2
    Const ForAppending = 8

    Dim intEqualPos
    Dim objFSO, objIniFile
    Dim strFilePath, strKey, strLeftString, strLine, strSection

    Set objFSO = CreateObject( "Scripting.FileSystemObject" )

    ReadIni = ""
    strFilePath = Trim( myFilePath )
    strSection = Trim( mySection )
    strKey = Trim( myKey )

    If objFSO.FileExists( strFilePath ) Then
        Set objIniFile = objFSO.OpenTextFile( strFilePath, ForReading, False )
        Do While objIniFile.AtEndOfStream = False
            strLine = Trim( objIniFile.ReadLine )

            ' Check if section is found in the current line
            If LCase( strLine ) = "[" & LCase( strSection ) & "]" Then
                strLine = Trim( objIniFile.ReadLine )

                ' Parse lines until the next section is reached
                Do While Left( strLine, 1 ) <> "["
                    ' Find position of equal sign in the line
                    intEqualPos = InStr( 1, strLine, "=", 1 )
                    If intEqualPos > 0 Then
                        strLeftString = Trim( Left( strLine, intEqualPos - 1 ) )
                        ' Check if item is found in the current line
                        If LCase( strLeftString ) = LCase( strKey ) Then
                            ReadIni = Trim( Mid( strLine, intEqualPos + 1 ) )
                            ' In case the item exists but value is blank
                            If ReadIni = "" Then
                                ReadIni = " "
                            End If
                            ' Abort loop when item is found
                            Exit Do
                        End If
                    End If

                    ' Abort if the end of the INI file is reached
                    If objIniFile.AtEndOfStream Then Exit Do

                    ' Continue with next line
                    strLine = Trim( objIniFile.ReadLine )
                Loop
                Exit Do
            End If
        Loop
        objIniFile.Close
    Else
        'WScript.Echo strFilePath & " doesn't exist. Exiting..."
        WScript.Quit 1
    End If
End Function

Function GetTaniumDir(strSubDir)
    ' GetTaniumDir with GeneratePath, works in x64 or x32
    ' looks for a valid Path value

    Dim objShell
    Dim keyNativePath, keyWoWPath, strPath

    Set objShell = CreateObject("WScript.Shell")

    keyNativePath = "HKLM\Software\Tanium\Tanium Client"
    keyWoWPath = "HKLM\Software\Wow6432Node\Tanium\Tanium Client"

    ' first check the Software key (valid for 32-bit machines, or 64-bit machines in 32-bit mode)
    On Error Resume Next
    strPath = objShell.RegRead(keyNativePath & "\Path")
    On Error Goto 0

    If strPath = "" Then
        ' Could not find 32-bit mode path, checking Wow6432Node
        On Error Resume Next
        strPath = objShell.RegRead(keyWoWPath & "\Path")
        On Error Goto 0
    End If

    If Not strPath = "" Then
        If strSubDir <> "" Then
            strSubDir = "\" & strSubDir
        End If

        Dim fso
        Set fso = WScript.CreateObject("Scripting.FileSystemObject")
        If fso.FolderExists(strPath) Then
            If Not fso.FolderExists(strPath & strSubDir) Then
                ' Need to loop through strSubDir and create all sub directories
                GeneratePath strPath & strSubDir, fso
            End If
            GetTaniumDir = strPath & strSubDir & "\"
        Else
            ' Specified Path doesn't exist on the filesystem
            WScript.Echo "Error: " & strPath & " does not exist on the filesystem"
            GetTaniumDir = False
        End If
    Else
        WScript.Echo "Error: Cannot find Tanium Client path in Registry"
        GetTaniumDir = False
    End If
End Function 'GetTaniumDir

Function GeneratePath(pFolderPath, fso)
    ' Recursively create pFolderPath and any missing parent folders
    GeneratePath = False
    If Not fso.FolderExists(pFolderPath) Then
        If GeneratePath(fso.GetParentFolderName(pFolderPath), fso) Then
            GeneratePath = True
            Call fso.CreateFolder(pFolderPath)
        End If
    Else
        GeneratePath = True
    End If
End Function 'GeneratePath

Now we have our location.vbs script… so let’s test it… run the following command line:
cscript location.vbs
You should see the location information echoed out to the command line, pipe | delimited.

Set Location (Mac/Linux)
What we’re trying to accomplish with writing and reading INI files is easily done with a shell script. We are not doing anything special and thus a common Mac/Linux script is possible. If you are trying to “DO” something else, you need to consider the various flavors of Linux like Red Hat, CentOS, Ubuntu, and so many more.
The pseudocode for our Mac/Linux shell script is identical to that of the Windows VBScript, so refer to that section for details.

Let’s switch over to our non-Windows computer for further development. Typically I prefer to work on my Mac laptop but on occasion I’ll boot up my Ubuntu laptop to have a different experience. Here is the full script for setting the location on POSIX systems:

#!/bin/bash
#=======================================
# Set Location
#=======================================
Country=$1
State=$2
City=$3
Street=$4
Number=$5

# Packages run from Tanium Client/Downloads/Action_XXXX, so ../../ is the client root.
# The console substitutes %20 for spaces in parameters; sed turns them back into spaces.
echo "[Location]" > '../../Location.ini'
echo "Country=$Country" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "State=$State" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "City=$City" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "Street=$Street" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "Number=$Number" | sed -e "s/%20/ /g" >> '../../Location.ini'

The working directory for packages in Tanium is within the client directory… Tanium Client/Downloads/Action_XXXX (where XXXX is your action number). This means that to write a file within the Tanium Client directory, you need to go up two directories, as shown in the script above.
To test the above setlocation.sh script, use the following shell commands:
chmod +x setlocation.sh
./setlocation.sh “US” “Arkansas” “Springdale” “Daniel Ave” “1234”
You should find the Location.ini file two directories above where you developed this… and if you’re using the directory structure described at the beginning of this article, it’ll be within the “Content” directory.

Location Sensor (Mac/Linux)
Let’s quickly write up our location.sh script for reading the ini file. Note that the working directory for sensors is the root directory of your Tanium Client… Thus there is no need to go up two directories like we did in the package script. Here is the full location.sh script:

#!/bin/bash
#=======================================
# Read Location
#=======================================
# Sensors run from the Tanium Client root, so Location.ini is read in place.
if [ -f Location.ini ]; then
    # The command substitution was lost in the original rendering; $(...) restores it.
    Country=$(grep -w "^Country" Location.ini | cut -d= -f2)
    State=$(grep -w "^State" Location.ini | cut -d= -f2)
    City=$(grep -w "^City" Location.ini | cut -d= -f2)
    Street=$(grep -w "^Street" Location.ini | cut -d= -f2)
    Number=$(grep -w "^Number" Location.ini | cut -d= -f2)

    echo "$Country|$State|$City|$Street|$Number"
else
    echo ""
fi

To test this, copy the Location.ini file into the same directory as your script and run the following commands:
chmod +x location.sh
./location.sh
You should see the exact same output as our Windows VBScript with the location information pipe | delimited.
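As an added example that is not part of the original post, here is the same set/read pair written as POSIX shell functions: the writer refuses parameter values that would alter the INI structure (a newline or a bracket would otherwise let a console user add a section or key), and the reader looks only inside the [Location] section instead of grepping the whole file. The FILE argument and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): stricter set/read pair for
# Location.ini. Values are validated before writing and keys are read from
# the [Location] section only. FILE is an explicit parameter (assumption).

# Decode the %20 that the Tanium console substitutes for spaces in parameters.
decode_param() { printf '%s' "$1" | sed -e 's/%20/ /g'; }

# Allow-list: letters, digits, space, . _ , and hyphen. A newline, '[', ']'
# or '=' would change the INI structure, so such values are rejected.
valid_value() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9\ ._,-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_location_ini FILE COUNTRY STATE CITY STREET NUMBER
write_location_ini() {
    ini=$1; shift
    for v in "$@"; do
        valid_value "$(decode_param "$v")" || { echo "rejected: $v" >&2; return 1; }
    done
    {
        printf '[Location]\n'
        for k in Country State City Street Number; do
            printf '%s=%s\n' "$k" "$(decode_param "$1")"; shift
        done
    } > "$ini"
}

# read_location_key FILE KEY: value from the [Location] section, else nothing.
read_location_key() {
    sed -n '/^\[Location\]$/,/^\[/{ s/^'"$2"'=//p; }' "$1" | head -n 1
}

# read_location FILE: the sensor's pipe-delimited line, or empty if no file.
read_location() {
    [ -f "$1" ] || { printf '\n'; return 0; }
    printf '%s|%s|%s|%s|%s\n' "$(read_location_key "$1" Country)" \
        "$(read_location_key "$1" State)" "$(read_location_key "$1" City)" \
        "$(read_location_key "$1" Street)" "$(read_location_key "$1" Number)"
}

# Constructed demo: write as the package would, read back as the sensor would.
tmp=$(mktemp)
write_location_ini "$tmp" US Arkansas Springdale Daniel%20Ave 1234
read_location "$tmp"   # US|Arkansas|Springdale|Daniel Ave|1234
write_location_ini "$tmp" US Arkansas Springdale "$(printf 'x\n[Other]')" 1 || echo rejected
rm -f "$tmp"
```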

Pulling It All Together
Now that we have working and validated scripts… it is extremely easy to switch over to the Tanium Console and wrap them up in sensor and package objects for use on our entire infrastructure.

Building the Sensor:
Open your Tanium Console website and navigate to the Authoring->Sensors section. Click the “Add New Sensor” button in the top right.

We will need to define additional columns for the pipe | delimited values…


Next we’ll want to copy and paste our VBScript into the Windows script box, and our shell script into both the Mac and Linux script boxes.

Building the Packages:
Open your Tanium Console website and navigate to the Authoring->Packages section. Click the “Add New Package” button in the top right.
We’ll start with the “Set Location (Windows)” package. In the files section, choose the “Add Local Files” button and locate/select the “setlocation.vbs” file.

Upon launch, the console user will need to enter some parameters that are written… so click Advanced Settings and configure as follows:

Next we’ll build the “Set Location (Mac/Linux)” package… and just like before, choose the “Add Local Files” button and locate/select the “setlocation.sh” file.

And just like the Windows package, we need to configure a few parameters:

Testing
That’s it. Now it’s time to do some expanded testing in your lab.

Ask the following question: Get Computer Name and Location from all machines
Your machines will all reply with no set location. Select one or more of your Windows machines and deploy the “Set Location (Windows)” package with some location information to be written.
Run the question again and you should see location information appearing for those Windows computers.

Continue testing to validate each of the scenarios you anticipate your console users will want to do.

Post your questions below and I’ll try to answer as best I can.

New Flickr Picture Browsing Site

I did it again! I went looking for a way to easily get links to the pictures I publish to flickr for my blog articles. Sadly I couldn’t find what I wanted. So after a few hours of searching I gave up and created one of my own.

Let’s all welcome http://bypicture.com

The value I’m adding here is the ability to type in any flickr user’s name and see an infinite scrolling list of their photo stream. Click on any of the images and you’ll see all the various Flickr image sizes along with buttons to copy into your clipboard.

I’m using ByWord on my Mac to create blog articles… so there’s an extra button to click to get properly formatted image code for pasting directly into my article.

If you find this website useful… leave a comment. If you have other formats you’d like me to provide easy buttons for… leave a comment for that too.

Hope you guys find the site as useful as I do!

Installing Tanium v6.1

Installing Tanium is actually really easy and I’m going to make it even easier by walking you through the express installation of the product.

In the following article I’ll provide you with the various screenshots for the express installation of Tanium v6.1.314.2342 and I’ll call out screens that may need additional explanation. Let’s get started!
I assume you’ve already acquired the installation executable from your Technical Account Manager or Sales person…
Double click it to launch the installer. If you’re installing onto a Windows 2008 R2 server, like I am here, you may need to click yes to the UAC request dialog:
This virtual computer I’m installing our server onto does not have an MSSQL server installed, so we’ll choose to install the MSSQL Express Edition.
We’ll have to agree to Microsoft’s EULA…
I’ve chosen to download and install updates to MSSQL here.
I’m also using the default options…
Leave the named instance settings as is.
As well as the service configuration settings…
We only support Windows authentication so choosing between only Windows Auth or both is up to you.
Now… back to the Tanium installation… choose the Express Install.
Provide your Windows credentials for the initial user. If your server is linked to a domain, it can be a domain login (does not need to be an admin or anything). If your server is NOT on a domain, simply provide one of the local accounts’ username/passwords to continue.
All done!

The express installation of our product creates a self-signed certificate for the console, so you’ll need to agree to continue.
Log in with the username/password you specified earlier…
When you have successfully logged in, an initial content load will occur. This means your server is downloading a “starter” pack of content (sensors, packages, dashboards, etc) which will get you started with the product immediately. This process does take several minutes, so please be patient.
Once the content load is complete, you’ll get to play around with the product!

Currently you do not have any endpoints to work with. I’ll release another article very soon which explains a few ways of getting the agent installed onto your computers.