Tanium Client Deployment Tool

I have recently stood up a half-dozen virtual servers in a new home lab I am building to compliment my home office.  This means I want to get the Tanium Client installed onto these endpoints.  Rather than do it manually, I’m choosing to use the Tanium Client Deployment Tool and install them remotely from my windows workstation.  At the time of this writing v5.0.0.6 was the latest and has a few essential features required for installing the agent onto my new non-windows systems.

Installing the Tool

Installation of the Client Deployment Tool is relatively straightforward.  Launch the installer and click “Install”.  Assuming the default installation directory is acceptable.

cdt1

cdt2

cdt3

Initial Tool Setup

Once you launch the tool there are a few things that need to happen.  The first is the tool itself will prompt you to download the very latest agents for the various OS platform Tanium supports.  Allow that to happen…

cdt4

cdt5

Next we will need to point the tool at our server infrastructure in two ways… First by pointing the utility at our tanium.pub file.  This file can be found in the Tanium Server root folder on the server.  Second we’ll need to specify the hostname or IP address of the server we will be pointing endpoints at.  This second value could be the hostname or IP address of a zone server or even an alias that functions differently inside and outside your network.  Lastly if you chose to use a port number other than the default 17472, you’ll need to specify that now.

Install the Agent

For this article we will deploy the Tanium Agent to one of my new Ubuntu 14.04 LTS virtual servers.  My user account on that box has sudo permissions and that is required in order to install new software.

cdt6

Next we will specify a single endpoint to deploy too.  To do that we change the lower-left tabs to “Computer List” and type in the hostname of the targeted endpoint.  Then change the very bottom left dropdown to “Linux_Mac_Only” to avoid unnecessary timeouts by trying a windows connection and hit the “Analyze” button.

cdt7

If all works well our tool will report back “Client not installed”.  Select that row and click “Install”. 

cdt8

All done… The client deployment was successful.  To validate, we can simply log into the Tanium Console and check Administration->System Status to see our new endpoint listed and reporting in.

cdt9

In Conclusion

The Client Deployment Tool is a great utility for getting the Tanium Agent installed on your endpoints fast.

Recovering License Keys with Tanium

Lately I’ve been exploring the content that is posted in the Tanium Community Repository and found an interesting content pack called License Key Recovery.  For the purposes of this article I will assume you already have a Tanium server setup and have a half dozen or more windows clients reporting into this infrastructure.  In my case I’m using a personal lab deployment Tanium Server v6.2.314.3258 that has various Windows, Mac and Linux endpoints located all around the state of Arkansas.

Acquire and Import the Content Pack

You’ll need the content pack XML which is available from your assigned TAM, if you don’t have one reach out to Tanium Support, I bet they’ll get you the help you need.  After you have the file browse to Authoring and push the “Import Content…” button on the far right.  The import preview window should look something like this:

licensekey1

Update and Distribute Package

This content pack uses an 3rd party utility that is licensed separately from Tanium and can be downloaded/purchased from recover-keys.com, you’ll need the enterprise version which includes the command line executable.  After acquiring the software, find the file named RecoverKeysCmd.exe.   The Recover Keys product also uses SQLite which must also be downloaded separately from SQLite.org.  (Find the section called Precompiled Binaries for Windows and download the sqlite-dll-win32-x86…)

Edit the “Distribute Recover Keys Utility” package under Authoring->Packages and filter by package name.  Remove both the exe and dll from the Files list and add the newly acquired files by clicking “Add Local Files…” button.

licensekey2

Deploying the Utility

Included in the content pack is a saved action which automatically attempts to distribute the above package every two hours.  However, if you can’t wait that long and want to distribute it immediately, ask the following Tanium question:

Get Has Recover Keys Tool from all machines

Right click on the “No” answer and deploy the “Distribute Recover Keys Utility” for one time distribution… to all endpoints.  Any endpoint not currently online will receive the package command via the scheduled action within the content pack.

licensekey3

Retrieving License Keys

Everything is now prepared for the very fast and easy question you really want to know…

Get License Keys from all machines

licensekey4

In Conclusion…

Utilizing Tanium to take advantage of a 3rd party utility is extremely easy.   Break open the content by editing the packages or sensors and you will see exactly how simple it was to distribute and retrieve the results of the Recover Keys Utility.

Installing Tanium v6.1

Installing Tanium is actually really easy and I’m going to make it even easier by walking you through the express installation of the product.

In the following article I’ll provide you with the various screen shots for the express installation of Tanium v6.1.314.2342 and I’ll call out screens that may need additional explainations. Let’s get started!
I assume you’ve already acquired the installation executable from your Technical Account Manager or Sales person…
tanium01
Double click it to launch the installer. If you’re installing onto a Windows 2008r2 server, like I am here, you may need to click yes to the UAC request dialog:
tanium02
tanium03
tanium04
This virtual computer I’m installing our server onto, does not have an MSSQL server installed, so we’ll choose to install the MSSQL Express Edition.
tanium05
tanium06
tanium08
We’ll have to agree to Microsoft’s EULA…
tanium09
I’ve chosen to download and install updates to MSSQL here.
tanium10
I’m also using the default options…
tanium13
Leave the named instance settings as is.
tanium14
As well as the service configuration settings…
tanium15
We only support Windows authentication so choosing between only Windows Auth or both is up to you.
tanium16
tanium19
Now… back to the Tanium installation… choose the Express Install.
tanium20
Provide your windows credentials for the initial user. If your server is linked to a domain, it can be a domain login (does not need to be an admin or anything). If your server is NOT on a domain, simply provide one of the local accounts username/passwords to continue.
tanium22
All done!
tanium23

The express installation of our product creates a self signed certificate for the console, so you’ll need to agree to continue.
tanium24
Log in with the username/password you specified earler…
tanium25
When you have successfully logged in, an initial content load will occur. This means your server is downloading a “starter” pack of content (sensors, packages, dashboards, etc) which will get you started with the product immediately. This process does take several minutes, so please be patient.
tanium26
Once the content load is complete, you’ll get to play around with the product!
tanium27

Currently you do not have any endpoints to work with. I’ll release another article very soon which explains a few ways of getting agent installed onto your computers.

Tanium How-to SigCheck

If you’ve read my blog over the past few days, you already know that I now work for Tanium. Tanium has a self-named product that is used at many of the top fortune 50 businesses to help them manage and get instant answers on the most common security and systems management questions they face in mere seconds!
I thought I’d start sharing some how-to articles related to the product. I’m still learning myself so I will share as I learn. For this first article, I thought I’d start slightly after the beginning. I’m sure anyone reading this has gotten the full intro and some basic training from their assigned Technical Account Managers. And if you have any questions, the TAMs are always listening and willing to help!
Now, for this first article I want to tackle a problem that comes up all too often when distributing software that might be used by the Tanium client itself. In the example below, I will teach you how to distribute the Sysinternals tool called SigCheck. To do this you will need to produce a few pieces of content:
1. “Has SigCheck” is a sensor that checks your endpoints and determines if you have the utility already installed or not. This sensor allows you to ask the following question: Get Has SigCheck from all machines. This question needs to return a Yes or No depending on the presence of the sigcheck.exe utility.
2. “Distribute SigCheck” is a package that pulls the SigCheck.zip from the Sysinternals website, it also pulls an unzip utility from our Tanium content site and since we’re building this on the Community website, pulls the distributesigcheck.vbs from the Tanium Community website.

The logical process once our content is built is as follows:
1. Ask the question “Get Has SigCheck from all machines”
2. Select the No answer and deploy an action, choose the “Distribute SigCheck” package and you’re execute.

“Has SigCheck” Sensor
Of course this all starts with the basic “has” sensor. To build this we’ll be writing an extremely simple sensor that will check the existence of our file within the Tools directory of our Tanium Client. This vbscript will look a little something like this:

‘========================================
’ Has SigCheck Utility
’========================================

’ This sensor will report on the existence of the sigcheck file.

Option Explicit
Dim objFSO
Dim strTaniumToolsDir, strFile
Set objFSO = CreateObject(“Scripting.FileSystemObject”)

strFile = “sigcheck.exe”
strTaniumToolsDir = GetTaniumDir(“Tools\Sigcheck”)

If objFSO.FileExists(strTaniumToolsDir&strFile) Then
WScript.Echo “Yes”
Else
WScript.Echo “No”
End If

Function GetTaniumDir(strSubDir)
‘GetTaniumDir with GeneratePath, works in x64 or x32
‘looks for a valid Path value

Dim objShell
Dim keyNativePath, keyWoWPath, strPath

Set objShell = CreateObject(“WScript.Shell”)

keyNativePath = “HKLM\Software\Tanium\Tanium Client”
keyWoWPath = “HKLM\Software\Wow6432Node\Tanium\Tanium Client”

’ first check the Software key (valid for 32-bit machines, or 64-bit machines in 32-bit mode)
On Error Resume Next
strPath = objShell.RegRead(keyNativePath&“\Path”)
On Error Goto 0

If strPath = "“ Then
’ Could not find 32-bit mode path, checking Wow6432Node
On Error Resume Next
strPath = objShell.RegRead(keyWoWPath&”\Path“)
On Error Goto 0
End If

If Not strPath = ”“ Then
If strSubDir <> ”“ Then
strSubDir = ”" & strSubDir
End If

Dim fso
Set fso = WScript.CreateObject(“Scripting.Filesystemobject”)
If fso.FolderExists(strPath) Then
If Not fso.FolderExists(strPath & strSubDir) Then
’’Need to loop through strSubDir and create all sub directories
GeneratePath strPath & strSubDir, fso
End If
GetTaniumDir = strPath & strSubDir & “"
Else
’ Specified Path doesn’t exist on the filesystem
WScript.Echo ”Error: “ & strPath & ” does not exist on the filesystem“
GetTaniumDir = False
End If
Else
WScript.Echo ”Error: Cannot find Tanium Client path in Registry"
GetTaniumDir = False
End If
End Function ’GetTaniumDir

Function GeneratePath(pFolderPath, fso)
GeneratePath = False
If Not fso.FolderExists(pFolderPath) Then
     If GeneratePath(fso.GetParentFolderName(pFolderPath), fso) Then
         GeneratePath = True
         Call fso.CreateFolder(pFolderPath)
     End If
 Else
     GeneratePath = True
 End If
End Function ’GeneratePath

Notice that I have copied code from existing sensors, namely the GetTaniumDir function (also requires GeneratePath and RegKeyExists) which reads the registry to determine where our client is installed. Providing an argument will append that to the end of the Tanium directory that was read. The new community will soon have the feature to add reusable code blocks like this with a simple checkbox. But until then, simply copy-paste the functions needed from other code.

“Distribute SigCheck” Package
The distribution package has multiple components that are a bit complicated when combined together. I will boil down each component and help you build this package. The Tanium Client will automatically download all files related to the package for us… they’ll all be sitting in the working directory of the command line we specify. Typically that is Tanium Client\Downloads\Action_XXXX. Knowing that, let’s look at the overall logic we’ll be using:
1. Unzip the SigCheck.zip file
2. Get the Tanium client directory using the same reusable code we added to the sensor.
3. Copy the SigCheck.exe into the Tools directory under the Tanium Client directory.
4. Agree to the Sysinternals EULA by indicating agreement within the Registry. (this is required or the SigCheck utility will hang every time waiting for user input which will never come since you’re running as SYSTEM on the endpoint).

Distributing SigCheck

Steps 1, 2, and 3: Unzip SigCheck.zip into Tools Directory
To unzip our utility we acquired from Microsoft, we’ll need to use a command line unzip utility. In the official content, we often use 7za.exe. It is an extremly small utility we will add to our package with the following details:

Filename: 7za.exe
URI: https://community.tanium.com/files/7za.exe
SHA–256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
Check for Updates: Never

The following reusable code block will be used to unzip our utility zip file:

Sub Unzip(strZipFilePath, strTargetDir)
’ Takes full file path to zip file, path to target directory
’ will extract to target directory as a subdirectory
’ overwriting anything in the subdirectory and showing no UI.
 Dim objShell, objFSO, strCurrentDir, strZipUtil
 Dim strTempDir, strZipFileName, strCommand, intResult

 Set objShell = WScript.CreateObject("WScript.Shell")
 Set objFSO = CreateObject("Scripting.FileSystemObject")

 strCurrentDir = Replace(WScript.ScriptFullName, WScript.ScriptName, "")

 If Not objFSO.FileExists(strZipFilePath) Then
     WScript.Echo "Cannot continue - " & strZipFilePath & " does not exist"
     Exit Sub
 End If

 strZipUtil = strCurrentDir & "7za.exe"

 If Not objFSO.FileExists(strZipUtil) Then 
     WScript.Echo "Cannot continue - " & strZipUtil & " does not exist"
     Exit Sub
 End If 

 If Not objFSO.FolderExists(strTargetDir) Then
     objFSO.CreateFolder(strTargetDir)
 End If

 strZipFileName = objFSO.GetFile(strZipFilePath).Name
 ' remove .zip from end"
 If InStr(LCase(strZipFileName),".zip") = Len(strZipFileName) - 3 Then ' ends in zip
     strZipFileName = Left(strZipFileName,Len(strZipFileName) - 4)
 End If
 strTempDir = strCurrentDir & strZipFileName
 WScript.Echo "Unzipping to " & strTempDir
 If Not objFSO.FolderExists(strTempDir) Then
     objFSO.CreateFolder strTempDir
 End If

 strCommand = Chr(34) & strZipUtil & Chr(34) & " x -y -o" & Chr(34) & strTempDir & Chr(34) & " " & Chr(34) & strZipFilePath & Chr(34)

 WScript.Echo "running unzip:"
 WScript.Echo "   command: " & strCommand

 objShell.Run strCommand, 0, True

 If objFSO.FolderExists(strTempDir) Then
     WScript.Echo "Copying " & strTempDir & " to " & strTargetDir
     On Error Resume Next
     intResult = objFSO.CopyFolder(strTempDir,strTargetDir,True) ' overwrite
     On Error Goto 0
     If intResult = 0 Then
         WScript.Echo "Success"
     Else
         WScript.Echo "Failure - result is " & intResult
     End If
 End If
End Sub ’Unzip

This function allows us to unzip with a single command: Unzip Source-Zip-File Destination-Folder
We’ll accomplish steps 1–3 in one fail swoop after setting up a few variables for use. We need the full path of our zip file as well as the destination folder to extract into. To get our current working directory where the zip file was downloaded for us, we can use the filesystem object as follows:

Set objShell = CreateObject(“WScript.shell”)
strCurrentDir = objShell.CurrentDirectory
To get the destination folder, we’ll reuse the technique we learned from the sensor above to get the tanium client directory:
strTaniumDir = GetTaniumDir(“Tools”)
Now accomplishing steps 1 through 3 is as easy as:
Unzip strCurrentDir&“\SigCheck.zip”, strTaniumDir

Step 4: Agree to Sysinternals EULA
Before we can execute the SigCheck utility, Sysinternals requires you to agree to their EULA. When you execute it for the first time a popup box appears with the EULA with an Agree or Cancel button. After some research I learned the EULA agreement flag is stored in the users profile inside of the registry. (HKEY_CURRENT_USER\Software\Sysinternals\SigCheck)
Before the Tanium Client can use this utility, the SYSTEM user must agree to the EULA. This presents a problem since SYSTEM doesn’t have a UI nor are we sitting at the thousands of machines we want to run the utility on. Thus we will need to indicate agreement by adding the “EulaAccepted” registry value. We’ll do that with the following code:

Dim WshShell
Set WshShell = WScript.CreateObject(“WScript.Shell”)
WshShell.RegWrite “HKEY_CURRENT_USER\Software\Sysinternals\SigCheck\EulaAccepted”, “1”, “REG_DWORD”
set WshShell = Nothing

Downloads
You can download the “Has SigCheck” sensor from the Tanium Community website at: https://community.tanium.com/repo/sensor/788
I’m still building the packages feature of our Community so I’ll follow up later with the package download link.

Bonus… Distribute SigCheck Automatically
All done! To review, we built a sensor to check the existance of our SigCheck utility and built a package to distribute it to our computers. The only problem now is we may want to have distribution occur anytime an endpoint comes online and doesn’t have the utliity. To accomplish this we’ll need to ask our new sensor question and deploy our new package with the reissue option specified. The following is a screen shot of what this looks like:

Reissue SigCheck

New Job Announcement

As many of you may already know, I am no longer a BigFix Engineer with IBM. This is purely a voluntary thing as I have moved onto a new opportunity which, in my opinion, goes way beyond what BigFix, err IBM Endpoint Manager, can do.

logoEssentially, BigFix was “invented” back in the late 90’s. The technology was amazing and extremely advanced at the time. It remained so for more than a decade. If you examine the market for truely generic software that allows very large enterprises to manage hundreds of thousands of endpoints… you would be hard pressed to find more than a couple. BigFix would top that list and is used at many of the fortune 50 companies.

During my employment with BigFix/IBM, I founded an online community for BigFix enthusiasts to share knowledge, content and collaborate to solve problems. The http://bigfix.me community is still alive and extremely active with more than 1000 community members and nearly 500 visitors last week alone.

This community building experience and the projects I started as part of that community is what caught the attention of my new employer, Tanium, Inc.

Tanium is a software designed and built by the exact same people that invented BigFix all those years ago. Their decade long experience has served them well as they created the next generation of enterprise management software.

I joined Tanium with the express purpose of building a community to help customers solve huge problems with this truely amazing product. To give you a few hints, Tanium allows administrators the ability to ask plain english questions and get answers back from nearly 400,000 computers in 15sec–1min timeframe. I have personally seen this work on a 50,000 computer deployment with the customer getting responses back in less than a few seconds on a huge batch of computers and the entire query completeting in far less than a minute.

It took a few months, but I have just finished the first version of my new Tanium Community at http://community.tanium.com. This first itteration allows visitors the ability to search and download Tanium sensors as well as actually build them right on the website. Just like the inventors of Tanium drawing from their BigFix experiences, I too have pulled the knowledge I accrued while building the bigfix.me community to create this wonderful new community. Here are a few of the features I gave a lot of attention to:

1. Must be Mobile compatible. The new community is mobile friendly. It is built using the Responsive techniques I have learned about over the past 6 months. This means you can simply resize your browser and the website will adapt itself for your screen size.
2. Content building Teams. It is rare that enterprises have a single developer. Thus this new community allows for teams to work on content that is shared between them. Any community user can create one or more teams which they can then add any other community user as a member. This means any member of the team can add or edit content (sensors, packages, dashboards, etc) assigned to that team.
3. Private/Hidden content. Every piece of content uploaded or created on this new community website can be hidden. This means only you and your team mates can see it. This allows you to decide what is public and what is private and allows you to experiment with different content ideas before sharing it with the world.
4. One account to rule them all. This will occur in phases, but the Tanium KB and Forum will be pulled into our community and linked directly to your community account. This means you do not have to remember more than one username/password to take full advantage of this new community.
5. Common interface. This one is a bit unusual in that this new website very closely matches the interface used for product. As you use the website and/or the console for the product, you will become extremely familiar with the navigation. This means without any training you can seemlessly transition between the two.
6. Build content right on the website! This one is very different from my previous community experience. I wanted an almost effortless way to build content from this single interface. Having this built right into the community website means I will be able to open it up with lots of script writing enhancements and help menus to make developing content extremely easy.

I am very excited about my new opportunity here at Tanium. As time permits I will strive to publish more on the Tanium product, and my experiences building communities for top notch products like BigFix and Tanium.