ClientLocation 2.1.1.0017 en
Introduction: Tanium Client Network Location
Determine if a Tanium client is on or off the network.
Download Location
This content is available at: https://content.tanium.com/files/published/ClientLocation/2018-05-15_10-40-30_2.1.1.0017-g6cc8c65/ClientLocation.xml
Usage
A client location configuration package is deployed with values specific to the customers deployment. A sensor reads from this configuration file and performs various checks against the local system to determine it's relative network state as on or off site. Black listing of IPs and subnets are possible as well via the configuration files.
Packages
Create Client Location Config
The Create Client Location Config package is used to generate a config on Windows systems that will be used by the Client Network Location sensor to determine the relative state of the endpoint as on or off site.
- Tanium Server and IP values are the internal Tanium Server and respective IPs.
- Zone Server and IP values are the external facing Tanium Server and Respective IPs. This value is not limited to only Zone Servers, but for any remote facing Tanium Servers and their external IP addresses.
- VPN Adapter Name is pattern matched, and derived from the Win32_NetworkAdapter Name property.
- Black List and White List IPs and Ranges are pattern matched values from left to right of a subnet you wish to always exclude or include.
This package contains 1 files and 0 sensors.
Additional Properties:
- Command Line: cmd /c start /B cscript //T:3600 Location_Config.vbs /TaniumServer:$1 /ZoneServer:$2 /VPN:$3 /BlackList:$4 /WhiteList:$5
- Command Line Timeout: 60
Prompts:
| Name / Value | Prompt Help | Type | Possible / Default Values |
|---|---|---|---|
| Tanium Server and IP | server:ip,server2:ip2 | Text | |
| Zone Server and IP | server:ip,server2:ip | Text | |
| VPN Adapter Name | Cisco AnyConnect,Juniper | Text | |
| Black List IPs and Ranges | 10.0.1.,10.1.1.32,10.2. | Text | |
| White List IPs and Ranges | 10.0.1.,10.1.1.32,10.2. | Text |
Files:
- Location_Config.vbs
Remove Client Location Config
The Remove Client Location Config package is used to remove the existing client location configuration file from Windows endpoints.
This package contains 1 files and 0 sensors.
Additional Properties:
- Command Line: cmd /c cscript.exe delete-client-location-config.vbs
- Command Line Timeout: 60
Prompts:
Files:
- delete-client-location-config.vbs
Create Client Location Config - Non-Windows
The Create Client Location Config - Non-Windows package is used to generate a config on Non-Windows systems (Mac and Linux) that will be used by the Client Network Location sensor to determine the relative state of the endpoint as on or off site.
- Tanium Server and IP values are the internal Tanium Server and respective IPs.
- Zone Server and IP values are the external facing Tanium Server and Respective IPs. This value is not limited to only Zone Servers, but for any remote facing Tanium Servers and their external IP addresses.
- Black List and White List IPs and Ranges are pattern matched values from left to right of a subnet you wish to always exclude or include.
This package contains 1 files and 0 sensors.
Additional Properties:
- Command Line: /bin/bash Location_Config.sh $1 $2 $3 $4
- Command Line Timeout: 60
Prompts:
| Name / Value | Prompt Help | Type | Possible / Default Values |
|---|---|---|---|
| Tanium Server and IP | server:ip,server2:ip2 | Text | |
| Zone Server and IP | server:ip,server2:ip | Text | |
| Black List IPs and Ranges | 10.0.1.,10.1.1.32,10.2. | Text | |
| White List IPs and Ranges | 10.0.1.,10.1.1.32,10.2. | Text |
Files:
- Location_Config.sh
Remove Client Location Config - Non-Windows
The Remove Client Location Config - Non-Windows package is used to remove the existing client location configuration file from Non-Windows (Mac and Linux) endpoints.
This package contains 1 files and 0 sensors.
Additional Properties:
- Command Line: /bin/bash delete-client-location-config.sh
- Command Line Timeout: 60
Prompts:
Files:
- delete-client-location-config.sh
Sensors
Client Network Location
The Client Network Location sensor reads values set within the Client Location Config and attempts to determine the systems location state as on or off network.
- The first checks performed by the sensor are the presence of the systems IP address within the blacklisted or whitelisted subnet range. If it appears there it is an immediate assertion of off-site or on-site respectively.
- The next step will be determining if the system has an active VPN session. If a VPN session is established the assertion made is the system is off site. If not then a current server check and connection check will be performed.
- The Tanium settings are then checked for currently active Tanium server and a connection check via netstat outputs to validate the IP is a match if a split DNS configuration has been determined.
Based on the configuration of Tanium Servers to Tanium Zone Servers in the config file the resulting match will report accordingly.
Used in conjunction with Create Client Location Config will logically determine if a client is on or off the organizations network. Primary use is for Discover targeting.
Example: On-Site
Has Client Location Config
The Has Client Location Config sensor is used to determine if the Client Location Config exists on an endpoint. Returns True or False if Client Location Config exists on the endpoint.
Client Location Config
The Client Location Config sensor is used to view the values within the Client Location Config on Windows and Non-Windows (Mac and Linux) systems. The goal is to allow easy configuration review across the enterprise. Reads Client Location Config if it exists on the local machine.