Tanium 6.x: Parameterized Packages

Introduction

For cases where an operator needs to enter arbitrary values each time a Package is deployed, Tanium provides a powerful option: Action Parameters.

This is conceptually similar to, but different from, Packages with Sourced Sensors, where the Package's command line is dynamic. Rather than Sensor output changing the command line, however, the command line values are entered at run time.

Unescaping

As a security precaution, all values that are fed onto the command line are escaped (URL encoded). This ensures that most special characters, including spaces, are encoded into values that are considered safe. For example, the space character is transformed into "%20" by the time the command line reaches the client. Therefore, DOS commands that take encoded input should be run through a wrapper script that unescapes the characters and ensures their safety before passing them on to the client. A useful function for Windows is the Unescape function in VBScript.

Creating Packages Which Take User Input

Changing Action Name Dynamically

Notice that the picture below has the Package Name with a $1 in it.

Package_with_user_input_1.JPG
 

$1 refers to the first value entered when the Action is run. If this variable is specified in the Package Name field, the entered text is inserted into the Action Name, which is visible when the Action is run, listed in Scheduled Actions, or in Action History.

Changing the Command Line Dynamically

To change a command line dynamically based on console operator input entered at action deployment time, enter a value of $1 on the command line, as in the picture above.

Next, press the "Advanced settings" link in the upper right corner and then select the "Prompt For User Input" checkbox at the bottom of the dialog.

Package_with_user_input_2.JPG
 

Multiple Variables

More than one input can be specified at run time. $2, $3 and $4 can all be prompted for, and their values used in the command line or the Package Name. When entering the prompts, ensure that there is a new paragraph tag between each line, or the prompt text will all be drawn on one wrapped line.

Package_with_user_input_3.JPG

Running the Action

Packages which take user input when the Action is issued have a box at the top where the values are entered.

Package_with_user_input_4.JPG
 

This Action will kill dropbox.exe, or whatever else is typed in, when it is deployed. Note the section above on escaping: this would fail if the executable were called "drop box.exe" unless it was passed to a wrapper that unescaped it and validated that the characters were safe. This is a security precaution.
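
The wrapper called for in the Unescaping section and by the "drop box.exe" case above, as an added example that is not part of the original article or Tanium's own code. The script name kill-process.vbs, the package command line shown in the comment, the allow-list pattern and the use of taskkill are assumptions made for illustration.

```vbscript
' kill-process.vbs (hypothetical wrapper script, added example)
' Assumed package command line:
'   cmd /c cscript //nologo kill-process.vbs $1
Option Explicit

Dim rawArg, procName, re, shell, exitCode

' Exactly one parameter is expected. An unencoded space would have
' split the value into several arguments, so reject that case.
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Expected exactly one parameter"
    WScript.Quit 2
End If

rawArg = WScript.Arguments(0)    ' constructed sample: drop%20box.exe
procName = Unescape(rawArg)      ' decodes %20 and friends: drop box.exe

' Validate AFTER decoding, because the encoded form hides what the
' value really contains (%22 is a quote, %26 is an ampersand).
' Allow-list (assumption): starts with a letter or digit, then letters,
' digits, space, dot, underscore or hyphen, and ends in .exe.
' Quotes, %, &, |, <, >, path separators and the * wildcard that
' taskkill /im would accept are all rejected.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9][A-Za-z0-9 ._-]{0,59}\.exe$"
re.IgnoreCase = True

If Not re.Test(procName) Then
    WScript.Echo "Rejected parameter: " & rawArg
    WScript.Quit 3
End If

' The validated name is passed as one quoted argument. WshShell.Run
' starts the program directly and does not go through cmd.exe.
Set shell = CreateObject("WScript.Shell")
exitCode = shell.Run("taskkill /f /im """ & procName & """", 0, True)
WScript.Quit exitCode
```

A non-zero exit code (2 or 3) distinguishes a rejected parameter from a taskkill failure when reviewing Action results.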

Options Available for Parameters

Several options are available for parameter inputs. The following table explains each option and what information is sent to the variable.

| Data Input | Description |
|---|---|
| Text Input | Users can enter text input. Allowed entries can be controlled with regular expressions. The user input is entered into the variable. |
| Drop Down List | Users can select only one option from a list. The value selected by the user is entered into the variable. |
| Check Box | Users can enable a setting by checking a box. 0 or 1 is entered into the variable. Returns 1 if checked and 0 if not checked. |
| Numeric | Users can enter a number. The input can be controlled with a minimum and a maximum. In addition, Step Size will require that the input be divisible by the Step Size. Snap Interval is the amount by which a number will be increased or decreased by pressing the up or down button respectively. Please note that Step Size should be a multiple of Snap Interval unless Snap Interval is 0. The user-selected number is entered into the variable. |
| Numeric Interval | Allows a user to select a number and an item from a list. The list item has a numeric value. The value entered into the variable is the result of the multiplication. For example, if a user selects 2 and selects High (with High having a value of 3), the value will be 6 in the variable. |
| Date Time | Users can select a date and time. The date time, in epoch format with milliseconds, is entered into the variable. |
| Date Range | Two date times, in epoch format with milliseconds, are entered into the variable separated by a pipe. |
| List | Users can select one or more values. The values selected are entered into the variable separated by a pipe. |
| Text Area | Users can enter a large amount of text. The text is entered into the variable. |
| Plugin | This is not intended for use by most customers. Please contact a Technical Account Manager for additional information about its use. |
| Separator | A separator is a graphical way to separate sections. There is no input or output. |

Please note that Max Characters set to 0 will allow unrestricted data input. Choosing the number 20 will limit the users to 20 characters.

Conclusion

Packages which take user input when the Action is deployed make Packages much more flexible and reusable.
