Asset requirements

Review the requirements before you use Asset.

Also review the Tanium as a Service requirements, as described in Tanium as a Service User Guide: Tanium as a Service requirements.

Tanium dependencies

Component	Requirement
Tanium™ Core Platform	7.3.314.4250 or later TanOS 1.3.4 or later
Tanium™ Content	(Optional) Asset includes all of the content it needs for base functionality. You can import additional content or sensors into Asset after installation.
Tanium™ Client	Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Tanium solutions	If you selected Tanium Recommended Installation when you installed Asset, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the solutions that Asset requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions. Asset requires the following Tanium solutions: Tanium Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later) Tanium Trends 3.6 or later (create charts on Asset Overview page) The following solutions are optional: Tanium Connect 4.3 or later (create connections with Asset reports as a data source) Tanium Index (create reports with file evidence data, for example, the Flexera File Evidence report)

Tanium™ Module Server

Asset runs as a service on the Tanium Module Server.

Disk space

Asset requires disk storage capacity that is necessary to support the number of endpoints in the environment. For planning purposes, use 100 MB per 1000 endpoints:

5,000 endpoints: 500 MB
50,000 endpoints: 5 GB
100,000 endpoints: 10 GB
250,000 endpoints: 25 GB
500,000 endpoints: consult your Technical Account Manager

Usage might vary significantly based on the following variables:

Number of endpoints
Number of applications
Number of users, if file evidence data is enabled
Attributes that you add on the Inventory Management > Attributes page.

These suggested sizes are considered a good estimate for most environments.

Endpoints

Supported internet protocols

Asset communicates over IPv4 and IPv6 networks. For more information, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

Supported operating systems

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Operating System	Version
Windows	Windows 7 SP1 or later Windows 2008 R2 SP1 or later
macOS	Same as Tanium Client support
Linux	Same as Tanium Client support Software Inventory & Usage is not available on Linux operating systems.
Solaris	Same as Tanium Client support Software Inventory & Usage is not available on Solaris operating systems.
AIX	7.1.4 or later The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file. Software Inventory & Usage is not available on AIX operating systems.

Third-party software

The following third-party software is optional:

For the ServiceNow CMDB connector to export data from Asset, the Jakarta release or later is required.
For Flexera integration to export data from Asset, you must have an SQL database that can be configured to receive data from Asset. For more information, Contact Tanium Support.
To use the Asset Collect MS Exchange Info package to collect Microsoft Exchange data, the Microsoft Exchange Server Computer objects need to be a member of the View-Only Organization Management group for Microsoft Exchange Security Groups.

Host and network security requirements

Specific ports and processes are needed to run Asset.

Ports

For Tanium as a Service ports, see Tanium as a Service User Guide: Host and network security requirements.

The following ports are required for Asset communication.

Source	Destination	Port	Protocol	Purpose
Module Server	ServiceNow	443	TCP	Access to your ServiceNow instance
Module Server	Module Server (loopback)	17459 17461	TCP	Internal purposes; not externally accessible

Source

Destination

Port

Protocol

Purpose

Module Server

ServiceNow

443

TCP

Access to your ServiceNow instance

Module Server

Module Server (loopback)

17459

17461

TCP

Internal purposes; not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Asset security exclusions
Target Device	Notes	Exclusion Type	Exclusion
Module Server		Process	<Module Server>\services\asset-service\node.exe
		Process	<Module Server>\services\asset-service\[email protected]\postgresql\lib\win32\bin\postgres.exe
		Process	<Module Server>\services\asset-service\[email protected]\postgresql\lib\win32\bin\pg_ctl.exe
		Process	<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints	For integration with Flexera	Process	<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
	For integration with Flexera	Process	<Tanium Client>\Tools\Asset\TaniumFileEvidence.exe
		Process	<Tanium Client>\extensions\TaniumSoftwareManager.dll
		Process	<Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
macOS endpoints	For integration with Flexera	Process	<Tanium Client>/Tools/EPI/TaniumEndpointIndex
	For integration with Flexera	Process	<Tanium Client>/Tools/Asset/TaniumFileEvidence
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.dylib
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig
Linux endpoints	For integration with Flexera	Process	<Tanium Client>/Tools/EPI/TaniumEndpointIndex
	For integration with Flexera	Process	<Tanium Client>/Tools/Asset/TaniumFileEvidence
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.so
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.so.sig

Asset security exclusions
Target Device	Notes	Exclusion Type	Exclusion
Windows endpoints	For integration with Flexera	Process	<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
	For integration with Flexera	Process	<Tanium Client>\Tools\Asset\TaniumFileEvidence.exe
		Process	<Tanium Client>\extensions\TaniumSoftwareManager.dll
		Process	<Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
macOS endpoints	For integration with Flexera	Process	<Tanium Client>/Tools/EPI/TaniumEndpointIndex
	For integration with Flexera	Process	<Tanium Client>/Tools/Asset/TaniumFileEvidence
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.dylib
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig
Linux endpoints	For integration with Flexera	Process	<Tanium Client>/Tools/EPI/TaniumEndpointIndex
	For integration with Flexera	Process	<Tanium Client>/Tools/Asset/TaniumFileEvidence
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.so
		Process	<Tanium Client>/extensions/libTaniumSoftwareManager.so.sig

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, a security administrator might need to allow the following URLs on the Tanium Module Server for the Asset service.

ServiceNow instance (yourcompany.service-now.com)

User role requirements

The following tables list the role permissions required to use Asset. To review a summary of the predefined roles, see Set up Asset users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Asset user role permissions
Permission	Asset Administrator¹	Asset Operator¹	Asset User^1,6	Asset Report Reader^1,6	Asset Service Account^1,5	Asset Endpoint Configuration Approver²
Asset View Asset workbench	SHOW	SHOW	SHOW	SHOW		SHOW
Asset Configuration Item Configure all aspects of Asset (service settings, schedules, attributes, destinations)	WRITE	WRITE
Asset Endpoint Configuration Approve Asset configuration changes in the Endpoint Configuration service						APPROVE
Asset Plugin Configure Asset communication with the Tanium Server and Tanium Module Server					CALLBACK
Asset Report View, create, edit, and delete reports and views	READ WRITE	READ WRITE	READ WRITE³	READ
Asset Service Configure all aspects of Asset services	CONFIGURE
Asset Trends Integration Service Account Provide access for module service accounts to read and write data, and to define sources and boards		EXECUTE⁴			EXECUTE⁴
¹ This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ² This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements. ³ For owned reports and views only. ⁴ Grants access to content in the Reserved content set. ⁵ If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. ⁶ This role can only view the Reports and Views pages.

Provided Asset administration and platform content permissions
Permission	Permission Type	Asset Administrator¹	Asset Operator¹	Asset User¹	Asset Report Reader¹	Asset Service Account¹	Asset Endpoint Configuration Approver¹
Action Group	Administration	READ WRITE	READ WRITE	READ	READ	READ WRITE
Action	Platform Content	READ WRITE	READ WRITE			WRITE
Action for Saved Question	Platform Content					WRITE
Filter Group	Platform Content	READ	READ
Own Action	Platform Content	READ	READ			READ
Package	Platform Content	READ	READ			READ
Plugin	Platform Content	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE
Saved Question	Platform Content					READ WRITE
Sensor	Platform Content	READ	READ	READ	READ	READ
You can view which content sets are granted to any role in the Tanium Console. ¹ This role provides content set permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

Optional roles for Asset
Role	Enables
Connect Administrator (prior to Connect 4.8 only)	Create, edit, or delete a Flexera destination
Connect User (Connect 4.8 and later)	Create, edit, or delete a Flexera destination
Tanium Administrator	Create scheduled actions for the file evidence content for Flexera destinations