Asset requirements
Review the requirements before you use Asset.
Also review the Tanium as a Service requirements, as described in Tanium as a Service User Guide: Tanium as a Service requirements.
Tanium dependencies
In addition to a license for the Asset product module, make sure that your environment also meets the following requirements.
Component | Requirement |
---|---|
Tanium™ Core Platform | |
Tanium™ Content | (Optional) Asset includes all of the content it needs for base functionality. You can import additional content or sensors into Asset after installation. |
Tanium™ Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions. |
Tanium Products | If you clicked the Install with Recommended Configurations button when you installed Asset, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Asset requires to function, as described under Tanium Console User Guide: Manage Tanium modules. Asset requires the following modules: The following modules are optional: |
Tanium™ Module Server
Asset runs as a service on the Tanium Module Server.
Disk space
Asset requires enough disk storage to support the number of endpoints in your environment. For planning purposes, use 100 MB per 1,000 endpoints. For example:
- 5,000 endpoints: 500 MB
- 50,000 endpoints: 5 GB
- 100,000 endpoints: 10 GB
- 250,000 endpoints: 25 GB
- 500,000 endpoints: consult your Technical Account Manager
Usage might vary significantly based on the following variables: the number of endpoints, the number of applications, the number of users, whether file evidence data is enabled, and, most importantly, the attributes that you add on the Inventory Management > Attributes page. These suggested sizes are considered a good estimate for most environments.
Tanium Module Server on Linux
If you are running your Tanium Module Server on Linux (not TanOS), the Tanium user must have write permission on the /tmp directory. To make the directory writable by any user of the system, run the chmod 777 command on the /tmp directory.
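A stock Linux /tmp is mode 1777, and a three-digit numeric mode such as 777 clears the sticky bit, after which any local user can delete or rename temporary files owned by other accounts. The following check is an added example, not part of the Tanium documentation; it classifies the mode of /tmp and tests whether the invoking account can write there. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Tanium code): audit the mode of a temporary directory.
# The sticky bit (the leading 1 in 1777) stops users from deleting or
# renaming files in the directory that they do not own.

# Print the 10-character mode string for a directory, e.g. drwxrwxrwt.
mode_string() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# Classify a directory as one of:
#   sticky-world-writable     (e.g. 1777, the usual /tmp mode)
#   world-writable-no-sticky  (e.g. 777)
#   not-world-writable
classify_dir() {
    m=$(mode_string "$1")
    other_w=$(printf '%s' "$m" | cut -c9)   # write bit for "other"
    last=$(printf '%s' "$m" | cut -c10)     # x, -, t or T
    if [ "$other_w" != "w" ]; then
        echo "not-world-writable"
    elif [ "$last" = "t" ] || [ "$last" = "T" ]; then
        echo "sticky-world-writable"
    else
        echo "world-writable-no-sticky"
    fi
}

# Return 0 if the invoking user can create files in the directory.
# Run the script as the account that owns the Tanium service (assumption:
# the account name depends on your installation).
can_write_here() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# Report the mode, its class, and write access for a directory.
audit_tmp() {
    dir=${1:-/tmp}
    printf '%s mode=%s class=%s\n' "$dir" "$(mode_string "$dir")" "$(classify_dir "$dir")"
    if can_write_here "$dir"; then
        echo "current user can write to $dir"
    else
        echo "current user cannot write to $dir"
    fi
}

audit_tmp /tmp
```

A result of sticky-world-writable already satisfies the write requirement for every local account, including the Tanium user.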
Endpoints
Supported operating systems
For Tanium Client operating system support, see Tanium Client User Guide: Host system requirements.
Operating System | Version |
---|---|
Windows | |
macOS | Same as Tanium Client support |
Linux | Same as Tanium Client support |
Solaris | Same as Tanium Client support |
AIX | 7.1.4 or later. The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client User Guide: Deploying the Tanium Client to AIX endpoints. |
Third-party software
The following third-party software is optional for exporting data from Asset:
- For the ServiceNow CMDB connector, the Jakarta release or later is required.
- For Flexera integration, contact Tanium Support to configure a SQL database to receive data from Asset. For more information, see Contact Tanium Support.
Host and network security requirements
Specific ports and processes are needed to run Asset.
Ports
For Tanium as a Service ports, see Tanium as a Service User Guide: Host and network security requirements.
The following ports are required for Asset communication.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Module Server | ServiceNow | 443 | TCP | Access to your ServiceNow instance |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Security exclusions
A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.
Target Device | Notes | Process |
---|---|---|
Module Server | | <Module Server>\services\asset-service\node.exe |
Module Server | | <Module Server>\services\asset-service\[email protected]\postgresql\lib\win32\bin\postgres.exe |
Module Server | | <Module Server>\services\asset-service\[email protected]\postgresql\lib\win32\bin\pg_ctl.exe |
Module Server | | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
Windows endpoints | For integration with Flexera | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe |
macOS and Linux endpoints | For integration with Flexera | <Tanium Client>/Tools/EPI/TaniumEndpointIndex |
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs on the Tanium Module Server for the Asset service.
- ServiceNow instance (yourcompany.service-now.com)
User role requirements
Permission | Asset Administrator¹ | Asset Operator¹ | Asset User¹ | Asset Report Reader¹ | Asset Service Account¹,⁵ | Asset Endpoint Configuration Approver² |
---|---|---|---|---|---|---|
Asset Endpoint Configuration Approve: Approve Asset configuration changes in the Endpoint Configuration service | | | | | | |
Show Asset: View Asset workbench | | | | | | |
Asset Report Read: View reports and views | | | | | | |
Asset Report Write: Create, edit, and delete reports and views | | | | | | |
Asset Configuration Item Write: Configure all aspects of Asset (service settings, schedules, attributes, destinations) | | | | | | |
Asset Plugin Callback: Configure Asset communication with the Tanium Server and Tanium Module Server | | | | | | |
Asset Service Configure: Configure all aspects of Asset services | | | | | | |
Asset Trends Integration Service Account: Provide access for module service accounts to read and write data, and to define sources and boards | | | | | | |
1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.
2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.
3 For owned reports and views only.
4 Grants access to content in the Reserved content set.
5
Permission | Content Set for Permission | Asset Administrator | Asset Operator | Asset User | Asset Report Reader | Asset Service Account | Asset Endpoint Configuration Approver |
---|---|---|---|---|---|---|---|
Ask Dynamic Questions | | | | | | | |
Execute Plugin | Asset | | | | | | |
Execute Plugin | Reserved | | | | | | |
Read Plugin | Asset | | | | | | |
Read Plugin | Reserved | | | | | | |
Read Sensor | Asset | | | | | | |
Read Sensor | Reserved | | | | | | |
Read Sensor | Base | | | | | | |
Read Action | Asset | | | | | | |
Write Action | Asset | | | | | | |
Read Own Action | Asset | | | | | | |
Read Package | Asset | | | | | | |
Show Preview | Asset | | | | | | |
Read Action Group | Asset | | | | | | |
Write Action Group | Asset | | | | | | |
Write Action for Saved Question | Asset | | | | | | |
Read Associated Packages | Asset | | | | | | |
Read Saved Question | Asset | | | | | | |
Write Saved Question | Asset | | | | | | |
Read Filter Group | Asset | | | | | | |
Read Filter Group | Reserved | | | | | | |
Read Filter Group | Default Filter Groups | | | | | | |
Role | Enables |
---|---|
Connect Administrator (prior to Connect 4.8 only) | Create, edit, or delete a Flexera destination |
Connect User | Create, edit, or delete a Flexera destination |
Tanium Administrator | Create scheduled actions for the file evidence content for Flexera destinations |
Last updated: 3/16/2021 4:47 PM