Asset requirements

Review the requirements before you use Asset.

Also review the Tanium as a Service requirements, as described in Tanium as a Service User Guide: Tanium as a Service requirements.

Tanium dependencies

In addition to a license for the Asset product module, make sure that your environment also meets the following requirements.

Component Requirement
Tanium™ Core Platform
  • 7.3.314.4250 or later
  • TanOS 1.3.4 or later
Tanium™ Content (Optional) Asset includes all of the content it needs for base functionality. You can import additional content or sensors into Asset after installation.
Tanium™ Client Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Tanium Products

If you clicked the Install with Recommended Configurations button when you installed Asset, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Asset requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

Asset requires the following modules:

  • Tanium Endpoint Configuration 1.2 or later

    Endpoint Configuration is installed as part of Tanium Client Management 1.5 or later.

The following modules are optional:

  • Tanium Trends 3.6 or later (create charts on Asset Overview page)
  • Tanium Connect 4.3 or later (create connections with Asset reports as a data source)
  • Tanium Index (create Flexera reports with file evidence data)

Tanium™ Module Server

Asset runs as a service on the Tanium Module Server.

Disk space

Asset requires disk storage capacity necessary to support the number of endpoints in your environment. For planning purposes, use 100 MB per 1000 endpoints, for example: 

  • 5,000 endpoints: 500 MB
  • 50,000 endpoints: 5 GB
  • 100,000 endpoints: 10 GB
  • 250,000 endpoints: 25 GB
  • 500,000 endpoints: consult your Technical Account Manager

Usage might vary significantly based on the following variables: the number of endpoints, the number of applications, the number of users, if file evidence data is enabled, and most importantly the attributes that you add on the Inventory Management > Attributes page. These suggested sizes are considered a good estimate for most environments.

Tanium Module Server on Linux

If you are running your Tanium Module server on Linux (not TanOS), the Tanium user must have write permission on the /tmp directory. To make the directory writable by any user of the system, run the chmod 777 command on the /tmp directory.

Endpoints

Supported operating systems

For Tanium Client operating system support, see Tanium Client User Guide: Host system requirements.

Operating System Version
Windows

  • Windows 7 SP1 or later

  • Windows 2008 R2 SP1 or later
macOS

Same as Tanium Client support
Linux Same as Tanium Client support
Solaris Same as Tanium Client support
AIX

7.1.4 or later

The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client User Guide: Deploying the Tanium Client to AIX endpoints.

Third-party software

The following third-party software is optional for exporting data from Asset: 

  • For the ServiceNow CMDB connector, the Jakarta release or later is required.
  • For Flexera integration, contact Tanium Support to configure a SQL database to receive data from Asset. For more information, see Contact Tanium Support.

Host and network security requirements

Specific ports and processes are needed to run Asset.

Ports

For Tanium as a Service ports, see Tanium as a Service User Guide: Host and network security requirements.

The following ports are required for Asset communication.

Source Destination Port Protocol Purpose

Module Server

 ServiceNow 443 TCP Access to your ServiceNow instance

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Table 1:   Asset security exclusions
Target Device Notes Process
Module Server   <Module Server>\services\asset-service\node.exe
  <Module Server>\services\asset-service\[email protected]\postgresql\lib\win32\bin\postgres.exe
  <Module Server>\services\asset-service\[email protected]\postgresql\lib\win32\bin\pg_ctl.exe
  <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints For integration with Flexera <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
macOS and Linux endpoints For integration with Flexera <Tanium Client>/Tools/EPI/TaniumEndpointIndex

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs on the Tanium Module Server for the Asset service.

  • ServiceNow instance (yourcompany.service-now.com)

User role requirements

Table 2:   Asset user role permission
Permission Asset Administrator1 Asset Operator1 Asset User1 Asset Report Reader1 Asset Service Account1,5 Asset Endpoint Configuration Approver2

Asset Endpoint Configuration Approve

Approve Asset configuration changes in the Endpoint Configuration service






Show Asset

View Asset workbench






Asset Report Read

View reports and views






Asset Report Write

Create, edit, and delete reports and views


3  



Asset Configuration Item Write

Configure all aspects of Asset (service settings, schedules, attributes, destinations)





Asset Plugin Callback

Configure Asset communication with the Tanium Server and Tanium Module Server





Asset Service Configure

Configure all aspects of Asset services






Asset Trends Integration Service Account

Provide access for module service accounts to read and write data, and to define sources and boards
4
4


4

1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

3 For owned reports and views only.

4 Grants access to content in the Reserved content set.

5 If you installed Tanium Client Management, Endpoint Configuration is installed, and by By default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

 

Table 3:   Provided Asset Advanced user role permissions
Permission Content Set for Permission Asset Administrator Asset Operator Asset User Asset Report Reader Asset Service Account Asset Endpoint Configuration Approver
Ask Dynamic Questions  
Execute Plugin Asset
Execute Plugin Reserved
Read Plugin Asset
Read Plugin Reserved
Read Sensor Asset
Read Sensor Reserved
Read Sensor Base
Read Action Asset
Write Action Asset
Read Own Action Asset

Read Package

 Asset
Show Preview Asset
Read Action Group Asset
Write Action Group Asset
Write Action for Saved Question Asset
Read Associated Packages Asset
Read Saved Question Asset
Write Saved Question Asset
Read Filter Group Asset
Read Filter Group Reserved
Read Filter Group Default Filter Groups

 

Table 4:   Optional roles for Asset
Role Enables
Connect Administrator (prior to Connect 4.8 only) Create, edit, or delete a Flexera destination
Connect User (Connect 4.8 and later)

Create, edit, or delete a Flexera destination
Tanium Administrator

Create scheduled actions for the file evidence content for Flexera destinations