Asset requirements
Review the requirements before you use Asset.
Also review the Tanium™ Cloud requirements, as described in Tanium Cloud Deployment Guide: Tanium Cloud requirements.
Core platform dependencies
Make sure that your environment meets the following requirements:
-
Tanium license that includes Asset
- Tanium™ Core Platform servers:
- 7.4.5.1240 or later
- TanOS 1.5.5 or later
- Tanium Content: (Optional) Asset includes all of the content it needs for base functionality. You can import additional content or sensors into Asset after installation.
- Tanium™ Client:
Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Solution dependencies
Other Tanium solutions are required for Asset to function (required dependencies) or for specific Asset features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.
Some Asset dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Asset requires.
Tanium recommended installation
If you select Tanium Recommended Installation when you import Asset, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.
Import specific solutions
If you select only Asset to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Asset, the server automatically updates those dependencies to the latest available versions.
If you select only Asset to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.
Required dependencies
Asset has the following required dependencies at the specified minimum versions:
- Tanium™ Trends 3.6 or later. Creates charts on Asset Overview page.
-
Tanium™ Endpoint Configuration 1.2 or later
. Installed as part of Tanium Client Management 1.5 or later. - Tanium™ RDB service 1.0.172 or later
- Tanium™ System User service 1.0.40 or later
Feature-specific dependencies
If you select only Asset to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Asset has the following feature-specific dependencies at the specified minimum versions:
- Tanium™ Connect 4.3 or later. Creates connections with Asset reports as a data source.
- Tanium™ Index 2.5.16 or later. Creates reports with file evidence data, for example, the Flexera File Evidence report.
Asset 1.19.158 and later includes the Tanium Client Index Extension (Index CX) to support the SBOM add-in. Asset does not start the Index process on endpoints, but it might already be running on endpoints to support other Tanium solutions. For more information, see SBOM Overview.
Client extensions
Tanium Endpoint Configuration installs client extensions for Asset on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Asset functions:
- Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
- Index CX - Provides the ability to index the local file systems on endpoints. Tanium Asset, Tanium Integrity Monitor, Tanium Reveal, or Tanium Threat Response installs this client extension.
- Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
- Software Manager CX - Provides a catalog of all installed software on an endpoint. Tanium Asset or Tanium Patch installs this client extension.
Tanium™ Module Server
Asset runs as a service on the Tanium Module Server.
Disk space
Asset requires disk storage capacity that is necessary to support the number of endpoints in the environment. For planning purposes, use 100 MB per 1000 endpoints:
- 5,000 endpoints: 500 MB
- 50,000 endpoints: 5 GB
- 100,000 endpoints: 10 GB
- 250,000 endpoints: 25 GB
- 500,000 endpoints: consult your Technical Account Manager
Usage might vary significantly based on the following variables:
-
Number of endpoints
-
Number of applications
-
Number of users, if file evidence data is enabled
-
Attributes that you add on the Inventory Management > Attributes page.
These suggested sizes are considered a good estimate for most environments.
Endpoints
Supported internet protocols
Asset communicates over IPv4 and IPv6 networks. For more information, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.
Supported operating systems
For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.
| Operating System | Version | Notes |
|---|---|---|
| Windows |
|
|
| macOS |
Same as Tanium Client support |
|
| Linux |
Same as Tanium Client support |
Software Inventory & Usage is not available on Linux operating systems. |
| Solaris |
Same as Tanium Client support |
Software Inventory & Usage is not available on Solaris operating systems. |
| AIX |
7.1.4 or later |
The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file. Software Inventory & Usage is not available on AIX operating systems. |
Third-party software
The following third-party software is optional:
- For the ServiceNow CMDB connector to export data from Asset, the Jakarta release or later is required.
- For Flexera integration to export data from Asset, you must have an SQL database that can be configured to receive data from Asset. For more information, Contact Tanium Support.
- To use the Asset Collect MS Exchange Info package to collect Microsoft Exchange data, the Microsoft Exchange Server Computer objects need to be a member of the View-Only Organization Management group for Microsoft Exchange Security Groups.
Host and network security requirements
Specific ports and processes are needed to run Asset.
Ports
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
The following ports are required for Asset communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
Module Server |
ServiceNow | 443 | TCP | Access to your ServiceNow instance |
| ServiceNow MID Server | Tanium Server | 443 | TCP | If using the Service Graph Connector for Tanium Asset app, access to the Tanium Server |
| Module Server |
Module Server (loopback) |
17459 17461 |
TCP | Internal purposes; not externally accessible |
No additional ports are required.
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\asset-service\node.exe | |
| Required only during upgrade from Asset 1.18 and earlier | Process | <Module Server>\services\asset-service\node_modules\@tanium\postgresql\lib\win32\bin\postgres.exe | |
| Required only during upgrade from Asset 1.18 and earlier | Process | <Module Server>\services\asset-service\node_modules\@tanium\postgresql\lib\win32\bin\pg_ctl.exe | |
| Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe | ||
| Windows endpoints | For integration with Flexera | Process | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe |
| Process | <Tanium Client>\Tools\Asset\TaniumFileEvidence.exe | ||
| For SBOM add-in | Process | <Tanium Client>\Tools\BOM\bin\psftp.exe | |
| For SBOM add-in | Process | <Tanium Client>\Tools\BOM\bin\syft.exe | |
| File | <Tanium Client>\extensions\TaniumSoftwareManager.dll | ||
| File | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig | ||
| File | <Tanium Client>\TaniumClientExtensions.dll | ||
| File | <Tanium Client>\TaniumClientExtensions.dll.sig | ||
| File | <Tanium Client>\extensions\SupportCX.dll | ||
| File | <Tanium Client>\extensions\SupportCX.dll.sig | ||
| File | <Tanium Client>\extensions\TaniumConfig.dll | ||
| File | <Tanium Client>\extensions\TaniumConfig.dll.sig | ||
| macOS endpoints | For integration with Flexera | Process |
<Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| Process |
<Tanium Client>/Tools/Asset/TaniumFileEvidence |
||
| For SBOM add-in | Process |
<Tanium Client>/Tools/BOM/bin/syft |
|
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib | ||
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig | ||
| File | <Tanium Client>/libTaniumClientExtensions.dylib | ||
| File | <Tanium Client>/libTaniumClientExtensions.dylib.sig | ||
| File | <Tanium Client>/extensions/libSupportCX.dylib | ||
| File | <Tanium Client>/extensions/libSupportCX.dylib.sig | ||
| File | <Tanium Client>/extensions/libTaniumConfig.dylib | ||
| File | <Tanium Client>/extensions/libTaniumConfig.dylib.sig | ||
| Linux endpoints | For integration with Flexera | Process |
<Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| Process |
<Tanium Client>/Tools/Asset/TaniumFileEvidence |
||
| For SBOM add-in | Process |
<Tanium Client>/Tools/BOM/bin/syft |
|
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.so | ||
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig | ||
| File | <Tanium Client>/libTaniumClientExtensions.so | ||
| File | <Tanium Client>/libTaniumClientExtensions.so.sig | ||
| File | <Tanium Client>/extensions/libSupportCX.so | ||
| File | <Tanium Client>/extensions/libSupportCX.so.sig | ||
| File | <Tanium Client>/extensions/libTaniumConfig.so | ||
| File | <Tanium Client>/extensions/libTaniumConfig.so.sig |
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Windows endpoints | For SBOM add-in | Process | <Tanium Client>\Tools\BOM\bin\psftp.exe |
| For SBOM add-in | Process | <Tanium Client>\Tools\BOM\bin\syft.exe | |
| File | <Tanium Client>\extensions\TaniumSoftwareManager.dll | ||
| File | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig | ||
| File | <Tanium Client>\TaniumClientExtensions.dll | ||
| File | <Tanium Client>\TaniumClientExtensions.dll.sig | ||
| File | <Tanium Client>\extensions\SupportCX.dll | ||
| File | <Tanium Client>\extensions\SupportCX.dll.sig | ||
| File | <Tanium Client>\extensions\TaniumConfig.dll | ||
| File | <Tanium Client>\extensions\TaniumConfig.dll.sig | ||
| macOS endpoints | For SBOM add-in | Process |
<Tanium Client>/Tools/BOM/bin/syft |
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib | ||
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig | ||
| File | <Tanium Client>/libTaniumClientExtensions.dylib | ||
| File | <Tanium Client>/libTaniumClientExtensions.dylib.sig | ||
| File | <Tanium Client>/extensions/libSupportCX.dylib | ||
| File | <Tanium Client>/extensions/libSupportCX.dylib.sig | ||
| File | <Tanium Client>/extensions/libTaniumConfig.dylib | ||
| File | <Tanium Client>/extensions/libTaniumConfig.dylib.sig | ||
| Linux endpoints | For SBOM add-in | Process |
<Tanium Client>/Tools/BOM/bin/syft |
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.so | ||
| File | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig | ||
| File | <Tanium Client>/libTaniumClientExtensions.so | ||
| File | <Tanium Client>/libTaniumClientExtensions.so.sig | ||
| File | <Tanium Client>/extensions/libSupportCX.so | ||
| File | <Tanium Client>/extensions/libSupportCX.so.sig | ||
| File | <Tanium Client>/extensions/libTaniumConfig.so | ||
| File | <Tanium Client>/extensions/libTaniumConfig.so.sig |
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, a security administrator might need to allow the following URLs on the Tanium Module Server for the Asset service.
- ServiceNow instance (yourcompany.service-now.com)
User role requirements
The following tables list the role permissions required to use Asset. To review a summary of the predefined roles, see Set up Asset users.
Do not assign the Asset Service Account and Asset Service Account - All Content Sets roles to users. These roles are for internal purposes only.
For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.
| Permission | Asset Administrator1 | Asset Operator1 | Asset User1,5 | Asset Report Reader1,5 | Asset Endpoint Configuration Approver1,2 |
|---|---|---|---|---|---|
|
Asset View Asset workbench |
SHOW |
SHOW |
SHOW |
SHOW |
SHOW |
|
Asset Configuration Item Configure all aspects of Asset (service settings, schedules, attributes, destinations) |
WRITE |
WRITE |
|
|
|
|
Asset Endpoint Configuration Approve Asset configuration changes in the Endpoint Configuration service |
|
|
|
|
APPROVE |
|
Asset Report View, create, edit, and delete reports and views |
READ WRITE |
READ WRITE |
READ WRITE3 |
READ |
|
|
Asset Service Configure all aspects of Asset services |
CONFIGURE |
|
|
|
|
|
Asset Trends Integration Service Account Provide access for module service accounts to read and write data, and to define sources and boards |
|
EXECUTE4 |
|
|
|
|
1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. 2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements. 3 For owned reports and views only. 4 Grants access to content in the Reserved content set. 5 This role can only view the Reports and Views pages. |
|||||
| Permission | Permission Type | Asset Administrator1 | Asset Operator1 | Asset User1 | Asset Report Reader1 | Asset Endpoint Configuration Approver1 |
|---|---|---|---|---|---|---|
| Action Group | Administration |
READ WRITE |
READ WRITE |
READ |
READ |
|
| User Group | Administration |
READ |
READ |
|
|
|
|
Action |
Platform Content |
READ WRITE |
READ WRITE |
|
|
|
|
Filter Group |
Platform Content |
READ |
READ |
|
|
|
|
Own Action |
Platform Content |
READ |
READ |
|
|
|
|
Package |
Platform Content |
READ |
READ |
|
|
|
|
Plugin |
Platform Content |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
|
Sensor |
Platform Content |
READ |
READ |
READ |
READ |
|
|
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. 1 This role provides content set permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. |
||||||
| Role | Enables |
|---|---|
| Connect Administrator (prior to Connect 4.8 only) | Create, edit, or delete a Flexera destination |
| Connect User |
Create, edit, or delete a Flexera destination |
| Tanium Administrator |
Create scheduled actions for the file evidence content for Flexera destinations |
Last updated: 2/7/2023 4:59 PM | Feedback