Creating a Software Bill of Materials

The Software Bill of Materials (SBOM) add-in for Asset uses Tanium™ Client Index Extension (Index CX) to generate an SBOM for Windows, macOS, and Linux endpoints.

When you have a complete inventory of the software on endpoints, including dependencies, you can quickly respond to emergent vulnerabilities that are identified in a specific component.

This add-in requires a license for Asset plus an additional license for SBOM.

Overview

The SBOM add-in identifies candidate files on the endpoint by querying Index CX, which has indexed the file system, for the files and file types that you specify in the SBOM profile.

The identified files are then processed to define and extract their software bill of materials, providing identifying details such as the dependency name and version.

For a list of changes for each SBOM release, see the SBOM release notes.

If you deployed SBOM to endpoints before the release that introduced SBOM profiles, earlier SBOM data is removed from endpoints when an SBOM profile is pushed to the endpoint. For additional details, see the SBOM release notes.

Requirements

Required dependencies

  • Asset 1.24.76 or later
  • Tanium Client 7.4 or later
  • Tanium Client Index Extension (installed as part of Asset 1.24.76 or later)
  • Extras Client Extension (installed as part of Asset 1.24.76 or later)
  • Software Manager Client Extension (installed as part of Asset 1.24.76 or later)

Tanium Client Index Extension (Index CX) is required for the proper operation of Software Manager CX. Removing or disabling Index CX makes SBOM, and other modules and features that depend on it, inoperable.

Required RBAC permissions

To view SBOM content, you must be assigned the Administrator reserved role and have permission to access the SBOM content set. For more information, see Tanium Console User Guide: Manage content set permissions for a role. To work with SBOM content, you must have the required RBAC permission for the operation. For more information, see Tanium Console User Guide: Action management permissions.

Supported operating systems

The following endpoint operating systems are supported for use with SBOM:

Operating System / Version / Notes

Windows
  Version:
    • Windows 7 SP1 or later
    • Windows Server 2008 R2 SP1 or later
  Notes:
    • 32-bit (x86)* and 64-bit (x64)
    • Windows 7 SP1 requires Microsoft KB2758857.
    • Windows Server 2008 R2 SP1 requires Microsoft KB2758857.

macOS
  Version: Same as Tanium Client support
  Notes: 32-bit (x86)* and 64-bit (x64 and arm64)

Linux
  Version: Same as Tanium Client support
  Notes: 32-bit (x86)* and 64-bit (x64 and aarch64)

* Go file types are not supported for identification on 32-bit (x86) systems.

Supported ecosystems

SBOM supports scanning for these file types:

  • Java
  • JavaScript
  • Python
  • Ruby
  • PHP
  • Go
  • Native library files*

* Native library files include shared libraries and executable files for the endpoint operating system.

For a list of specific files and file types that are supported for scanning, see Reference: SBOM files and file types.

Install SBOM

Upgrade from SBOM 1.x to SBOM 2.x

Before you begin

Read the upgrade notes.

If you upgrade from SBOM 1.x to SBOM 2.x, SBOM 1.x data is removed from endpoints when an SBOM 2.x profile is pushed to the endpoint.

Install SBOM 2.x and later

  1. Sign in to the Tanium Console with an account that has the Administrator reserved role.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. In the Content section, select the row for SBOM and click Install.
  4. Review the content to import and click Begin Install.
  5. Depending on your Tanium Server configuration, enter your credentials and click Submit, or click Yes.

Work with SBOM profiles

Create an SBOM profile

Create an SBOM profile to configure SBOM settings for targeted endpoints so that you can generate and gather SBOM data.

  1. From the Asset menu, click Inventory Management > Profiles.
  2. Click Create Profile.
  3. In the General Information section, specify the Profile Name and optional Profile Description.
  4. In the Target section, click Select Computer Groups.
  5. Select one or more computer groups to target with this profile and click Save.

    Target only endpoints on operating systems that are supported by SBOM.

  6. In the Candidate Ecosystems section, select the file types to identify on targeted endpoints.
  7. In the Settings section, adjust the Index CX settings as needed:
    Setting: Tanium Index Scan Frequency
    Description: Controls how often the Tanium Index scan runs.

    Setting: Tanium Index First Scan Distribute Over Time
    Description: Sets the time distribution for the initial Tanium Index scan.

    Setting: File Exclusions by Regular Expression
    Description: Use a regular expression to specify files to exclude from file system indexes.

    Setting: Directory Exclusions by Regular Expression
    Description: Use a regular expression to specify directories to exclude from file system indexes.

    Use directory exclusions rather than file exclusions, since directory exclusions are more efficient.

    • The SBOM Index subscription calculates SHA-256 hashes and limits the scope of the scan to all local drives.
    • If you updated any Index CX settings through the configuration options in another module that uses Index CX, such as Threat Response, those changes are not applied to the SBOM Index subscription. If you updated these settings globally, by using the TaniumClient config command or by deploying an action to endpoints to update the settings, those changes are applied to the SBOM Index subscription.
  8. Click Create.

The initial Index CX scan must finish before you can review SBOM results. The timing of the first scan depends on the Tanium Index First Scan Distribute Over Time setting in the SBOM profile.

Edit an SBOM profile

  1. From the Asset menu, click Inventory Management > Profiles.
  2. Select the profile.
  3. Click Edit.
  4. Make the necessary changes and click Save.

Delete an SBOM profile

  1. From the Asset menu, click Inventory Management > Profiles.
  2. Select one or more profiles and click Delete.

When you delete a profile, the SBOM Index CX subscription is removed for endpoints that were targeted by that profile.

View SBOM results

View SBOM results in Asset

You can view SBOM results on the Tracked Components & Libraries page. The Libraries section of this page shows the results of this question: Get SBOM Packages from all machines with SBOM Has Results contains true.

  1. From the Asset menu, click Software Bill of Materials > Libraries.

Use the Filter by text field to filter the results.

View SBOM results in Interact

If you want to drill down further into the SBOM results, you can ask a question in Interact using one of the SBOM Packages sensors.

  1. From the Main menu, click Modules > Interact.
  2. Ask a question using one of the SBOM Packages sensors: SBOM Packages, SBOM Package Information Filtered By, or SBOM Package Information For Hash with SBOM Has Results contains true.

    For example, ask this question: Get SBOM Packages from all machines with SBOM Has Results contains true.

  3. Drill down into the results to review the data. For example, you can select a package and drill down using Computer Name to determine the endpoints on which the component is installed.

Track libraries and vendors

You can track libraries and vendors to monitor the endpoints on which a specific library or version exists. When you enable tracking, a new reserved entity, named SBOM Package Information - <library or vendor name> - type, with a set of attributes for the tracked component is created and enabled for collection in Asset. A new SBOM report using the attributes, also named SBOM Package Information - <library or vendor name> - type, is automatically created and populated after the first data collection.

  1. From the Asset menu, click Software Bill of Materials > Tracked Components & Libraries.
  2. In the Libraries section, select the row for the library or vendor that you want to track.
    You can track multiple components concurrently, but you must enable tracking on each one separately.
  3. Click Enable Tracking.
  4. Select the keys that you want to track: name and/or vendor.
  5. Click Track.

Do not track more than 20 components at a time, to reduce the possibility of performance impacts.

Manage tracked components

Tracked components are libraries and vendors for which you enabled tracking in the Libraries section of the Tracked Components & Libraries page. For more information about tracking libraries and vendors, see Track libraries and vendors. If needed, you can disable, enable or stop tracking components.

Disable a tracked component

When you disable a tracked component, the corresponding attributes are disabled, but the attributes and report remain.

  1. From the Asset menu, click Software Bill of Materials > Tracked Components & Libraries.
  2. In the Tracked Components section, select the row for the tracked component that you want to disable.
  3. Click Disable.

The status for the tracked component changes to Disabled.

Enable a tracked component

If you previously disabled a tracked component, you can re-enable tracking to move the corresponding attributes back to a Ready state and re-activate the corresponding report.

  1. From the Asset menu, click Software Bill of Materials > Tracked Components & Libraries.
  2. In the Tracked Components section, select the row for the disabled component that you want to enable.
  3. Click Enable.

The status for the tracked component changes to Enabled.

Stop tracking a component

When you stop tracking a tracked component, the corresponding attributes and report are deleted.

  1. From the Asset menu, click Software Bill of Materials > Tracked Components & Libraries.
  2. In the Tracked Components section, select the row for the component that you want to stop tracking.
  3. Click Stop Tracking.
  4. Click Yes to confirm your action.

The tracked component and associated report are deleted. The status for the corresponding attributes changes to Deleting, and they are deleted from the Asset database on the next scheduled load of data from the Tanium source for Asset. For more information, see Configure the Tanium source, Schedule and run Asset data imports, and View Asset data imports.

View reports for tracked components

When you enable tracking for a library or vendor, a report that uses the associated attributes is automatically generated. You can view these automatically-generated reports for tracked components on the SBOM Reports page.

  1. From the Asset menu, click Software Bill of Materials > SBOM Reports.
  2. Click the name of the report that you want to view.

    Reports for actively tracked components have a Ready status. Reports for tracked components that are disabled have a Disabled status and are not updated.

For more information about working with reports, see Work with existing reports.

You can also view the reports from the Asset Reports page.

Create custom reports

Create a custom report in Asset that includes columns with SBOM Packages to review SBOM data.

Create a report to show all SBOM package details

Add the required attributes

Add SBOM attributes as available columns in the Asset database so that you can include them in reports.

  1. From the Asset menu, click Inventory Management > Attributes > Add Attribute. If you enabled custom sources, click Inventory Management > Attributes > Add Attribute > Add Existing Attribute.
  2. Expand the section for SBOM Packages.
  3. (Optional) As a best practice, click Settings next to one of the SBOM Packages attributes and select Multiple Rows for a Computer.
  4. Select the five attributes for this entity: CPE, Name, Type, Vendor, and Version.
  5. Click Add in the section for SBOM Packages.
  6. Click Add Attributes.

The attribute status is Pending until the next import job runs, which occurs approximately once per hour. Wait until the attribute status is Ready before you create a report. For more information about adding attributes, see Configure additional Tanium attributes. To run the import job immediately, see View schedule and run import.

Create the report

  1. From the Asset menu, click Reports.
  2. Click Create Custom Report.
  3. Specify a Name and optional Description.
  4. (Optional) Select Enabled for Summary Report if you want the data grouped into rows with an associated count that you can click to view more details.
  5. In the Select Report Columns from Asset Tables section, expand the Asset table.
  6. Select the CPE, Name, Type, Vendor, and Version attributes.
  7. Click Add selected.
  8. Click Submit.

For more information about creating reports, see Create a report.

Create a report to show SBOM package details for a specific component

If you need to determine which endpoints have a specific component installed, create a report that uses attributes from the SBOM Discovered Package Information For Name entity. The following example looks for instances of log4j on endpoints, but you can substitute that value with another component name.

Add the required attributes

Add SBOM attributes as available columns in the Asset database so that you can include them in reports.

  1. From the Asset menu, click Inventory Management > Attributes > Add Attribute. If you enabled custom sources, click Inventory Management > Attributes > Add Attribute > Add Existing Attribute.
  2. Expand the section for SBOM Package Information Filtered By.
  3. Select the attributes for this entity: CPE, Library Hash, Name, Package Hash, Parent, Type, Vendor, and Version.
  4. Click Add in the section for SBOM Package Information Filtered By.
  5. Specify the details on the Create Instance of Entity: SBOM Discovered Package Information For Name page:
    1. Change the Entity Name to a value you can use to identify this entity set later, such as SBOM Package Information For Log4J.
    2. In the Name field, specify the component that you want to look for, such as log4j.
    3. In the Select storage method for data section, select Multiple Rows for a Computer.
    4. Click Next.
    5. Click Create.
  6. Review the attributes and click Add Attributes.

The attribute status is Pending until the next import job runs, which occurs approximately once per hour. Wait until the attribute status is Ready before you create a report. For more information about adding attributes, see Configure additional Tanium attributes. To run the import job immediately, see View schedule and run import.

Create the report

  1. From the Asset menu, click Reports.
  2. Click Create Custom Report.
  3. Specify a Name and optional Description.
  4. (Optional) Select Enabled for Summary Report if you want the data grouped into rows with an associated count that you can click to view more details.
  5. In the Select Report Columns from Asset Tables section, expand the Asset table.
  6. Select the CPE, Library Hash, Name, Package Hash, Parent, Type, Vendor, and Version attributes.
  7. Click Add selected.
  8. Click Submit.

For more information about creating reports, see Create a report.


Export SBOM data

Create a view to export SBOM data to a destination, such as Tanium Connect, Flexera FlexNet Manager Suite, or ServiceNow. The steps to create a view vary based on the destination. For more information, see Configuring views.

SBOM Sensors

SBOM uses the following sensors. Do not delete these sensors from the Tanium Server.

Sensor: SBOM Has Results
Description: Returns true if the endpoint processed BOMs and components were found.

Sensor: SBOM Package Information Filtered By
Description: Returns the SBOM package information from endpoints, filtered by a specific field and value. Includes these columns: Name, Vendor, Version, CPE, Type, Library Hash, Parent, Package Hash.
  Use a regular expression to specify the version. The version field supports Perl-style syntax, except for backreferences. Leave the field blank to match any version.

Sensor: SBOM Package Information For Hash
Description: Returns the SBOM package detailed information from endpoints, filtered by a specific hash. Includes these columns: Name, Vendor, Version, CPE, Type, Library Hash, Parent, Package Hash.

Sensor: SBOM Packages
Description: Returns an overview of the SBOM package information from endpoints. Includes these columns: Name, Vendor, Version, CPE, Type.

Sensor: SBOM Packages Count
Description: Returns the count of all discovered packages on the endpoint.

Sensor: SBOM Packages Filtered By
Description: Returns an overview of the SBOM package information from endpoints for the specified Name, Vendor, Version, or Ecosystem.
  Use a regular expression to specify the version. The version field supports Perl-style syntax, except for backreferences. Leave the field blank to match any version.
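The version field of the SBOM Package Information Filtered By and SBOM Packages Filtered By sensors accepts a Perl-style regular expression without backreferences, and a blank field matches any version. The following Python script, added here as an example and not part of the Tanium documentation or product, checks a candidate version pattern against a constructed list of version strings before the pattern is used in a sensor question; the sample versions, the illustrative range (2.x releases below 2.15) and the backreference detector are assumptions made for this example.

```python
import re

# Constructed sample of Version column values, as an SBOM Packages sensor might return them.
SAMPLE_VERSIONS = ["2.0", "2.14.1", "2.15.0", "2.17.2", "1.2.17", "2.14.1-SNAPSHOT"]

# Constructed illustrative range for the sensor's version field: any 2.x release
# below 2.15. Anchored with ^ and $ so that "2.14.1-SNAPSHOT" and "12.0" do not match.
RANGE_2X_BELOW_2_15 = r"^2\.(?:[0-9]|1[0-4])(?:\.[0-9]+)*$"

# Heuristic (an assumption, not the sensor's own parser) for the Perl backreference
# forms \1..\9, \gN or \g{N}, and \k<name>, which the version field does not support.
_BACKREF = re.compile(r"\\(?:[1-9]|g\{?[0-9]|k<)")


def has_backreference(pattern: str) -> bool:
    """Return True if the pattern uses a backreference that the version field rejects."""
    return _BACKREF.search(pattern) is not None


def matching_versions(pattern: str, versions: list[str]) -> list[str]:
    """Return the versions that the pattern would select.

    An empty pattern matches every version, mirroring "leave the field blank to
    match any version". Patterns with backreferences are rejected up front so
    the mistake is caught before the question is asked in Interact.
    """
    if pattern == "":
        return list(versions)
    if has_backreference(pattern):
        raise ValueError("version field does not support backreferences")
    rx = re.compile(pattern)  # Python's re accepts the same Perl-style syntax used here
    return [v for v in versions if rx.search(v)]


if __name__ == "__main__":
    print(matching_versions(RANGE_2X_BELOW_2_15, SAMPLE_VERSIONS))  # ['2.0', '2.14.1']
```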