Creating a Software Bill of Materials

The Software Bill of Materials (SBOM) add-in for Asset uses Tanium™ Client Index Extension (Index CX) to direct the generation of an SBOM for Windows, macOS, and Linux endpoints.

This add-in requires a license for Asset plus an additional license for SBOM.

When you have a complete inventory of the software on endpoints, including dependencies, you can quickly respond to emergent vulnerabilities that are identified in a specific component.

Overview

The SBOM add-in identifies interesting or candidate files on the endpoint, based on your choices, and then assesses those files to build the software bill of materials.

SBOM identifies the candidate files by querying Index CX, which has indexed the file system, for the files and file types that you specify to the Tanium SBOM engine.

The identified files are then processed to define and extract their software bill of materials, providing identifying details such as the dependency name and version.

The SBOM installation process creates a new subscription to Client Index Extension (Index CX) for SBOM with these parameters:

  • Tanium Index Scan Frequency (ScanFrequencyMinutes) is set to one week.
  • Tanium Index First Scan Distribute Over Time (FirstScanDistributeOverTimeMinutes) is set to 24 hours.
  • SHA-256 hashes are calculated.
  • The scope of the scan is limited to all local drives.

If you updated any of these settings through the configuration options in another module that uses Index CX, such as Threat Response, those changes are not applied to the SBOM Index subscription. If you updated these settings globally, by using the TaniumClient config command or by deploying an action to endpoints to update the settings, those changes are applied to the SBOM Index subscription.

Requirements

Required dependency

Required RBAC permissions

To view SBOM content, you must be assigned the Administrator reserved role or a role with permission to access the SBOM content set. For more information, see Tanium Console User Guide: Manage content set permissions for a role. To work with SBOM content, you must have the required RBAC permission for the operation. For more information, see Tanium Console User Guide: Action management permissions.

Supported operating systems

The following endpoint operating systems are supported for use with SBOM.

Windows
  • Version: Windows 7 SP1 or later; Windows Server 2008 R2 SP1 or later
  • Notes: 64-bit only (x64). Windows 7 SP1 and Windows Server 2008 R2 SP1 require Microsoft KB2758857.

macOS
  • Version: Same as Tanium Client support
  • Notes: 64-bit only (x64 and arm64)

Linux
  • Version: Same as Tanium Client support
  • Notes: 64-bit only (x64 and aarch64)

Supported binary file types

SBOM supports scanning for these binary file types:

  • Java (JAR, PAR, SAR, WAR, EAR, JHI, JPI, LPKG)
  • JavaScript (NODE, NPM)
  • Python
  • PHP (Composer)
  • Ruby (GEM)
  • GoLang

SBOM also supports scanning for OpenSSL shared libraries.

Before you begin

Create an SBOM action group

As a best practice, create a separate action group to use when you target endpoints for SBOM. Limit this action group to endpoints on operating systems that are supported by SBOM. For steps to create an action group, see Tanium Console User Guide: Create an action group.

Optional: Generate key files for your SFTP server

If you plan to upload SBOM results to a central location via SFTP, you must generate key files for your SFTP server. Generate key files (KEY and PPK) for your SFTP server with these file names: upload_key.key and upload_key.ppk.

Import the SBOM content

  1. Sign in to the Tanium Console with an account that has the Administrator reserved role.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. In the Content section, select the row for SBOM and click Install.
  4. Review the content to import and click Begin Install.
  5. Depending on your Tanium Server configuration, enter your credentials and click Submit, or click Yes.

Deploy SBOM tools to endpoints

Use an action to deploy the SBOM tools to endpoints so that you can generate and gather data. For more information about the configuration options that are available when you deploy actions, see Interact User Guide: Deploying actions.

If you upgrade SBOM to a newer version, redeploy SBOM tools to endpoints to ensure that endpoints are using the latest version.

Before you begin

If you did not already create an SBOM action group in the preceding Before you begin section, as a best practice, create a separate action group to use when you target endpoints for SBOM. Limit this action group to endpoints on operating systems that are supported by SBOM. For steps to create an action group, see Tanium Console User Guide: Create an action group. SBOM cannot install tools on endpoints with action locks turned on. See Tanium Console User Guide: Managing action locks.

  1. From the Main menu, click Modules > Interact.
  2. In the Dashboards section, click the SBOM Status dashboard.
  3. In the SBOM Deployment Details report, select the row with SBOM Tools deployment required.
  4. Click Deploy Action.

    The Action Deployment page for the Distribute SBOM Tools package opens.

  5. (Optional) Set the Deployment Schedule for the action.

    Use a recurring action with a deployment schedule to keep SBOM tools up to date on endpoints.

  6. In the Targeting Criteria section, select the Action Group to which you want to deploy the SBOM tools.

    Use the SBOM action group that you created in the Before you begin steps.

  7. Click Show preview to continue.
  8. Click Deploy Action.
  9. Review the estimated clients affected and, if you want to proceed, click Confirm.
  10. Depending on your Tanium Server configuration, enter your credentials and click Submit, or click Yes.

    The Action Status page appears. The States of machines section shows Completed for all machines when the deployment completes. You can also ask the Get SBOM Deployment Details from all machines question in Interact to verify the status of the tools installations.

    After the tools deploy, Client Index Extension must run on the endpoint before you can generate an SBOM. This index scan is randomized over a period of time to balance resource use and can take up to a day to complete.

Gather SBOM results

After you deploy the SBOM tools to endpoints, use the SBOM Generate data package to identify candidate files and generate their SBOMs on endpoints. For more information about the configuration options that are available when you deploy actions, see Interact User Guide: Deploying actions. SBOM cannot gather results from endpoints with action locks turned on. See Tanium Console User Guide: Managing action locks.

The initial Client Index Extension scan must finish before you can gather SBOM results. Because this scan is randomized over a period of time to balance resource use, it can take up to a day to complete. Subsequent changes on the endpoint can take up to a week to be reflected in the Index data store.

Before you begin

If you did not already create an SBOM action group in one of the preceding tasks, as a best practice, create a separate action group to use when you target endpoints for SBOM. Limit this action group to endpoints on operating systems that are supported by SBOM. If you already created an action group to use when you deployed the SBOM tools, you can use the same action group for this task. For steps to create an action group, see Tanium Console User Guide: Create an action group.

  1. From the Main menu, click Modules > Interact.
  2. Ask this question: Get Online from all machines with SBOM Results Age > <results age> where <results age> matches a value returned by the SBOM Results Age sensor. For details, see SBOM Results Age.

    Use a recurring action with a deployment schedule to keep SBOM results files up to date on endpoints.

  3. Select the row with True in the Online column.
  4. Click Deploy Action.
  5. In the Deployment Package section, select the Gather SBOM Data package.
  6. Provide a Name and optional Description for the action.
  7. Specify the parameters for the package:
    Work Percentage

    Sets a throttle for resource utilization as the percentage of work time versus idle time. After working n seconds, the engine delays (1 / (work percentage / 100) * n) - n seconds.

    A lower number creates less load on the endpoint, but scans take longer.

    Enable Java

    Enabled by default. Returns results for JAR, PAR, SAR, WAR, EAR, JHI, JPI, and LPKG binary files on the endpoint.

    Enable JavaScript

    Includes JavaScript binary files (Node and NPM) in the results.

    Enable Python

    Includes Python binary files in the results.

    Enable PHP

    Includes PHP (Composer) binary files in the results.

    Enable Ruby

    Includes Ruby binary files (GEM) in the results.

    GoLang Binaries

    Scans all of the binary files on the endpoint, determines whether each file is a GoLang binary file, and includes the GoLang binary files in the results.

    This scan can have a significant performance impact on the endpoint. If you enable this setting, set exclusion paths in the Exclude Paths field to minimize the impact, or run GoLang scans separately from other file types and schedule the action to run during off hours.

    OpenSSL Shared Libs

    Scans for OpenSSL shared libraries on the endpoint.

    If you run OpenSSL scans separately from other file types, clear the Use Exclude Paths option. The default exclude paths might be relevant for OpenSSL scans, and leaving them out of the exclusion list should not significantly impact the performance of the scan.

    Include Paths

    Leave this field blank to scan all directories. If you specify paths in this field, only those paths are included in results. You can specify paths using literal strings or regular expressions. All literal strings and regular expressions evaluate as CONTAINS, meaning that they are evaluated as a search rather than a match. If you specify paths using regular expressions, select Includes are RegExp.

    SBOM scans only the paths that are scanned by the Client Index Extension.

    Includes are RegExp

    Select this parameter if you specified path inclusions using regular expressions.

    Exclude Paths

    Excludes the system folders for the operating system by default. For example, C:\ProgramData\Microsoft is excluded by default on Windows endpoints.

    Add additional paths to exclude from results. You can specify paths using literal strings or regular expressions. All literal strings and regular expressions evaluate as CONTAINS, meaning that they are evaluated as a search rather than a match. If you specify paths using regular expressions, select Excludes are RegExp.

    Excludes are RegExp

    Select this parameter if you specified path exclusions using regular expressions.

    Ignore case

    Select this parameter to ignore case in path inclusions and exclusions.

    Exclude Tanium Folders

    Selected by default. Excludes Tanium folders from results.

    Clear Old Results

    Selected by default. Clears the existing results before building a new results file.

    In some scenarios, you might want to run several actions on the endpoint using different parameters. Clear this parameter to keep the results from each run. For example, if you want to include GoLang binary files in results, but you want to minimize the impact on performance, you can run one scan that includes Java files in the results and schedule a second scan that includes only GoLang binary files that runs during off hours.

  8. (Optional) Set the Deployment Schedule for the action.

    Use a recurring action with a deployment schedule of 24 or 48 hours to keep SBOM data up to date.

  9. In the Targeting Criteria section, select the Action Group from which you want to gather SBOM results files.
  10. Click Show preview to continue.
  11. Click Deploy Action.
  12. Review the estimated clients affected and, if you want to proceed, click Confirm.
  13. Depending on your Tanium Server configuration, enter your credentials and click Submit, or click Yes.

    The Action Status page appears. Wait until the States of machines section shows Completed for all machines before you attempt to review SBOM data. You can also ask the Get SBOM Has Results from all machines question in Interact to verify the status of SBOM generation.
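As an added illustration of the Include Paths, Exclude Paths, Ignore case and Work Percentage parameters described in the Gather SBOM Data parameter table above (this is not the SBOM engine's own code), the following Python applies the documented CONTAINS rule, the RegExp and Ignore case options, and the delay formula to a constructed set of candidate paths. The default exclusion C:\ProgramData\Microsoft is the one quoted in the table; the other paths are made up for the example.

```python
import re

# Constructed sample of candidate paths of the kind Index CX returns to the
# SBOM engine (illustrative values only, not real Tanium output).
CANDIDATES = [
    r"C:\ProgramData\Microsoft\Something\log4j-core-2.14.1.jar",
    r"C:\Program Files\Tanium\Tanium Client\Tools\BOM\bin\bomgen.exe",
    r"C:\Apps\web\WEB-INF\lib\log4j-core-2.17.1.jar",
    "/opt/app/node_modules/lodash/package.json",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3",
    "/home/dev/venv/lib/python3.11/site-packages/requests/__init__.py",
]

# Default exclusion named in the Exclude Paths description (Windows example).
DEFAULT_EXCLUDES = [r"C:\ProgramData\Microsoft"]


def _contains(path, patterns, as_regex, ignore_case):
    """CONTAINS semantics: a pattern matches if it is found anywhere in the
    path. Literals use substring search; regular expressions use re.search
    (a search, not an anchored match), as the help text describes."""
    if as_regex:
        flags = re.IGNORECASE if ignore_case else 0
        return any(re.search(p, path, flags) for p in patterns)
    if ignore_case:
        path = path.lower()
        return any(p.lower() in path for p in patterns)
    return any(p in path for p in patterns)


def filter_candidates(paths, include=(), includes_regex=False,
                      exclude=(), excludes_regex=False,
                      ignore_case=False, use_exclude_paths=True):
    """Apply the Include Paths / Exclude Paths parameters as documented:
    an empty include list means every path is a candidate; a path is kept
    only if it matches an include (when any are given) and no exclude.
    use_exclude_paths=False models clearing 'Use Exclude Paths' for an
    OpenSSL-only run, so the default system folders are scanned too."""
    kept = []
    for path in paths:
        if include and not _contains(path, include, includes_regex, ignore_case):
            continue
        if use_exclude_paths and exclude and _contains(path, exclude, excludes_regex, ignore_case):
            continue
        kept.append(path)
    return kept


def throttle_delay(work_percentage, n):
    """Idle seconds the engine inserts after working n seconds, from the Work
    Percentage description: (1 / (work percentage / 100) * n) - n.
    The range check is an assumption added here, not documented behaviour."""
    if not 0 < work_percentage <= 100:
        raise ValueError("work percentage must be in (0, 100]")
    return (1 / (work_percentage / 100) * n) - n


if __name__ == "__main__":
    # Default run: only the system-folder exclusion applies.
    print(filter_candidates(CANDIDATES, exclude=DEFAULT_EXCLUDES))
    # Regex include restricted to log4j-core JARs. A literal "lib" would also
    # hit /usr/lib and site-packages, because CONTAINS is a search.
    print(filter_candidates(CANDIDATES, include=[r"log4j-core-[\d.]+\.jar$"],
                            includes_regex=True, exclude=DEFAULT_EXCLUDES))
    # Case matters unless Ignore case is selected.
    print(filter_candidates(CANDIDATES, include=["web-inf"], ignore_case=True))
    # Work Percentage 25 with a 2-second work slice: 6 seconds idle (25% duty cycle).
    print(throttle_delay(25, 2.0))
```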

Review SBOM results

Ask questions in Interact

  1. From the Main menu, click Modules > Interact.
  2. Ask this question: Get SBOM Discovered Packages from all machines with SBOM Has Results contains true.
  3. Drill down into the results to review the data. For example, you can select a package and drill down using Computer Name to determine the endpoints on which the component is installed.

Review dashboards

SBOM includes an SBOM Reports dashboard that contains three reports that show data related to known vulnerabilities that are identified by versions of specific software on an endpoint: SBOM Report: openssl, SBOM Report: apache-commons-text, SBOM Report: spring-beans, SBOM Report: log4j-core, and SBOM Report: struts. These reports might be empty if no endpoints in your environment returned SBOMs that contain components that match these vulnerabilities. These reports include all versions of the associated components, not only versions with known vulnerabilities. You can create custom reports to return results on other packages.

  1. From the Main menu, click Modules > Interact.
  2. In the Dashboards section, click the SBOM Reports dashboard.
  3. Review the data in each report.

Create reports

You can create a custom report in Asset that includes columns with SBOM Packages to review SBOM data.

Create a report to show all SBOM package details

Add the required attributes

Add SBOM attributes as available columns in the Asset database so that you can include them in reports.

  1. From the Asset menu, click Inventory Management > Attributes.
  2. Click Add Attribute.
  3. Expand the section for SBOM Discovered Packages.
  4. (Optional) As a best practice, click Settings next to one of the SBOM Discovered Packages attributes and select Multiple Rows for a Computer.
  5. Select the four attributes for this entity: CPE, Name, Type, and Version.
  6. Click Add in the section for SBOM Discovered Packages.
  7. Review the attributes and click Add Attributes.

The attribute status is Pending until the next import job runs. Wait until the attribute status is Ready before you create a report. For more information about adding attributes, see Configure additional Tanium attributes. To run the import job immediately, see View schedule and run import. The attributes will be available after the next import job runs, which occurs approximately once per hour.

Create the report

  1. From the Asset menu, click Reports.
  2. Click Create Custom Report.
  3. Specify a Name and optional Description.
  4. (Optional) Select Enabled for Summary Report if you want the data grouped into rows with an associated count that you can click to view more details.
  5. In the Select Report Columns from Asset Tables section, expand the Asset table.
  6. Select the CPE, Name, Type, and Version attributes.
  7. Click Add selected.
  8. Click Submit.

For more information about creating reports, see Create a report.



Create a report to show SBOM package details for a specific component

If you need to determine which endpoints have a specific component installed, create a report that uses attributes from the SBOM Discovered Package Information For Name entity. The following example looks for instances of log4j on endpoints, but you can substitute that value with another component name.

Add the required attributes

Add SBOM attributes as available columns in the Asset database so that you can include them in reports.

  1. From the Asset menu, click Inventory Management > Attributes.
  2. Click Add Attribute.
  3. Expand the section for SBOM Discovered Package Information For Name.
  4. Select the seven attributes for this entity: CPE, Name, Parent, Parent SHA256 Hash, SHA1 Hash, Type, and Version.
  5. Click Add in the section for SBOM Discovered Package Information For Name.
  6. Specify the details on the Create Instance of Entity: SBOM Discovered Package Information For Name page:
    1. Change the Entity Name to a value you can use to identify this entity set later, such as SBOM Discovered Package Information For Log4J.
    2. In the Name field, specify the component that you want to look for, such as log4j.
    3. In the Select storage method for data section, select Multiple Rows for a Computer.
    4. Click Next.
    5. Click Create.
  7. Review the attributes and click Add Attributes.

The attribute status is Pending until the next import job runs. Wait until the attribute status is Ready before you create a report. For more information about adding attributes, see Configure additional Tanium attributes. To run the import job immediately, see View schedule and run import. The attributes will be available after the next import job runs, which occurs approximately once per hour.

Create the report

  1. From the Asset menu, click Reports.
  2. Click Create Custom Report.
  3. Specify a Name and optional Description.
  4. (Optional) Select Enabled for Summary Report if you want the data grouped into rows with an associated count that you can click to view more details.
  5. In the Select Report Columns from Asset Tables section, expand the Asset table.
  6. Select the CPE, Name, Parent, Parent SHA256 Hash, SHA1 Hash, Type, and Version attributes.
  7. Click Add selected.
  8. Click Submit.

For more information about creating reports, see Create a report.



Export SBOM data

Create a view to export SBOM data to a destination, such as Tanium Connect, Flexera FlexNet Manager Suite, or ServiceNow. The steps to create a view vary based on the destination. For more information, see Configuring views.

Upload SBOM data

The SBOM add-in includes two templates to use as a starting point for uploading SBOM results to a central location via SFTP using a passwordless key. For more information about the configuration options that are available when you deploy actions, see Interact User Guide: Deploying actions. SBOM cannot upload SBOM data from endpoints with action locks turned on. See Tanium Console User Guide: Managing action locks.

Windows endpoints use PuTTY for these actions, which is included with the SBOM tools. macOS and Linux endpoints use the native SFTP tool on the operating system. If the native tool does not exist or is not in the default path, these actions fail.

Before you begin

If you have not already done so, generate key files (KEY and PPK) for your SFTP server with these file names: upload_key.key and upload_key.ppk.

Make a copy of the template package before you customize the parameters in the package. If you do not first create a copy of the template, your changes will be lost if a new version of the package is released.

Configure the destination so that uploaded content cannot be read or listed from the server after it is uploaded.

Upload SBOM results

Deploy an action that runs the Upload SBOM Data package to upload SBOM results files to another server.

  1. From the Main menu, click Administration > Packages.
  2. Select the TEMPLATE - Upload SBOM Data package.
  3. Click Clone.
  4. Specify a Package Name and, optionally, update the Display Name.
  5. In the Files section, click the upload_key.key and upload_key.ppk files and add the KEY and PPK files for your SFTP server.
  6. In the Parameters section, specify values for the parameters in each section. Check the help text for details about each parameter.
    • Server Name/Address
    • Username
    • Destination Folder

      Leave this parameter blank to upload the file to the home directory of the user (username).

    • Filter Field
    • Filter Value
    • Initial Delay
  7. Click Save.
  8. On the Packages page, select the package that you updated.
  9. Click Deploy Action.

    The Action Deployment page for the Upload SBOM Data package opens.

  10. (Optional) Set the Deployment Schedule for the action.
  11. In the Targeting Criteria section, select the Action Group from which you want to upload the SBOM results files.
  12. Click Show preview to continue.
  13. Click Deploy Action.
  14. Review the estimated clients affected and, if you want to proceed, click Confirm.
  15. Depending on your Tanium Server configuration, enter your credentials and click Submit, or click Yes.

    The Action Status page appears. The States of machines section shows Completed for all machines when the SBOM results files for each targeted endpoint are uploaded to the external server.

Upload SBOM support information

If you experience issues when using SBOM, Tanium Support might request an SBOM support data file, which includes statistics files, log files, and files that show what parameters were used for input to the action. Deploy an action that runs the Upload SBOM Support Data package to upload SBOM support files to another server.

  1. From the Main menu, click Administration > Packages.
  2. Select the TEMPLATE - Upload SBOM Support Data package.
  3. Click Clone.
  4. Specify a Package Name and, optionally, update the Display Name.
  5. In the Files section, click the upload_key.key and upload_key.ppk files and add the KEY and PPK files for your SFTP server.
  6. In the Parameters section, specify values for the parameters in each section. Check the help text for details about each parameter.
    • Server Name/Address
    • Username
    • Destination Folder

      Leave this parameter blank to upload the file to the home directory of the user (username).

  7. Click Save.
  8. On the Packages page, select the package that you updated.
  9. Click Deploy Action.

    The Action Deployment page for the Upload SBOM Support Data package opens.

  10. (Optional) Set the Deployment Schedule for the action.
  11. In the Targeting Criteria section, select the Action Group from which you want to upload the SBOM support files.
  12. Click Show preview to continue.
  13. Click Deploy Action.
  14. Review the estimated clients affected and, if you want to proceed, click Confirm.
  15. Depending on your Tanium Server configuration, enter your credentials and click Submit, or click Yes.

    The Action Status page appears. The States of machines section shows Completed for all machines when the SBOM support files for each targeted endpoint are uploaded to the external server.

Generate a local SBOM support package

If you experience issues when using SBOM, Tanium Support might request an SBOM support data file, which includes statistics files, log files, and files that show what parameters were used for input to the action. If you want to upload that package to an external server, follow the steps in Upload SBOM support information. If you want to store the content on the endpoint for future transfer using another method, use an action to deploy the Store SBOM Support Data package, as described in the following steps. SBOM cannot generate a local SBOM support package on endpoints with action locks turned on. See Tanium Console User Guide: Managing action locks.

  1. Ask a question in Interact to return the endpoints on which you want to generate an SBOM support package.
  2. Select the row for those endpoints.
  3. Click Deploy Action.
  4. In the Deployment Package section, select the Store SBOM Support Data package.
  5. Provide a Name and optional Description for the action.
  6. (Optional) Set the Deployment Schedule for the action.
  7. In the Targeting Criteria section, select the Action Group on which you want to generate the SBOM support files.
  8. Click Show preview to continue.
  9. Click Deploy Action.
  10. Review the estimated clients affected and, if you want to proceed, click Confirm.
  11. Depending on your Tanium Server configuration, enter your credentials and click Submit, or click Yes.

    The Action Status page appears. The States of machines section shows Completed for all machines when the SBOM support files for each targeted endpoint are created.

    The Store SBOM Support Data package creates a Support folder in the Tanium Client\Tools\BOM folder on the endpoint, which contains a support.tgz file. The support.tgz file contains the following directories and files:

    • bom.ver: version of SBOM installed on the endpoint
    • stats.dat: statistics for several operations
    • Logs/log.txt: log files
    • input/index.dat: discovered libraries that are not OpenSSL, but were library types selected for scanning
    • input/index_sharedlibs.dat: discovered OpenSSL libraries, if OpenSSL was selected for scanning
    • input/combined.dat: merges index.dat and index_sharedlibs.dat. Non-OpenSSL discovered files are prefixed with interpreted_or_binary. OpenSSL discovered files are prefixed with sharedlib.
    • results_SBOM\results.dat: SBOM results file
    • results_SBOM\results.stat: statistics for the results file
    • bin\bomgen.ver: version of SBOM engine installed on the endpoint
    • gatherprogress: output of the SBOM Gather Status sensor
    • deployment.dat: endpoint OS information, IndexCX initialization status, and number of IndexCX scans started and completed

Uninstall SBOM

Remove SBOM content from endpoints

Deploy an action that runs the Uninstall SBOM package to remove SBOM files for tools and results from targeted endpoints. The Index subscription for SBOM is also removed. SBOM content remains on the Tanium Server. For more information about deploying actions, see Interact User Guide: Deploying actions.

Remove the SBOM add-in from your Tanium Server

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. In the Content section, select the Asset row.
  3. Click Delete Selected and then click Uninstall to complete the process.

The uninstall process does not remove the SBOM Reports and SBOM Results dashboards from Interact. After you uninstall SBOM, these dashboards do not display any data because the corresponding saved question is removed by the uninstall process. You can manually delete these dashboards. For more information, see Interact User Guide: Delete a category or dashboard configuration.

SBOM Sensors

SBOM Has Results
Returns true if the endpoint processed BOMs and components were found.

SBOM Deployment Details
Returns key-value pairs describing the status of the SBOM deployment, including versions expected (latest) versus discovered (currently installed).

SBOM Discovered Packages
Returns all of the SBOM package information from endpoints. Includes these columns: Name, Version, CPE, Type.

SBOM Discovered Packages Filtered By
Returns the SBOM package brief information from endpoints, filtered by a specific value. Includes these columns: Name, Version, CPE, Type.

SBOM Discovered Package Information Filtered By
Returns the SBOM package detailed information from endpoints, filtered by a specific value. Includes these columns: Name, Version, CPE, Type, SHA1 Hash, Parent, Parent SHA256 Hash.

SBOM Discovered Package Information For CPE
Returns the SBOM package detailed information from endpoints, filtered by a specific component CPE.

SBOM Discovered Package Information For Name
Returns the SBOM package detailed information from endpoints, filtered by a specific component name.

SBOM Discovered Package Stats
Returns counts of statistics regarding the discovered bill of materials, such as the number of components or components and versions.

SBOM Results Age

Returns the bracketed age of the SBOM results, based on the last destructive Gather SBOM Data run (a run with Clear Old Results selected). Possible values:

  • 0: SBOM is not deployed
  • 99999: no SBOM results returned
  • 12: results are 0-12 hours old
  • 24: results are 13-24 hours old
  • 48: results are 25-48 hours old
  • 72: results are 49-72 hours old
  • 96: results are 73-96 hours old
  • 120: results are 97-120 hours old
  • 168: results are 121 hours to 7 days old
  • 336: results are 8 days to 2 weeks old
  • 672: results are older than 15 days