Integrity Monitor requirements

Review the requirements before you install and use Integrity Monitor.

Core platform dependencies

Make sure that your environment meets the following requirements:

Tanium license that includes Client Management
Tanium™ Core Platform servers 7.4 or later
Tanium™ Client
- Windows: 7.2.314.3584 or later
- Linux, AIX, Solaris: Any supported version of Tanium Client
Any supported version of a Tanium Client

For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server Tanium Cloud automatically imports the computer groups that Client Management requires:

All AIX
All Linux
All Solaris
All Windows
All Windows Servers
All Windows Server 2022
All Windows Server 2019
All Windows Server 2016
All Windows Server 2012 R2
All Windows Server 2012
All Windows Server 2008 R2

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Client Management to function (required dependencies) or for specific Client Management features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Client Management dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Client Management requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Client Management, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Client Management to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Client Management, the server automatically updates those dependencies to the latest available versions.

If you select only Client Management to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Client Management has the following required dependencies at the specified minimum versions:

Tanium™ Client Index Extension^*
Tanium™ Client Recorder Extension^*
Tanium™ Endpoint Configuration 1.2 or later
Tanium™ Interact 2.4.50 or later
Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later
Tanium™ Trends 3.6 or later

^*= The required version of this client extension is installed as part of Client Management. The Client Recorder Extension also includes the Tanium Driver.

Feature-specific dependencies

Client Management has the following feature-specific dependencies at the specified minimum versions:

Tanium™ Connect 4.0 or later for event export
Tanium Connect 5.8.54 or later for watchlist data export

Client extensions

Tanium Endpoint Configuration installs client extensions for Client Management on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Client Management functions:

Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
Extras CX - Provides a helper library that contains re-usable functions for various client extensions to use. Tanium Asset, Tanium Discover, Tanium Integrity Monitor, and Tanium Investigate install this client extension.
Index CX - Provides the ability to index the local file systems on endpoints. Tanium Asset, Tanium Integrity Monitor, Tanium Reveal, or Tanium Threat Response installs this client extension.
Integrity Monitor CX - Provides Integrity Monitor functions on the endpoint. Tanium Integrity Monitor installs this client extension.
Recorder CX - Provides the ability to save event data on each endpoint and monitor the endpoint kernel and other low-level subsystems to capture a variety of events. Tanium Enforce, Tanium Integrity Monitor, Tanium Map, or Tanium Threat Response installs this client extension.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Integrity Monitor.

Operating System	Version	Notes
Windows	Windows 7 or later Windows Server 2008 R2 or later
Linux	Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.	Client Management uses the Client Recorder Extension when you enable the Collect process and user attribution information option for a monitor. The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux. The Client Recorder Extension provides SELinux policies for the following distributions and versions: Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x CentOS 5.4 and later, 6.x, 7.x, and 8.x Amazon Linux 2 LTS (2017.12) At this time, SELinux is not supported on other Linux distributions. For Linux endpoints: Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions. Be aware that when using immutable "-e 2" mode, the recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled. Be aware that when using the failure "-f 2" mode, the Linux kernel panics in the event that the auditd message is lost. The recorder does not add audit rules if this configuration is detected.
AIX	AIX 7.1.4 or later	The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file.
Solaris	Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

Disk space requirements

On managed endpoints, Integrity Monitor requires at least 1 GB of disk space. On installation, 100 MB is reserved on disk, and the database increases in size up to 1 GB before event pruning occurs. 3 GB is recommended. Free disk space is checked when a snapshot is requested.

CPU and memory requirements

The CPU demand on the endpoint averages less than 2.5% for each CPU core.

The Client Recorder Extension does not start on endpoints with a single logical core without updating the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To update CX.recorder.EnableSingleCpuRequirement to 0, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to appropriate endpoints. Alternatively, you can run the following command from the Tanium Client directory on endpoints to update this configuration setting:

(Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
(Linux) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

A minimum of 4 GB RAM is recommended on each endpoint device.

Permission recording requirements

Linux endpoints do not have any special requirements to monitor changes in file permissions.

To monitor changes in file permissions on Windows endpoints, you must configure the Audit File System permission under Local Security Policy on the endpoint. For more information, see Prepare Endpoints.

Client Recorder Extension

Integrity Monitor uses the Tanium™ Client Recorder Extension to gather data from endpoints when you enable the Collect process and user attribution information option for a monitor. For more information, see Client Recorder Extension User Guide.

Integrity Monitor does not use the Client Recorder Extension for Solaris and AIX endpoints.

Tanium Event Recorder Driver

Integrity Monitor uses the Tanium Event Recorder Driver to record file and registry events on supported Windows endpoints.

The Tanium Event Recorder Driver is installed automatically when you deploy a monitor with the Collect process and user attribution information option enabled. For more information, see Create or edit a monitor.

If the Tanium Event Recorder Driver is updated, endpoints that use Integrity Monitor require a reboot to see the recorder status.

Third-party software

To integrate Integrity Monitor with an IT workflow in ServiceNow Change Management, ServiceNow Madrid or later is required.

Host and network security requirements

Specific ports and processes are needed to run Integrity Monitor.

Ports

The following ports are required for Client Management communication.

Source	Destination	Port	Protocol	Purpose
Module Server	Module Server (loopback)	17456	TCP	Internal communication; firewall rules are not typically required

No additional ports are required.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Integrity Monitor security exclusions for Tanium Core Platform servers (Windows deployments only)
Target Device	Notes	Exclusion Type	Process
Tanium Module Server		Process	<Module Server>\services\integrity-monitor-service\node.exe
Tanium Module Server		Process	<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

Integrity Monitor security exclusions for endpoints
Endpoint OS	Notes	Exclusion Type	Process
Windows x86 and x64		File	<Tanium Client>\extensions\TaniumIndex.dll
		File	<Tanium Client>\extensions\TaniumIndex.dll.sig
		File	<Tanium Client>\extensions\TaniumIntegrityMonitor.dll
		File	<Tanium Client>\extensions\TaniumIntegrityMonitor.dll.sig
		File	<Tanium Client>\extensions\TaniumRecorder.dll
		File	<Tanium Client>\extensions\TaniumRecorder.dll.sig
		File	<Tanium Client>\extensions\recorder\proc.bin
		File	<Tanium Client>\extensions\recorder\recorder.db
		File	<Tanium Client>\extensions\recorder\recorder.db-shm
		File	<Tanium Client>\extensions\recorder\recorder.db-wal
		File	<Tanium Client>\extensions\index\index.db
		File	<Tanium Client>\extensions\index\index.db-shm
		File	<Tanium Client>\extensions\index\index.db-wal
		File	<Tanium Client>\TaniumClientExtensions.dll
		File	<Tanium Client>\TaniumClientExtensions.dll.sig
		Process	<Tanium Client>\TaniumCX.exe
		Folder	<Tanium Client>\extensions\index
		Folder	<Tanium Client>\extensions\integrity-monitor
		File	C:\Windows\System32\drivers\TaniumRecorderDrv.sys
		File	C:\Windows\system32\drivers\TaniumProcessMonitor.dll
		Process	<Tanium Client>\tools\driver\service\TaniumDriverSvc.exe
	x86 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverCtl.exe
	x86 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverSvc.exe
	x86 endpoints	File	<Tanium Client>\tools\driver\TaniumProcessMonitor.dll
	x64 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverCtl64.exe
	x64 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverSvc64.exe
	x64 endpoints	File	<Tanium Client>\tools\driver\TaniumProcessMonitor64.dll
	x64 endpoints	File	C:\Windows\SysWOW64\TaniumProcessMonitor.dll
Linux x86 and x64		Process	<Tanium Client>/extensions/recorder/TaniumAuditPipe
		File	<Tanium Client>/libTaniumClientExtensions.so
		File	<Tanium Client>/libTaniumClientExtensions.so.sig
		File	<Tanium Client>/extensions/libTaniumIndex.so
		File	<Tanium Client>/extensions/libTaniumIndex.so.sig
		File	<Tanium Client>/extensions/libTaniumIntegrityMonitor.so
		File	<Tanium Client>/extensions/libTaniumIntegrityMonitor.so.sig
		File	<Tanium Client>/extensions/libTaniumRecorder.so
		File	<Tanium Client>/extensions/libTaniumRecorder.so.sig
		File	<Tanium Client>/extensions/recorder/proc.bin
		File	<Tanium Client>/extensions/recorder/recorder.db
		File	<Tanium Client>/extensions/recorder/recorder.db-shm
		File	<Tanium Client>/extensions/recorder/recorder.db-wal
		File	<Tanium Client>/extensions/recorder/recorder.auditpipe
		File	<Tanium Client>/extensions/index/index.db
		File	<Tanium Client>/extensions/index/index.db-shm
		File	<Tanium Client>/extensions/index/index.db-wal
		Process	<Tanium Client>/TaniumCX
		Folder	<Tanium Client>/extensions/index
		Folder	<Tanium Client>/extensions/integrity-monitor

Service account user

The Integrity Monitor service account requires certain privileges to run background jobs which include gathering endpoint statistics, sending labels to Connect, and evaluating rules. See Installing Integrity Monitor to create a service account user and configure the service account within Integrity Monitor.

User role requirements

The following tables list the role permissions required to use Client Management. To review a summary of the predefined roles, see Set up Client Management users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Integrity Monitor user role permissions
Privilege	Integrity Monitor Administrator^1,2,5	Integrity Monitor Operator^1,2,⁴⁵	Integrity Monitor Author¹	Integrity Monitor User¹	Integrity Monitor Read Only User¹	Integrity Monitor Service Account^1,2,3,5	Integrity Monitor Endpoint Configuration Approver^1,2
Integrity Monitor View the Integrity Monitor workbench	SHOW TROUBLESHOOTING	SHOW	SHOW	SHOW	SHOW		SHOW
Integrity Monitor Admin Settings Set the service account and log level	WRITE
Integrity Monitor API Perform Integrity Monitor operations using the API	EXECUTE	EXECUTE	EXECUTE	EXECUTE	EXECUTE	EXECUTE	EXECUTE
Integrity Monitor Deploy MONITORS: Deploy monitors RULES: Deploy rules WATCHLISTS: Deploy watchlists	MONITORS RULES WATCHLISTS	MONITORS RULES WATCHLISTS				MONITORS RULES WATCHLISTS
Integrity Monitor Endpoint Configuration Approve Integrity Monitor configuration changes in Tanium Endpoint Configuration							APPROVE
Integrity Monitor Execute Scheduled Run tasks in the IM service with the IM schedule plugin, including running ServiceNow scheduled tasks.	TASK					TASK
Integrity Monitor Integrations Create, edit, and schedule integrations with IT workflows	ADMIN	ADMIN
Integrity Monitor Labels View, create, and edit labels	READ WRITE	READ WRITE	READ WRITE	READ	READ		READ
Integrity Monitor Monitor Event Labels View, create, edit, and delete monitor event labels and label notes Send labeled events to Connect manually⁴³	READ WRITE DELETE	READ WRITE DELETE	READ WRITE	READ WRITE	READ
Integrity Monitor Monitor Events View monitor events	READ	READ	READ	READ	READ
Integrity Monitor Monitors View, create, and edit monitors. View, download, enable, disable, or delete reports for a monitor.	READ WRITE	READ WRITE	READ WRITE	READ	READ		READ
Integrity Monitor Rules View, create, and edit rules	READ WRITE	READ WRITE	READ WRITE	READ WRITE	READ
Integrity Monitor Settings View and update general settings, templates, and default labels	READ WRITE	READ WRITE	READ	READ	READ
Integrity Monitor Watchlists View, create, and edit watchlists	READ WRITE	READ WRITE	READ WRITE	READ	READ		READ
¹ This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. ² This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ³ If you enabled configuration approvals in Endpoint Configuration, then by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to the Client Management Service Account role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements and Tanium Endpoint Configuration User Guide: Managing approvals. ⁴To send labeled events to Tanium Connect, you must have Connect installed. You must also have the Integrity Monitor Monitor Event Labels Write permission and the Tanium Connect Connect Event Write permission, which is provided through the Connect roles. The least privileged Connect role that an Administrator can assign to grant this privilege is Connect User. ³To send labeled events to Tanium Connect, you must have Connect installed. You must also have the Integrity Monitor Monitor Event Labels Write permission and the Tanium Connect Connect Event Write permission, which is provided through the Connect roles. The least privileged Connect role that an Administrator can assign to grant this privilege is Connect User. ⁴ This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see the Tanium Interact User Guide: User role requirements. ⁵ This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see the Tanium Interact User Guide: User role requirements.

Provided Integrity Monitor administration and platform content permissions
Permission	Permission Type	Integrity Monitor Administrator¹	Integrity Monitor Operator	Integrity Monitor Author	Integrity Monitor User	Integrity Monitor Read Only User	Integrity Monitor Service Account	Integrity Monitor Endpoint Configuration Approver
Action Group	Administration	READ	READ	READ	READ	READ	READ	READ
Action	Platform Content	READ WRITE	READ WRITE				READ WRITE
Filter Group	Platform Content	READ	READ	READ	READ	READ	READ	READ
Own Action	Platform Content	READ	READ				READ
Package	Platform Content	READ WRITE	READ WRITE				READ WRITE
Plugin	Platform Content	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE
Saved Question	Platform Content	READ WRITE	READ WRITE	READ	READ	READ	READ WRITE
Sensor	Platform Content	READ	READ	READ	READ	READ	READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. ¹ This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.