Discover requirements
Review the requirements before you use Discover.
Also review the Tanium as a Service requirements, described in Tanium as a Service User Guide: Tanium as a Service requirements.
Tanium dependencies
| Component | Requirement |
|---|---|
| Tanium™ Core Platform |
Version 7.3.314.4250 or later |
| Tanium™ Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions. |
| Tanium solutions |
If you selected Tanium Recommended Installation when you installed Discover, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the solutions that Discover requires to function, as described in Tanium Console User Guide: Import, re-import, or update specific solutions. Discover requires the following solutions:
The following solutions are optional:
|
Tanium™ Module Server
Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage.
For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.
Endpoints
Supported internet protocols
Discover currently scans only for IPv4 addresses.
Supported operating systems
For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements. Managed endpoints perform discovery scans.
| Operating System | Version |
|---|---|
| Windows |
Windows 7 SP1 or later and Windows Server 2008 R2 SP1 or later If the endpoints are not up-to-date and Python content does not run and generates an error about nt._add_dll_directory with The specified procedure could not be found, see this Microsoft Security Advisory. |
| macOS | 10.11 and later |
| Linux |
Same as Tanium Client support |
| Solaris |
Same as Tanium Client support |
| AIX |
7.1.4 or later The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file. |
| Level 1 (ARP cache) | Level 1 (Interface Connections) | Level 2 (Ping) | Level 3/4 (Nmap) | |
|---|---|---|---|---|
| Windows |
|
|
|
1
|
| Linux |
|
|
|
|
| macOS |
|
|
|
|
| Solaris |
|
|
3
|
 2
|
| AIX |
|
|
|
2
|
| 1 For level 3 and 4 discovery on Windows 2003 Server and Windows XP, level 2 discovery is used. 2 For level 3 and 4 discovery on Solaris and AIX, level 2 discovery is used because Nmap is not supported on these platforms. 3 Solaris endpoints do not perform OS detection. |
||||
Host and network security requirements
Specific ports and processes are needed to run Discover.
Ports
For Tanium as a Service ports, see Tanium as a Service User Guide: Host and network security requirements.
The following ports and protocols are required for Discover communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
Module Server |
Module Server | 17446 | TCP and UDP | Internal purposes for Discover; not externally accessible |
| Module Server | 17447 | TCP and UDP | Internal purposes for Discover; not externally accessible |
Scan communication requirements
The following ports and protocols are required for Discover scanning.
| Source | Destination | Scan Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
|
Tanium Client |
Devices with an IP address in the same subnet as the Tanium Client
|
Level 2 distributed |
N/A | ICMP | Level 2 distributed scans require ICMP echo-request and echo-response traffic from all managed endpoints to all other devices on the Tanium Client subnet. |
| Level 3 | N/A | ARP |
Level 3 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet. |
||
|
Level 4 distributed |
1000 most common TCP ports (default setting) | ARP TCP |
Level 4 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet. Additionally, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running distributed scans. |
||
| Module Server
|
Customer-defined subnets | Centralized Nmap | N/A |
ICMP
|
Centralized Nmap scans require ICMP traffic to all IP addresses specified in the scan. |
| 1000 most common open TCP ports (default setting) | TCMP | For centralized Nmap scans, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running centralized scans. | |||
|
ec2.*.amazonaws.com sts.*.amazonaws.com ssm.*.amazonaws.com |
Centralized Amazon EC2 environment | 443 | TCP | Centralized Amazon EC2 environment scans require access to Amazon Web Services. |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\discover-service\node.exe | |
| Process | <Module Server>\plugins\content\discover-proxy\proxyplugin.exe | ||
| Process | <Module Server>\services\twsm-v1\twsm.exe | ||
| Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe | ||
| Windows endpoints | (Level 3 and 4 profiles only) | Folder | C:\Program Files\Npcap |
| (Level 3 and 4 profiles only) | Process | <Tanium Client>\Tools\Discover\nmap\nmap.exe | |
| Linux endpoints | (Level 3 and 4 profiles only) | Process |
<Tanium Client>/Tools/Discover/nmap/nmap |
| macOS endpoints | (Level 3 and 4 profiles only) | Process | <Tanium Client>/Tools/Discover/nmap/nmap |
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs:
-
From both Tanium Server and Tanium Module Server: content.tanium.com
-
From Tanium Module Server: ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com (for centralized scans of Amazon EC2 environments)
User role requirements
The following tables list the role permissions required to use Discover. To review a summary of the predefined roles, see Set up Discover users.
For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.
| Permission | Discover Administrator1,3 | Discover Operator1,3 | Discover User1 | Discover Read Only User1 | Discover Service Account1,2,3,5 | Discover Endpoint Configuration Approver3 |
|---|---|---|---|---|---|---|
|
Discover View managed and unmanaged interfaces |
SHOW |
SHOW |
SHOW |
SHOW |
|
|
|
Discover API Use the Discover API |
EXECUTE |
EXECUTE |
EXECUTE |
EXECUTE |
EXECUTE |
EXECUTE |
|
Discover Asset View lists of managed and unmanaged interfaces; export data from interface tables; apply or remove label on an interface |
READ WRITE |
READ WRITE |
READ WRITE |
READ |
|
|
|
Discover Components Manage backend components, including Discover action groups and computer groups |
|
|
|
|
MANAGE |
|
|
Discover Connect Integration Service Account Enable the Discover service account to interface with Connect. |
|
|
|
|
EXECUTE |
|
|
Discover Endpoint Configuration Approve Discover configuration changes in the Endpoint Configuration service |
|
|
|
|
|
APPROVE |
|
Discover Keys Rotate keys used to encrypt sensitive data |
ROTATE |
|
|
|
|
|
|
Discover Location Permissions Define locations and corresponding permissions for user groups |
WRITE |
WRITE |
|
|
|
|
|
Discover Locations Define locations by importing CSV file |
WRITE |
WRITE |
|
|
|
|
|
Discover Manual Import Import interfaces manually with the Discover Unmanaged Interfaces button |
EXECUTE |
EXECUTE |
EXECUTE |
|
EXECUTE |
|
|
Discover Profile View, create, edit, and delete Discover profiles |
READ WRITE |
READ WRITE |
|
|
|
READ |
|
Discover Settings Edit Discover settings |
WRITE |
|
|
|
|
|
|
Discover Tag Create or remove labels |
WRITE |
WRITE |
WRITE4 |
|
|
|
|
Discover Tds Integration Service Account Provide access to promote Discover data to Tanium Data Service (TDS). |
|
|
|
|
EXECUTE |
|
|
Discover Trends Manipulate Discover data in Trends. |
WRITE |
WRITE |
|
|
|
|
|
Discover Trends Integration Service Account Provide access for module service accounts to read and write data, and to define sources and boards |
|
|
|
|
EXECUTE |
|
|
1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. 2 This role provides module permissions for Tanium Connect. For more information, see the Tanium Connect User Guide: User role requirements. 3 This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements. 4If location permissions are defined, Discover User role cannot create labels. 5 This role provides module permissions for Tanium Interact. For more information, see the Tanium Interact User Guide: User role requirements. 6
|
||||||
| Permission | Permission type | Discover Administrator1,2 | Discover Operator1,2 | Discover User1 | Discover Read Only User1 | Discover Service Account1,2,3,4 | Discover Endpoint Configuration Approver2 |
|---|---|---|---|---|---|---|---|
| Computer Group | Administration |
READ |
READ |
|
|
READ |
READ |
| Server Status | Administration |
|
|
|
|
READ |
|
| User | Administration |
READ |
|
|
|
READ |
|
| User Group | Administration |
|
|
|
|
READ |
|
| Action | Platform Content |
READ WRITE |
READ WRITE |
|
|
READ WRITE |
READ |
| Own Action | Platform Content |
READ |
READ |
|
|
READ |
READ |
| Package | Platform Content |
READ |
READ |
|
|
READ |
|
| Plugin | Platform Content |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
| Saved Question | Platform Content |
READ |
READ |
|
|
READ WRITE |
|
| Sensor | Platform Content |
READ |
READ |
|
|
READ |
|
|
You can view which content sets are granted to any role in the Tanium Console. 1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. 2 This role provides content set permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration content sets are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. 3 This role provides content set permissions for Tanium Connect. You can view which Connect content sets are granted to this role in the Tanium Console. For more information, see Tanium Connect User Guide: User role requirements. 4 This role provides content set permissions for Tanium Data Service. |
|||||||
| Role | Enables |
|---|---|
| Connect User |
For signed in user:
|
| Administrator |
|
Last updated: 9/20/2021 2:16 PM | Feedback