Configuring Integrity Monitor

If you did not install Integrity Monitor with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Integrity Monitor action group to target the No Computers filter group by enabling restricted targeting before adding Integrity Monitor to your Tanium licenseimporting Integrity Monitor. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Integrity Monitor action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Integrity Monitor with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the Integrity Monitor service account.

Watchlist A watchlist is created for each supported operating system (Windows, Linux, AIX, and Solaris) based on the Critical System Files template for the operating system.
Monitor creation

A monitor is created to deploy the watchlist for each supported operating system.

The Windows monitor is targeted only to Windows Server computer groups: All Windows Server 2008 R2, All Windows Server 2012, All Windows Server 2012 R2, All Windows Server 2016, and All Windows Server 2019.

All other monitors are targeted to the associated All <Operating System> computer group: All Linux, All AIX, and All Solaris.

If one or more of the targeted operating systems are not used in your environment, delete the associated monitors.

Monitor deployments The monitors are deployed to endpoints.

Prepare Endpoints

(Windows) Configure permission recording

To monitor permission event types, you must configure the Audit File System permission under Local Security Policy on the endpoint.

To determine whether this permission is already configured, ask the question: Get Integrity Monitor Endpoint Tools Status and Computer name from all machines. If the permission is not configured, endpoints report Recorder - Error: File permission auditing is disabled.

To configure the Audit File System permission, complete the following steps. (These steps apply to Windows 10 and might vary for different versions of Windows.)

  1. From the Control Panel, open Administrative Tools > Local Security Policy.
  2. Go to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.
  3. Double-click Audit File System.
  4. Select Configure the following audit events: and then select Success.
  5. Click OK.

Remove legacy Client Recorder Extension

If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Legacy - Recorder Installed. If the Supported Endpoints column displays No, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Integrity Monitor, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Integrity Monitor

Configure the Integrity Monitor service account

You must create and configure an Integrity Monitor service account to run several background processes, which include gathering endpoint statistics, sending labels to Connect, and evaluating rules.

If you imported Integrity Monitor with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

This user must either be a Tanium Administrator or have the following roles and access configured:

  • The Integrity Monitor Service Account role
  • Access to monitored computer groups
  • If you installed Tanium Client Management, the TheEndpoint Configuration Service Account role (Endpoint Configuration is installed as a part of Tanium Client Management.)

The Integrity Monitor Administrator role does not grant all the required privileges for the service account user.

Grant the service account user access to the All Computers group for access to any endpoints assigned to monitors. Otherwise, any time you add a computer group to a monitor, you must also assign that computer group to the service account to avoid issues monitoring the endpoints in that computer group.

  1. From the Integrity Monitor Overview page, click Settings .
  2. Click the Service Account tab.
  3. Enter the User Name and Password for the service account user and click Save.

Set up Integrity Monitor users

You can use the following set of predefined user roles to set up Integrity Monitor users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Integrity Monitor Administrator

Assign the Integrity Monitor Administrator role to users who manage all configuration and deployment of Integrity Monitor functionality to endpoints.
This role can perform the following tasks:

  • Configure all Integrity Monitor settings, templates, and labels
  • Execute scheduled tasks in the Integrity Monitor service using the schedule plugin
  • Run and apply rules to events
  • View, create, edit, and deploy monitors, rules, and watchlists
  • Create, edit, and schedule integrations with IT workflows
  • Delete labels and event labels

Integrity Monitor Operator

Assign the Integrity Monitor Operator role to users who manage most configuration and deployment of Integrity Monitor functionality to endpoints.
This role can perform the following tasks:

  • Configure Integrity Monitor settings, templates, and labels
  • Run and apply rules to events
  • View, create, edit, and deploy monitors, rules, and watchlists
  • Create, edit, and schedule integrations with IT workflows
  • Delete labels and event labels

Integrity Monitor Author

Assign the Integrity Monitor Author role to users who manage monitors, rules, and labels in Integrity Monitor.

This role can perform the following tasks:

  • View, create, and edit monitors, rules, and labels

  • View Integrity Monitor events and settings

Integrity Monitor User

Assign the Integrity Monitor User role to users who manage event labels and rules in Integrity Monitor.
This role can perform the following tasks:

  • View, create, and edit event labels and rules

  • View Integrity Monitor monitors, events, labels, and settings

Integrity Monitor Read Only User

Assign the Integrity Monitor Read Only User role to users who need visibility into Integrity Monitor data.
This role can view Integrity Monitor Read Only User events, event labels, labels, monitors, rules, and settings.

Integrity Monitor Service Account

Assign the Integrity Monitor Service Account role to the account that configures system settings for Integrity Monitor.
The Integrity Monitor Service Account runs several background processes, which include gathering endpoint statistics, sending labels to Connect, and evaluating rules.

Integrity Monitor Endpoint Configuration Approver

Assign the Integrity Monitor Author role to a user who approves or rejects Integrity Monitor configuration items in Tanium Endpoint Configuration.