Configuring Integrity Monitor

If you did not install Integrity Monitor with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Integrity Monitor action group to target the No Computers filter group by enabling restricted targeting before adding Integrity Monitor to your Tanium licenseimporting Integrity Monitor. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Integrity Monitor action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Integrity Monitor with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All AIX, All Linux, All Solaris, and All Windows computer groups
  • Restricted targeting enabled: No Computers computer group
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the Integrity Monitor service account.

Monitor creation

A monitor is created for each supported operating system (Windows, Linux, Solaris, and AIX).

The Windows monitor is targeted only to Windows Server computer groups: All Windows Server 2008 R2, All Windows Server 2012, All Windows Server 2012 R2, All Windows Server 2016, All Windows Server 2019, and All Windows Server 2022.

All other monitors are targeted to the associated All <Operating System> computer group: All Linux, All AIX, and All Solaris.

If one or more of the targeted operating systems are not used in your environment, delete the associated monitors.

Monitor deployments The monitors are deployed to endpoints.
Watchlist

A watchlist is created for each supported operating system based on the Critical System Files template for the operating system.

The Windows watchlist is targeted only to Windows Server computer groups: All Windows Server 2008 R2, All Windows Server 2012, All Windows Server 2012 R2, All Windows Server 2016, All Windows Server 2019, and All Windows Server 2022.

All other watchlists are targeted to the associated All <Operating System> computer group: All Linux, All AIX, and All Solaris.

If one or more of the targeted operating systems are not used in your environment, delete the associated watchlists.

Watchlist deployments The watchlists are deployed to endpoints.

Prepare Endpoints

(Windows) Configure permission recording

To monitor changes in file permissions, you must configure the Audit File System permission under Local Security Policy on the endpoint.

Endpoints that do not have this permission configured return Recorder - Error: File permission auditing is disabled when you ask a question using the Client Extensions - Status sensor, and they appear in the Endpoint Health panel on the Integrity Monitor Overview page.

To configure the Audit File System permission, complete the following steps. (These steps apply to Windows 10 and might vary for different versions of Windows.)

  1. From the Control Panel, open Administrative Tools > Local Security Policy.
  2. Go to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.
  3. Double-click Audit File System.
  4. Select Configure the following audit events: and then select Success.
  5. Click OK.

Remove legacy Client Recorder Extension

If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Recorder - Legacy Installed. If the Supported Endpoints column displays Yes, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Integrity Monitor, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Integrity Monitor

Configure the Integrity Monitor service account

You must create and configure an Integrity Monitor service account to run several background processes, which include gathering endpoint statistics, sending labels to Connect, and evaluating rules.

If you imported Integrity Monitor with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

This user must either be a Tanium Administrator or have the following roles and access configured:

  • The Integrity Monitor Service Account role
  • Access to monitored computer groups
  • If you installed Tanium Client Management, the TheEndpoint Configuration Service Account role (Endpoint Configuration is installed as a part of Tanium Client Management.)

The Integrity Monitor Administrator role does not grant all the required privileges for the service account user.

Grant the service account user access to the same computer groups as the Integrity Monitor action group for access to any endpoints that are targeted by watchlists and monitors. Otherwise, any time you add a computer group to a watchlist or monitor, you must also assign that computer group to the service account to avoid issues monitoring the endpoints in that computer group.

  1. From the Integrity Monitor Overview page, click Settings .
  2. Click the Service Account tab.
  3. Enter the User Name and Password for the service account user and click Save.

(Optional) Configure the Integrity Monitor action group

Importing the Integrity Monitor module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Integrity Monitor, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Integrity Monitor, configuring the Integrity Monitor action group is optional.

Select the computer groups to include in the Integrity Monitor action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Integrity Monitor are included in the Integrity Monitor action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Integrity Monitor.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Organize computer groups

You deploy watchlists and monitors by computer group. Target monitors as broadly as possible, and create more specific groups if you need different settings or intervals for scanning some endpoints. Create specific groups for watchlists, targeted more narrowly to watch only the necessary paths on the necessary endpoints.

When possible, avoid targeting different monitors to computer groups that contain some of the same endpoints. One monitor is deployed to each endpoint. You can prioritize monitors when computer groups overlap, but it is better to create non-overlapping computer groups to use with monitors for a more predictable deployment.

Create relevant computer groups to organize your endpoints for monitor and watchlist targeting. Some options include:

  • Applications in use on an endpoint
  • Endpoint type, such as servers with a specific function
  • Endpoint compliance requirements, such as endpoints that must comply with Payment Card Industry Data Security Standard (PCI DSS) or the Sarbanes-Oxley Act (SOX)
  • Endpoint location, such as by country or time zone
  • Endpoint priority, such as business-critical machines
  • Endpoint configuration needs, such as VDI machines

For more information, see Tanium Core Platform User Guide: Managing computer groups.

Set up Integrity Monitor users

You can use the following set of predefined user roles to set up Integrity Monitor users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Integrity Monitor Administrator

Assign the Integrity Monitor Administrator role to users who manage all configuration and deployment of Integrity Monitor functionality to endpoints.
This role can perform the following tasks:

  • Configure all Integrity Monitor settings, templates, and labels
  • Execute scheduled tasks in the Integrity Monitor service using the schedule plugin
  • Run and apply rules to events
  • View, create, edit, and deploy monitors, rules, and watchlists
  • Create, edit, and schedule integrations with IT workflows
  • Delete labels and event labels

Integrity Monitor Operator

Assign the Integrity Monitor Operator role to users who manage most configuration and deployment of Integrity Monitor functionality to endpoints.
This role can perform the following tasks:

  • Configure Integrity Monitor settings, templates, and labels
  • Run and apply rules to events
  • View, create, edit, and deploy monitors, rules, and watchlists
  • Create, edit, and schedule integrations with IT workflows
  • Delete labels and event labels

Integrity Monitor Author

Assign the Integrity Monitor Author role to users who manage monitors, rules, and labels in Integrity Monitor.

This role can perform the following tasks:

  • View, create, and edit monitors, rules, and labels

  • View Integrity Monitor events and settings

Integrity Monitor User

Assign the Integrity Monitor User role to users who manage event labels and rules in Integrity Monitor.
This role can perform the following tasks:

  • View, create, and edit event labels and rules

  • View Integrity Monitor monitors, events, labels, and settings

Integrity Monitor Read Only User

Assign the Integrity Monitor Read Only User role to users who need visibility into Integrity Monitor data.
This role can view Integrity Monitor Read Only User events, event labels, labels, monitors, rules, and settings.

Integrity Monitor Service Account

Assign the Integrity Monitor Service Account role to the account that configures system settings for Integrity Monitor.
The Integrity Monitor Service Account runs several background processes, which include gathering endpoint statistics, sending labels to Connect, and evaluating rules.

Integrity Monitor Endpoint Configuration Approver

Assign the Integrity Monitor Author role to a user who approves or rejects Integrity Monitor configuration items in Tanium Endpoint Configuration.