Installing Integrity Monitor

Tanium as a Service automatically handles module installations and upgrades.

Use the Tanium Solutions page to install Integrity Monitor and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Integrity Monitor is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Integrity Monitor, see Import and configure Integrity Monitor with default settings.
  • Manual configuration with custom settings: After installing Integrity Monitor, you must manually configure required settings. Select this option only if Integrity Monitor requires settings that differ from the recommended default settings. For more information, see Import and configure Integrity Monitor with custom settings.

Before you begin

Prepare Endpoints

(Windows) Configure permission recording

To monitor permission event types, you must configure the Audit File System permission under Local Security Policy on the endpoint.

To determine whether this permission is already configured, ask the question: Get Integrity Monitor Endpoint Tools Status and Computer name from all machines. If the permission is not configured, endpoints report Recorder - Error: File permission auditing is disabled.

To configure the Audit File System permission, complete the following steps. (These steps apply to Windows 10 and might vary for different versions of Windows.)

  1. From the Control Panel, open Administrative Tools > Local Security Policy.
  2. Go to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.
  3. Double-click Audit File System.
  4. Select Configure the following audit events: and then select Success.
  5. Click OK.
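The same check and setting can be scripted with the built-in auditpol.exe tool. The following PowerShell is an added example, not part of the Tanium documentation; the function names and the -Remediate switch are hypothetical, and the result check assumes English-language auditpol output.

```powershell
# Added example (not Tanium code): verify, and optionally enable, Success
# auditing for Object Access > File System. Run in an elevated session.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: enable the setting if it is missing
)

# GUID of the File System audit subcategory (avoids localized subcategory names).
$FileSystemGuid = '{0CCE921D-69AE-11D9-BED3-505054503030}'

function Get-FileSystemAuditSetting {
    # /r prints CSV; the "Inclusion Setting" column holds the current value.
    $csv = & auditpol.exe /get "/subcategory:$FileSystemGuid" /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed (exit code $LASTEXITCODE). Is the session elevated?"
    }
    $row = $csv | Where-Object { $_.Trim() } | ConvertFrom-Csv | Select-Object -First 1
    return $row.'Inclusion Setting'
}

function Test-SuccessAuditing {
    param([string]$Setting)
    # Assumption: English output ("Success" or "Success and Failure").
    return $Setting -match '^Success'
}

$current = Get-FileSystemAuditSetting
if (Test-SuccessAuditing $current) {
    Write-Output "OK: File System auditing is '$current'."
}
elseif ($Remediate) {
    # Adds Success auditing; leaves any existing Failure setting unchanged.
    & auditpol.exe /set "/subcategory:$FileSystemGuid" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed (exit code $LASTEXITCODE)." }
    Write-Output "Changed: File System auditing was '$current', now '$(Get-FileSystemAuditSetting)'."
}
else {
    Write-Output "NOT CONFIGURED: File System auditing is '$current'. Re-run with -Remediate to enable Success."
    exit 1
}
```

Settings applied with auditpol.exe change the effective local audit policy; if a domain Group Policy defines this subcategory, it overrides the local value at the next policy refresh.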

Remove legacy Client Recorder Extension

If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Legacy - Recorder Installed. If the Supported Endpoints column displays No, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Import and configure Integrity Monitor with default settings

When you import Integrity Monitor with automatic configuration, the following default settings are configured:

  • The Integrity Monitor service account is set to the account that you used to import the module.
  • The Integrity Monitor action group is set to the computer group All Computers.
  • A watchlist is created for each supported operating system (Windows, Linux, AIX, and Solaris) based on the Critical System Files template for the operating system.
  • A monitor is created to deploy the watchlist for each supported operating system.

    The Windows monitor is targeted only to Windows Server computer groups: All Windows Server 2008 R2, All Windows Server 2012, All Windows Server 2012 R2, All Windows Server 2016, and All Windows Server 2019.

    All other monitors are targeted to the associated All <Operating System> computer group: All Linux, All AIX, and All Solaris.

    If one or more of the targeted operating systems are not used in your environment, delete the associated monitors.

  • The monitors are deployed to endpoints.

To import Integrity Monitor and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Integrity Monitor version.

Import and configure Integrity Monitor with custom settings

To import Integrity Monitor without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed (see Verify Integrity Monitor version).

Configure the Integrity Monitor service account

You must create and configure an Integrity Monitor service account to run several background processes, which include gathering endpoint statistics, sending labels to Connect, and evaluating rules. This user must either be a Tanium Administrator or have the following roles and access configured:

  • The Integrity Monitor Service Account role
  • Access to monitored computer groups
  • If you installed Tanium Client Management, the Endpoint Configuration Service Account role (Endpoint Configuration is installed as a part of Tanium Client Management.)

The Integrity Monitor Administrator role does not grant all the required privileges for the service account user.

Grant the service account user access to the All Computers group for access to any endpoints assigned to monitors. Otherwise, any time you add a computer group to a monitor, you must also assign that computer group to the service account to avoid issues monitoring the endpoints in that computer group.

  1. From the Integrity Monitor Overview page, click Settings.
  2. Click the Service Account tab.
  3. Enter the User Name and Password for the service account user and click Save.

Manage dependencies for Tanium solutions

When you start the Integrity Monitor workbench for the first time, the Tanium Console ensures that all of the required dependencies for Integrity Monitor are installed at the required version. You must install all required Tanium dependencies before the Integrity Monitor workbench can load. A banner appears if one or more Tanium dependencies are not installed in the environment. The Tanium Console lists the required Tanium dependencies and the required versions.

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the required solutions, click Import Selected, and then click Begin Import. When the import is complete, you are returned to the Tanium Solutions page.
  3. From the Main menu, go to Modules > Integrity Monitor to open the Integrity Monitor Overview page after you import all of the required Tanium dependencies.

Verify Integrity Monitor version

After you import or upgrade Integrity Monitor, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Integrity Monitor to open the Integrity Monitor Overview page.
  3. To display version information, click Info.

Configure Integrity Monitor

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally, you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Integrity Monitor, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.