Requirements

Review the requirements before you install and use Integrity Monitor.

Tanium dependencies

Component Requirement
Tanium Platform

Version 7.0.314.6422 or later

If you are using an older version, please contact your Technical Account Manager (TAM) before installing and using Integrity Monitor.

Tanium Client

The event recorder is supported on the same Linux endpoints as the Tanium Client and on endpoints with Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or newer. For more information about specific Tanium Client versions, see Client host system requirements.

Integrity Monitor does not use the recorder for Solaris and AIX.

For more information about deploying the Tanium Client to endpoints with different operating systems, see the Client Deployment Guide.

Tanium Index

1.6.0 or later is required for monitoring endpoints with Windows NT 6.0 (Windows Server 2008 / Windows Vista) or older.

On endpoints with Windows versions 6.1 and newer (such as Windows 7 and Windows Server 2008 R2), Integrity Monitor does not use Index. The installation of any version of Index does not affect Integrity Monitor.

Tanium™ Connect

4.0.0 or later

Requires a Connect license

Endpoint hardware and software requirements

A minimum of 100 MB RAM is required on each endpoint device. By default, the endpoint database is 1 GB in size. The partition where the Tanium Client is installed must have free disk space equal to 2 times the maximum database size. The CPU demand on the endpoint averages less than 1%.

Linux

Install the audit daemon and audispd plugins before deploying Integrity Monitor tools. The minimum compatible version of auditd is 1.8; however, Tanium recommends using the most recent stable version. See the specific operating system documentation for instructions.

Be aware that the recorder appends its own rules to the end of the existing audit rules. If the existing audit system is in immutable mode (set with the -e 2 flag), the recorder on Linux is not supported.
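The following pre-deployment check is an added example, not Tanium code. It evaluates the two Linux conditions above (auditd 1.8 or later, audit system not immutable) from the text output of `auditctl -v`, `auditctl -s`, and the audit rules file. The sample outputs are constructed, and the function names are hypothetical.

```python
import re

MIN_AUDITD = (1, 8)  # minimum compatible auditd version stated above

# Constructed sample outputs (not captured from a real host).
STATUS_NEW = "enabled 2\nfailure 1\npid 812\nrate_limit 0\nbacklog_limit 8192\n"
STATUS_OLD = "AUDIT_STATUS: enabled=1 flag=1 pid=812 rate_limit=0 backlog_limit=320"
RULES_LOCKED = "-D\n-b 8192\n-w /etc/passwd -p wa -k identity\n# lock config\n-e 2\n"


def parse_version(version_out):
    """(major, minor) from `auditctl -v`, e.g. 'auditctl version 2.8.5'."""
    m = re.search(r"(\d+)\.(\d+)", version_out)
    if not m:
        raise ValueError("no version number in auditctl -v output")
    return int(m.group(1)), int(m.group(2))


def enabled_flag(status_out):
    """Kernel 'enabled' value from `auditctl -s`; 2 means immutable.
    Handles both 'enabled 2' (one field per line) and 'enabled=2' layouts."""
    m = re.search(r"\benabled[ =](\d+)", status_out)
    if not m:
        raise ValueError("no 'enabled' field in auditctl -s output")
    return int(m.group(1))


def rules_set_immutable(rules_text):
    """True if a rules file has an active (uncommented) '-e 2' line."""
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line.split()[:2] == ["-e", "2"]:
            return True
    return False


def preflight(version_out, status_out, rules_text):
    """Return a list of reasons the Linux recorder cannot be used on this host."""
    problems = []
    if parse_version(version_out) < MIN_AUDITD:
        problems.append("auditd older than 1.8")
    if enabled_flag(status_out) == 2:
        problems.append("audit system is immutable (-e 2); recorder rules cannot be appended")
    elif rules_set_immutable(rules_text):
        problems.append("rules file sets -e 2; audit becomes immutable on next load")
    return problems


if __name__ == "__main__":
    print(preflight("auditctl version 1.7.18", STATUS_NEW, RULES_LOCKED))
```
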

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Target device Process
Tanium Module Server

node.exe

Endpoint computers
  • TaniumSQLiteQuery.exe
  • /opt/Tanium/TaniumClient/Tools/Trace/recorder

Service account user

The Integrity Monitor service account requires certain privileges to run background jobs which include gathering endpoint statistics, sending labels to Connect, and evaluating rules. See Installing Integrity Monitor to create a service account user and configure the service account within Integrity Monitor.

User roles and privileges

Tanium Server 7.0

The following user roles are supported in Integrity Monitor on 7.0:

Administrator or Content Administrator

Can create watchlists and create, deploy, and view results for monitors.

Tanium Server 7.1 and later

Integrity Monitor 1.2.1 introduces role-based access control (RBAC) permissions that control access to Integrity Monitor functions. The four predefined roles are Integrity Monitor Admin, Integrity Monitor Author, Integrity Monitor User, and Integrity Monitor Read Only User.

Table 1: Integrity Monitor User Role Privileges
Privilege Integrity Monitor Administrator Integrity Monitor Author Integrity Monitor User Integrity Monitor Read Only User
View monitors, watchlists, and labels
View general settings, templates, and default labels
View monitor events
View and download reports
Label events
Create and edit label notes
Send labeled events to Connect manually
Create, edit, and delete monitors, watchlists, and labels
Enable / disable reports for a monitor
Delete reports
Deploy monitors
Delete labeled events and notes
Send labeled events to Connect via a background scheduled task
Edit general settings including default labels
Schedule weekly day / time to generate reports
Collect logs for troubleshooting

Legacy deployment requirements

Endpoints are considered to be legacy if they are using Windows versions older than 6.1, such as Windows XP, Windows Server 2008, or older. Windows Server 2008 R2 is not considered legacy.

See Microsoft Windows Operating System Version for more information.

The following requirements must be met in order to monitor legacy endpoints:

  • You must use Index version 1.6.0 or higher.
  • Index must be deployed and started separately. Integrity Monitor does not deploy or start Index.
  • Index must have finished its initial scan.

Permission recording

Linux

To monitor permission event types, there are no special requirements for Linux endpoints.

Standard Windows

To monitor permission event types for Windows versions 6.1 and newer, you must configure the Audit File System permission under Local Security Policy on the endpoint.

You can check whether this permission is already configured by using the Get Integrity Monitor Endpoint Tools Status and Computer name from all machines sensor in Tanium™ Interact. If the permission is not configured, you get the following results:

Audit Policy for File System auditing is configured for: No Auditing

or

Audit Policy for File System auditing is configured for: Failure

and then

Error: Audit Policy for File System auditing is not properly configured

The following steps to configure the Audit File System permission might vary slightly depending on your exact version of Windows.

Figure 1: Local Security Policy in Windows 10

  1. Open Local Security Policy, usually found in the Administrative Tools folder.
  2. Expand Advanced Audit Policy Configuration under Security Settings.
  3. Expand System Audit Policies - Local Group Policy Object.
  4. Double click Object Access.
  5. Double click Audit File System.
  6. Select Configure the following audit events: and then select Success.
  7. Click Apply and then click OK.
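The same setting can be read and set from the command line with the Windows `auditpol` tool. The following added example (not Tanium code) classifies the CSV report from `auditpol /get /subcategory:"File System" /r` for several endpoints and lists those that still need the Success setting. The sample reports, host names, and function names are constructed, and treating "Success and Failure" as meeting the requirement is an assumption based on the two failing values shown above.

```python
import csv

# Commands run in an elevated prompt on the endpoint (standard auditpol usage).
CHECK_CMD = 'auditpol /get /subcategory:"File System" /r'
FIX_CMD = 'auditpol /set /subcategory:"File System" /success:enable'

# Constructed sample reports; host names and the GUID placeholder are made up.
HEADER = ("Machine Name,Policy Target,Subcategory,Subcategory GUID,"
          "Inclusion Setting,Exclusion Setting")
ROW = "{host},System,File System,{{constructed-guid}},{setting},"
SAMPLE_REPORTS = {
    "ws-001": "\n" + HEADER + "\n" + ROW.format(host="ws-001", setting="Success and Failure"),
    "ws-002": HEADER + "\n" + ROW.format(host="ws-002", setting="Failure"),
    "ws-003": HEADER + "\n" + ROW.format(host="ws-003", setting="No Auditing"),
    "ws-004": HEADER + "\n" + ROW.format(host="ws-004", setting="Success"),
}


def inclusion_setting(report_csv):
    """Return the Inclusion Setting of the File System subcategory."""
    lines = [line for line in report_csv.splitlines() if line.strip()]
    for row in csv.DictReader(lines):
        if (row.get("Subcategory") or "").strip() == "File System":
            return (row.get("Inclusion Setting") or "").strip()
    raise ValueError("File System subcategory not found in report")


def permission_recording_ready(setting):
    """Success events must be audited; 'Failure' and 'No Auditing' are not enough."""
    return setting in ("Success", "Success and Failure")


def endpoints_needing_fix(reports):
    """Hosts whose File System audit policy does not include Success."""
    return sorted(host for host, report in reports.items()
                  if not permission_recording_ready(inclusion_setting(report)))


if __name__ == "__main__":
    for host in endpoints_needing_fix(SAMPLE_REPORTS):
        print(f"{host}: run {FIX_CMD}")
```

A domain Group Policy that defines this subcategory overrides a locally applied setting at the next policy refresh, so on domain-joined endpoints make the change in the governing GPO.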

Legacy Windows

To monitor permission event types for Windows versions 6.0 and older, you must enable the ScanFilePermissions=on setting in your Index configuration for legacy Windows endpoints.

Last updated: 10/23/2018 2:42 PM