Integrity Monitor requirements

Review the requirements before you install and use Integrity Monitor.

Tanium dependencies

In addition to a license for Integrity Monitor, make sure that your environment meets the following requirements.

Component Requirement
Tanium™ Core Platform 7.3 or later
Tanium™ Client
  • Windows:
    • 7.2.314.3584 or later
    • 7.4.1.1955 or later
  • Linux:
    • 7.2.314.3211 or later
    • 7.4.1.1955 or later
  • AIX:
    • 7.2.314.3584 or later
    • 7.4.1.1955 or later
  • Solaris:
    • 7.2.314.3584 or later
    • 7.4.1.1955 or later

For more information about specific Tanium Client versions and supported operating system versions, see Tanium Client User Guide: Host system requirements.

For more information about deploying the Tanium Client to endpoints with different operating systems, see the Tanium Client User Guide.

Tanium products

If you clicked Install with Recommended Configurations when you installed Integrity Monitor, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Integrity Monitor requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following module is required for features of Integrity Monitor to function. The given version is the minimum required:

  • Tanium™ Endpoint Configuration 1.3 or later (installed as part of Tanium™ Client Management 1.5.3 or later)

The following modules are optional, but Integrity Monitor requires the specified minimum versions to work with them:

  • Tanium™ Connect 4.0 or later
  • Tanium™ Trends 3.6 or later

Computer groups

(Tanium Core Platform 7.4.2 or later only) When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Integrity Monitor requires:

  • All Computers
  • All AIX
  • All Linux
  • All Solaris
  • All Mac
  • All Windows Server 2019
  • All Windows Server 2016
  • All Windows Server 2012 R2
  • All Windows Server 2012
  • All Windows Server 2008 R2

Computer groups with manual membership are not supported in Integrity Monitor.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Integrity Monitor.

Operating System Version Notes
Windows

A minimum of Windows 7 SP1 or Windows Server 2008 R2 SP1 is required.

For Windows 7 endpoints, update to Windows 7 SP2 or later whenever possible. Windows 7 SP1 requires Microsoft Windows Update KB2758857.

Linux

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux.

The Client Recorder Extension provides SELinux policies for the following distributions and versions:

  • Oracle Enterprise Linux 5.x, 6.x, 7.x, and 8.x

    When SELinux is enabled, only process information is returned. This is a known issue and will be addressed in a future version of Integrity Monitor.

  • Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x
  • CentOS 5.4 and later, 6.x, 7.x, and 8.x
  • Amazon Linux 2 LTS (2017.12)

At this time, SELinux is not supported on other Linux distributions.

On endpoints where the recorder is not supported, event monitoring is unavailable, and only hash monitoring is supported.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions.
  • Be aware that when using immutable "-e 2" mode, the recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled.
  • Be aware that when using the failure "-f 2" mode, the Linux kernel panics if an auditd message is lost. The recorder does not add audit rules if this configuration is detected.

AIX

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

Solaris

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

Disk space requirements

On managed endpoints, Integrity Monitor requires at least 1 GB of disk space.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%. For full functionality, a minimum of two CPUs per endpoint is required. The Tanium Client Recorder Extension cannot operate on fewer than 2 CPU cores.

A minimum of 4 GB RAM is recommended on each endpoint device.
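
The Linux audit-mode caveats ("-e 2" and "-f 2") and the CPU and disk minimums above can be checked on an endpoint before the recorder is enabled. The script below is an added example, not Tanium code: the function names, the finding labels, and the sample rules are constructed for illustration, and the rules file and client directory are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the Linux recorder requirements above.
# Function names and the sample rules are constructed for illustration.

# Reads auditctl-style rules on stdin and prints one finding per line.
audit_findings() {
  awk '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
      for (i = 1; i < NF; i++) {
        if ($i == "-e") enabled = $(i + 1)     # -e 2: configuration is immutable
        if ($i == "-f") failure = $(i + 1)     # -f 2: panic on lost audit message
      }
    }
    END {
      if (failure == "2") print "BLOCK: -f 2 set; recorder will not add audit rules"
      if (enabled == "2") print "WARN: -e 2 set; restart endpoint after enabling recorder"
    }'
}

# Args: CPU core count, free disk space in kB.
resource_findings() {
  local cpus=$1 free_kb=$2
  [ "$cpus" -ge 2 ] || echo "BLOCK: $cpus CPU core(s); recorder needs at least 2"
  [ "$free_kb" -ge 1048576 ] || echo "BLOCK: less than 1 GB of free disk space"
  return 0
}

# Constructed sample rules (not taken from a real host).
SAMPLE_RULES='-D
-b 8192
-f 2
-w /etc/passwd -p wa -k identity
# -e 1
-e 2'

# Live run: preflight.sh <audit-rules-file> <client-install-dir>
if [ "$#" -eq 2 ]; then
  audit_findings < "$1"
  resource_findings "$(nproc)" "$(df -Pk "$2" | awk 'NR == 2 { print $4 }')"
else
  printf '%s\n' "$SAMPLE_RULES" | audit_findings
fi
```

An empty result from both functions means none of the blocking or restart conditions described on this page were found in the inputs that were checked.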

Permission recording requirements

Linux endpoints do not have any special requirements to monitor the permission event type.

To monitor the permission event type on Windows endpoints, you must configure the Audit File System permission under Local Security Policy on the endpoint. For more information, see Prepare Endpoints.

Client Recorder Extension

Integrity Monitor uses the Tanium™ Client Recorder Extension to gather data from endpoints. For more information, see Client Recorder Extension User Guide.

Integrity Monitor does not use the Client Recorder Extension for Solaris and AIX endpoints.

Tanium Event Recorder Driver

Use the Tanium Event Recorder Driver to record registry events on supported Windows endpoints. For more information, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver.

The Tanium Event Recorder Driver is installed by default when you deploy a monitor that is configured to use it. For more information, see Create a new monitor.

If you need to troubleshoot an issue with the Tanium Event Recorder Driver, see Manually install the Tanium Event Recorder Driver.

Third-party software

To integrate Integrity Monitor with an IT workflow in ServiceNow Change Management, ServiceNow Madrid or later is required.

Host and network security requirements

Specific processes are needed to run Integrity Monitor.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Table 1:   Integrity Monitor security exclusions
Target Device Notes Process
Tanium Module Server   <Module Server>\services\integrity-monitor-service\node.exe
  <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Tanium Zone Server   <Zone Server>\proxy\node.exe
Windows x86 and x64 endpoints   <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
  <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
  <Tanium Client>\Tools\IM\TaniumExecWrapper.exe
  <Tanium Client>\extensions\TaniumRecorder.dll
  <Tanium Client>\extensions\TaniumRecorder.dll.sig
  <Tanium Client>\extensions\recorder\proc.bin
  <Tanium Client>\extensions\recorder\recorder.db
  <Tanium Client>\extensions\recorder\recorder.db-shm
  <Tanium Client>\extensions\recorder\recorder.db-wal
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig
  <Tanium Client>\TaniumClientExtensions.dll
  <Tanium Client>\TaniumClientExtensions.dll.sig
7.2.x clients <Tanium Client>\Python27\TPython.exe
7.4.x clients <Tanium Client>\Python38\TPython.exe
7.4.x clients <Tanium Client>\Python38\*.dll
  <Tanium Client>\TaniumCX.exe
Linux x86 and x64 endpoints   <Tanium Client>/TaniumAuditPipe
  <Tanium Client>/Tools/Trace/recorder
  <Tanium Client>/Tools/EPI/TaniumEndpointIndex
  <Tanium Client>/Tools/EPI/TaniumExecWrapper
  <Tanium Client>/Tools/IM/TaniumExecWrapper
7.2.x clients <Tanium Client>/python27/python
7.2.x clients <Tanium Client>/python27/bin/pybin
7.4.x clients <Tanium Client>/python38/python
  <Tanium Client>/libTaniumClientExtensions.so
  <Tanium Client>/libTaniumClientExtensions.so.sig
  <Tanium Client>/extensions/recorder/proc.bin
  <Tanium Client>/extensions/recorder/recorder.db
  <Tanium Client>/extensions/recorder/recorder.db-shm
  <Tanium Client>/extensions/recorder/recorder.db-wal
  <Tanium Client>/extensions/recorder/recorder.auditpipe
  <Tanium Client>/extensions/core/libTaniumPythonCx.so
  <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
  <Tanium Client>/TaniumCX
Table 2:   Integrity Monitor security exclusions
Target Device Notes Process
Windows x86 and x64 endpoints   <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
  <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
  <Tanium Client>\Tools\IM\TaniumExecWrapper.exe
  <Tanium Client>\extensions\TaniumRecorder.dll
  <Tanium Client>\extensions\TaniumRecorder.dll.sig
  <Tanium Client>\extensions\recorder\proc.bin
  <Tanium Client>\extensions\recorder\recorder.db
  <Tanium Client>\extensions\recorder\recorder.db-shm
  <Tanium Client>\extensions\recorder\recorder.db-wal
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig
  <Tanium Client>\TaniumClientExtensions.dll
  <Tanium Client>\TaniumClientExtensions.dll.sig
7.4.x clients <Tanium Client>\Python38\TPython.exe
7.4.x clients <Tanium Client>\Python38\*.dll
  <Tanium Client>\TaniumCX.exe
Linux x86 and x64 endpoints   <Tanium Client>/TaniumAuditPipe
  <Tanium Client>/Tools/Trace/recorder
  <Tanium Client>/Tools/EPI/TaniumEndpointIndex
  <Tanium Client>/Tools/EPI/TaniumExecWrapper
  <Tanium Client>/Tools/IM/TaniumExecWrapper
7.4.x clients <Tanium Client>/python38/python
  <Tanium Client>/libTaniumClientExtensions.so
  <Tanium Client>/libTaniumClientExtensions.so.sig
  <Tanium Client>/extensions/recorder/proc.bin
  <Tanium Client>/extensions/recorder/recorder.db
  <Tanium Client>/extensions/recorder/recorder.db-shm
  <Tanium Client>/extensions/recorder/recorder.db-wal
  <Tanium Client>/extensions/recorder/recorder.auditpipe
  <Tanium Client>/extensions/core/libTaniumPythonCx.so
  <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
  <Tanium Client>/TaniumCX

Service account user

The Integrity Monitor service account requires certain privileges to run background jobs which include gathering endpoint statistics, sending labels to Connect, and evaluating rules. See Installing Integrity Monitor to create a service account user and configure the service account within Integrity Monitor.

User role requirements

Use role-based access control (RBAC) permissions to restrict access to Integrity Monitor functions.

Table 3:   Integrity Monitor user role privileges
Privilege Integrity Monitor Administrator1,2 Integrity Monitor Operator1 Integrity Monitor Author1 Integrity Monitor User1 Integrity Monitor Read Only User1 Integrity Monitor Service Account1,2,3 Integrity Monitor Endpoint Configuration Approver1

Show Integrity Monitor

View the Integrity Monitor workbench

Integrity Monitor Use API

Perform Integrity Monitor operations using the API

Integrity Monitor Monitor Event Labels Read

View monitor event labels

Integrity Monitor Watchlists Read

View watchlists

Integrity Monitor Rules Read

View rules

Integrity Monitor Monitor Events Read

View monitor events

Integrity Monitor Monitors Read

View monitors. View and download reports

Integrity Monitor Settings Read

View general settings, templates, and default labels

Integrity Monitor Monitor Event Labels Write

Create and edit monitor event labels and label notes
Send labeled events to Connect manually4

Integrity Monitor Watchlists Write

Create and edit watchlists

Integrity Monitor Rules Write

Create and edit rules

Integrity Monitor Monitors Write

Create and edit monitors
Enable, disable, or delete reports for a monitor

Integrity Monitor Settings Write

Update general settings, templates, and default labels

Integrity Monitor Monitor Event Labels Delete

Delete monitor event labels and notes

Integrity Monitor Execute Scheduled Task

Run tasks in the IM service with the IM schedule plugin, including sending labeled events to Connect via a background scheduled task and scheduling the weekly day and time to generate reports; run and apply rules to events

Integrity Monitor Deploy Monitors

Deploy monitors

Integrity Monitor Deploy Rules

Deploy rules

Integrity Monitor Troubleshooting

Create, check the status of, and download the troubleshooting archive

Integrity Monitor Admin Settings Write

Set the service account and log level

Integrity Monitor Integrations Admin

Create, edit, and schedule integrations with IT workflows

Integrity Monitor Endpoint Configuration Approve

Approve Integrity Monitor configuration changes in Tanium Endpoint Configuration

1 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

3 If you installed Tanium Client Management, this user requires the Endpoint Configuration Service Account role. Endpoint Configuration is installed as a part of Tanium Client Management.

4 To send labeled events to Tanium Connect, you must have Connect installed. You must also have the Integrity Monitor Monitor Event Labels Write permission and the Tanium Connect Connect Event Write permission, which is provided through the Connect roles. The least privileged Connect role that an Administrator can assign to grant this privilege is Connect User.

Table 4:   Provided Integrity Monitor Advanced user role permissions
Permission Content Set for Permission Integrity Monitor Administrator Integrity Monitor Operator Integrity Monitor Author Integrity Monitor User Integrity Monitor Read Only User Integrity Monitor Service Account
Execute plugin Integrity Monitor Events
Execute plugin Integrity Monitor
Execute plugin Connect
Execute plugin Trends
Read action Integrity Monitor Deployment
Read action Integrity Monitor Troubleshooting
Read filter group Reserved
Read filter group Default Filter Groups
Read filter group Integrity Monitor
Read filter group Integrity Monitor Deployment
Read saved question Integrity Monitor
Read saved question Integrity Monitor Events
Read sensor Reserved
Read sensor Base
Read sensor Integrity Monitor
Read sensor Integrity Monitor Deployment
Read sensor Integrity Monitor Events
Write action Integrity Monitor Deployment
Write action Integrity Monitor Troubleshooting
Write package Integrity Monitor Deployment
Write package Integrity Monitor Troubleshooting
Write saved question Integrity Monitor
Write saved question Integrity Monitor Events