Review the requirements before you install and use Integrity Monitor.
|Tanium Platform||Version 7.2 or later
If you are using an older version, contact your Technical Account Manager (TAM) before installing and using Integrity Monitor.
For best results with AIX and Solaris endpoints, use version 7.2.314.3518 or later due to known issues with file handling in the 6.0 client that were fixed in later versions.
Integrity Monitor does not use the recorder for Solaris and AIX endpoints.
For more information about specific Tanium Client versions, see Client host system requirements.
Integrity Monitor is not currently supported on Red Hat Enterprise Linux (RHEL) 8.x.
For more information about deploying the Tanium Client to endpoints with different operating systems, see the Client Deployment Guide.
|Tanium™ Connect||4.0.0 or later|
Integrity Monitor uses the Tanium™ Client Recorder Extension to gather data from endpoints. For more information, see Client Recorder Extension User Guide.
Integrity Monitor 2.0 and later includes an upgrade to Client Recorder Extension 2.0, commonly referred to as the recorder. Recorder 2.0 includes significant improvements to performance and interoperability between modules that use the recorder (Integrity Monitor, Tanium™ Threat Response, and Tanium™ Map).
This upgrade does not require you to update all three modules at the same time, but conditional logic is applied to determine whether to upgrade the recorder component from version 1.x to 2.0 when more than one of these modules is deployed to an endpoint. The recorder updates on an endpoint as follows:
- If Integrity Monitor is the only module installed that uses the recorder, the endpoint updates to the new recorder when you upgrade to Integrity Monitor 2.0 or later.
- If Threat Response 1.4.2 or earlier is installed along with Integrity Monitor 2.0 or later, the previous version of the recorder is used on the endpoint until you upgrade to Threat Response 2.0 or later.
- If Map 1.2.2 or earlier is installed along with Integrity Monitor 2.0 or later and Threat Response 2.0 or later, the endpoint updates to the new recorder. Map will not function as expected until you upgrade to Map 2.0.
Each endpoint device must have a minimum of 100 MB RAM. By default, the endpoint database is 1 GB in size. There must be 2 times the maximum database size available in free disk space on the partition where the Tanium Client is installed. The CPU demand on the endpoint averages less than 1%.
The recorder is supported on the same Linux endpoints as the Tanium Client. For Windows endpoints, a minimum of Windows 7 or Windows Server 2008 R2 is required. Integrity Monitor does not use the Client Recorder Extension for Solaris and AIX.
For Linux endpoints:
- Install the most recent stable version of the audit daemon and audispd-plugins. For information on depricated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions.
- Be aware that when using immutable "-e 2" mode, the Linux recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled.
Specific processes are needed to run Integrity Monitor.
If you use security software in your environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
|Module Server||<Module Server>\services\integrity-monitor-service\node.exe|
|Windows x86 endpoints||<Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe|
|Windows x64 endpoints||<Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe|
|Linux x86 endpoints||<Tanium Client>/Tools/Trace/recorder|
|Linux x64 endpoints||<Tanium Client>/Tools/Trace/recorder|
For best results, add a recursive security exclusion for the Tanium Client directory:
- Windows endpoints: <Tanium Client>
This path is usually C:\Program Files (x86)\Tanium\Tanium Client.
- Linux endpoints: /opt/Tanium/TaniumClient
The Integrity Monitor service account requires certain privileges to run background jobs which include gathering endpoint statistics, sending labels to Connect, and evaluating rules. See Installing Integrity Monitor to create a service account user and configure the service account within Integrity Monitor.
Integrity Monitor 1.2.1 introduced role-based access control (RBAC) permissions that control access to Integrity Monitor functions. The four predefined roles are Integrity Monitor Admin, Integrity Monitor Author, Integrity Monitor User, and Integrity Monitor Read Only User.
|Privilege||Integrity Monitor Administrator||Integrity Monitor Author||Integrity Monitor User||Integrity Monitor Read Only User|
Show Integrity Monitor
View the Integrity Monitor workbench.
Integrity Monitor Use API
Integrity Monitor Monitor Event Labels Read
View monitor event labels.
Integrity Monitor Watchlists Read
Integrity Monitor Rules Read
Integrity Monitor Monitor Events Read
View monitor events.
Integrity Monitor Monitors Read
View monitors. View and download reports.
Integrity Monitor Settings Read
View general settings, templates, and default labels.
Integrity Monitor Monitor Event Labels Write
Create and edit monitor event labels and label notes.
Integrity Monitor Watchlists Write
Create and edit watchlists.
Integrity Monitor Rules Write
Create and edit rules.
Integrity Monitor Monitors Write
Create and edit monitors.
Integrity Monitor Settings Write
Update general settings, templates, and default labels.
Integrity Monitor Monitor Event Labels Delete
Delete monitor event labels and notes.
Integrity Monitor Execute Scheduled Task
Execute tasks in the IM service via the IM schedule plugin, including sending labeled events to Connect via a background scheduled task and scheduling the weekly day and time to generate reports.
Integrity Monitor Deploy Monitors
Integrity Monitor Troubleshooting
Create, check the status of, and download the troubleshooting archive.
1 Denotes a provided permission.
2To send labeled events to Tanium Connect, you must have Connect installed. You must also have the Integrity Monitor Monitor Event Labels Write permission and the Tanium Connect Connect Event Write permission, which is provided through the Connect roles. The lowest privileged Connect role that an Administrator can assign to grant this privilege is Connect User.
|Permission||Content Set for Permission||Integrity Monitor Administrator||Integrity Monitor Author||Integrity Monitor User||Integrity Monitor Read Only User|
|Execute plugin||Integrity Monitor Events|
|Execute plugin||Integrity Monitor|
|Read action||Integrity Monitor Deployments|
|Read saved question||Integrity Monitor Events|
|Read sensor||Integrity Monitor Deployment|
|Read sensor||Integrity Monitor Events|
|Write action||Integrity Monitor Deployment|
|Write package||Integrity Monitor Deployment|
|Write saved question||Integrity Monitor Events|
Endpoints are considered to be legacy if they are using Windows versions older than 6.1, such as Windows XP, Windows Server 2008, or older. Windows Server 2008 R2 is not considered legacy. See Microsoft: Microsoft Windows Operating System Version for more information.
Index must have finished its installation and initial scan in order to capture events.
To monitor permission event types, there are no special requirements for Linux endpoints.
To monitor permission event types for Windows versions 6.1 and newer, you must configure the Audit File System permission under Local Security Policy on the endpoint.
You can check to see if this permission is already configured using the Get Integrity Monitor Endpoint Tools Status and Computer name from all machines sensor in Tanium™ Interact. You will get the following results if the permission is not configured:
Audit Policy for File System auditing is configured for: No Auditing
Audit Policy for File System auditing is configured for: Failure
Error: Audit Policy for File System auditing is not properly configured
The following steps to configure the Audit File System permission might slightly vary depending on your exact version of Windows.
- Open Local Security Policy, usually found in the Administrative Tools folder.
- Expand Advanced Audit Policy Configuration under Security Settings.
- Expand System Audit Policies - Local Group Policy Object.
- Double click Object Access.
- Double click Audit File System.
- Select Configure the following audit events: and then select Success.
- Click Apply and then click OK.
By default, Integrity Monitor monitors permission event types for Windows versions 6.0 and older. Consult with your TAM if you choose to override this setting.
Last updated: 1/2/2020 4:28 PM | Feedback