Performance requirements

Review the requirements before you install and use Performance.

Tanium dependencies

Component: Requirement
Tanium™ Core Platform: 7.3.314.4250 or later
Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

For supported endpoint operating systems, see Endpoints.

Tanium solutions: If you selected Tanium Recommended Installation when you installed Performance, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the solutions that Performance requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Solutions at the following minimum versions are required:

  • Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium™ Client Management 1.5 or later)
  • Tanium Interact 2.4.50 or later
  • Tanium Trends 3.6 or later

The following solutions are optional, but Performance requires the specified minimum versions to work with them:

  • Tanium Direct Connect 1.1.0 or later (1.3.0 or later to terminate processes or browse files on an endpoint)

If you are using any of the following Tanium™ solutions that use the Tanium™ Client Recorder Extension, you must use the specified versions:

  • Tanium™ Integrity Monitor 1.7.0.0035 or later
  • Tanium™ Map 1.1.1.0006 or later
  • Tanium™ Threat Response 1.2.0.0037 or later
  • Tanium™ Trace 2.9.0.0035 or later

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Performance.

Operating System: Windows
Version:
  • Windows 7 (SP1) and later
  • Windows Server 2008 R2 (SP1) and later
Notes:
  • Windows 7 Service Pack 1 requires Microsoft KB2758857.
  • A page file is required for metric collection.

Operating System: macOS
Version:
  • 10.11 and later

Operating System: Linux
Version:
  • Red Hat Enterprise Linux (RHEL) 6.x, 7.x, 8.x
  • CentOS 6.x, 7.x, 8.x
  • Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS
  • Amazon Linux 2 LTS
Notes:
  • Only POSIX-compliant file systems are supported.

Support for specific metrics varies by operating system. For more information, see Reference: Event Rules.

Disk space requirements

The Database maximum size parameter in the Retention Settings section of the profile determines the maximum amount of disk space that the Performance database uses on the endpoint. For more information, see Create a profile.

Endpoints must have free disk space of at least the amount specified in the Database maximum size parameter, plus 100 megabytes (MB) for tools.

Processor and memory requirements

Same as the Tanium Client. For detailed requirements, see Tanium Client Management User Guide: Client version and host system requirements.

Host and network security requirements

Specific ports and processes are needed to run Performance.

Ports

The following ports are required for Performance communication.

Source Destination Port Protocol Purpose
Tanium Client (internal) Module Server 17475 TCP Used by the Module Server for endpoint connections to internal clients.
Tanium Client (external) Zone Server (1) Tanium as a Service 17486 TCP Used by the Zone Server for endpoint connections to external clients. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server Zone Server (1) 17487 TCP Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
17488 TCP Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows.
Module Server Module Server (loopback) 17471 TCP Internal purposes; not externally accessible.
(1) These ports are required only when you use a Zone Server.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

For Direct Connect ports, see Direct Connect User Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, a security administrator must create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on the antivirus (AV) software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Performance security exclusions
Target Device Notes Exclusion Type Exclusion
Module Server   Process <Module Server>\services\performance\node.exe
  Process <Module Server>\services\event-service\twsm.exe
  Process <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows (x86 and x64) endpoints   Process <Tanium Client>\TaniumClientExtensions.dll
  Process <Tanium Client>\TaniumClientExtensions.dll.sig
  Process <Tanium Client>\extensions\TaniumPerformance.dll
  Process <Tanium Client>\extensions\TaniumPerformance.dll.sig
  Process <Tanium Client>\Tools\Performance\TaniumTSDB.exe
7.2.x clients (1) Process <Tanium Client>\Python27\TPython.exe
7.4.x clients (1) Process <Tanium Client>\Python38\TPython.exe
7.4.x clients Folder <Tanium Client>\Python38
  Process <Tanium Client>\TaniumCX.exe
Linux (x86 and x64) endpoints   Process <Tanium Client>/libTaniumClientExtensions.so
  Process <Tanium Client>/libTaniumClientExtensions.so.sig
  Process <Tanium Client>/extensions/libTaniumPerformance.so
  Process <Tanium Client>/extensions/libTaniumPerformance.so.sig
  Process <Tanium Client>/Tools/Performance/TaniumTSDB
7.2.x clients Process <Tanium Client>/python27/bin/pybin
7.4.x clients Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX
macOS endpoints   Process <Tanium Client>/libTaniumClientExtensions.dylib
  Process <Tanium Client>/libTaniumClientExtensions.dylib.sig
  Process <Tanium Client>/extensions/libTaniumPerformance.dylib
  Process <Tanium Client>/extensions/libTaniumPerformance.dylib.sig
  Process <Tanium Client>/Tools/Performance/TaniumTSDB
7.2.x clients Process <Tanium Client>/python27/bin/pybin
7.4.x clients Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX
(1) TPython requires SHA2 support to allow installation.
Performance security exclusions
Target Device Notes Exclusion Type Exclusion
Windows (x86 and x64) endpoints   Process <Tanium Client>\TaniumClientExtensions.dll
  Process <Tanium Client>\TaniumClientExtensions.dll.sig
  Process <Tanium Client>\extensions\TaniumPerformance.dll
  Process <Tanium Client>\extensions\TaniumPerformance.dll.sig
  Process <Tanium Client>\Tools\Performance\TaniumTSDB.exe
7.4.x clients (1) Process <Tanium Client>\Python38\TPython.exe
7.4.x clients Folder <Tanium Client>\Python38
  Process <Tanium Client>\TaniumCX.exe
Linux (x86 and x64) endpoints   Process <Tanium Client>/libTaniumClientExtensions.so
  Process <Tanium Client>/libTaniumClientExtensions.so.sig
  Process <Tanium Client>/extensions/libTaniumPerformance.so
  Process <Tanium Client>/extensions/libTaniumPerformance.so.sig
  Process <Tanium Client>/Tools/Performance/TaniumTSDB
7.4.x clients Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX
macOS endpoints   Process <Tanium Client>/libTaniumClientExtensions.dylib
  Process <Tanium Client>/libTaniumClientExtensions.dylib.sig
  Process <Tanium Client>/extensions/libTaniumPerformance.dylib
  Process <Tanium Client>/extensions/libTaniumPerformance.dylib.sig
  Process <Tanium Client>/Tools/Performance/TaniumTSDB
7.4.x clients Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX
(1) TPython requires SHA2 support to allow installation.
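
One way to check the Linux exclusion targets listed above, as an added example that is not part of the Tanium documentation: because the security software no longer inspects these paths, the script reports any that are missing or that are group- or world-writable (the file or its parent directory). The client directory argument, the function names, and the status labels are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit the Linux exclusion targets from the table above.
# The Tanium Client directory is supplied by the caller (assumption: this page
# does not state an install path).

# Linux exclusion paths from the table, relative to <Tanium Client>.
# The 7.2.x python27 entry is omitted; add it when auditing 7.2.x clients.
EXCLUDED_PATHS="
libTaniumClientExtensions.so
libTaniumClientExtensions.so.sig
extensions/libTaniumPerformance.so
extensions/libTaniumPerformance.so.sig
Tools/Performance/TaniumTSDB
python38/bin/pybin
TaniumCX
"

# Succeeds if the file or directory is group- or world-writable.
# Reads the ls mode string: character 6 is group write, character 9 is other write.
is_loosely_writable() {
    case "$(ls -ldL "$1" 2>/dev/null)" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<STATUS> <path>" per exclusion; returns 0 only if every path is OK.
# MISSING:  nothing exists at a path the security software was told to ignore.
# WRITABLE: the file or its parent directory can be modified by group or others.
audit_exclusions() {
    local client_dir rel path status rc
    client_dir=$1
    rc=0
    for rel in $EXCLUDED_PATHS; do
        path="$client_dir/$rel"
        if [ ! -e "$path" ]; then
            status=MISSING
        elif is_loosely_writable "$path" || is_loosely_writable "$(dirname "$path")"; then
            status=WRITABLE
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        printf '%s %s\n' "$status" "$path"
    done
    return "$rc"
}

# Run the audit when a client directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_exclusions "$1"; fi
```

The script does not check file ownership; run it as part of a periodic review of the exclusion list and investigate any line that is not OK.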

User role requirements

The following tables list the role permissions required to use Performance. To review a summary of the predefined roles, see Set up Performance users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Performance user role permissions
Permission Performance Administrator (1,2,3,4) Performance Operator (1,2,3,4) Performance User (1,2,4) Performance Read Only User (1,2,4) Performance Service Account (2,3,4,5,7) Performance Endpoint Configuration Approver (2,3)

Performance

ADMINISTER: View all pages in Performance. Update settings, profiles, and the service account credentials; can generate and retrieve a support bundle

SHOW: View the Performance workbench


ADMINISTER
SHOW

SHOW

SHOW

SHOW

SHOW

Performance Components

Manage back-end components for Performance, such as actions


MANAGE

Performance Direct Connect (6)

Connect to an endpoint using Direct Connect and read data from that endpoint.

READ

READ

READ

READ

Performance Endpoint Configuration

Allows approving endpoint configuration items


APPROVE

Performance Event

View Performance events

READ

READ

READ

READ

Performance File

Browse the file system and download a file from an endpoint that you connect to through Performance


DOWNLOAD

DOWNLOAD

DOWNLOAD

Performance Kill

Terminate endpoint processes when you connect to an endpoint through Performance


PROCESS

PROCESS

PROCESS

Performance Profile

View, create or modify Performance profiles

READ
WRITE

READ
WRITE

READ

READ

READ

Performance Settings

View Performance settings

READ

READ

READ

READ

READ

1 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see the Tanium Direct Connect User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see the Tanium Trends User Guide: User role requirements.

3 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

4 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see the Tanium Trends User Guide: User role requirements.

5 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

6 If you are using Direct Connect 1.9.30 or 1.9.32, users must also have the Data Collection Registration Read Interact permission to connect directly to endpoints. If you are using Direct Connect 2.0 or later, the Data Collection Registration Read Interact permission is not required.

7 This role provides the Content Administrator global permission.


Provided Performance administration and platform content permissions
Permission Permission Type Performance Administrator (1,2) Performance Operator (1,2) Performance User (1,2) Performance Read Only User (1,2) Performance Service Account (1) Performance Endpoint Configuration Approver (1)
Action Group Administration
READ

READ

READ

READ

READ
WRITE
Action Platform content
WRITE

WRITE

WRITE
Action for Saved Question Platform content
WRITE
Approve Action Platform content
APPROVE
Dashboard Platform content
READ
WRITE
Dashboard Group Platform content
READ
WRITE
Filter Group Platform content
READ

READ

READ

READ
Own Action Platform content
READ

READ

READ
Package Platform content
READ
WRITE

READ
WRITE

READ
WRITE
Plugin Platform content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question Platform content
READ

READ

READ

READ

READ
WRITE
Sensor Platform content
READ

READ

READ

READ

READ
WRITE

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides content set permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration content sets are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.