Console Requirements

Review the requirements before you install and use Console.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium Core Platform 7.6.1. This version and later versions do not support Interact versions earlier than 3.0.
  • Tanium Console 3.6

Solution dependencies

Other Tanium solutions are required for Interact to function (required dependencies) or for specific Interact features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Interact dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Interact requires.

For the Tanium Core Platform version that Interact requires, see Core platform dependencies.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Interact, the Tanium Server automatically imports all your licensed solutions at the same time. See Import all modules and services.

Import specific solutions

If you select only Interact to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Interact, the server automatically updates those dependencies to the latest available versions.

If you select only Interact to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Console 3.0.64 or earlier, you must manually import or update required dependencies. See Import or update specific solutions.

Required dependencies

Interact has the following required solution dependencies at the specified minimum versions:

  • Tanium™ Core Content 1.3.100 or later

    Core Content 1.8.5 or later requires Tanium™ Client Management

  • Tanium™ Default Computer Groups 1.0.6 or later
  • Tanium™ Default Content 8.4.9 or later
  • Tanium™ RDB Service 1.2.151 or later
  • Tanium™ System User Service 1.0.235 or later

For details about the content-only solutions (Core Content, Default Computer Groups, and Default Content), see Content-only solutions.

Feature-specific dependencies

If you select only Console to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Console has the following feature-specific dependencies at the specified minimum versions:

Tanium Server computer resource and network requirements

Console includes both the Console workbench and Tanium Data Service. The Console workbench installs and run on the Tanium Server, while Tanium Data Service installs and runs on the Module Server. The general resource specifications for the Tanium Server include the host computer resource and network requirements for Tanium Console and Console. The impact of Tanium Data Service on the Tanium Module Server depends on usage. See the guide for your deployment for details.

Endpoints

Supported operating systems

Interact supports the same operating systems (OSs) for endpoints that the Tanium Client supports:

  • Windows
  • MacOS 
  • Linux
  • AIX
  • Solaris

For details about support for specific OS versions, see Tanium Client Management User Guide: Client version and host system requirements.

Disk space requirements

On managed endpoints, Interact requires at least 100 MB of disk space and another 100 MB of cache space for data files. The cache space includes the Tanium Client chunk cache and objects such as sensors and logs.

Processor requirements

On managed endpoints, Interact requires at least 10 MB of RAM and accounts for less than 0.5% of idle CPU usage.

Host and network security requirements

Specific ports and processes are needed to run Console.

Ports

The following ports are required for Console communication.

Source Destination Port Protocol Purpose
Module Server Module Server (loopback) 17495 TCP Internal purposes, not externally accessible

No additional ports are required.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

Host and network security requirements for the Tanium Core Platform apply to Console. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exceptions.

User role requirements

Tanium has roles and permissions for both Console and associated Tanium Data Service. To review a summary of the predefined roles, see Configuring Console.

Console module permissions

Interact has the following predefined module roles and associated module permissions.

 Table 1: Interact user role permissions
Permission Interact Power User Interact Basic User Interact Read-Only User Interact Show

Ask Dynamic Questions1

Issue questions through the Interact Ask a Question field and Question Builder.
SPECIAL
SPECIAL

Interact

View the Interact workbench.
SHOW
SHOW
SHOW
SHOW

Interact Execute2

Deploy actions in Interact.
ACTION


Interact Module3,4

View, create, edit, or delete Interact content.
READ
WRITE
READ
WRITE
READ

1 This permission applies to the Reserved content sets.

2 The Interact Execute permission provides the following permissions:

  • Platform content permissions: Filter Group read, Sensor read, Saved Question read, Dashboard read, Dashboard Group read, Package read, Action read, Saved Question write, Dashboard write, Dashboard Group write, and Action write. The Dashboard read and write permissions apply to Interact dashboards, not Reporting dashboards.

  • Reporting module permissions: See Table 3.

3 The Interact Module read permission provides the following platform content permissions: Filter Group read, Sensor read, Saved Question read, Dashboard read, and Dashboard Group read. The Dashboard read and write permissions apply to Interact dashboards, not Reporting dashboards.

4 The Interact Module write permission provides the following permissions:

  • Platform content permissions: Filter Group read, Sensor read, Saved Question read, Dashboard read, Dashboard Group read, Saved Question write, Dashboard write, Dashboard Group write. The Dashboard read and write permissions apply to Interact dashboards, not Reporting dashboards.

  • Reporting module permissions: See Table 3.

The following table lists the provided platform content permissions and associated content sets (see the table footnotes) for the Interact permissions in Table 1.

 Table 2: Provided platform content permissions for Interact
Permission Permission Type Interact Power User Interact Basic User Interact Read-Only User Interact Show
Action Platform Content
READ
WRITE


Dashboard1 Platform Content
READ
WRITE
READ
WRITE
READ
Dashboard Group Platform Content
READ
WRITE
READ
WRITE
READ
Filter Group Platform Content
READ
READ
READ
Own Action Platform Content
READ


Package Platform Content
READ


Plugin Platform Content
READ
EXECUTE
READ
EXECUTE
READ
EXECUTE
READ
EXECUTE
Saved Question Platform Content
READ
WRITE
READ
WRITE
READ
Sensor Platform Content
READ
READ
READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

1The Dashboard read and write permissions apply to Interact dashboards, not Reporting dashboards.

The Interact Execute action permission and Interact Module write permission each provide the following Reporting module permissions and associated content sets (see the table footnotes). These permissions enable users to access the Endpoint Details page in the Reporting workbench. For information about the Endpoint Details page, see Tanium Reporting User Guide: Viewing and managing a single endpoint.

 Table 3: Provided Reporting permissions for Interact
Permission Interact Power User Interact Basic User Interact Read-Only User Interact Show
Dashboard1
READ
READ
Report1
READ
READ
Report API
USER
USER
Reporting Category
READ
READ

Reporting Settings
READ
READ

1The Dashboard and Report permissions apply to the Reporting content set. The Reporting Dashboard module permission is distinct from the platform content Dashboard permission that Table 2 references.

The following table summarizes the permissions required to perform specific tasks in Interact. Interact includes the Interact Overview page and Question Builder page. The Administrator reserved role has all the listed permissions. The table also indicates whether other reserved roles have permissions for the features.

 Table 4: Required permissions to perform Interact tasks
Tasks Roles and permissions
Install or uninstall Interact Administrator reserved role only
All tasks in Interact Interact show (module) permission is required for all Interact features, so be sure to assign a role with that permission to all Interact users.
View Interact content Interact Module read (module) permission is required to view content in the Interact content set.
Manage Interact content Interact Module write (module) permission is required to add, edit, or delete content in the Interact content set.
Deploy actions in Interact Interact Execute (module) permission enables users to deploy actions in Interact. It implies the platform content permissions Package read, Action read, and Action write.
Issue questions through the Ask a Question field and Question Builder Ask Dynamic Questions (module) permission is required to issue questions through the Ask a Question field and Question Builder. You can assign the permission to any custom role.

Sensor read content set permissions determine which sensors are available for you to select for questions. Filter Group read content set permissions determine which computer filter groups are available for you to view and select for questions and question results.

Depending on whether Tanium™ Reporting, Tanium™ Asset, or both are installed, you require additional permissions to see endpoint details through the Search Endpoints field or the Question Results page. For more information, see View details for a single endpoint.

The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Save a question Saved Question write permission is required to assign a saved question to content sets for which you have permission. Saved Question write is also required to create, edit, or delete saved questions. The Sensor read content set permissions determine the available sensors. Filter Group read content set permissions determine the available filter groups.

In addition to the Saved Question write permission, users require the Action write and Package write permissions to add associated packages to a new saved question configuration. In addition to these three permissions, users require owner permissions for the question if they want to modify or delete the associated packages.

The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Use Interact Saved Questions Saved Question read content set permissions determine the saved questions that you can see in Tanium Console, such as on the Interact Overview page, Question Builder page, and Question Results grid drill-down.

Sensor read permission is required for the sensors specified in a saved question that you want to issue. Filter Group read content set permission is required for the filter groups specified in the saved question.

Ask Dynamic Questions permission is required to use the drill down feature in the saved question results grid.
Use Interact Categories Dashboard Group read content set permissions determine the categories that you can see in Console, such as on the Interact Overview page.

Dashboard Group write permission is required to create, modify, or delete category configurations. Dashboard read content set permissions determine which Interact dashboards are available in categories.

The Admin reserved role Administrator and Content Administrator reserved roles can export and import categories.
Use Interact Dashboards Dashboard read content set permissions determine the Interact dashboards that you can see in Console, such as on the Interact Overview page.

Dashboard write permission is required to create, modify, or delete Interact dashboard configurations. Saved Question read content set permissions determine which saved questions are available in dashboards.

These Dashboard read and write permissions apply to Interact dashboards, not Reporting dashboards.

The Admin Administrator or Content Administrator reserved role can export and import Interact dashboards.
Deploy an action Action write permission is required to see the Deploy Action button on the Question Results grid.

Package read content set permissions determine which packages are available for you to select for actions.

Sensor read and Saved Question read permissions on the Reserved content set are required to complete the deploy action workflow. During the workflow, these permissions allow special saved questions thatTanium Cloud the Tanium Server uses to track and report action status.

The Administrator reserved role and Interact Power User role have all these permissions.
Use the Interact Overview page To see the following sections of the Interact Overview page, users require the specified permissions:
  • Overview: Dashboard Group read, Dashboard read, and Saved Question read permissions control the summary counts.
  • Favorite Categories: Dashboard Group read permission
  • Favorite DashboardsDashboard read permission
  • Favorite Saved Questions: Saved Question read permission

The Dashboard permissions apply to Interact dashboards, not Reporting dashboards.

The Administrator reserved role has all these permissions.

Tanium Data Service permissions

Tanium Data Service has the following predefined module roles and associated module permissions.

Do not assign the Tanium Data Service Account, Tanium Data Service Account - All Content Sets, or Data Collection Service Account roles to users. These roles are for internal purposes only.

 Table 5: Tanium Data Service user role permissions
Permission Data Collection Administrator Data Collection Operator

Ask Dynamic Questions

A global permission that applies to all content sets. It enables issuing questions through the Interact Ask a Question field and Question Builder.

Data Collection

OPERATOR: Access to configure data collection settings

START: Manually start an unscheduled query to collect sensor results
START
OPERATOR
START

Data Collection Administrator

Unrestricted access to configure data collection
ADMINISTER

Data Collection API Identify Endpoint

The following permissions are for internal purposes only and apply to the Tanium Data Service content set:

READ: Read the results of the internal Endpoint ID sensor

WRITE: Allocate Endpoint ID values to endpoints

DELETE: Purge the sensor results of specific endpoints from Tanium Data Service based on Endpoint ID values


READ
WRITE
DELETE
READ
DELETE

Data Collection Bundle Config

View and edit configuration data for the next support bundle (internal purposes only)
READ
WRITE

Data Collection EID Namespace

Read and write endpoint ID namespaces (internal purposes only)

Data Collection Identify Endpoint

The following permissions are for internal purposes only:

READ: Resolve which sensors are used to determine the endpoint ID (EID)

WRITE: Allocate the sensors that are used to determine the EID
READ
WRITE

Data Collection Job

Read and cancel pipeline jobs (internal purposes only)

Data Collection Metrics

View the Data Service Sensor Metrics and Data Service Database Metrics charts in the Interact Info page
READ
READ

Data Collection Operator Settings

View and edit Tanium Data Service settings (internal purposes only)
READ
WRITE
READ
WRITE

Data Collection Pipeline

Read pipeline data (internal purposes only)

Data Collection Pipeline Write

Write pipeline data (internal purposes only)

Data Collection Purge

Purge data for specific sensors (internal purposes only)
SENSOR
SENSOR

Data Collection Rdb

Connect to the Tanium™ RDB service (internal purposes only)

Data Collection Registration

READ: View the Interact Settings > Registration & Collection page to see which sensors are registered for results collection

WRITE: Register or unregister sensors for results collection, pause (disable) or resume (enable) collection, and purge results
READ
WRITE
READ
WRITE

Data Collection Sensor

Write virtual sensor data (internal purposes only)

Data Collection Settings

View and edit Tanium Data Service settings (internal purposes only)
READ
WRITE

Data Collection Status

View the Data Service Status chart in the Interact Info page
READ
READ

Data Collection Virtual Sensor Definition

View and edit virtual sensors (internal purposes only)

Result Exclusion

Read and write exclusions (internal purposes only)
READ
WRITE

Result Expansion

Read and write expansions (internal purposes only)
READ
WRITE

Tanium Data Service roles also have the following administration and platform content permissions:

 Table 6: Provided Tanium Data Service administration and platform content permissions
Permission Permission Type Data Collection Administrator Data Collection Operator
Action Group Administration

Client Status Administration

Computer Group Administration

Persona Administration

User Administration
READ
Action Platform Content

Own Action Platform Content

Plugin Platform Content
READ
EXECUTE
READ
EXECUTE
Saved Question Platform Content

Sensor Platform Content
READ
READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.