Client Recorder Extension overview

The Client Recorder Extension is a feature common to the Tanium Integrity Monitor, Tanium Map, and Tanium Threat Response solution modules. It continuously saves event data on each endpoint. The Client Recorder Extension monitors the endpoint kernel and other low-level subsystems to capture a variety of events.

Traditional disk and memory forensics techniques can successfully reconstruct fragments of endpoint activity, but are limited to the evidence that is natively preserved by the underlying operating system. This type of evidence from a period of interest can rapidly degrade as time elapses. In contrast, the Client Recorder Extension maintains a complete, easy-to-interpret history of events so you can replay recent system events.

Even an idle system quickly accumulates data. The Client Recorder Extension returns event information based on a subscription that a module provides. Subscriptions can save event information in a number of ways, for example in JSON format or in a database. Modules can retain up to several months of historical data. You can customize the amount of local storage that is consumed by the Client Recorder Extension, and create subscriptions to capture specific types of recorded evidence.

Types of recorded events

The Client Recorder Extension captures a broad range of events and records additional context and metadata with each one. Recorded event examples include:

  • process execution
  • file system activity
  • registry changes
  • network connections
  • driver and library loads
  • user authentication

You can specify which process, registry, network, file, and security events to record, depending on whether they apply to the operating systems of the endpoints.

For more meaningful data and to retain data for longer periods, consider excluding events that occur frequently; for example, LanguageList registry values are a verbose event on Windows endpoints.

Registry

[Windows only] Changes to the registry, such as the creation or alteration of registry keys and values. Includes the associated process and user context.

Network

Network connection events, such as an HTTP request to an internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP connections.

File

File system events, such as files written to directory locations on the endpoint. The associated process and user context are included. Examples: A malware file copied to a location that Windows Update uses, or content changes made to a file.

Security

[Windows and Linux only] Security events such as authentication, privilege escalation, and more. This event type includes logon events.

DNS

[Windows 8.1 or later] Request information, including the process path, user, query, response, and the type of operation.

Sources of Client Recorder Extension data on Windows

The Client Recorder Extension gathers data from multiple sources into a database and/or journal feeds. Kernel events are gathered from Windows tools. On Windows endpoints, the Tanium Driver is recommended to provide additional information about the executed processes.

Some features of the Client Recorder Extension require specific versions of Windows.

Table 1:   Client Recorder Extension features - Windows

Feature                                     | Windows Server 2008 R2           | Windows Server 2012       | Windows Server 2012 R2 or later | Windows 7                        | Windows 8                 | Windows 8.1 or later
DNS events                                  | Not Available                    | Not Available             | Available                       | Not Available                    | Not Available             | Available
Process hashes and command-line information | Requires Tanium driver or Sysmon | Tanium driver recommended | Tanium driver recommended       | Requires Tanium driver or Sysmon | Tanium driver recommended | Tanium driver recommended
Driver loads                                | Available*                       | Available                 | Available                       | Available*                       | Available                 | Available

* If Sysmon is configured, the driver load information recorded by Sysmon is used.

Sources of Client Recorder Extension data on Linux

The Client Recorder Extension for Linux collects events through the Linux audit subsystem, which consists of the following components:

Kernel Audit Thread (kauditd)

This part of the Linux kernel generates the kernel audit events and forwards audited events to the auditd process. Which events are audited is defined by a rules file, /etc/audit/audit.rules. Additional rules files in /etc/audit/rules.d/ are merged into audit.rules and loaded into the kernel when auditd starts.

Audit Daemon (auditd)

This process communicates with the kernel via a netlink socket; on most Linux versions that socket supports only a single listener. auditd writes events to the audit log files or forwards them to the audispd process for dispatching.

The Client Recorder Extension for Linux requires an application that is started by auditd. In the Client Recorder Extension for Linux, the Tanium Auditpipe is the application that auditd starts. When a Client Recorder Extension configuration is provided, auditd is restarted, and in turn starts the Tanium Auditpipe. When a configuration is removed, auditd also restarts. For this reason you can see auditd starting and stopping when Client Recorder Extension configurations are added or removed.

The log_format parameter in auditd.conf is deprecated in auditd 2.5.2 and later. The log_format parameter has two settings:

  • RAW
  • NOLOG

If auditd.conf contains log_format = NOLOG on these versions of auditd, the audispd process does not start, and neither does the Tanium Auditpipe that it dispatches to. To stop auditd from writing its own log files on these versions without using NOLOG, set the following parameters in auditd.conf:

  • write_logs = NO
  • log_format = RAW

When the Client Recorder Extension starts on an endpoint that has auditd version 2.5.2 or later, it changes log_format = NOLOG to log_format = RAW. If the write_logs parameter is already present in auditd.conf, its value is not changed. If the write_logs parameter is not present, it is added to auditd.conf with the value that corresponds to the original log_format setting (RAW or NOLOG).

For example:

  • If log_format = NOLOG and write_logs is not set, the Client Recorder Extension sets log_format = RAW and write_logs = NO
  • If log_format = NOLOG and write_logs = YES, the Client Recorder Extension sets log_format = RAW and does not make changes to the value of the write_logs parameter.

When the Client Recorder Extension starts on an endpoint that has a version of auditd earlier than 2.5.2, the write_logs parameter is removed.
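The following script re-implements the log_format / write_logs rules above so you can preview what will happen to /etc/audit/auditd.conf on a given auditd version before the recorder is deployed. It is an added example, not Tanium's code: the 2.5.2 threshold and the rewrite rules come from the text, while the function names, the treatment of a missing log_format line (taken as RAW, auditd's default) and the sample file are this example's own assumptions.

```python
"""Preview the auditd.conf rewrite that the recorder performs (added example, not Tanium's code)."""
import re
from typing import List, Optional, Tuple

WRITE_LOGS_ADDED = "2.5.2"   # auditd release from which write_logs replaces log_format = NOLOG

# One uncommented "key = value" line of auditd.conf.
_KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.8.5' -> (2, 8, 5); tolerates distro suffixes such as '3.0.7-4.el9'."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unrecognized auditd version: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def _find_key(lines: List[str], key: str) -> Optional[int]:
    """Index of the first uncommented 'key = value' line for key, or None if absent."""
    for i, line in enumerate(lines):
        m = _KV_RE.match(line)
        if m and m.group(1) == key:
            return i
    return None


def normalize_auditd_conf(text: str, auditd_version: str) -> str:
    """Return auditd.conf text adjusted the way the page says the recorder adjusts it."""
    lines = text.splitlines()
    fmt_idx = _find_key(lines, "log_format")
    wl_idx = _find_key(lines, "write_logs")
    has_write_logs = parse_version(auditd_version) >= parse_version(WRITE_LOGS_ADDED)

    if not has_write_logs:
        # Older auditd does not know write_logs; the recorder removes it.
        if wl_idx is not None:
            del lines[wl_idx]
        return "\n".join(lines) + "\n"

    # Assumption of this example: no log_format line means auditd's default, RAW.
    log_format = _KV_RE.match(lines[fmt_idx]).group(2).upper() if fmt_idx is not None else "RAW"

    if wl_idx is None:
        # write_logs absent: add it with the meaning the old log_format carried
        # (NOLOG -> write_logs = NO, RAW -> write_logs = YES). An existing
        # write_logs value is left untouched.
        entry = f"write_logs = {'NO' if log_format == 'NOLOG' else 'YES'}"
        if fmt_idx is not None:
            lines.insert(fmt_idx + 1, entry)
        else:
            lines.append(entry)

    if log_format == "NOLOG":
        # NOLOG keeps audispd (and so the Tanium Auditpipe) from starting.
        lines[fmt_idx] = "log_format = RAW"

    return "\n".join(lines) + "\n"


# Constructed sample auditd.conf fragment for the demo.
SAMPLE_CONF = """\
# auditd.conf (constructed sample)
log_file = /var/log/audit/audit.log
log_format = NOLOG
flush = INCREMENTAL_ASYNC
"""

if __name__ == "__main__":
    for version in ("2.4.5", "2.8.5"):
        print(f"--- auditd {version} ---")
        print(normalize_auditd_conf(SAMPLE_CONF, version), end="")
```

Run it against a copy of the real auditd.conf and the output of `auditctl -v` to see the exact file the recorder will leave behind; on 2.5.2 or later the NOLOG line becomes RAW with write_logs = NO beside it, and on older releases only a stray write_logs line is dropped.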

Audit Dispatcher (audispd)

This process is an event multiplexor that works around the single-listener limitation of the netlink socket. It consumes audit events from the auditd process and dispatches them to child plugins that analyze events in real time; the Client Recorder Extension, through the Tanium Auditpipe, is one of these child plugins. The configuration for these child plugins is found under /etc/audisp/plugins.d/ on audit 2.x; on audit 3.x, where the dispatcher was merged into auditd, the plugin directory is /etc/audit/plugins.d/.
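When the recorder is not receiving events, the first thing to check is whether the dispatcher will actually start its plugin. The script below is an added example, not Tanium's code: it parses the plugin files under the plugins.d directory the way audispd reads them (one key = value per line, "#" comments) and reports why a plugin would not be dispatched to. The plugin file name tanium-auditpipe.conf, the stand-in binary and the constructed sample directory are assumptions for the demo; check the real file name on your endpoint.

```python
"""Report which audispd child plugins will receive events (added example, not Tanium's code)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

PLUGINS_DIR = Path("/etc/audisp/plugins.d")   # audit 2.x; audit 3.x uses /etc/audit/plugins.d
TANIUM_PLUGIN = "tanium-auditpipe.conf"        # ASSUMED name of the Tanium Auditpipe plugin file

REQUIRED_KEYS = ("active", "direction", "path", "type", "format")


def parse_plugin_conf(text: str) -> Dict[str, str]:
    """Parse one plugin file: blank lines and '#' comments ignored, 'key = value' kept."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed plugin line: {raw!r}")
        conf[key.strip().lower()] = value.strip()
    return conf


def plugin_problems(conf: Dict[str, str]) -> List[str]:
    """Reasons audispd would not run this plugin; an empty list means it will be dispatched to."""
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in conf]
    if problems:
        return problems
    if conf["active"].lower() != "yes":
        problems.append("active != yes")
    if conf["direction"].lower() != "out":
        problems.append("direction must be 'out' for a plugin that consumes events")
    if conf["type"].lower() not in ("always", "builtin"):
        problems.append(f"unknown type {conf['type']}")
    if conf["format"].lower() not in ("binary", "string"):
        problems.append(f"unknown format {conf['format']}")
    if conf["type"].lower() == "always":
        # An external plugin is spawned from path, so it must be an executable file.
        path = conf["path"]
        if not os.path.isfile(path) or not (os.stat(path).st_mode & 0o111):
            problems.append(f"path {path} is not an executable file")
    return problems


def audit_plugins(plugins_dir: Path) -> Dict[str, List[str]]:
    """Map every *.conf in plugins_dir to its list of problems."""
    return {f.name: plugin_problems(parse_plugin_conf(f.read_text()))
            for f in sorted(plugins_dir.glob("*.conf"))}


def build_demo_dir() -> Path:
    """Constructed sample plugins.d: a disabled builtin, the assumed Tanium plugin, a broken file."""
    d = Path(tempfile.mkdtemp(prefix="plugins.d-"))
    fake_bin = d / "TaniumAuditPipe"            # stand-in for the real binary, not its real path
    fake_bin.write_text("#!/bin/sh\nexit 0\n")
    fake_bin.chmod(0o755)
    (d / "af_unix.conf").write_text(
        "active = no\ndirection = out\npath = builtin_af_unix\ntype = builtin\n"
        "args = 0640 /var/run/audispd_events\nformat = binary\n")
    (d / TANIUM_PLUGIN).write_text(
        f"active = yes\ndirection = out\npath = {fake_bin}\ntype = always\nformat = binary\n")
    (d / "broken.conf").write_text(
        "active = yes\ndirection = out\npath = /nonexistent/plugin\ntype = always\n")  # no format
    return d


if __name__ == "__main__":
    target = PLUGINS_DIR if PLUGINS_DIR.is_dir() else build_demo_dir()
    for name, problems in audit_plugins(target).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

On a real endpoint the script reads the live plugins.d directory; if the Tanium plugin file lists any problem, audispd will either skip it or fail to spawn it, which is the same symptom the NOLOG setting produces.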

The recording of DNS events is not available on Linux.

Sources of Client Recorder Extension data on Mac

On Mac endpoints, the Client Recorder Extension collects data from:

  • The OpenBSM auditing system, which is included in all Mac releases from 10.8 to current.
  • FSEvents, which lets applications register for notifications of changes to a directory tree.
  • kextd, which provides information about kernel extensions.

The Client Recorder Extension connects to a clone of /dev/auditpipe to record events. When the recorder is installed on a Mac endpoint, /etc/security/audit_class is updated with a Tanium Recorder entry to map subscribed events at runtime. The Client Recorder Extension then clones /dev/auditpipe and configures the copy to use the tan audit class. When the Client Recorder Extension configuration is read, the types of wanted events are translated to the appropriate system calls to monitor, and those calls are then mapped to the tan audit class. This prevents the Client Recorder Extension from writing the audited events to the audit.log of the endpoint and allows the Client Recorder Extension to be very selective about which system calls are monitored.

The following event types are recorded on Mac:

  • Process events
  • Process command lines
  • Process hashes
  • Network events
  • File events

The recording of security and DNS events is not available on Mac.

Last updated: 2/1/2020 9:48 AM