Installing the Client Recorder Extension

The Client Recorder Extension is installed by a module to record event data. The Distribute Tools packages that the Tanium platform uses distribute configuration files and software on all targeted endpoints. The following list details configuration files and software that the Distribute Tools package installs on endpoints for the modules that use the Client Recorder Extension.

Software and configuration files added by the Client Recorder Extension

/opt/Tanium/TaniumClient/extensions/ (Linux)
/opt/Tanium/TaniumClient/extensions/libTaniumRecorder.dylib (Mac)
C:\Program Files(x86)\Tanium\Tanium Client\extensions\TaniumRecorder.dll (Windows)

The Client Recorder Extension process.

/opt/Tanium/TaniumClient/extensions/ (Linux)
/opt/Tanium/TaniumClient/extensions/libTaniumRecorder.dylib.sig (Mac)
C:\Program Files(x86)\Tanium\Tanium Client\extensions\TaniumRecorder.dll.sig (Windows)

A signature file that you can use to verify that the contents of the .so, .dylib, or .dll file is authentic and have not been tampered with.

/opt/Tanium/TaniumClient/extensions/recorder/proc.bin (Linux)
/opt/Tanium/TaniumClient/extensions/recorder/proc.bin (Mac)
C:\Program Files(x86)\Tanium\Tanium Client\extensions\recorder\proc.bin (Windows)

Captures an enumeration of processes that were running when Client Recorder Extension is stopped the so a delta can be captured when the Client Recorder Extension is started. For example, the last known signal states are recorded.

/opt/Tanium/TaniumClient/extensions/recorder/recorder.db (Linux)
/opt/Tanium/TaniumClient/extensions/recorder/recorder.db (Mac)
C:\Program Files(x86)\Tanium\Tanium Client\extensions\recorder\recorder.db (Windows)

The database that the Client Recorder Extension creates. It contains a history of recorded event details.

/opt/Tanium/TaniumClient/extensions/recorder/recorder.db-shm (Linux)
/opt/Tanium/TaniumClient/extensions/recorder/recorder.db-shm (Mac)
C:\Program Files(x86)\Tanium\Tanium Client\extensions\recorder\recorder.db-shm (Windows)

A shared memory file. Database connections that share the same db file must update the same memory location to prevent conflicts.

/opt/Tanium/TaniumClient/extensions/recorder/recorder.db-wal (Linux)
/opt/Tanium/TaniumClient/extensions/recorder/recorder.db-wal (Mac)
C:\Program Files(x86)\Tanium\Tanium Client\extensions\recorder\recorder.db-wal (Windows)

A write journal that is useful for commits and database rollback purposes.

/opt/Tanium/TaniumClient/extensions/recorder/<sample_database>.json (Linux)
/opt/Tanium/TaniumClient/extensions/recorder/<sample_database>.json (Mac)
C:\Program Files(x86)\Tanium\Tanium Client\extensions\recorder\<sample_database>.json (Windows)

A sample database.

/opt/Tanium/TaniumClient/extensions/recorder/recorder.auditpipe (Linux)
/opt/Tanium/TaniumClient/extensions/recorder/recorder.auditpipe (Mac)

An auditpipe that receives forwarded events from audispd that is created by /opt/Tanium/TaniumClient/TaniumAuditPipe. For systems that have SE Linux, a Tanium Client and a Tanium Recorder policy are installed.

/etc/audisp/plugins.d/tanium.conf (Linux)

A configuration file for the audispd process to forward events to the Client Recorder Extension. This configuration file is also used to restart the Tanium Recorder when auditd is stopped or restarted. If augenrules exists on the system, audit rules are also generated to /etc/audit/rules.d/tanium.rules.

Tanium Recorder Driver (Windows)

The driver is installed to the following location by default:


Configuration changes on endpoints

The Distribute Tools packages make changes to the audit configurations on the targeted endpoints when you install a module that uses the Client Recorder Extension.

The following list details changes to configuration files and the audit subsystem on Mac and Linux endpoints.

/etc/audit/auditd.conf (Linux)

A configuration file specific to the audit daemon. The Client Recorder Extension installation in the module workbench prompts an administrator to set RAW logging to enabled or disabled.

/etc/audisp/audispd.conf (Linux)

A configuration file controls the configuration of the audit event dispatcher process. The Client Recorder Extension modifies the q_depth setting to 32768. q_depth is the only setting that is configured by default.

/etc/audit/audit.rules (Linux/Mac)

This file specifies the audit events that the kernel audit system logs. This file is loaded into the kernel audit system.

Starting and stopping the Client Recorder Extension

You might need to manually start or stop the Client Recorder Extension. For example, when troubleshooting you must resolve the underlying issue first and then manually restart the Client Recorder Extension. Or, if you find that the Client Recorder Extension is using more system resources than expected, you can stop the Client Recorder Extension and troubleshoot the issue with the risk of additional resource consumption.

The Client Recorder extension starts when a configuration is deployed. Without a configuration, the Client Recorder Extension is idle. When a configuration is provided the Client Recorder Extension is granted permission to interface with operating system processes.

In the event of a troubleshooting situation, you can stop or start the Client Recorder Extension by stopping and starting the Tanium Client. Since the Client Recorder Extension starts and stops depending on the availability of a configuration, this is not a common necessity.

Windows endpoints

You can stop, start, or restart the Tanium Client service through the Windows Services program. Select the service and then select an action in the Action > All Tasks menu.

Mac endpoints

Use the launchctl command to manage the Tanium Client service.

To start the Tanium Client service:

sudo launchctl load /Library/LaunchDaemons/com.tanium.taniumclient.plist

To stop the Tanium Client service:

sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist

To remove the Tanium Client from the launch list:

sudo launchctl remove com.tanium.taniumclient

Linux Endpoints

Linux service commands vary according to Linux distribution. This documentation provides examples but is not a reference for each Linux distribution. If you are not already familiar with installing and managing services on your target Linux distribution, please review the documentation for the particular Linux operating system before you begin.

Linux Distribution Example Commands
Amazon Linux service TaniumClient start

service TaniumClient stop

Debian service taniumclient start

service taniumclient stop

Oracle Enterprise Linux systemctl start taniumclient (Version 7)

systemctl stop taniumclient (Version 7)

service TaniumClient start (Version 5, 6)

service TaniumClient stop (Version 5, 6)

Red Hat / CentOS systemctl start taniumclient (Version 7)

systemctl stop taniumclient (Version 7)

service TaniumClient start (Version 5, 6)

service TaniumClient stop (Version 5, 6)

SUSE / OpenSUSE service taniumclient start

service taniumclient stop

Ubuntu systemctl start taniumclient (Version 16)

systemctl stop taniumclient (Version 16)

service taniumclient start (Versions 14, 10)

service taniumclient stop (Version 14, 10)

(Optional) Install the Tanium Event Recorder Driver

Install the Tanium Event Recorder Driver to accurately capture process and command line events.

  1. From the Main menu, ask the question Get Tanium Driver Status from all machines and click Search.
  2. Select Install Recommended.
  3. From the Deploy Action page, select Install Tanium Driver.
  4. Validate successful installations by checking the validation query that runs at the end of the package installation.
  5. Collect the action logs from any endpoints that fail the validation query using Live Response.
  6. Run the action Remove Tanium Driver on any endpoints that return anything other than SERVICE_RUNNING for the Tanium Event Recorder Driver service status.

What to do next

See Getting started for more information about using the Client Recorder Extension.

Last updated: 9/10/2020 10:36 AM | Feedback