Client Recorder Extension requirements

Review the requirements before you install a module that includes the Client Recorder Extension.

Tanium dependencies

In addition to a license for a product module that contains the Client Recorder Extension, make sure that your environment also meets the following requirements.

Component	Requirement
Tanium Platform	7.2.314.3550 or later. For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.
Tanium Client	The Client Recorder Extension is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability. For best results, the following Tanium Client versions are suggested: 7.2.314.3476 (Linux, MacOS, Windows) 7.2.314.3632 (Linux, MacOS, Windows) 7.4.1.1955 and later For more information about specific Tanium Client versions, see Client Management User Guide: Client host system requirements.
Tanium products	One or more of the following Tanium products: Tanium™ Threat Response Tanium™ Integrity Monitor Tanium™ Map

Component

Requirement

Tanium Platform

7.2.314.3550 or later.

For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.

Tanium Client

The Client Recorder Extension is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

For best results, the following Tanium Client versions are suggested:

7.2.314.3476 (Linux, MacOS, Windows)
7.2.314.3632 (Linux, MacOS, Windows)
7.4.1.1955 and later

For more information about specific Tanium Client versions, see Client Management User Guide: Client host system requirements.

Tanium products

One or more of the following Tanium products:

Tanium™ Threat Response
Tanium™ Integrity Monitor
Tanium™ Map

Tanium Module Server

Modules that install the Client Recorder Extension are installed and run as a service on the Module Server host computer. The impact on Module Server is minimal and depends on usage.

Endpoints

The amount of free disk space that is required depends on the configuration of the Client Recorder Extension. 3GB is recommended.

The Client Recorder Extension supports Windows, Linux, and Mac endpoints. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

For Linux endpoints, you must:

Install the most recent stable version of the audit daemon and audispd-plugins before initializing endpoints. See the specific operating system documentation for instructions.
Be aware that when using immutable "-e 2" mode, the Client Recorder Extension adds Tanium audit rules to /etc/audit/rules.d/tanium.rules in front of the immutable flag. When using the -e 2 flag on Linux, the status sensor for each product that uses the Client Recorder Extension indicates if the service needs to be restarted.
Be aware that when using the failure "-f 2" mode, the Linux kernel panics in the event that auditd message is lost. The recorder does not add audit rules if this configuration is detected.

On SUSE 15 and Amazon Linux 2023 endpoints, make sure that /etc/audit/rules.d/audit.rules does not contain a rule added by default to suppress syscall auditing that displays as -a task,never. If this rule exists, remove it to ensure that events are recorded.

If SELinux is available and enforcing, the Client Recorder Extension attempts to install a policy when the Client Recorder Extension is installed or upgraded. If this policy is not installed - or not applied correctly - the following health check is returned:

SELinux is in enforcing mode but TaniumAuditPipe does not have the recorder SELinux policy applied.

If this health check is encountered, ensure that the semodule, restorecon, and semanage binaries are installed. Typically these binaries are installed in the same package; policycoreutils or policycoreutils-python. You can verify if these packages are installed by running a command such as yum provides <path>/semodule,

CO-RE is an abbreviation for Compile Once, Run Everywhere. When a kernel supports CO-RE, it can use the LibBPF library to configure BPF reporting. eBPF is supported on the following operating systems:

Operating system	Operating system version	Available Executables	eBPF supported	Notes
Oracle Enterprise Linux	8.3+ Standard Linux Kernel	x86-64	Yes - LibBPF (CO-RE)¹
	8.3+ UEK Kernel	x86-64	Yes - BCC²	Kernel-uek-devel
	7.8-8.2 Standard Linux Kernel	x86-64	Yes - BCC³	Kernel-devel, Kernel-headers
	7.8-8.2 UEK Kernel	x86-64	Yes - BCC²	Kernel-uek-devel
	8.7+/9.1+ UEK Kernel	ARM64	Yes - LibBPF (CO-RE)¹
RHEL 8, CentOS 8	8.2+	x86-64	Yes - LibBPF (CO-RE)¹
RHEL 8, CentOS 8	8.7+/9.1 UEK Kernel	ARM64	Yes - LibBPF (CO-RE)¹
RHEL 7, CentOS 7	7.8-8.1	x86-64	Yes - BCC³	Kernel-devel, Kernel-headers
Ubuntu	18.04-20.04	x86-64	Yes - BCC⁴	linux-headers
Rocky	8.x/9.x	x86-64	Yes - LibBPF (CO-RE)¹
Alma	8.x/9.x	x86-64	Yes - LibBPF (CO-RE)¹
Amazon Linux 2	2.0+	ARM64 x86-64	Yes - BCC³	Kernel-devel, Kernel-headers
SUSE, OpenSUSE, SUSE Linux Enterprise Server	12.4+	x86-64	Yes - BCC³	Kernel-devel, Kernel-headers
¹ = glibc version >= 2.28 is required ² = with Kernel-uek-devel installed ³ = with Kernel-devel and Kernel-headers installed ⁴ = with linux-headers installed

The kernel-headers package and kernel-devel package can be installed with YUM. The version of the packages must match the version of the running kernel:

yum install kernel-devel-$(uname -r)

yum install kernel-headers-$(uname -r)

If running the UEK kernel on OEL, install the kernel-uek-devel package:

yum install kernel-uek-devel-$(uname -r)

The linux-headers package (Ubuntu 18.04 and later) can be installed with APT. The version of the package must match the version of the running kernel:

sudo apt install -y linux-headers-$(uname -r)

The debugfs file system is required. By default this is mounted under sys/kernel/debug. Make sure that sys/kernel/debug is not unmounted. If you are building a custom kernel, make sure that the DEBUG_FS option is enabled.

To determine if endpoints support using eBPF, use the Recorder - Is BPF Supported Details sensor. See Resolve details returned by the Recorder - Is BPF Supported Details sensor for more information.

Disable raw logging before running the Client Recorder Extension on any Linux endpoint.

The Client Recorder Extension does not start on endpoints with a single logical core without updating the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To update CX.recorder.EnableSingleCpuRequirement to 0, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to appropriate endpoints. For more information about editing packages, see Tanium Console User Guide: Edit a Package. Alternatively, you can run the following command from the Tanium Client installation directory on endpoints to update this configuration setting:

(Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
(Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

The Tanium Event Recorder Driver records process and command line events on supported Windows endpoints. The following operating systems support the Tanium Event Recorder Driver:

Windows 7
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows 8.1
Windows 10, build 1607 or later
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022

If the Tanium Event Recorder Driver is updated, endpoints require a reboot to ensure that all events are returned, to see the process tree in an alert, and to ensure that signals are working as intended. If you are deploying the 3.x version of Tanium Event Recorder Driver to endpoints for the first time, a reboot of endpoints is not required for the driver to capture events, but a reboot is required to view complete process tree data. If you are upgrading from Tanium Event Recorder Driver 2.x versions, endpoints require a reboot.

Support for macOS is the same as Tanium Client support.

The Recorder Client Extension is not supported on AIX or Solaris endpoints.

Notes:

Windows 7 and Windows Server 2008 R2 operating systems must have the following Microsoft KBs installed:
- KB3033929 - "Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2." For details regarding KB3033929, see https://support.microsoft.com/en-us/help/3033929/microsoft-security-advisory-availability-of-sha-2-code-signing-support.
- KB4490628 - "Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1." For details regarding KB4490628, see https://support.microsoft.com/en-us/topic/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1-march-12-2019-b4dc0cff-d4f2-a408-0cb1-cb8e918feeba.
- KB4474419 - "SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008." For details regarding 4474419, see https://support.microsoft.com/en-us/topic/sha-2-code-signing-support-update-for-windows-server-2008-r2-windows-7-and-windows-server-2008-september-23-2019-84a8aad5-d8d9-2d5c-6d78-34f9aa5f8339.
- KB4534310 or KB4539601
  - KB4534310 - "January 14, 2020—KB4534310 (Monthly Rollup)" For details, see https://support.microsoft.com/en-au/topic/january-14-2020-kb4534310-monthly-rollup-9ce32b1b-77ef-9a17-7ecb-2bcebcaa9ff5.
  - KB4539601 - "January 31, 2020—KB4539601 (Preview of Monthly Rollup)" For details, see https://support.microsoft.com/en-gb/topic/january-31-2020-kb4539601-preview-of-monthly-rollup-1768e5a4-04bc-e964-a7a7-9509f91b0d1f.
The recorder forces a vacuum if the database size becomes too large to ensure that a continual vacuuming does not exist. A check to only vacuum once per day and at least one hour after system startup to make sure vacuum operations do not interfere with system boot.

Host and network security requirements

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Target Device	Exclusion Type	Exclusion
Windows endpoints	File	<Tanium Client>\extensions\TaniumRecorder.dll
	File	<Tanium Client>\extensions\TaniumRecorder.dll.sig
	File	<Tanium Client>\extensions\recorder\proc.bin
	File	<Tanium Client>\extensions\recorder\recorder.db
	File	<Tanium Client>\extensions\recorder\recorder.db-shm
	File	<Tanium Client>\extensions\recorder\recorder.db-wal
	File	<Tanium Client>\extensions\recorder\<sample_database>.json
Linux endpoints	File	<Tanium Client>/extensions/libTaniumRecorder.so
	File	<Tanium Client>/extensions/libTaniumRecorder.so.sig
	File	<Tanium Client>/extensions/recorder/proc.bin
	File	<Tanium Client>/extensions/recorder/recorder.db
	File	<Tanium Client>/extensions/recorder/recorder.db-shm
	File	<Tanium Client>/extensions/recorder/recorder.db-wal
	File	<Tanium Client>/extensions/recorder/<sample_database>.json
	File	<Tanium Client>/extensions/recorder/recorder.auditpipe
	File	/etc/audisp/plugins.d/tanium.conf
	File	<Tanium Client>/extensions/recorder/libTanuimBPF.so
	Process	<Tanium Client>/extensions/recorder/TaniumAuditPipe
	File	/etc/audit/rules.d/tanium.rules
macOS endpoints	File	<Tanium Client>/extensions/libTaniumRecorder.dylib
	File	<Tanium Client>/extensions/libTaniumRecorder.dylib.sig
	File	<Tanium Client>/extensions/recorder/proc.bin
	File	<Tanium Client>/extensions/recorder/recorder.db
	File	<Tanium Client>/extensions/recorder/recorder.db-shm
	File	<Tanium Client>/extensions/recorder/recorder.db-wal
	File	<Tanium Client>/extensions/recorder/<sample_database>.json