Client Recorder Extension requirements
Review the requirements before you install a module that includes the Client Recorder Extension.
Tanium dependencies
In addition to a license for a product module that contains the Client Recorder Extension, make sure that your environment also meets the following requirements.
| Component | Requirement |
|---|---|
| Tanium Platform | 7.2.314.3550 or later.
For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server. |
| Tanium Client |
The Client Recorder Extension is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.
For best results, the following Tanium Client versions are suggested:
For more information about specific Tanium Client versions, see Client Management User Guide: Client host system requirements. |
| Tanium products |
One or more of the following Tanium products:
|
Tanium Module Server
Modules that install the Client Recorder Extension are installed and run as a service on the Module Server host computer. The impact on Module Server is minimal and depends on usage.
Endpoints
The amount of free disk space that is required depends on the configuration of the Client Recorder Extension. 3GB is recommended.
The Client Recorder Extension supports Windows, Linux, and Mac endpoints. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.
For Linux endpoints, you must:
- Install the most recent stable version of the audit daemon and audispd-plugins before initializing endpoints. See the specific operating system documentation for instructions.
- Be aware that when using immutable "-e 2" mode, the Client Recorder Extension adds Tanium audit rules to /etc/audit/rules.d/tanium.rules in front of the immutable flag. When using the -e 2 flag on Linux, the status sensor for each product that uses the Client Recorder Extension indicates if the service needs to be restarted.
Be aware that when using the failure "-f 2" mode, the Linux kernel panics in the event that auditd message is lost. The recorder does not add audit rules if this configuration is detected.
If SELinux is available and enforcing, the Client Recorder Extension attempts to install a policy when the Client Recorder Extension is installed or upgraded. If this policy is not installed - or not applied correctly - the following health check is returned:
SELinux is in enforcing mode but TaniumAuditPipe does not have the recorder SELinux policy applied.
If this health check is encountered, ensure that the semodule, restorecon, and semanage binaries are installed. Typically these binaries are installed in the same package; policycoreutils or policycoreutils-python. You can verify if these packages are installed by running a command such as yum provides <path>/semodule,
CO-RE is an abbreviation for Compile Once, Run Everywhere. When a kernel supports CO-RE, it can use the LibBPF library to configure BPF reporting. eBPF is supported on the following operating systems:
| Operating system | Operating system version | eBPF supported | Notes |
|---|---|---|---|
| Oracle Enterprise Linux | 8.3+ Standard Linux Kernel | Yes - LibBPF (CO-RE) | |
| 8.3+ UEK Kernel | Yes - BCC1 | Kernel-uek-devel | |
| 7.8-8.2 Standard Linux Kernel | Yes - BCC2 | Kernel-devel, Kernel-headers | |
| 7.8-8.2 UEK Kernel | Yes - BCC1 | Kernel-uek-devel | |
| RHEL 8, CentOS 8 | 8.2+ | Yes - LibBPF (CO-RE) | |
| RHEL 7, CentOS 7 | 7.8-8.1 | Yes - BCC2 | Kernel-devel, Kernel-headers |
| Ubuntu | 18.04-20.04 | Yes - BCC3 | linux-headers |
| Amazon Linux 2 | 2.0+ | Yes - BCC2 | Kernel-devel, Kernel-headers |
| SUSE, OpenSUSE, SUSE Linux Enterprise Server | 12.4+ | Yes - BCC2 | Kernel-devel, Kernel-headers |
1 = with Kernel-uek-devel installed | |||
The kernel-headers package and kernel-devel package can be installed with YUM. The version of the packages must match the version of the running kernel:
yum install kernel-devel-$(uname -r)
yum install kernel-headers-$(uname -r)
If running the UEK kernel on OEL, install the kernel-uek-devel package:
yum install kernel-uek-devel-$(uname -r)
The linux-headers package (Ubuntu 18.04 and later) can be installed with APT. The version of the package must match the version of the running kernel:
sudo apt install -y linux-headers-$(uname -r)
The debugfs file system is required. By default this is mounted under sys/kernel/debug. Make sure that sys/kernel/debug is not unmounted. If you are building a custom kernel, make sure that the DEBUG_FS option is enabled.
To determine if endpoints support using eBPF, use the Recorder - Is BPF Supported Details sensor. See Resolve details returned by the Recorder - Is BPF Supported Details sensor for more information.
Disable raw logging before running the Client Recorder Extension on any Linux endpoint.
The Client Recorder Extension does not start on endpoints with a single logical core without updating the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To update CX.recorder.EnableSingleCpuRequirement to 0, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to appropriate endpoints. Alternatively, you can run the following command from the Tanium Client directory on endpoints to update this configuration setting:
- (Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
- (Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0
The Tanium Event Recorder Driver records process and command line events on supported Windows endpoints. The following operating systems support the Tanium Event Recorder Driver:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows 8.1
- Windows 10, build 1607 or later
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
If the Tanium Event Recorder Driver is updated, endpoints require a reboot to ensure that all events are returned, to see the process tree in an alert, and to ensure that signals are working as intended. If you are deploying the 3.x version of Tanium Event Recorder Driver to endpoints for the first time, a reboot of endpoints is not required for the driver to capture events, but a reboot is required to view complete process tree data. If you are upgrading from Tanium Event Recorder Driver 2.x versions, endpoints require a reboot.
Support for macOS is the same as Tanium Client support.
The Recorder Client Extension is not supported on AIX or Solaris endpoints.
- Windows 7 and Windows Server 2008 R2 operating systems must have the following Microsoft KBs installed:
- KB3033929 - "Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2." For details regarding KB3033929, see https://support.microsoft.com/en-us/help/3033929/microsoft-security-advisory-availability-of-sha-2-code-signing-support.
- KB4490628 - "Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1." For details regarding KB4490628, see https://support.microsoft.com/en-us/topic/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1-march-12-2019-b4dc0cff-d4f2-a408-0cb1-cb8e918feeba.
- KB4474419 - "SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008." For details regarding 4474419, see https://support.microsoft.com/en-us/topic/sha-2-code-signing-support-update-for-windows-server-2008-r2-windows-7-and-windows-server-2008-september-23-2019-84a8aad5-d8d9-2d5c-6d78-34f9aa5f8339.
-
The recorder forces a vacuum if the database size becomes too large to ensure that a continual vacuuming does not exist. A check to only vacuum once per day and at least one hour after system startup to make sure vacuum operations do not interfere with system boot.
Host and network security requirements
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Process |
|---|---|
| Windows endpoints | <Tanium Client>\extensions\TaniumRecorder.dll |
| <Tanium Client>\extensions\TaniumRecorder.dll.sig | |
| <Tanium Client>\extensions\recorder\proc.bin | |
| <Tanium Client>\extensions\recorder\recorder.db | |
| <Tanium Client>\extensions\recorder\recorder.db-shm | |
| <Tanium Client>\extensions\recorder\recorder.db-wal | |
| <Tanium Client>\extensions\recorder\<sample_database>.json | |
| Linux endpoints | <Tanium Client>/extensions/libTaniumRecorder.so |
| <Tanium Client>/extensions/libTaniumRecorder.so.sig | |
| <Tanium Client>/extensions/recorder/proc.bin | |
| <Tanium Client>/extensions/recorder/recorder.db | |
| <Tanium Client>/extensions/recorder/recorder.db-shm | |
| <Tanium Client>/extensions/recorder/recorder.db-wal | |
| <Tanium Client>/extensions/recorder/<sample_database>.json | |
| <Tanium Client>/extensions/recorder/recorder.auditpipe | |
| /etc/audisp/plugins.d/tanium.conf | |
| <Tanium Client>/extensions/recorder/libTanuimBPF.so | |
| <Tanium Client>/extensions/recorder/TaniumAuditPipe | |
| /etc/audit/rules.d/tanium.rules | |
| macOS endpoints | <Tanium Client>/extensions/libTaniumRecorder.dylib |
| <Tanium Client>/extensions/libTaniumRecorder.dylib.sig | |
| <Tanium Client>/extensions/recorder/proc.bin | |
| <Tanium Client>/extensions/recorder/recorder.db | |
| <Tanium Client>/extensions/recorder/recorder.db-shm | |
| <Tanium Client>/extensions/recorder/recorder.db-wal | |
| <Tanium Client>/extensions/recorder/<sample_database>.json |
Last updated: 3/24/2023 10:27 AM | Feedback