Client Recorder Extension requirements

Review the requirements before you install a module that includes the Client Recorder Extension.

Tanium dependencies

In addition to a license for a product module that contains the Client Recorder Extension, make sure that your environment also meets the following requirements.

Component Requirement
Tanium Platform 7.2.314.3550 or later.

For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.

Tanium Client The Client Recorder Extension is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

For best results, the following Tanium Client versions are suggested:

  • 7.2.314.3476 (Linux, MacOS, Windows)
  • 7.2.314.3632 (Linux, MacOS, Windows)

  • 7.4.1.1955 and later

For more information about specific Tanium Client versions, see Client Management User Guide: Client host system requirements.

Tanium products

One or more of the following Tanium products:

  • Tanium™ Threat Response
  • Tanium™ Integrity Monitor
  • Tanium™ Map

Tanium Module Server

Modules that install the Client Recorder Extension are installed and run as a service on the Module Server host computer. The impact on Module Server is minimal and depends on usage.

Endpoints

The amount of free disk space that is required depends on the configuration of the Client Recorder Extension. 3GB is recommended.

The Client Recorder Extension supports Windows, Linux, and Mac endpoints. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

For Linux endpoints, you must:

  • Install the most recent stable version of the audit daemon and audispd-plugins before initializing endpoints. See the specific operating system documentation for instructions.
  • Be aware that when using immutable "-e 2" mode, the Client Recorder Extension adds Tanium audit rules to /etc/audit/rules.d/tanium.rules in front of the immutable flag. When using the -e 2 flag on Linux, the status sensor for each product that uses the Client Recorder Extension indicates if the service needs to be restarted.
  • Be aware that when using the failure "-f 2" mode, the Linux kernel panics if an auditd message is lost. The recorder does not add audit rules if this configuration is detected.

On SUSE 15 and Amazon Linux 2023 endpoints, make sure that /etc/audit/rules.d/audit.rules does not contain a rule added by default to suppress syscall auditing that displays as -a task,never. If this rule exists, remove it to ensure that events are recorded.
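The three audit settings described above can be checked on an endpoint before the extension is initialized. The script below is an added example, not Tanium code; the function name audit_preflight and the finding labels are hypothetical, and it only reads the rule files.

```shell
#!/bin/sh
# Added example, not Tanium code. Read-only check of audit rule files for the
# three settings this page calls out: -e 2, -f 2 and "-a task,never".

# audit_preflight FILE...
# Prints "<file>: <FINDING>: <meaning>" per matching rule; nothing if clean.
audit_preflight() {
    for f in "$@"; do
        [ -r "$f" ] || continue            # skip missing or unreadable files
        awk -v file="$f" '
            { sub(/#.*/, "") }             # drop comments; fields are re-split
            NF == 0 { next }               # blank or comment-only line
            $1 == "-f" && $2 == "2" {
                print file ": FAILURE_PANIC: -f 2 set; recorder will not add audit rules"
            }
            $1 == "-e" && $2 == "2" {
                print file ": IMMUTABLE: -e 2 set; check the status sensor for a pending restart"
            }
            # auditctl accepts the list,action pair in either order.
            $1 == "-a" && ($2 == "task,never" || $2 == "never,task") {
                print file ": TASK_NEVER: syscall auditing suppressed; remove this rule"
            }
        ' "$f"
    done
}

# Check the live rule files only when invoked as: sh audit_preflight.sh run
if [ "${1:-}" = "run" ]; then
    audit_preflight /etc/audit/rules.d/*.rules
fi
```

An empty result means none of the three settings is present in the files that were checked.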

If SELinux is available and enforcing, the Client Recorder Extension attempts to install a policy when the Client Recorder Extension is installed or upgraded. If this policy is not installed - or not applied correctly - the following health check is returned:

SELinux is in enforcing mode but TaniumAuditPipe does not have the recorder SELinux policy applied.

If this health check is encountered, ensure that the semodule, restorecon, and semanage binaries are installed. Typically these binaries are installed in the same package: policycoreutils or policycoreutils-python. You can verify if these packages are installed by running a command such as yum provides <path>/semodule.

CO-RE is an abbreviation for Compile Once, Run Everywhere. When a kernel supports CO-RE, it can use the LibBPF library to configure BPF reporting. eBPF is supported on the following operating systems:

| Operating system | Operating system version | Available Executables | eBPF supported | Notes |
|---|---|---|---|---|
| Oracle Enterprise Linux | 8.3+ Standard Linux Kernel | x86-64 | Yes - LibBPF (CO-RE) [1] | |
| | 8.3+ UEK Kernel | x86-64 | Yes - BCC [2] | Kernel-uek-devel |
| | 7.8-8.2 Standard Linux Kernel | x86-64 | Yes - BCC [3] | Kernel-devel, Kernel-headers |
| | 7.8-8.2 UEK Kernel | x86-64 | Yes - BCC [2] | Kernel-uek-devel |
| | 8.7+/9.1+ UEK Kernel | ARM64 | Yes - LibBPF (CO-RE) [1] | |
| RHEL 8, CentOS 8 | 8.2+ | x86-64 | Yes - LibBPF (CO-RE) [1] | |
| | 8.7+/9.1 UEK Kernel | ARM64 | Yes - LibBPF (CO-RE) [1] | |
| RHEL 7, CentOS 7 | 7.8-8.1 | x86-64 | Yes - BCC [3] | Kernel-devel, Kernel-headers |
| Ubuntu | 18.04-20.04 | x86-64 | Yes - BCC [4] | linux-headers |
| Rocky | 8.x/9.x | x86-64 | Yes - LibBPF (CO-RE) [1] | |
| Alma | 8.x/9.x | x86-64 | Yes - LibBPF (CO-RE) [1] | |
| Amazon Linux 2 | 2.0+ | ARM64, x86-64 | Yes - BCC [3] | Kernel-devel, Kernel-headers |
| SUSE, OpenSUSE, SUSE Linux Enterprise Server | 12.4+ | x86-64 | Yes - BCC [3] | Kernel-devel, Kernel-headers |

[1] = glibc version >= 2.28 is required
[2] = with Kernel-uek-devel installed
[3] = with Kernel-devel and Kernel-headers installed
[4] = with linux-headers installed

The kernel-headers package and kernel-devel package can be installed with YUM. The version of the packages must match the version of the running kernel:

yum install kernel-devel-$(uname -r)

yum install kernel-headers-$(uname -r)

If running the UEK kernel on OEL, install the kernel-uek-devel package:

yum install kernel-uek-devel-$(uname -r)

The linux-headers package (Ubuntu 18.04 and later) can be installed with APT. The version of the package must match the version of the running kernel:

sudo apt install -y linux-headers-$(uname -r)

The debugfs file system is required. By default this is mounted under /sys/kernel/debug. Make sure that /sys/kernel/debug is not unmounted. If you are building a custom kernel, make sure that the DEBUG_FS option is enabled.

To determine if endpoints support using eBPF, use the Recorder - Is BPF Supported Details sensor. See Resolve details returned by the Recorder - Is BPF Supported Details sensor for more information.
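For a local spot-check of the prerequisites listed above (debugfs mount, kernel headers that match the running kernel, glibc 2.28 for CO-RE), the following script is an added example; it is not Tanium code and does not reproduce the sensor's logic. The function names are hypothetical, and it assumes that the matching devel or headers package provides the target of /lib/modules/<release>/build.

```shell
#!/bin/sh
# Added example, not Tanium code and not the sensor's logic. Read-only checks.

# debugfs_mounted [MOUNTS_FILE]: succeed if debugfs is mounted at /sys/kernel/debug.
debugfs_mounted() {
    awk '$3 == "debugfs" && $2 == "/sys/kernel/debug" { found = 1 }
         END { exit !found }' "${1:-/proc/mounts}"
}

# version_at_least HAVE WANT: numeric compare of "major.minor" (2.9 < 2.28).
version_at_least() {
    have_major=${1%%.*}; have_rest=${1#*.}; have_minor=${have_rest%%.*}
    want_major=${2%%.*}; want_rest=${2#*.}; want_minor=${want_rest%%.*}
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# kernel_build_tree RELEASE [ROOT]: succeed if the build tree for RELEASE exists.
# Assumption: the devel/headers package for the running kernel provides the
# target of /lib/modules/<release>/build; a dangling link fails the -d test.
kernel_build_tree() {
    [ -d "${2:-}/lib/modules/$1/build" ]
}

# ebpf_prereq_report: print one status line per prerequisite for this host.
ebpf_prereq_report() {
    rel=$(uname -r)
    libc=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }')
    if debugfs_mounted; then echo "debugfs: mounted"
    else echo "debugfs: NOT mounted at /sys/kernel/debug"; fi
    if kernel_build_tree "$rel"; then echo "kernel headers for $rel: present"
    else echo "kernel headers for $rel: MISSING (BCC rows need them)"; fi
    if [ -n "$libc" ] && version_at_least "$libc" 2.28
    then echo "glibc $libc: meets 2.28 (LibBPF CO-RE rows)"
    else echo "glibc ${libc:-unknown}: below 2.28 or not glibc"; fi
}

# Report on the live host only when invoked as: sh ebpf_prereq.sh run
if [ "${1:-}" = "run" ]; then ebpf_prereq_report; fi
```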

Disable raw logging before running the Client Recorder Extension on any Linux endpoint.

The Client Recorder Extension does not start on endpoints with a single logical core unless you set the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To do so, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to the appropriate endpoints. For more information about editing packages, see Tanium Console User Guide: Edit a Package. Alternatively, you can run the following command from the Tanium Client installation directory on endpoints to update this configuration setting:

  • (Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
  • (Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

The Tanium Event Recorder Driver records process and command line events on supported Windows endpoints. The following operating systems support the Tanium Event Recorder Driver:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 8.1
  • Windows 10, build 1607 or later
  • Windows 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

If the Tanium Event Recorder Driver is updated, endpoints require a reboot to ensure that all events are returned, to see the process tree in an alert, and to ensure that signals are working as intended. If you are deploying the 3.x version of Tanium Event Recorder Driver to endpoints for the first time, a reboot of endpoints is not required for the driver to capture events, but a reboot is required to view complete process tree data. If you are upgrading from Tanium Event Recorder Driver 2.x versions, endpoints require a reboot.

Support for macOS is the same as Tanium Client support.

The Client Recorder Extension is not supported on AIX or Solaris endpoints.


Host and network security requirements

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Windows endpoints | | File | <Tanium Client>\extensions\TaniumRecorder.dll |
| | | File | <Tanium Client>\extensions\TaniumRecorder.dll.sig |
| | | File | <Tanium Client>\extensions\recorder\proc.bin |
| | | File | <Tanium Client>\extensions\recorder\recorder.db |
| | | File | <Tanium Client>\extensions\recorder\recorder.db-shm |
| | | File | <Tanium Client>\extensions\recorder\recorder.db-wal |
| | | File | <Tanium Client>\extensions\recorder\<sample_database>.json |
| Linux endpoints | | File | <Tanium Client>/extensions/libTaniumRecorder.so |
| | | File | <Tanium Client>/extensions/libTaniumRecorder.so.sig |
| | | File | <Tanium Client>/extensions/recorder/proc.bin |
| | | File | <Tanium Client>/extensions/recorder/recorder.db |
| | | File | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | File | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | File | <Tanium Client>/extensions/recorder/<sample_database>.json |
| | | File | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | File | /etc/audisp/plugins.d/tanium.conf |
| | | File | <Tanium Client>/extensions/recorder/libTanuimBPF.so |
| | | Process | <Tanium Client>/extensions/recorder/TaniumAuditPipe |
| | | File | /etc/audit/rules.d/tanium.rules |
| macOS endpoints | | File | <Tanium Client>/extensions/libTaniumRecorder.dylib |
| | | File | <Tanium Client>/extensions/libTaniumRecorder.dylib.sig |
| | | File | <Tanium Client>/extensions/recorder/proc.bin |
| | | File | <Tanium Client>/extensions/recorder/recorder.db |
| | | File | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | File | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | File | <Tanium Client>/extensions/recorder/<sample_database>.json |