Client Recorder Extension requirements

Review the requirements before you install a module that includes the Client Recorder Extension.

Tanium dependencies

In addition to a license for a product module that contains the Client Recorder Extension, make sure that your environment also meets the following requirements.

Tanium Platform

7.2.314.3550 or later.

For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.

Tanium Client

The Client Recorder Extension is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

For best results, the following Tanium Client versions are suggested:

  • 6.0.314.1540 (Windows)
  • 7.2.314.3211 (Linux, MacOS, Windows)
  • 7.2.314.3476 (Linux, MacOS, Windows)
  • 7.2.314.3518 (Linux, MacOS, Windows)
  • 7.2.314.3632 (Linux, MacOS, Windows)
  • 7.4.1.1955 and later

For more information about specific Tanium Client versions, see Tanium Client Deployment Guide: Client host system requirements.

Tanium products

One or more of the following Tanium products:

  • Tanium™ Threat Response
  • Tanium™ Integrity Monitor
  • Tanium™ Map

Tanium Module Server

Modules that install the Client Recorder Extension are installed and run as a service on the Module Server host computer. The impact on Module Server is minimal and depends on usage.

Endpoints

The amount of free disk space that is required depends on the configuration of the Client Recorder Extension. 3GB is recommended.

The Client Recorder Extension supports Windows, Linux, and Mac endpoints. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

For Linux endpoints, you must:

  • Install the most recent stable version of the audit daemon and audispd-plugins before initializing endpoints. See the specific operating system documentation for instructions.
  • Be aware that when using immutable "-e 2" mode, the Client Recorder Extension adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the status sensor for each product that uses the Client Recorder Extension indicates if the service needs to be restarted.
  • Be aware that when using the failure "-f 2" mode, the Linux kernel panics if an auditd message is lost. The recorder does not add audit rules if this configuration is detected.

On SUSE 15 endpoints, make sure that /etc/audit/rules.d/audit.rules does not contain a rule added by default to suppress syscall auditing that displays as -a task,never. If this rule exists, remove it to ensure that events are recorded.

If SELinux is available and enforcing, the Client Recorder Extension attempts to install a policy when the Client Recorder Extension is installed or upgraded. If this policy is not installed - or not applied correctly - the following health check is returned:

SELinux is in enforcing mode but TaniumAuditPipe does not have the recorder SELinux policy applied.

If this health check is encountered, ensure that the semodule, restorecon, and semanage binaries are installed. Typically these binaries are installed in the same package: policycoreutils or policycoreutils-python. You can verify if these packages are installed by running a command such as yum provides <path>/semodule.
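The Linux conditions above (the -a task,never rule, the -f 2 and -e 2 modes, and the SELinux policy tools) can be checked before initializing endpoints. The following script is an added example, not Tanium code; its function names and finding keywords are hypothetical, and it reads a rules file statically rather than querying the running audit configuration.

```shell
#!/bin/sh
# Added example (not Tanium code): static pre-flight check of an auditd rules
# file for the Linux conditions listed above. Keywords are this script's own.

# Print one keyword per relevant rule found in the rules file given as $1.
audit_rule_findings() {
    # Drop comments, collapse runs of whitespace, trim both ends.
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1" |
    while IFS= read -r rule; do
        case "$rule" in
            "-a task,never"|"-a never,task") echo task_never ;;
            "-f 2") echo failure_panic ;;
            "-e 2") echo immutable ;;
        esac
    done
}

# Print each SELinux policy tool named on the page that is not on PATH.
missing_selinux_tools() {
    for tool in semodule restorecon semanage; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Report on one rules file; returns 1 if events would not be recorded,
# 2 if the file cannot be read, 0 otherwise.
preflight_report() {
    rules_file=${1:-/etc/audit/rules.d/audit.rules}
    result=0
    [ -r "$rules_file" ] || { echo "cannot read $rules_file" >&2; return 2; }
    for finding in $(audit_rule_findings "$rules_file"); do
        case "$finding" in
            task_never)    echo "FAIL: '-a task,never' suppresses syscall auditing"; result=1 ;;
            failure_panic) echo "FAIL: '-f 2' set, recorder adds no audit rules"; result=1 ;;
            immutable)     echo "NOTE: '-e 2' set, a service restart may be needed" ;;
        esac
    done
    for tool in $(missing_selinux_tools); do
        echo "WARN: $tool missing (needed when SELinux is enforcing)"
    done
    return "$result"
}

# Run only when asked, e.g.: sh preflight.sh --check /etc/audit/rules.d/audit.rules
if [ "${1:-}" = "--check" ]; then
    preflight_report "${2:-}"
fi
```

Only the file passed in is examined; pass each file under /etc/audit/rules.d/ in turn if the -e or -f setting lives elsewhere.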

eBPF is supported on the following operating systems:

| Operating system | Operating system version | eBPF supported | Notes |
|---|---|---|---|
| Oracle Enterprise Linux | 8.3+ Standard Linux Kernel | Yes - LibBPF | |
| | 8.3+ UEK Kernel | Yes - BCC (1) | Kernel-uek-devel |
| | 7.8-8.2 Standard Linux Kernel | Yes - BCC (2) | Kernel-devel, Kernel-headers |
| | 7.8-8.2 UEK Kernel | Yes - BCC (1) | Kernel-uek-devel |
| RHEL 8, CentOS 8 | 8.2+ | Yes - LibBPF | |
| RHEL 7, CentOS 7 | 7.8-8.1 | Yes - BCC (2) | Kernel-devel, Kernel-headers |

(1) = with Kernel-uek-devel installed
(2) = with Kernel-devel and Kernel-headers installed

The kernel-headers package and kernel-devel package can be installed with YUM. The version of the packages must match the version of the running kernel:

yum install kernel-devel-$(uname -r)

yum install kernel-headers-$(uname -r)

If running the UEK kernel on OEL, install the kernel-uek-devel package:

yum install kernel-uek-devel-$(uname -r)

The Client Recorder Extension does not start on endpoints with a single logical core without updating the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To update CX.recorder.EnableSingleCpuRequirement to 0, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to appropriate endpoints. Alternatively, you can run the following command from the Tanium Client directory on endpoints to update this configuration setting:

  • (Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
  • (Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

You can use the Tanium Event Recorder Driver to record process and command line events on supported Windows endpoints. The following operating systems support the Tanium Event Recorder Driver:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 8.1
  • Windows 10, build 1607 or later
  • Windows Server 2016
  • Windows Server 2019

If the Tanium Event Recorder Driver is updated, endpoints require a reboot to ensure that all events are returned, to see the process tree in an alert, and to ensure that signals are working as intended.

For Mac endpoints, macOS 10.11 or later is required.

The Recorder Client Extension is not supported on AIX or Solaris endpoints.

Notes:
  • Windows 7 and Windows Server 2008 R2 operating systems must have KB3033929 installed to ensure the Tanium signing certificates are trusted by the operating system. For details regarding KB3033929, see https://support.microsoft.com/en-us/help/3033929/microsoft-security-advisory-availability-of-sha-2-code-signing-support.
  • Windows 10, build 1511, is not supported by the Tanium Event Recorder Driver.
  • The recorder forces a vacuum if the database size becomes too large. To ensure that continual vacuuming does not occur, a check allows a vacuum only once per day and at least one hour after system startup, so that vacuum operations do not interfere with system boot.

Host and network security requirements

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. See the module user guide for a complete reference of exclusions that must be put in place for the module to work as expected. The following table lists the exclusions required for the Client Recorder Extension.

| Target Device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\<ProductName>\node.exe |
| Windows endpoints | <Tanium Client>\extensions\TaniumRecorder.dll |
| | <Tanium Client>\extensions\TaniumRecorder.dll.sig |
| | <Tanium Client>\extensions\recorder\proc.bin |
| | <Tanium Client>\extensions\recorder\recorder.db |
| | <Tanium Client>\extensions\recorder\recorder.db-shm |
| | <Tanium Client>\extensions\recorder\recorder.db-wal |
| | <Tanium Client>\extensions\recorder\<sample_database>.json |
| Linux endpoints | <Tanium Client>/extensions/libTaniumRecorder.so |
| | <Tanium Client>/extensions/libTaniumRecorder.so.sig |
| | <Tanium Client>/extensions/recorder/proc.bin |
| | <Tanium Client>/extensions/recorder/recorder.db |
| | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | <Tanium Client>/extensions/recorder/<sample_database>.json |
| | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | /etc/audisp/plugins.d/tanium.conf |
| | <Tanium Client>/extensions/recorder/libTanuimBPF.so |
| | <Tanium Client>/extensions/recorder/TaniumAuditPipe |
| | /etc/audit/rules.d/tanium.rules |
| macOS endpoints | <Tanium Client>/extensions/libTaniumRecorder.dylib |
| | <Tanium Client>/extensions/libTaniumRecorder.dylib.sig |
| | <Tanium Client>/extensions/recorder/proc.bin |
| | <Tanium Client>/extensions/recorder/recorder.db |
| | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | <Tanium Client>/extensions/recorder/<sample_database>.json |