Client Recorder Extension requirements

Review the requirements before you install a module that includes the Client Recorder Extension.

Tanium dependencies

In addition to a license for a product module that contains the Client Recorder Extension, make sure that your environment also meets the following requirements.

Component: Tanium Platform
Requirement: 7.2.314.3550 or later.

For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.

Component: Tanium Client
Requirement: The Client Recorder Extension is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

For best results, the following Tanium Client versions are suggested:

  • 6.0.314.1540 (Windows)
  • 7.2.314.3211 (Linux, macOS, Windows)
  • 7.2.314.3476 (Linux, macOS, Windows)
  • 7.2.314.3518 (Linux, macOS, Windows)

For more information about specific Tanium Client versions, see Tanium Client Deployment Guide: Client host system requirements.

Component: Tanium Module
Requirement: One of the following Tanium modules:

  • Tanium™ Threat Response
  • Tanium™ Integrity Monitor
  • Tanium™ Map

Tanium Module Server

Modules that install the Client Recorder Extension are installed and run as a service on the Module Server host computer. The impact on Module Server is minimal and depends on usage.

Endpoints

The Client Recorder Extension supports Windows, Linux, and Mac endpoints. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability. The amount of free disk space that is required depends on the configuration of the Client Recorder Extension. 3 GB is recommended.

The CPU demand on the endpoint averages less than 1%. For full functionality, a minimum of two CPUs per endpoint is required.

A minimum of 4 GB RAM is required on each endpoint device. By default, the endpoint database for Threat Response is between 256 MB and 1 GB in size. There must be three times the maximum database size available in free disk space.

For Linux endpoints, you must:

  • Install the most recent stable version of the audit daemon and audispd-plugins before initializing endpoints. See the specific operating system documentation for instructions.
  • Be aware that when using immutable "-e 2" mode, the Client Recorder Extension adds Tanium audit rules in front of the immutable flag. When using the "-e 2" flag on Linux, the status sensor for each product that uses the Client Recorder Extension indicates whether the service needs to be restarted.
  • Be aware that when using the failure "-f 2" mode, the Linux kernel panics in the event that an auditd message is lost. The recorder does not add audit rules if this configuration is detected.

If SELinux is available and enforcing, the Client Recorder Extension attempts to install a policy when the Client Recorder Extension is installed or upgraded. If this policy is not installed, or is not applied correctly, the following health check is returned:

SELinux is in enforcing mode but TaniumAuditPipe does not have the recorder SELinux policy applied.

If this health check is encountered, ensure that the semodule, restorecon, and semanage binaries are installed. Typically these binaries are installed in the same package: policycoreutils or policycoreutils-python. You can verify whether these packages are installed by running a command such as yum provides <path>/semodule.
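
A pre-flight check for the Linux requirements above, as an added example that is not part of the Tanium documentation or product. It assumes that auditctl -s prints one "name value" pair per line (enabled N, failure N); the function names and the --live switch are hypothetical, and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for the Linux endpoint requirements.
# Assumption: auditctl -s prints one "name value" pair per line.

# audit_field NAME: print the value of NAME from status text on stdin.
audit_field() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# classify_audit_status: map status text on stdin to one finding.
classify_audit_status() {
    status=$(cat)
    enabled=$(printf '%s\n' "$status" | audit_field enabled)
    failure=$(printf '%s\n' "$status" | audit_field failure)
    if [ -z "$enabled" ] || [ -z "$failure" ]; then
        echo "unknown: could not parse audit status"
    elif [ "$failure" = "2" ]; then
        echo "blocker: -f 2 set, recorder will not add audit rules"
    elif [ "$enabled" = "2" ]; then
        echo "warn: -e 2 set, check the status sensor for a required restart"
    else
        echo "ok: enabled=$enabled failure=$failure"
    fi
}

# missing_selinux_tools: list the required binaries not found on PATH.
missing_selinux_tools() {
    missing=""
    for b in semodule restorecon semanage; do
        command -v "$b" >/dev/null 2>&1 || missing="$missing $b"
    done
    echo "${missing# }"
}

# sample_status ENABLED FAILURE: constructed status text for offline runs.
sample_status() {
    printf 'enabled %s\nfailure %s\npid 812\nrate_limit 0\nlost 0\n' "$1" "$2"
}

sample_status 1 2 | classify_audit_status   # constructed input, not live data

# Live check (hypothetical --live switch); auditctl needs root.
if [ "${1:-}" = "--live" ]; then
    auditctl -s | classify_audit_status
    if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        echo "SELinux enforcing; missing tools: $(missing_selinux_tools)"
    fi
fi
```

Run it with --live before initializing endpoints; a "blocker" result means the audit configuration must change before the recorder can add its rules.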

You can use the Tanium Event Recorder Driver to record process and command line events on supported Windows endpoints. The following operating systems support the Tanium Event Recorder Driver:

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 8.1
  • Windows 10, build 1607 or later
  • Windows Server 2016
  • Windows Server 2019

For Mac endpoints, macOS 10.11 or later is required.

The Client Recorder Extension is not supported on AIX or Solaris endpoints.

Notes:
  • Windows 7 and Windows Server 2008 R2 operating systems must have KB3033929 installed to ensure the Tanium signing certificates are trusted by the operating system. For details regarding KB3033929, see https://support.microsoft.com/en-us/help/3033929/microsoft-security-advisory-availability-of-sha-2-code-signing-support.
  • Windows 10, build 1511, is not supported by the Tanium Event Recorder Driver.
  • The recorder forces a vacuum if the database size becomes too large. To ensure that continual vacuuming does not occur, a check allows a vacuum only once per day and at least one hour after system startup, so that vacuum operations do not interfere with system boot.

Host and network security requirements

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. See the module user guide for a complete reference of exclusions that must be put in place for the module to work as expected. The following table lists the exclusions required for the Client Recorder Extension.

Target Device: Module Server
Process:
  • <Tanium Module Server>\services\<ProductName>\node.exe

Target Device: Windows endpoints
Process:
  • <Tanium Client>\extensions\TaniumRecorder.dll
  • <Tanium Client>\extensions\TaniumRecorder.dll.sig
  • <Tanium Client>\extensions\recorder\proc.bin
  • <Tanium Client>\extensions\recorder\recorder.db
  • <Tanium Client>\extensions\recorder\recorder.db-shm
  • <Tanium Client>\extensions\recorder\recorder.db-wal
  • <Tanium Client>\extensions\recorder\<sample_database>.json

Target Device: Linux endpoints
Process:
  • <Tanium Client>/extensions/libTaniumRecorder.so
  • <Tanium Client>/extensions/libTaniumRecorder.so.sig
  • <Tanium Client>/extensions/recorder/proc.bin
  • <Tanium Client>/extensions/recorder/recorder.db
  • <Tanium Client>/extensions/recorder/recorder.db-shm
  • <Tanium Client>/extensions/recorder/recorder.db-wal
  • <Tanium Client>/extensions/recorder/<sample_database>.json
  • <Tanium Client>/extensions/recorder/recorder.auditpipe
  • /etc/audisp/plugins.d/tanium.conf

Target Device: macOS endpoints
Process:
  • <Tanium Client>/extensions/libTaniumRecorder.dylib
  • <Tanium Client>/extensions/libTaniumRecorder.dylib.sig
  • <Tanium Client>/extensions/recorder/proc.bin
  • <Tanium Client>/extensions/recorder/recorder.db
  • <Tanium Client>/extensions/recorder/recorder.db-shm
  • <Tanium Client>/extensions/recorder/recorder.db-wal
  • <Tanium Client>/extensions/recorder/<sample_database>.json
  • <Tanium Client>/extensions/recorder/recorder.auditpipe
  • /etc/audisp/plugins.d/tanium.conf

Last updated: 9/10/2020 10:36 AM