Requirements

Review the requirements before you install and use Trace.

Tanium dependencies

In addition to a license for the Trace product module, there are minimum requirements for other Tanium components.

Component | Requirement
Tanium Platform | 6.5 or later. Enhanced functionality is available with version 7.0.314.6042 and later. Installing Tanium™ Interact is also suggested. For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.
Tanium Client | The event recorder is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability. For more information about specific Tanium Client versions, see Tanium Client Deployment Guide: Client host system requirements.
Tanium Connect | 4.1.0 or later (optional).
Tanium Detect | 2.4.2 or later (optional).
Tanium Incident Response | 3.3.1 or later (optional).
Tanium Protect | 1.0.1 or later (optional).
Tanium Trends | 1.0 or later (optional).

For information about activating product licenses, see Tanium Knowledge Base: Licensing.

Endpoint hardware and software requirements

A minimum of 100 MB RAM is required on each endpoint device. By default, the endpoint database is 1 GB in size. There must be three times the maximum database size available in free disk space. The CPU demand on the endpoint averages less than 1%.

For Linux endpoints, you must:

  • Install the most recent stable version of the audit daemon and audispd-plugins before initializing endpoints. See the specific operating system documentation for instructions.
  • Be aware that when using immutable "-e 2" mode, the Linux event recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled.
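A preflight check for the Linux endpoint requirements above (free disk space of three times the database size, the audit daemon tooling, and the audit immutable flag), written as an added example for this page and not Tanium's own tooling; the 1 GB default database size, the "-e 2" immutable rule, the rules file path and the plugin directories are assumptions taken from the text or labelled in the code.

```shell
#!/bin/sh
# Added example: preflight checks for a Linux endpoint before the Trace recorder
# is initialized. Not Tanium tooling; paths and thresholds are assumptions.

# Free disk space the page requires: three times the maximum database size.
# $1 = maximum database size in MB (the default endpoint database is 1 GB).
# Prints the required free space in KB, the unit that "df -Pk" reports.
required_free_kb() {
    db_mb=${1:-1024}
    echo $((db_mb * 3 * 1024))
}

# Succeeds when the audit rules file in $1 ends with "-e 2" as its last active
# (non-comment, non-blank) line. Rules placed after "-e 2" are never loaded, so
# the Trace audit rules have to be inserted in front of the immutable flag.
rules_end_immutable() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    [ "$last" = "-e 2" ]
}

# Succeeds when kernel audit status text ("auditctl -s" output on stdin) shows
# enabled = 2, i.e. the rule set is already locked. In that state the endpoint
# must be restarted after the recorder is enabled for the new rules to load.
status_is_immutable() {
    awk '$1 == "enabled" { seen = 1; if ($2 == 2) exit 0; exit 1 }
         END { if (!seen) exit 1 }'
}

# Live checks against this host; prints one line per finding.
preflight() {
    rules=${1:-/etc/audit/audit.rules}   # assumed default rules path
    command -v auditctl >/dev/null 2>&1 || echo "missing: auditctl (install the audit daemon)"
    # audispd-plugins install into one of these directories depending on the audit version (assumption)
    [ -d /etc/audisp/plugins.d ] || [ -d /etc/audit/plugins.d ] || echo "missing: audispd-plugins"
    need=$(required_free_kb 1024)
    have=$(df -Pk / | awk 'NR == 2 { print $4 }')
    [ "${have:-0}" -ge "$need" ] || echo "free space: ${have:-0} KB available, $need KB required"
    if [ -r "$rules" ] && rules_end_immutable "$rules"; then
        echo "note: $rules ends in -e 2; Trace rules must precede it"
    fi
    if auditctl -s 2>/dev/null | status_is_immutable; then
        echo "note: audit rules are immutable now; reboot after enabling the recorder"
    fi
}
```

Run `preflight` (optionally with a rules file path) on the endpoint before enabling the recorder; an empty result means every check passed.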

Tanium Module Server computer resources

Trace is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. Contact your Technical Account Manager (TAM) for details.

Third-party software

(Windows, Optional) Microsoft Sysmon

The latest supported version of Microsoft Sysmon is required to record process hashes and command-line information on Windows endpoints earlier than Windows 8 and Windows Server 2012 R2. For Windows 8 or later and Windows Server 2012 R2 or later, Sysmon is not required. For more information about the types of data recorded by Trace, see Trace recorder features.

To configure Sysmon on endpoints, see Configure Sysmon.

Host and network security requirements

Specific ports and processes are needed to run Trace.

Ports

The following ports are required for Trace communication.

Component | Port number | Direction | Service | Purpose
Module Server | 17443 | Inbound | Trace service | Support for uploading snapshots.
Module Server | 17444 | Inbound | Trace service | Trace agents connecting to the Module Server for live connections to endpoints.
Module Server | 17449 | Outbound | Trace zone hub | (Optional) Tanium Trace zone hub connection to Tanium Trace zone proxy.
Zone Server | 17449 | Inbound | Trace zone proxy | (Optional) Tanium Trace zone hub connection to Tanium Trace zone proxy.
Zone Server | 17444 | Inbound | Trace zone proxy | (Optional) Connections from Trace agents.
Tanium Client | 17444 | Outbound | Tanium Client | TaniumTraceWebsocketClient.exe connecting to the Module Server or the Trace zone proxy for live connections.

Security exclusions

If security software that monitors and blocks unknown host system processes is in use in the environment, a security administrator must create exclusions so that the Tanium processes can run without interference.

Target device | Process
Tanium Module Server | <Tanium Module Server>\services\trace\node.exe
Tanium Zone Proxy | <Trace Zone Proxy>\proxy\node.exe
Windows x86 endpoints | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
Windows x86 endpoints | <Tanium Client>\Tools\Trace\TaniumSQLiteQuery.exe
Windows x86 endpoints | <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
Windows x86 endpoints | <Installation Location>\sysmon.exe
Windows x64 endpoints | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
Windows x64 endpoints | <Tanium Client>\Tools\Trace\TaniumSQLiteQuery.exe
Windows x64 endpoints | <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
Windows x64 endpoints | <Installation Location>\sysmon.exe
Mac OS endpoints | <Tanium Client>/Tools/Trace/recorder
Mac OS endpoints | <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
Mac OS endpoints | <Tanium Client>/Tools/Trace/TaniumExecWrapper
Linux x86 endpoints | <Tanium Client>/Tools/Trace/recorder
Linux x86 endpoints | <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
Linux x86 endpoints | <Tanium Client>/Tools/Trace/TaniumExecWrapper
Linux x64 endpoints | <Tanium Client>/Tools/Trace/recorder
Linux x64 endpoints | <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
Linux x64 endpoints | <Tanium Client>/Tools/Trace/TaniumExecWrapper

Console roles and privileges

For Tanium Platform version 6.5 or 7.0, users with a minimum of Action User permission can perform all functions.

For version 7.1.314.3071 or later, use role-based access control (RBAC) permissions to restrict access to Trace functions.

Table 1:   Tanium 7.1 Trace User Role Privileges
Permission | Description | Implied-permission marks (roles: Trace Administrator, Trace User, Trace Read Only User)
Show Trace | Access to the Trace workbench | * * *
Trace API Doc Read | View and list API Docs |
Trace Deployment Read | View and list deployments | *
Trace Endpoint Configuration Read | View and list endpoint configurations | * * *
Trace Enterprise Hunting Read | View and list sensors for enterprise hunting |
Trace Exports Read | View and list exported events | * *
Trace Exports Write | Create and delete exported events |
Trace File Downloads Read | View and list file downloads from live endpoints | * *
Trace File Downloads Write | Download and delete files from live connections |
Trace IOCs Read | View and list indicators of compromise (IOCs) | * *
Trace IOCs Write | Create, edit, and delete indicators of compromise (IOCs) |
Trace Live Connections Read | View and list live endpoint connections | * *
Trace Live Connections Write | Add, remove, and connect to live endpoints |
Trace Protect Rules Write | Create, edit, and delete Protect rules |
Trace Saved Events Read | View and list saved events | * *
Trace Saved Events Write | Save events from live endpoint connections |
Trace Snapshots Read | View and list snapshots | * *
Trace Snapshots Write | Capture and delete snapshots |
Trace Use API | Perform Trace operations using the API | * * *
Trace Deployment Write | Deploy Trace to endpoints |

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

* Denotes an implied permission.

† Requires permissions for other modules or solutions to complete all tasks in other modules and see all content; such as Detect (version 3.0.6 or later), Protect (version 1.3.0 or later), Connect (version 4.3.0 or later), or Interact. You can assign a role for another product, or create a custom role that lists just the specific privileges needed.

‡ To install Trace, you must have the reserved role of Administrator.

Table 2:   Tanium 7.1 Advanced User Role Privileges
Permission | Content Set for Permission | Implied-permission marks (roles: Trace Administrator, Trace User, Trace Read Only User)
Ask Dynamic Questions | | * * *
Read Sensor | Reserved | * *
Read Sensor | Trace Analysis | * * *
Read Sensor | Trace Deployment | * *
Write Sensor | Trace Deployment | *
Write Action | Trace Analysis | * *
Write Action | Trace Deployment | *
Write Package | Trace Analysis | *
Write Package | Trace Deployment | *
Execute Plugin | Trace Analysis | * * *

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

* Denotes an implied permission.

For example, to do everything in Trace and its features that integrate with other Tanium products, the user would need:

  • Trace Administrator role
  • Protect User role to pivot from Trace saved evidence into Protect rules
  • Connect Administrator role or just the Connect Reputation Read privilege to see reputation data
  • Show Interact role to view the status results of endpoints

To use Trace with Tanium IOC Detect 2.x, Trace roles must be assigned Legacy - Question Author permissions.

Last updated: 8/29/2018 11:21 AM