Integrity Monitor requirements

Review the requirements before you install and use Integrity Monitor.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Integrity Monitor

  • Tanium™ Core Platform servers 7.3 or later

  • Tanium™ Client
    • Windows: 7.2.314.3584 or later
    • Linux, AIX, Solaris: Any supported version of Tanium Client

  • Any supported version of a Tanium Client

For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server or Tanium Cloud automatically imports the computer groups that Integrity Monitor requires:

  • All Computers
  • All AIX
  • All Linux
  • All Solaris
  • All Windows Server 2019
  • All Windows Server 2016
  • All Windows Server 2012 R2
  • All Windows Server 2012
  • All Windows Server 2008 R2

Computer groups with manual membership are not supported in Integrity Monitor.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Integrity Monitor to function (required dependencies) or for specific Integrity Monitor features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Integrity Monitor dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Integrity Monitor requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Integrity Monitor, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Integrity Monitor to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Integrity Monitor has the following required dependencies at the specified minimum versions:

Feature-specific dependencies

Integrity Monitor has the following feature-specific dependencies at the specified minimum versions:

  • Tanium™ Connect 4.0 or later for event export
  • Tanium Connect 5.8.54 or later for watchlist data export

Client extensions

Tanium Endpoint Configuration installs client extensions for Integrity Monitor on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Integrity Monitor functions:

  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Py CX - Provides a library that enables communication between Python-based client extensions and Core CX. Tanium Integrity Monitor, Tanium Reveal, or Tanium Threat Response installs this client extension.
  • Recorder CX - Provides the ability to save event data on each endpoint and monitor the endpoint kernel and other low-level subsystems to capture a variety of events. Tanium Integrity Monitor, Tanium Map, or Tanium Threat Response installs this client extension.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Integrity Monitor.

Operating System Version Notes
Windows

A minimum of Windows 7 SP1 or Windows Server 2008 R2 SP1 is required.

For Windows 7 or Windows Server 2008 R2 endpoints, update to Windows 7 SP2 or later or Windows Server 2008 R2 SP2 or later whenever possible. Windows 7 SP1 or Windows Server 2008 R2 SP1 requires Microsoft Windows Update KB2758857.

Linux

Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux.

The Client Recorder Extension provides SELinux policies for the following distributions and versions:

  • Oracle Linux 5.x, 6.x, 7.x, and 8.x

    When SELinux is enabled, only process information is returned. This is a known issue and will be addressed in a future version of Integrity Monitor.

  • Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x
  • CentOS 5.4 and later, 6.x, 7.x, and 8.x
  • Amazon Linux 2 LTS (2017.12)

At this time, SELinux is not supported on other Linux distributions.

On endpoints where the recorder is not supported, event monitoring is unavailable, and only hash monitoring is supported.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions.
  • When you use immutable mode ("-e 2"), the recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled.
  • When you use failure mode "-f 2", the Linux kernel panics if an auditd message is lost. The recorder does not add audit rules if this configuration is detected.
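
A preflight check for the two audit modes described above, as an added example that is not part of the Tanium documentation. It classifies the text printed by `auditctl -s`, assuming that `enabled 2` reflects -e 2 and that `failure 2` (or `flag=2` in the older single-line output) reflects -f 2; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: decide what the audit configuration means for the recorder
# before it is enabled. Input is the text of `auditctl -s`.

# Print the value of one status field. Handles both layouts:
#   newer audit userspace:  "enabled 2"      (one field per line)
#   older audit userspace:  "AUDIT_STATUS: enabled=2 flag=1 pid=..."
audit_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == k && i < NF) { print $(i + 1); exit }
            n = split($i, kv, "=")
            if (n == 2 && kv[1] == k) { print kv[2]; exit }
        }
    }'
}

# Result labels (hypothetical):
#   blocked-failure-panic  failure mode 2: recorder will not add audit rules
#   reboot-required        immutable mode: restart needed after enabling
#   ok                     neither mode is active
#   unknown                status text could not be parsed
recorder_audit_preflight() {
    enabled=$(audit_field "$1" enabled)
    failure=$(audit_field "$1" failure)
    # Older output names the failure mode "flag".
    [ -n "$failure" ] || failure=$(audit_field "$1" flag)

    if [ -z "$enabled" ] || [ -z "$failure" ]; then
        echo "unknown"
    elif [ "$failure" = "2" ]; then
        # Checked first: with -f 2 no Tanium rules are added at all.
        echo "blocked-failure-panic"
    elif [ "$enabled" = "2" ]; then
        echo "reboot-required"
    else
        echo "ok"
    fi
}

# Live use (requires root): sh preflight.sh --live
if [ "${1:-}" = "--live" ] && command -v auditctl >/dev/null 2>&1; then
    recorder_audit_preflight "$(auditctl -s 2>/dev/null)"
fi
```
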

AIX

A minimum of AIX 7.1.4 is required.

The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file.

Solaris

Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

Disk space requirements

On managed endpoints, Integrity Monitor requires at least 1 GB of disk space.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%.

The Client Recorder Extension does not start on endpoints with a single logical core unless you update the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To update the setting, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to the appropriate endpoints. Alternatively, run the following command from the Tanium Client directory on each endpoint:

  • (Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
  • (Linux) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

A minimum of 4 GB RAM is recommended on each endpoint device.

Permission recording requirements

Linux endpoints do not have any special requirements to monitor the permission event type.

To monitor the permission event type on Windows endpoints, you must configure the Audit File System permission under Local Security Policy on the endpoint. For more information, see Prepare Endpoints.

Client Recorder Extension

Integrity Monitor uses the Tanium™ Client Recorder Extension to gather data from endpoints. For more information, see Client Recorder Extension User Guide.

Integrity Monitor does not use the Client Recorder Extension for Solaris and AIX endpoints.

Tanium Event Recorder Driver

Use the Tanium Event Recorder Driver to record registry events on supported Windows endpoints. For more information, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver.

The Tanium Event Recorder Driver is installed by default when you deploy a monitor that is configured to use it. For more information, see Create a new monitor.

If the Tanium Event Recorder Driver is updated, endpoints that use Integrity Monitor require a reboot to see the recorder status.

If you need to troubleshoot an issue with the Tanium Event Recorder Driver, see Manually install the Tanium Event Recorder Driver.

Third-party software

To integrate Integrity Monitor with an IT workflow in ServiceNow Change Management, ServiceNow Madrid or later is required.

Host and network security requirements

Specific ports and processes are needed to run Integrity Monitor.

Ports

The following ports are required for Integrity Monitor communication.

  • Source: Module Server / Tanium Cloud
  • Destination: Module Server / Tanium Cloud (loopback)
  • Port: 17456
  • Protocol: TCP
  • Purpose: Internal purposes; not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Integrity Monitor security exclusions

Tanium Module Server

  • Process: <Module Server>\services\integrity-monitor-service\node.exe
  • Process: <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

Windows x86 and x64 endpoints

  • Process: <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  • Process: <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
  • Process: <Tanium Client>\Tools\IM\TaniumSQLiteQuery.exe
  • Process: <Tanium Client>\Tools\IM\TaniumExecWrapper.exe
  • File: <Tanium Client>\extensions\TaniumRecorder.dll
  • File: <Tanium Client>\extensions\TaniumRecorder.dll.sig
  • File: <Tanium Client>\extensions\recorder\proc.bin
  • File: <Tanium Client>\extensions\recorder\recorder.db
  • File: <Tanium Client>\extensions\recorder\recorder.db-shm
  • File: <Tanium Client>\extensions\recorder\recorder.db-wal
  • File: <Tanium Client>\extensions\core\libTaniumPythonCx.dll
  • File: <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig
  • File: <Tanium Client>\TaniumClientExtensions.dll
  • File: <Tanium Client>\TaniumClientExtensions.dll.sig
  • Process (7.2.x clients): <Tanium Client>\Python27\TPython.exe
  • Folder (7.2.x clients): <Tanium Client>\Python27
  • Process (7.4.x clients): <Tanium Client>\Python38\TPython.exe
  • Folder (7.4.x clients): <Tanium Client>\Python38
  • Process: <Tanium Client>\TaniumCX.exe

Linux x86 and x64 endpoints

  • Process: <Tanium Client>/TaniumAuditPipe
  • Process: <Tanium Client>/Tools/Trace/recorder
  • Process: <Tanium Client>/Tools/EPI/TaniumEndpointIndex
  • Process: <Tanium Client>/Tools/EPI/TaniumExecWrapper
  • Process: <Tanium Client>/Tools/IM/TaniumExecWrapper
  • Process (7.2.x clients): <Tanium Client>/python27/python
  • Process (7.2.x clients): <Tanium Client>/python27/bin/pybin
  • Folder (7.2.x clients): <Tanium Client>/python27
  • Process (7.4.x clients): <Tanium Client>/python38/python
  • Folder (7.4.x clients): <Tanium Client>/python38
  • File: <Tanium Client>/libTaniumClientExtensions.so
  • File: <Tanium Client>/libTaniumClientExtensions.so.sig
  • File: <Tanium Client>/extensions/recorder/proc.bin
  • File: <Tanium Client>/extensions/recorder/recorder.db
  • File: <Tanium Client>/extensions/recorder/recorder.db-shm
  • File: <Tanium Client>/extensions/recorder/recorder.db-wal
  • File: <Tanium Client>/extensions/recorder/recorder.auditpipe
  • File: <Tanium Client>/extensions/core/libTaniumPythonCx.so
  • File: <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
  • Process: <Tanium Client>/TaniumCX

Service account user

The Integrity Monitor service account requires certain privileges to run background jobs which include gathering endpoint statistics, sending labels to Connect, and evaluating rules. See Installing Integrity Monitor to create a service account user and configure the service account within Integrity Monitor.

User role requirements

The following tables list the role permissions required to use Integrity Monitor. To review a summary of the predefined roles, see Set up Integrity Monitor users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Integrity Monitor user role permissions
Privilege Integrity Monitor Administrator [1,2,5] Integrity Monitor Operator [1,2,4,5] Integrity Monitor Author [1] Integrity Monitor User [1] Integrity Monitor Read Only User [1] Integrity Monitor Service Account [1,2,3,5] Integrity Monitor Endpoint Configuration Approver [1,2]

Integrity Monitor

View the Integrity Monitor workbench

SHOW
TROUBLESHOOTING

SHOW

SHOW

SHOW

SHOW

SHOW

Integrity Monitor Admin Settings

Set the service account and log level

WRITE

Integrity Monitor API

Perform Integrity Monitor operations using the API

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

Integrity Monitor Deploy

MONITORS: Deploy monitors

RULES: Deploy rules

MONITORS
RULES

MONITORS
RULES

MONITORS
RULES

Integrity Monitor Endpoint Configuration

Approve Integrity Monitor configuration changes in Tanium Endpoint Configuration

APPROVE

Integrity Monitor Execute Scheduled

Run tasks in the IM service with the IM schedule plugin, including sending labeled events to Connect via a background scheduled task and scheduling the weekly day and time to generate reports; run and apply rules to events

TASK

TASK

Integrity Monitor Integrations

Create, edit, and schedule integrations with IT workflows

ADMIN

ADMIN

Integrity Monitor Labels

View, create, and edit labels

READ
WRITE

READ
WRITE

READ
WRITE

READ

READ

READ

Integrity Monitor Monitor Event Labels

View, create, edit, and delete monitor event labels and label notes
Send labeled events to Connect manually [4]

READ
WRITE
DELETE

READ
WRITE
DELETE

READ
WRITE

READ
WRITE

READ

Integrity Monitor Monitor Events

View monitor events

READ

READ

READ

READ

READ

Integrity Monitor Monitors

View, create, and edit monitors. View, download, enable, disable, or delete reports for a monitor.

READ
WRITE

READ
WRITE

READ
WRITE

READ

READ

READ

Integrity Monitor Rules

View, create, and edit rules

READ
WRITE

READ
WRITE

READ
WRITE

READ
WRITE

READ

Integrity Monitor Settings

View and update general settings, templates, and default labels

READ
WRITE

READ
WRITE

READ

READ

READ

Integrity Monitor Watchlists

View, create, and edit watchlists

READ
WRITE

READ
WRITE

READ
WRITE

READ

READ

READ

1 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

3 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

4 To send labeled events to Tanium Connect, you must have Connect installed. You must also have the Integrity Monitor Monitor Event Labels Write permission and the Tanium Connect Connect Event Write permission, which is provided through the Connect roles. The least privileged Connect role that an Administrator can assign to grant this privilege is Connect User.

5 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see the Tanium Interact User Guide: User role requirements.




Provided Integrity Monitor administration and platform content permissions
Permission Permission Type Integrity Monitor Administrator [1] Integrity Monitor Operator Integrity Monitor Author Integrity Monitor User Integrity Monitor Read Only User Integrity Monitor Service Account Integrity Monitor Endpoint Configuration Approver
Action Group Administration

READ

READ

READ

READ

READ

READ

READ

Action Platform Content

READ
WRITE

READ
WRITE

READ
WRITE

Filter Group Platform Content

READ

READ

READ

READ

READ

READ

READ

Own Action Platform Content

READ

READ

READ

Package Platform Content
READ
WRITE

READ
WRITE

READ
WRITE
Plugin Platform Content

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

Saved Question Platform Content

READ
WRITE

READ
WRITE

READ

READ

READ

READ
WRITE

Sensor Platform Content

READ

READ

READ

READ

READ

READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.