IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.
Release Notes Tanium Server (Version 7.3.314.4101)
(Redirected from Release Notes (Version 7.3.314.4101))
Thank you for choosing Tanium. The following Release Notes document changes between releases of the Tanium Server.
This platform release includes the release of both a Windows and Linux Tanium Server.
The previous version can be found here: Release Notes (Version 7.3.314.3668)
Tanium Server for Windows and Linux v7.3.314.4101
General Availability Release Date: Jul 2, 2019.
Special Notes
- Due to security issues against this release of Tanium Server, Tanium strongly recommends upgrading to at least v7.3.314.4324 if you are using this version.
New Features
- The Tanium Server API now supports granular Module role based access controls.
- The Tanium Server API now supports identity tokens, giving Tanium modules and other agents access to the interface without the use of schedule-plugins.
- The Tanium Server now uses the new and improved network stack introduced in 7.3 for client communications in its HTTPS service.
- The Tanium Server API now offers the
/metricsroute which exposes metrics compatible with Prometheus. - The Tanium Server installation now generates a SWIDTAG (software identification tag) file to comply with ISO/ IEC 19770-2.
Improvements
- The network reset that existed in previous versions has been completely removed.
- The Tanium Server API now supports a
single-use-requestroute that browsers can use to efficiently retrieve large file downloads like Solution module support bundles or Trace snapshots. - Within the new network stack,
AcceptOpsis no longer used. - The Tanium Server now offers NGiNX-style
http-accesslogs. - The Tanium Server API now supports retrieving a list of Saved Questions sorted by modification time, so this does not have to be done on the receiving client.
- The Tanium Server will now transmit TLS handshake error messages to incoming connections before closing, making clear the intent to stop the exchange, both to the incoming client and to anyone troubleshooting connection failures.
- The Global Setting
archive_database_cleanup_houris now5(for5:00am UTC) so TAMs and customers can benefit from this cleanup feature right out of the box. - The Tanium Server API now supports a "Synchronize Now" service for LDAP connections, in order to support that function in the CUIC.
- The Tanium Server API now provides support for the Sensor
max_stringssetting, allowing CUIC to expose this to users via the Tanium Console. - The Tanium Server API now supports the per-Sensor setting
max_string_age_minutes(Default =0/ disabled) which defines the amount of time that Sensor's strings will be kept in the system when they - Tanium Server response headers now use proper and expected casing, like
Content-Lengthinstead ofcontent-length. - The Tanium Server now supports TLS Session Ticket extensions which, in some uses, allows it to reduce the overhead of negotiating a new session every time it connects to the Tanium Module Server.
- Authentication calls to the Tanium Server APIs are no longer artificially delayed when they are successful, which makes the system more performant. Only failed authentications are delayed now.
- The Tanium Server
/infopage now provides information on the number of active connections being used by Tanium Client registrations. - The Tanium Server
/infopage now offers more detailed information about the type of Tanium Client messages that contribute to overall outgoing traffic. - The Tanium Server supports again the
registration_connection_limit(Server, Numeric) Global Setting with a default value of0(zero), which means "unlimited". This setting can be used in extremely large deployments to limit the number of concurrent Tanium Client connections used for registration, as a means to conserve bandwidth. - The Tanium Server REST API now offers the
audit_type_listto enumerate the list of available audit types that the system supports. - The Tanium Server REST API
importwill now ignore and drop<ignore_case>specifications in the select portion of a Question. - Improved the Tanium Server REST API
importto be able to handle older XML formats where<temp_sensor>objects may contain an empty<name>. - Modified the behavior of the Tanium Server API to return a
HTTP 204 No contentcode. instead ofHTTP 404when accessing/saml2/certificate.crtand no SAML certificate is set up in the system. - The Tanium Server is now more careful and conservative in validating database connections in its connection pools, using
SELECT 1to test them only everydatabase_connection_validation_interval_seconds(Server, Numeric, Default =30) instead of every time they are used. This brings efficiencies in database connection numbers and traffic. - The Tanium Server now uses a reduced amount of memory when loading Action History and Question History information from the database, resulting in important memory use improvements in legacy deployments with large databases.
- The command-line interface for
TaniumServer global-settings list-allnow displays whether a setting is applicable to Client or Server, to make it easier to distinguish between the two without need for the Tanium console display. - Added support for NTLM authentication to the REST API services.
- The Tanium Server API now supports creating new Questions from canonical question text, simplifying API use, by not having to POST to
parse_questionand then POST to create the Question object based on the results of the parse. - The Tanium Server API now supports creating new Computer Groups from canonical text in the same way that Question creation is now supported, simplifying API use.
- The concurrency of TDownloader Package file downloads is now controlled by the single setting
max_concurrent_downloads(Server, Numeric, Default =10), superseding the two settings used in prior versions:max_download_processes_per_batchandConcurrentPackageFileDownloadsLimit. - The Tanium Server and Zone Server
info.jsonpages now include metrics for bandwidth throttling queue delays, as are offered in the Tanium Console UI. - Added Use , View and Revoke micro-admin privileges to be applied to API tokens in that subsystem.
- Added full audit information to the API token subsystem.
- A Tanium Server deployment in an Active/ Active configuration now has the ability to store encrypted data in their shared database, allowing them to exchange protected information like credentials.
- The
/metricssubsystem now exposes online client information from System Status. - The
/metricssubsystem now exposes select system settings which can be used as points of reference to other real-time measurements.
Security Updates
- This release includes security updates. Details of the issues, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.
Bug Fixes
- A condition that could cause a Tanium Server crash associated with
ConcurrentJobQueueis now fixed in the handling of SOAP requests using the new and improved network stack. - Code responsible for crashes in
SACriticalSectionScope::SACriticalSectionScopehas been removed along with the network reset operation. - The Tanium Server
/infopage now supports NTLM again, resolving theHTTP-401andHTTP-500errors which some users have experienced in previous releases. - Fixed a problem in the management of Sensor statistics which could result in duplicate key violations on the
sensor_statstable, logging:ERROR: duplicate key value violates unique constraint "sensor_stats_pkey". - The Tanium Global Settings now include
EnableInternalPowershell=1as its default out of the box. - The Tanium Server
/infopage andinfo.jsonfiles now correctly populate the following data sections: Connections: Active-Active Incoming, Connections: Active-Active Outgoing and Connections: Hub Incoming. - Patched the behavior of the Postgres SQL API to avoid the harmless but constant
stdoutmessage that reads:WARNING: there is no transaction in progress. - The network stack rewrite has fixed a condition where a Tanium Server could stop listening on its HTTPs port.
- Fixed a failure in the Tanium Server insertion of rows into the
tanium_archivetables which could result in the log error:archiveThread: SQL Exception ERROR: function insert_archive_question() does not exist. - Fixed a condition within the Tanium Server where Question and Action messages were unnecessarily large, resulting in the log message:
error: assertion 'Narrow<unsigned>( buffer.Aft().size() ) >= octetsLeft' failed. - The Tanium Server will now keep audit records for Global Settings when they are added, changed or deleted through the
TaniumServer global-settingscommand line interface. - Fixed a problem in the Tanium Server API by which trying to create a Package with multiple local files, all without a source, the same content hash and different names, would result in Package objects missing some files. This impacted Solution modules like Threat Response which create "live packages" as a normal part of their operation.
- Fixed an issue in the propagation of XML namespaces when canonicalizing SAML requests.
- The
hashed_stringand hence the/stringURL route on the Tanium Server now require explicit Administrator RBAC permissions for access. - The Tanium Server installer now ensures that String cleaning is enabled by setting
enable_string_cap=1, and it also ensures thatmax_strings_totalandmax_strings_total_mbare set according to the amount of RAM available in the system. - Fixed an undesirable interaction with a dynamically linked LDAP library (
libldap) used by the PostgreSQL library (libpq.so), which would cause a crash when running:TaniumServer database upgrade. - Fixed an issue in the REST API when retrieving user detail which would return a nested
"user":entry in the result. - Fixed an issue in updating Actions which have not yet been started, where changing them would fail with the message
SOAP Processing Exception: UpdateSavedActionFailed. This issue is mostly seen in environments that use Action Approval. - Fixed an uncommon condition where a User object update (
UpdateObject) could result in a deadlock on theusers_meta_datatable, logging the error:Transaction was deadlocked on lock resources with another process and has been chosen as the deadlock victim. - Fixed a problem which could cause an endpoint to be omitted from the System Status page when its
Computer IDhad a collision/ duplicate in the system. The endpoint would be listed in theSystemStatus.txtfile, but not the System Status page. - Fixed a problem with the Tanium Server's
/infopage where theenable_string_capsetting was displayed as0(zero) when operating in its default value of1(one). - Fixed an issue with Tanium Platform components where they could fall in a state that consumed
100%of one CPU after running for some time. - Issues reported about problems with the network_reset_hour setting will no longer be applicable in the new network stack which does not use resets anymore.
- Fixed an authorization problem in the use of single use requests which would fail with the error message:
Invalid session supplied. Session ID doesn't match with existing session for this request. - The
taniumnsis.dllis now cryptographically signed so it does not trigger AV alerts. - Fix an issue where an out of the box Tanium Server installation would populate the Global Setting
disable_action_status_archive_flagas a Client setting instead of a Server setting. - Fixed an issue with LDAP synchronization auditing where locked out user accounts (with
locked_out=2) and deleted user groups (withdeleted_flag=1) would be reported repeatedly into theusers_auditwithaudit_text = locked out user from LdapSyncand theuser_groups_auditwithaudit_text = deleted user group from LdapSync, causing these tables to grow without bounds. - Fixed a condition in the Tanium Server code which could sporadically lead to a crash and core dump in the handling of
epoll_ctl, associated with the following log messages in the server logs:Linux::TheIOCP::DisAssociateSocket epoll_ctl failedandFailed to set socket non-blocking flag: EBADF: Bad file descriptor. - Fixed a condition in the management of certain
NULLvalues while migrating thequestions_subgroupstable that could result in an upgrade failure that logs:SQL upgrade step failed: Unexpected: not all questions were assigned a filter_group_id successfully. - The default behavior for the
EnableInternalPowershellis now1(one) and will revert to this value if and when the parameter is not declared in the system. - The Tanium Server installer now offers to install a Microsoft SQL Client capable of supporting TLS v1.2.
- Fixed a Tanium Server API issue where internal Group caches were accessed in a sub-optimal way, causing the Users, User Groups and Computer Groups console pages to time out and fail to display in environments with many and complex Group configurations.
- The Tanium Server now closes idle database connections according to the following new Global Settings which are all Server and Numeric:
database_connection_close_idle_interval_seconds
The amount of file after which a connection considered idle and can be closed. Default value:60.database_connection_max_connections
The number of database connections the server will hold open at any one time. Default value:1024.database_connection_periodic_job_interval_seconds
Determines how frequently idle connections are closed. Default value:30. - Fixed a Tanium Server API problem which would result in a
SensorNotFounderror when trying to edit theAll ComputersComputer Group. - Fixed an issue with the Tanium Server Import API when importing multiple sensors in a single request.
- Fixed a condition seen on the
/infopages in very large environments where the bandwidth numbers reported where often0(zero) when they should have had a positive value. - Changed the SAML implementation to ignore whitespace in Base64-encoded signatures to work with some providers like SiteMinder.
- Fixed a problem where the Tanium Server would update the Global Setting
last_archive_database_cleanup_dateeven when thetanium_archivecleanup procedure was not run, or failed in error. This Global Setting is now updated only when the procedure executes successfully. - Fixed a Package file download error which could happen sporadically, where files were downloaded successfully by TDownloader and found in the
/Downloads/Cache/folder of a Tanium Server, but the server and console behaved as if the file were still missing. This issue was caused by a cache refresh problem. - Changed the way the Tanium Server queries for Groups against a Microsoft SQL database to avoid the possibility of running into the error:
Maximum recursion limit reached. - The
importroute for the Tanium Server API now appropriately returnssuccess: falsewhen it encounters a conflict error. - Fixed a problem where Python Sensors imported using the Tanium Server Import API were incorrectly labeled of type
Linux Shell. - Fixed behavior of the Tanium Server when splitting results to correctly split on the full delimiter string rather than on any one of the listed characters when generating question text (as is used for display of "Starting Questions"). Note that this was a display bug only, as Actions are targeted using full string queries, not subcolumn-delimited ones. They are broken out by column in the display of "Starting Text" simply for clarity.
- The Tanium Server API will no longer accept Questions containing column filters when used with a Sensor that uses mulit-character column delimiters. The Tanium v314 protocol is not able to handle this correctly in all cases, and as such it is no longer allowed.
- Question
parse_jobrequests submitted through the REST API now return the parameter values extracted from the question text, as they do when using the SOAP API. - Fixed an issue in the Tanium Server API by which it would cache the value of Global Settings deleted from the console up until the next restart.
- Fixed an issue with where the Global Setting
max_download_processes_per_batch, which was interpreted to have a value of zero after being deleted in the Tanium Console, resulting in TDownloader never being executed by the system. - Fixed an issue with the Tanium Server Import API where it would not handle correctly when importing several Scheduled Actions with the same name in a single request, resulting in only one of them being handled correctly.
- Fixed a problem in the initialization of Python crypto which would cause failures of Action package command execution with the message:
TaniumCryptoLibraryCryptosystemAlreadyInitializeorFailedToSetCryptoExDataImplementation. - The Tanium Zone Server now has an improved mechanism to discard download requests that are abandoned by the requesting client, offering an improvement in memory consumption by not holding on to older requests which are no longer needed.
- Fixed an issue in the Tanium Server API where querying for Scheduled Actions could return
SavedActionNotFoundduring periods when Actions are deleted and recreated in rapid succession, which is the way that Solution modules like Trace create their deployment configurations. - Fixed a problem with the Tanium Server API that caused the new Advanced Filtering feature to return no results when parametrized Sensors were used.
- Fixed a problem with the Tanium Server Import API where importing signed solutions would be display as "unsigned" in the Tanium console.
- Fixed an issue where the Tanium Server Question Parser would fail to parse questions that used an
ORoperator as part of their filter expression. - Fixed an issue with the REST API route
/v2/session/loginwhich would return an error:InvalidJSONBody. - Fixed a problem in the population of Question result hashes which could produce empty results. This was sometimes visible in the status pages for Actions which would not display any information.
- Fixed the CAC authentication subsystem which needed to change with Tanium's new versions.
- Fixed a problem with the Tanium Server
/infopages andinfo.jsonfiles where counters with values above4 billionwere being displayed as0(zero). - Added missing
dbo.prefixes to database operations within the Tanium Server installer which would result in the error:Invalid object name 'version_history'. - The Tanium Server's
/infopage andinfo.jsonfiles now reflect faithfully the value of theenable_string_capsetting where before they reported a value of0(zero). - Improved the performance of the
GetObjectoperation foraction_groupswhich would often result in a slow loading of the Scheduled Actions console page on systems with large databases. - Improved the error message offered to users when trying to export a flattened CSV for a result set with a large, cross-product cardinality.
- Fixed an upgrade problem with the Tanium Server installer when old, duplicate user preferences data was found in the
dbo.meta_datatable, which would produce the error:Could not create constraint or index because a duplicate key was found. - Fixed an instrumentation error where per-Client thread connection counts in
info.jsonwere incorrect and diverged from the real number of incoming connections to the Tanium Server. - Fixed an issue where the Package cleanup procedure in the Tanium Server could remove package objects ignoring their dependencies, leading to Actions that would display missing parameters on the console.
- Fixed a condition where a Tanium Zone Server would fail to start when installed as a non-administrator account, logging the error:
Could not open key for reading: Software\Tanium\Tanium Server. - Fixed the Linux version of the Tanium Server where a timing problem in the
issue_seeding_actionstored procedure would fail to fire an Action dependent on a downloaded file parametrized from a sensor result. - Fixed a problem with the Tanium Server API where updating a
white_listed_urlseemed to work but actually didn't change any values.
Known Issues and Workarounds
- Login fails for LDAP-synchronized users when using
userPrincipalName.
Workaround: There is no workaround for this condition. - The Tanium Module Server will fail to register with the Tanium Server if installed on TanOS versions prior to v1.5.1.
Workaround: There is no workaround for this condition.
Additional Information
- This version of Tanium Server shipped with Common UI Components version 1.3.3.0133.