IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Tanium Server (Version 7.4.1.1939)

From Tanium Knowledge Base
(Redirected from Release Notes (Version 7.4.1.1939))
Jump to navigation Jump to search

Thank you for choosing Tanium.  The following Release Notes document changes between releases of the Tanium Server.
This platform release includes the release of both a Windows and Linux Tanium Server.
The previous version can be found here: Release Notes (Version 7.3.314.4250)


Tanium Server for Windows and Linux v7.4.1.1939

General Availability Release Date: Jan 28, 2020.

Special Notes

  • Due to security issues against this release of Tanium Server, Tanium strongly recommends upgrading to at least v7.4.5.1240 if you are using this version.
  • If deploying on a Tanium Appliance, you must upgrade to TanOS v1.5.5 or greater before installing Tanium Server v7.4 .
  • Tanium installers will not require a tanium-init.dat initialization bundle when upgrading a component for which a pki.db already exists.
  • Starting with v7.4 an installation of a Tanium Zone Server Hub will disable the local caching of file chunks.

Major Features

  • A new and extensible version of the Tanium communications protocol: v315 .
    • Offer asymmetric client to client communications encryption.
    • Root-Key rotation through creation of a new key and revocation of the current key. To learn more about this feature and how to implement, please review our documentation here: Keys Management
    • A secured Active/Active Tanium Server setup where private keys do not have to be copied from one server to another.
    • Forwarding of Protocol v315 messages within Tanium Client extensions (CXs).
    • On-the-wire compression of Sensor Definition and Client Settings messages.
  • Personas have been introduced to allow for users to have multiple profiles assigned to them that restrict the computers they have access to and the Roles that have been assigned.  Personas can be assigned to a User or User Group.  To learn more about this feature and how to implement, please review our documentation here: Manage Personas
  • Filter Groups have been introduced to support a new type of computer group to be utilized for filtering and targeting.  Having access to these groups will not affect the machines that a user has access to.  To learn more about this feature and how to implement, please review our documentation here: Managing Filter Groups
    • With the introduction of this new feature, computer groups visible in drop downs will now be limited to the computer groups assigned to the User as management rights and the filter groups in content sets a user has been granted Read\Write Filter Group on. All Computers and No Computers computer groups will always be visible.
  • New privileges added to support more granular Role-Based Access Control
    • Micro-Admin Privileges 
      • Import Signed Content allows for a user to be able to import signed content including accessing the Tanium Solutions page and importing content from there.  To understand what this new privilege provides, review the documentation here: Import Signed Content Permission
      • Read Action Group allows for a user to be able to view Action Groups.  Due to the privilege change, existing user permissions may need to be updated to include this new micro-admin privilege. To understand what this new privilege provides, review the documentation here: Action Group Permissions
      • Write Action Group allows for a user to be able to view and edit Action groups.
    • Advanced privileges - To learn more about these new advanced privileges, review the documentation here: Filter Group Permissions
      • Read Filter Group will allow a user to be able to see the Filter Groups in their assigned content set.  Due to the privilege change, existing user permissions may need to be updated to include this new Advanced privilege.
      • Write Filter Group will allow a user to view and create Filter Groups in the assigned content sets.  This permission was introduced to allow teams to create and share computer groups for filtering and targeting amongst themselves.
  • The Results Grid has been enhanced to add an icon which links to Asset information if Asset is installed and privileges have been granted.  To learn more about this feature, review the documentation here: Results Grid Asset Details view
  • Computer Groups can now be exported and imported from the Console. Review the documentation here: Import\Export Computer Groups
  • To improve, simplify and accelerate the Tanium Solutions page has introduced new features.  To learn more about these features, review the documentation here: Solution Import
    • Multi-Solution import is now supported in environments with a Lab License
    • Import Signed Content privilege has been introduced to allow for administration of solution import to be grant to users other than the users with the Administrator Role
    • Ability to export the imported solution version to a URL from one environment and import that solution version from a URL into another environment
  • Administration>Users page has been enhanced to be able to show and undelete users that have been previously deleted.  To learn more about how to use this feature, review the documentation here: Manage deleted users
  • Additional configurations have been added to the console to help reduce direct server modifications
    • The ability to upload a license file and view what is licensed and when it expires.  To learn how to manage your license files from the console, review the documentation here: Manage Tanium License
    • The ability to manage Tanium Server trusts.  Review the documentation here:  Tanium Server Trusts
    • The ability to manage Tanium Zone Server trusts.  Review the documentation here: Zone Server Trusts
    • The ability to download infrastructure configuration keys for the client. Review the documentation here: Infrastructure Configuration Keys
    • The ability to manage Root Keys. Review the documentation here: Key Management 
    • The ability to manage API Tokens. Review the documentation here: API Tokens
    • The ability to view and modify local server settings. Review the documentation here:  Console Tanium Server Settings
  • A user preference has been added to support translating the console to Japanese or French.  Review the documentation here: User Preferences
  • Module support through integrations, APIs and services.
    • PostgreSQL database support for modules in the Tanium Module Server.
    • Support for Python v3.8 .
  • Performance improvements.
    • Communications performance enhancements.
    • Improved performance in the loading of the Tanium console.

Improvements

  • Ability to revert the Console logo back to default.
  • Automatic change to Yes/ No style confirmation prompts under SAML configurations.
  • Disabling of proxy settings when the proxy type is set to None.
  • Friendlier configuration options for non-counting Saved Questions.
  • Support to synchronize individual members against LDAP.
  • Ability to pause the operation of individual LDAP-sunchronization connections without the need to disable them.
  • Ability to disable individual local accounts.
  • The Tanium Server API now offers the ability to export both Computer Groups and Whitelisted URLs.
  • The Tanium Server API now offers routes for the management of Filter Groups and Management Rights Groups.
  • The Tanium Server API now supports management_rights_groups SOAP/ REST objects that can be used to retrieve computer groups that have their management_rights_flag set.
  • The Tanium Server API now allows retrieving system_status for periods longer than 30 days.
  • The Tanium Server now supports authentication through JSON web-tokens, allowing it to integrate with Amazon Cognito for authentication.
  • The Tanium Server API now offers an option called filter_by_groups_with_tracking which allows a caller to specify a set of Computer Groups to specify the Computer IDs by which a question result should be filtered and, if necessary, aggregated. This is a much needed enhancement to be used by solution modules like Patch.
  • The Tanium Server now protects the privacy of API result snapshots by associating them with the User and Persona of the requester and not their Session ID. This allows for the user to be able to switch session identifiers without triggering the creation of a new snapshot.
  • The Tanium Server REST-API now offers a specific route to perform Action Approval.
  • The Tanium Server REST API now produces more consistent error messages when it fails to create both system and local settings.
  • TLS encryption on the Tanium Client is now controlled by a single numeric setting: TLSMode which defaults to 1 (which means "required").
    • The old RequireIncomingEncryption and ReportingTLSMode settings are deprecated starting with the v7.4 client.
    • The Tanium Server also honors two Global Settings require_client_tls_314_flag=0 and require_client_tls_315_flag=1 , which forces v315 clients to communicate over TLS but will still be compatible with older v314 clients without TLS support.
  • The Tanium Server REST API now offers a route /api/v2/session/current which now returns the current session's user and privilege information.
  • The Tanium Server now allows for the use of the Token API (/api_tokens/) without the having to provide a token ID.
  • The Tanium Server improves the API to retrieve Saved Question results so the QuestionID offered in the result corresponds to the correct open, ongoing question being asked. This change avoids the Question is expired seen in the execution of some Connect jobs.
  • The Tanium Server will now default to TLS v1.2 while negotiating connections on port 443 thus discouraging connections using lower versions.
  • Improved the cache management of plugin schedules on the Tanium Server, thus avoiding the intermittent error PluginScheduleExists right after its deletion.
  • The Tanium Server API now returns a property named signature when content imports are called with the analyze_conflicts_only . The value of this property will contain the signature associated with the content analyzed, or be empty when the content is not signed.
  • The Tanium Server REST API now consistently uses management_rights_flag instead of the previous shorthand: mr_flag .
  • The Tanium Server REST API now supports a route to retrieve a session's management rights: GET /api/v2/session/management_rights .
  • The pki show command can now take an optional tanium-init.dat or tanium.pub file, and print its content accordingly.
  • Improved the back-pressure handling of Package file chunks in the Tanium Zone Server Hub which could cause an increase in the ZSH memory footprint when communicating with dozens of ZSs over limited bandwidth links.
  • The Tanium Zone Server now implements the HubPriorityList as a local setting containing a comma separated list of Zone Server Hub IP addresses listed in descending preferred order of priority. This allows each Zone Server to specify which hubs it wishes to have affinity to until there is a need for a fail-over due to a hub failure.

Bug Fixes

  • The Tanium Server will no longer request endpoints to peer with IP addresses in their same /24 address space but detected to connect from a different NAT address. This will stop an endpoint with Network Location from Client=192.16.0.10 and Network Location from Server=130.35.19.12 with another that has Network Location from Client=192.168.0.11 but Network Location from Server=100.2.126.104 .
  • Fixed a problem in the Tanium Server API where fetching content_set_role_privilege_audit objects would result in an InvalidAuditType error.
  • Fixed an issue in the propagation of XML namespaces when canonicalizing SAML requests.
  • Fixed a Tanium Server issue in the handling of session tokens, where requests made to services in the base Platform would work properly but requests made of Solution module services would return an Unauthorized result indicating: Must provide valid Tanium session header .
  • Fixed a problem in the Tanium Server API where importing content with duplicate names and requesting the copy changing name behavior could cause the request to hang.
  • Updated the Tanium Server string hash resolution code to work again with the database schema layout of latest versions, and resolving a problem where every attempt at a hash resolution would log the message: Caught Exception in FlushAndSwap SQLStringHashes .
  • Fixed an issue in the Tanium Server by which it would refresh its SOAPGroupCache even when it was unnecessary to do so, thus slowing down servicing of the Saved Questions page on the console.
  • Fixed a problem found with deleted Content Sets which would cause SQL errors during startup in UpdateModuleImpliedPrivilegesWorker that would repeatedly log: Subquery returned more than 1 value .
  • Fixed an issue in the Package import API which would cause verification queries to be omitted in the imported package.
  • Fixed a Tanium Server issue when importing Package meta-data which would cause a failure when two packages with the same name exist on a system.
  • Fixed an issue with the Tanium Server API where querying for content_set_role_privilege erroneously returned a content_set_role_privilege_list structure instead.
  • Fixed an issue in the Tanium Server where it would not honor disabled_flag=1 on a Saved Question and would reissue it by its issue_seconds setting anyway.
  • Fixed an issue in the Tanium Server and Zone Server installers where trailing spaces filled into the names of servers would not be removed and cause failures to communicate after installation.
  • Fixed an issue when asking for column-filtered Question results through the REST API * /api/v2/questions using question_text , where the column-filter is effectively dropped.
  • Fixed an issue with the Tanium Server REST API which would not return a proper export identifier when trying to export Question results in CSV format using the export_flag=1 option.

Known Issues and Workarounds

  • The Tanium Server /info page may display a Zone Server Hub count of zero.
    Workaround: There is no workaround for this condition.
  • The Tanium Server /info page does not provide any feedback under a failed authentication.
    Workaround: There is no workaround for this condition.
  • Large manual Computer Groups fail to be recognized by the Tanium Server upon creation.
    Workaround: There is no workaround for this behavior. Avoid current Tanium Server v7.4 if your make use of very large manual Computer Groups until a fix is released. If you must create such large groups please plan accordingly, since you may very well require a Tanium Server restart after having created them. NOTE that this behavior does not affect existing Computer Groups or Question and Action targeting, only the Console display of such groups.

Additional Information

Product Documentation and Resources