IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Tanium Server (Version 7.5.2.3503)

From Tanium Knowledge Base

Thank you for choosing Tanium. The following Release Notes document changes between releases of the Tanium Server.
This platform release includes the release of both a Windows and Linux Tanium Server.
The previous version can be found here: Release Notes (Version 7.4.6.1056)


Tanium Server for Windows and Linux v7.5.2.3503

General Availability Release Date: October 26, 2021.

Special Notes

  • Due to security issues against this release of Tanium Server, Tanium strongly recommends upgrading to at least v7.5.2.3531 if you are using this version.
  • This version of Tanium Server shipped with: Console (Version 3.0.64.0000).
  • NOTE the solutions version dependency requirements for this upgrade documented in: kb:Console v3.0.64.
  • Tanium discourages new installations of this software version on Windows 2012 and 2012-R2 due to its scheduled End-Of-Life on 2023-10-10.

Security Updates

  • None.

New Features

  • The Tanium Server will now log SAML processing errors at LogVerbosityLevel=1 to make them easier to see and correct.
  • The Tanium Server's Sensor schema and APIs have been refactored to offer variable hash size selection for result encoding hashes.
  • Added the ability to configure TLS signature verification algorithms to be either RSA or elliptic key, even when both algorithms prove to be equally performant.
  • Implemented JSON serialization support for the next-generation GetResults operation in the Tanium Server API.
  • Built support for data merging on the Tanium Server to support the next-generation version of Question results.
  • The Tanium Server now implements special support for next-generation GetResultInfo and GetResultData operations for Action statuses.
  • The Tanium Server now implements new high-performance disk serialization formats for Sensor results, in preparation for next-generation results reporting from endpoints.
  • The system that filters results in the Tanium Server now has a parallel-processing implementation.
  • The Tanium Server now controls the maximum parallelism allowed for concurrent memory allocation operations through the Global Setting tbb_global_max_allowed_parallelism (Server, Numeric), which defaults to the number of CPU cores on the running system or 32, whichever is smaller. This setting will help avoid contention in memory allocations in some of the largest systems in the field and should rarely, if ever, need modification.
  • The Tanium Server has removed support for the SOAP API GetAnyObject operation.
  • The min_active_question and min_active_action tables in the Tanium Server database are no longer used and have been dropped.
  • The Tanium Server SOAP API will invalidate its object caches for every object included in a create, update or delete operation. This is part of the implementation of its cache-synchronization and consistency strategy.
  • Improved the responsiveness and speed with which ThreadGroups will terminate in the Tanium Platform.
  • Removed code that is no longer used in the Tanium Server API for XML input parsing and output serialization.
  • Added functionality to the Tanium Server export/import API to be able to serialize and deserialize objects represented in API format.
  • Modified the scope of memory allocations in threads to keep proper visibility into its activity and measures.
  • Tanium components will now use the TBBAllocator libraries in UTF-8 mode for better compatibility with Windows systems running in this mode.
  • Modified process information for Tanium components to be compatible with Windows systems running in UTF-8 encoded filesystems.
  • Tanium components will now properly handle Windows error messages reported in UTF-8 encoding.
  • The Tanium Server will invalidate a Question results live cache if its contents have changed by more than 1% instead of 10% to offer a better result retrieval experience.
  • The Tanium Server now uses TBB Allocator instead of malloc() when parsing XML structures for better memory accountability and control.
  • The Tanium Server does away with the most_recent_qid column in the saved_questions table and the whole sqid_triple_to_qid table itself, and uses direct SQL to return the best matching Question id for a Saved Question.
  • The new Tanium Server cache implementation does away with the old Active Question Cache internal structure and provides the same information using direct SQL in a way which is more efficient and performant.
  • The Tanium Server will no longer automatically issue "behind the scenes Action verification Questions" under the hood since this information has been provided by the Tanium Client for over seven years now.
  • The Tanium Server has an improved internal representation for Sensor and Question results to support next-generation results handling.
  • Tanium components now use TBB v2012.2 where the MSVC v2012 runtime is no longer needed and has been removed from the installer.
  • The new Tanium Server object cache implementation now uses direct SQL implementation for Question add and delete operations.
  • Tanium Platform components now use TBB's arena and task observer construct to be able to parallelize certain operations and still control their processor affinity.
  • The new Tanium Server object cache implementation now uses direct SQL implementation for Action add and delete operations.
  • The Tanium Server has improved RegEx matching performance which is beneficial when filtering large Question result sets.
  • The v315 protocol now augments its AddSensor messages with Sensor definition ids which will allow schema version identification in next-generation results reporting.
  • The Tanium Server now offers more lightweight wrappers around SSL hash functions to improve performance on cryptographic operations.
  • The new caching implementation in the Tanium Server now implements proper ordering of object dependencies when choosing refresh orderings.
  • The Tanium Server now has the infrastructure requirements for the implementation of next-generation String reports.
  • Platform components now use SQLite v3.35.5.
  • The Tanium Server now guards exceptions thrown by libexpat in handling of XML errors, now adequately halting parsing instead of propagating as upstream errors.
  • The Tanium Server now uses direct SQL for Content Set API request handling.
  • The Tanium Server Question History API now follows the improved cache implementation used by other objects, solving some read-after-write consistency problems.
  • The Tanium Server SOAP API has deprecated the GetSavedQuestions operation, which is no longer in use by solution modules.
  • Simplified several places in the Tanium Server code which updated Question expiration values.
  • The Tanium Server API will now return the approver_persona_id and approver_persona_name for Saved Actions that required approval.
  • The Tanium Server's in-memory Action History cache now implements MVCC to control and guarantee consistency with other object caches.
  • Validated the mainline performance of the new cache implementations in the Tanium Server.
  • The Tanium Server no longer uses its old internal SOAPCacheRefresher which is unnecessary under the new caching design.
  • The Tanium Server HTTP instrumentation for requests now includes information about the timing of filter and sort operations used during processing.
  • Modified the Tanium Server's garbage collection mechanism on cache refreshes, improving its performance when operating over a large number of cached objects like Groups.
  • Improved the performance of cache-refresh queries in the system through an improved handling of sequence column values to filter the query results.
  • The Tanium Server during startup will now log the type and version of the operating system it is running on.
  • Tanium Platform components now ship a Bill of Materials (BOM) that specifies all third party software components and versions included in the binary build.
  • The Tanium Server improved performance when calculating RBAC visibility to a single Sensor through its API.
  • The Platform Components pki show command line now offers an optional --fingerprint <fingerprint> option to display a single certificate along with all of its parents in the certification chain.
  • The Tanium Server Packages API now supports a summary option which will omit file details in its result, reducing the size of the response sent to the caller.
  • Improved the granularity and readability for insufficient RBAC privilege errors when accessing Action Groups.
  • Changed the behavior of the Tanium Server to allow visibility into all of the content objects owned by a User or Persona; lacking this visibility would otherwise impair the management of these objects.
  • The Tanium Server now offers a Global Setting default_global_language which is to be used to specify the default language/locale for Console users, instead of using their browser's local setting.
  • The Tanium Server will no longer honor the grouped_action_offset_seconds which is deemed unnecessary in issuing new Actions.
  • The console_default_global_language Global Setting default value will now be set to "default" which best matches the desired Console behavior.
  • Tanium Platform components now use libexpat v2.4.1.
  • The Tanium Platform now uses and presents an EULA update for 2021-08-23.
  • The Tanium Platform components will now use Python v3.8.12.
  • Tanium Platform components now use OpenSSL v1.0.2zb.

Improvements

  • The api/v2/users route now returns the number of active sessions for each user as the attribute active_session_count. This count is produced directly from the authentication system and counts all non-expired sessions for valid users, which is why it might seem high.
  • The Tanium Server now offers the DELETE operation for /api/v2/server_trusts route, which makes it consistent with the GET and POST operations over the same route.
  • The Tanium Platform now offers the ability to limit the number of allowed connections in Site Throttles.
  • The Tanium Downloader has now been upgraded to use Curl v7.77.0.
  • Added the clean-downloads CLI command to the Tanium Server, to allow manual cleaning of the download cache.
  • The Tanium Server now offers API routes (downloader_auth_users, downloader_auth_certs and downloader_trusted_certs) which allow programmatic configuration of TDownloader authentication settings to external systems.
  • The Tanium Server APIs now offer deeper sorting of nested object results through the cache_sort_order and sort_order request parameters.
  • The Tanium Platform now implements its own PKCS#11 engine which will offer the control necessary to better support a wider range of hardware security module (HSM) vendors.
  • The Tanium Server will now periodically update the contents of the tanium-init.dat file in its installation directory.
  • Platform components now use boost v1.75 libraries.
  • The Tanium Server will now enforce unique case-insensitive Group names.
  • The Tanium Server's LDAP synchronization API allows previewing the impact of deleting an LDAP connector by offering a list of Users and Groups that will be removed if a connector were to be removed. This will allow a better user experience on the Console.
  • Discontinued the use of the update_min_active_question stored procedure in the tanium database in favor of a new, more efficient method that uses the expiration_time from the questions database table.
  • The Tanium Server installer now makes id the primary key on the select_specs table in PostgreSQL, as a performance improvement.
  • Error messages "Failed TLS handshake unexpected EOF" are now logged at verbosity level 20 in order to reduce log-spamming on what is a rather common condition.
  • The Tanium Server and Zone Server components will no longer use Main for their main running thread, so this confusing label no longer appears in debugging and monitoring tools.
  • The Tanium Server API will now deduce Group types by their name and depending on the context in which they are used, so the caller is not forced to specify the <type> parameter with every call.
  • The Tanium Server caches implementation greatly reduces network traffic to its database and CPU consumption in the database server.
  • The Tanium Server REST API now supports a verify_signatures route, providing parity with the SOAP API.
  • The Tanium Server API now offers the possibility of embedding configuration parameters like ServerPort and/or proxy settings in an exported tanium-init.dat bundle, offering better coverage for non-default client installations.
  • The Tanium Zone Server will now use a unique subject name every time it creates new TLS CA certificates.
  • The Zone Server messaging API has been extended, now allowing a Zone Server to report which Zone Server Hub is currently connected to it, also extending the Tanium Server API to return this information upon request to the Console UI.
  • As part of its new in-memory cache implementation the Tanium Server will now use multi-version concurrency control (MVCC) management to ensure referential integrity across caches.
  • The Tanium Server REST API now offers sub-routes to api/v2/content_set_roles/:id/membership which return the User and User Groups that are assigned to the Content Set.
  • The Tanium Server API will now return a content_set_roles property when querying User or User Group objects to list the roles directly assigned to them.
  • The Tanium Server API now produces information about object creation and modification for all RBAC objects.
  • Fixed a bug in the Tanium Server installer where it would install a Module Server of a different and incorrect version if that installer was found in its PATH.
  • The Tanium Server's in-memory Packages cache now implements MVCC to control and guarantee consistency with other object caches.
  • The Tanium Server API will now refuse to delete Personas with existing Saved Questions, Saved Actions or Plugins.
  • The Tanium Server's /metrics route now provides tanium_protocol_message_* measures for the amount of data exchanged with Zone Servers through their intermediary Zone Server Hub.
  • Separated the cached User and Persona information from other objects as part of the Tanium Server's new cache implementation.
  • The Tanium Server and Zone Server will now log Failed certificate re-verification at LogVerbosityLevel=51 for expired certificates (which are perfectly normal) and at LogVerbosityLevel=11 for all other re-verification reasons. These operations are also now tallied and reported in the pki_tls_reverification_failures metric counters.
  • The Tanium Server's /metrics subsystem can now identify and tag multiple external sources, allowing it to present the measures for multiple Zone Servers at a time.
  • Added Saved Question support to the new and upcoming GetResultDataV2 Tanium Server API.
  • The new Tanium Server object cache implementation now uses direct SQL implementation for Package add and delete operations.
  • Removed no longer used and unnecessary Action verification code from the Tanium Server.
  • Tanium components will now use the boost libraries in UTF-8 mode for better compatibility with Windows systems running in this mode.
  • The Tanium Server API now offers cache_filter functionality for both dashboards and dashboard_groups eliminating the need to do client-side filtering of request results on these objects.
  • Cryptographic keys used by the Platform are now ensured to expire one hour later than their specified renewal window to avoid their premature and repeated reissue.
  • The Tanium Server's personas API route now supports an include_persona_owned_object_ids_flag=1 that will return an owned_objects_id in the result, indicating the objects owned by the Persona.
  • The new Tanium Server object cache implementation now uses direct SQL implementation for Groups add and delete operations.
  • The new Tanium Server object cache implementation now uses direct SQL implementation for meta-data add and delete operations.
  • The Tanium Server executable now offers the command-line option show-guid to display the server's assigned GUID without the need to open the pki.db with SQLite.
  • The new Tanium Server object cache implementation now uses direct SQL implementation for Sensor add and delete operations.
  • The Tanium Server now adds primary keys and constraints to its content_set_role_membership and content_set_user_group_role_membership tables to guarantee a single row result in joining these tables.
  • Modified the letter case for platform names applicable to Sensors in the Tanium Server's export API, so these names read Linux instead of LINUX.
  • The Tanium Server API now allows modification of the max_strings and max_string_age_minutes properties of reserved Sensors.
  • When exporting Saved Questions that reference deleted Sensors the Tanium Server export API will still return an HTTP-404: SensorNotFound error, but the error wording now will include the name of the offending question so it can be examined in Console and dealt with appropriately.
  • The Tanium Server now enforces uniqueness over Sensor hashes to avoid the risk of collisions, which could cause two different implementations to be confused.
  • Implemented cache-refresh ordering controls for the new cache implementation in the Tanium Server, respecting the data dependencies between cached objects.
  • All audit table row insertions have now been normalized to use the same database server based time, instead of depending on the Tanium Server's clock for timestamps.
  • The Tanium Server now uses database transactions when inserting all types of RBAC objects.
  • The Tanium Server's in-memory Saved Actions cache now implements MVCC to control and guarantee consistency with other object caches.
  • The Tanium Server now exposes a /internal/monitoring/v1/dashboards route slated to return Grafana dashboard definitions compatible with the /metrics it offers.
  • The Tanium Server now offers its own PKCS implementation to improve and exceed the performance of third party implementations when working with cryptographic HSM modules.
  • The Tanium Server API will no longer append the string "deleted" to Saved Actions associated with (or authorized by) deleted users. No other object does this and the content transfer API is available to enumerate these cases.
  • The Tanium Server Platform Settings API now favors the created_time, modified_time and last_modified_by response fields as the correct source of modification history when requesting these parameters.
  • The Tanium Server will now fully handle Action Groups as part of its internal Groups cache implementation, simplifying much of their management requirements.
  • The Tanium Server's RBAC now implements privileges to control read and write access to the TDownloader authentication settings API.
  • The log rotation subsystem within Tanium components no longer spams logs with repeated "Unable to remove log file" messages. This helps to keep I/O loads down during extreme low disk space conditions.
  • A Tanium Zone Server will now log error messages when a Zone Server Hub of the wrong version connects to it.
  • The Tanium Downloader (TDownloader) now supports multiple sources for its authentication credentials and certificates: Auth, DownloaderUserAuth, DownloaderCertificateAuth and DownloaderTrustedCertificate.
  • The Tanium Downloader now offers audit tracking for its configuration settings: downloader_auth_user, downloader_auth_cert and downloader_trusted_cert.
  • The Tanium Downloader now supports password protected certificate private keys for authentication.
  • The default out-of-the-box setting for Console confirmation prompts is now the expedient "Yes/No" console_confirmation_prompt_type=1. New installations can still set this value to zero if they wish to revert to old-style username/password confirmation prompts.
  • Changed the behavior of the Tanium Server's API so a request for Sensors with summary=1 will return a smaller summarized object that only omits the script implementation for the Sensor, which is the largest part of the result.
  • The Tanium Downloader (TDownloader) authentication to sources now allows certificate pinning as a means of validation.
  • The Tanium Server database has dropped a series of redundant indices in Global Settings, Packages, Saved Questions and Sensor audit tables.
  • The process of LDAP-synchronization will no longer generate duplicate audit records when not warranted, thus reducing the number of rows in the users_audit table.
  • The Tanium Server now presents a /metric named tanium_metrics_time which represents the process' running clock value at the time that metrics are reported.
  • Added sequence indices to the databases meta-data tables to improve the performance of the SQL queries used to refresh and cache their contents.
  • The Tanium Downloader will now log errors in parsing download endpoint revocation list URLs at LogVerbosityLevel=1 for better visibility.
  • The Tanium Server will now follow Windows Active Directory validation rules to avoid the use of incompatible user names containing the characters /\[]:;|=,+*?<>.
  • The TDownloader authentication settings API serviced by the Tanium Server now returns display_name and description string values to better service the Console user interface.
  • The Tanium Server and Zone Server now accept the Local Setting PKISubjectName, which allows overriding the presence of a server's FQDN in exposed crypto materials with an alternate string.
  • The TDownloader authentication API serviced by the Tanium Server now supports display_name, subject_name, issuer_name, start_date and expiration properties in order to allow building a more user-friendly management user interface.
  • The Tanium Server and Client now implement special safeguards to avoid invalid updates to Sensor stats data which have been found to poison the Sensor Runtime information stored and displayed in the Console. A new log file invalid-stats has been created to capture events when these stats are found to be incorrect and keep a /metrics counter on the server for these invalid reports: tanium_sensor_stats_invalid_total.
  • The Tanium Server has a more efficient and fast way of loading Question objects on startup, greatly reducing the time needed to be ready for operation.
  • The Tanium Server has redesigned the way in which it interacts with the soap_sessions, drops the sessions_soap_archive table and now uses the users_last_login_time table to keep track of last login times for User accounts, simplifying database interactions and improving performance.
  • The Server-Timing HTTP reply headers in Tanium Server API for SOAPRequestSnapshot requests now share the same underlying session instrumentation objects as all other request types.
  • Improved the performance in the Tanium Server when re-verifying signatures of PKI objects. This is particularly important in improving the re-utilization of SSL session tickets.
  • The Tanium Server database now encodes the duration_in_second column in the data_purge_history table to allow for large values which were previously lost when inserting cleanup run rows.
  • Improved the execution times for the Tanium Server's cleanup of the select_specs table, which could take a long time to complete and impair the ability to ask new Questions while the cleanup operation was running.
  • The deleted_flag column in the package_files table is now forced to be NOT NULL which makes SQL queries more efficient in their execution.
  • The Tanium Server cleanup operation now uses a more efficient way than previously to determine the number of cleaned rows in each database table.
  • The Tanium Server's Personas API will now return deleted entries when using the hidden_flag=1 option, which are needed by the Console content transfer page.
  • The Tanium Server API for TDownloader authentication settings will now trim white-space in the request data provided, to make it more user-friendly and avoid NoCertificateFound or x509 request results.
  • The Tanium Server will now log idle HTTP connection timeouts to LogVerbosityLevel=61 to reduce log spamming on a condition that is mostly benign.
  • The Tanium Server will cache writes to the sessions_soap table in order to reduce database interactions when validating sessions for every API request. Reads from sessions_soap are not cached.
  • The Tanium Server now offers an API route (effective_roles) that returns the effective Content Set roles for the current authenticated session.
  • Refactored the code responsible for Action approval to use the same handler on both Microsoft SQL Server and PostgreSQL.
  • Compression of request results is now handled within API processing threads instead of network communications threads, allowing networking threads to accept and process other incoming requests. The response Server-Timings will also report time spent performing this compression.

Bug Fixes

  • The redesign of the Tanium Server's object cache management has resolved events where solution modules like Deploy would encounter the error SavedQuestionNameNotUnique when deleting and re-creating a Saved Question.
  • The Tanium Server has resolved read-after-write consistency issues in the Sensor API by a redesign of its internal cache management mechanisms.
  • Fixed the calculation of invalid and impossibly high Sensor runtimes which would appear in the Console displays.
  • Fixed an issue in the Tanium Server which would prevent the archive_soap_sessions stored procedure from being executed when the archive_soap_sessions_interval_hour Global Setting does not exist in the system. This can be confirmed when the archive_soap_sessions_last_run Global Setting never changes its value and by the constant growth of the archive_soap_sessions table, which is detrimental to performance.
  • Fixed an issue in the management of the Tanium Server's internal periodic jobs which might continue executing during a shutdown and reference objects which were already destroyed, resulting in process crashes during shutdown.
  • Fixed a read-after-write consistency problem with the Tanium Server User API which would result in HTTP-404 (Not Found) responses when looking up a user account by id right after creating it.
  • Normalized the treatment of Group uniqueness between the Tanium Server's Import and request API so they are evaluated in the same way for both.
  • Fixed a bug in the Tanium Server Groups API which would cause manual Filter Groups to always be created in the "Default Filter Groups" Content Set.
  • The Tanium Server has fixed the problem of reissuing Saved Questions and Actions, as well as scheduling Plugins for deleted Personas.
  • The refactored handling of internal caches in the Tanium Server fixed an issue where after deleting a Package it would still be returned as existing until the server was restarted.
  • Fixed an issue in the Tanium Server's Global Settings API where it would return a SQL "Arithmetic overflow error" for large numerical values which cannot be converted to a float type.
  • Fixed a problem in the Tanium Server API route /api/v2/server_trusts which would fail when a server name in the result could not be resolved, returning an HTTP-500 error: ResolveHostFailed.
  • Fixed a condition where the Tanium Server would invalidate all in-memory caches when a User account was deleted, taking an unacceptably long time to perform the operation.
  • Fixed an omission by which the Tanium Server Export API would not include Sensor definitions used in Saved Questions when exporting Dashboards.
  • Fixed a condition in the Tanium Server where users with the Write Persona privilege could create a Persona but were unable to manage it due to missing privileges over other objects, resulting in RBACInsufficientPrivilege errors.
  • Fixed a problem in the Tanium Server's export API which would fail to produce Content Set or privileges when exporting a Role.
  • Fixed an issue with the Tanium Server's audit API which would return either incorrect or null values for the creation_time field.
  • The Tanium Server API no longer allows the creation of new Sensors in the reserved Content Set.
  • Fixed a behavior where the Tanium Server's API would not allow issuing an Action for a parametrized Package while also referencing it by name instead of id.
  • Added safeguards in both the Tanium Server and Client to fix the presence of invalid write_bytes values.
  • The Tanium Server's in-memory meta-data cache now implements MVCC to control and guarantee consistency with other object caches.
  • The Tanium Server's in-memory Groups cache now implements MVCC to control and guarantee consistency with other object caches.
  • The Tanium Server's in-memory Sensors cache now implements MVCC to control and guarantee consistency with other object caches.
  • Separated the cached Content Set information from other objects as part of the Tanium Server's new cache implementation.
  • Fixed a sporadic bug in the Tanium Server User API where creating a user might return an HTTP-500: SOAPUserNotFound error.
  • Fixed a bug in the way the Tanium Server registers Global Settings audit records where the id referencing the setting modified was always set to zero.
  • Fixed a bug in the Tanium Server that would cause failed authentications for accounts with UTF-8-encoded characters in their username or password.
  • Fixed an issue in the Tanium Server's Question Parser where it would fail to handle some filter conditions that used the same Sensor more than once, resulting in the error: parse_job group has unexpected number of filters.
  • Fixed an erroneous behavior in the Tanium Server API when creating a Manual Filter Group where the filter_flag would default to false instead of true.
  • Fixed a bug in the Tanium Server's instrumentation to fix double-counting of tanium_snapshots_total metrics.
  • Fixed a problem with the handling of Packages in the Tanium Server where Client download API operations would not progress beyond URLValidatedButNotYetAvailable when requesting a file with a known URL but a different upper/lower case.
  • The Tanium Server API will no longer allow the creation of Sensors with names that begin with Linux: since this prefix is used internally by Tanium. In doing so it will return a more friendly error reminding the user that the prefix is not allowed, instead of returning an HTTP-404: SensorNotFound error.
  • The Tanium Server will now produce complete text representations for groups of Sensors, giving the user a full view of targeting expressions like Computer Name contains "X" or All Computers which would not be displayed explicitly before and could lead to targeting mistakes.
  • Changed the management of cached Package files in the Tanium Server database to ensure there are no more duplicate records stored in the server_package_files table.
  • The Tanium Server now offers the API route GET /api/v2/unregistered_clients which returns a list of endpoint clients which failed to register, most likely due to bad PKI (invalid keys) or failed server-challenge operations. This provides similar functionality to the old v314 "valid key" Client Status. The Server will track max_track_unregistered_clients (with a default of 100) to keep this list from consuming too many resources.
  • Fixed an omission in the Tanium Server's export API where Sensors were missing their what_hash value.
  • The Tanium Server import API will now check for the All Computers Group in a case-insensitive way to avoid clobbering this special Group with a new definition.
  • Fixed a problem in the Tanium Server's management of User to Persona assignments where the sessions/as_persona/:id API would return an Invalid Persona error when the Persona id was assigned to more than one User.
  • The Tanium Server's groups API will no longer allow the creation or update of Action Groups, which must be created using the action_groups route, because such groups did not contain all of the elements necessary in a proper Action Group definition.
  • The Tanium Server now enforces non-duplicate Package names in the database using a unique index over the name_hash column of the packages table.
  • The Tanium Server now uses a database unique index to enforce unique, case-insensitive Saved Question names.
  • Fixed a bug in the Tanium Server's import API that resulted in the error Filter groups must specify a name when importing previously exported Groups which contain other groups as part of their targeting expressions.
  • Fixed an issue in the Tanium Server authentication audit output where the returned results did not include the User identification for failed authentication attempts.
  • Fixed a bug in the Tanium Server API where deleting a Saved Action would still show it as existing until the server was restarted and would even allow updates to the previously deleted object.
  • The Tanium Server will no longer close long-running API connections for as long as a request service handler is still associated with them. This implementation is considered preferable to the use of HTTP keep-alives.
  • The Tanium Server will no longer delete Packages associated with a regular expression Whitelisted URL when the URL's Expiration or Download interval meta-data is modified, but deleting the URL or changing its regular expression will trigger this deletion.
  • The new cache implementations fix a bug where a single Computer Group assigned to a new User would not be returned in its management rights, but would be shown as soon as a second group was added.
  • Fixed a couple of typos in log messages for TransferNotAllowedForNonIdenticalUsers errors.
  • Fixed an edge-case behavior in the Tanium Server API where creating a new Saved Question that references a Question associated with another Saved Question would break the existing Saved Question definition by leaving it without a Question definition. This is not a problem that happens in Console but could be done through an API.
  • Fixed a problem in the Tanium Server installer which would fail when upgrading from databases with duplicate Sensor definitions, resulting in the error: Cannot insert duplicate key in object dbo.sensor_what_hashes.
  • Fixed an unreleased condition in the new Tanium Server caches implementation where background refreshes would not advance a cache MVCC version, resulting in unnecessary growth.
  • Fixed a bug in the propagation of cryptographic information to Zone Servers and Clients caused when a Tanium Server in an Active/Active pair has its trust revoked and is decommissioned but its messages are still broadcast, resulting in Received untrusted signed PKITime broadcast: SignedMessageException messages being logged.
  • Fixed a bug in the Tanium Server installer database upgrade steps which could cause a failure in some environments with the error: relation "packages_available_time_idx" already exists.
  • The Tanium Server REST API now considers and treats JSON null values in the same way the SOAP API would treat an omitted tag in SOAP WSDL.
  • Fixed an issue in the Tanium Server when exporting and later importing a Package definition where it would not preserve its original "Ignore Action Lock" setting.
  • Fixed a bug in the Tanium Server Question API where it would return a zero Question id as the source for a Saved Question.
  • Fixed an issue where the Tanium Server would fail to synchronize its license information with the Module Server during networking failures and would halt its periodic synchronization. This would result in errors displaying module solutions on the Console.
  • Fixed a bug on the Tanium Server and Zone Server where they would accept SSL session tickets from an endpoint after their cryptographic identities had expired, resulting in large numbers of Expired certificate log errors for these connections.
  • Fixed a Tanium Server database upgrade step which would result in log errors: ERROR: duplicate key value violates unique constraint: select_specs_pkey1 and impair the ability of the server to issue Questions.
  • Fixed an issue in the PKI handshake between Zone Servers and Tanium Server which would cause a multi-minute delay for them to register and show up as ready to establish trust.
  • The Tanium Server Group API will again allow the creation of Action Groups to support those solution modules which use this method.
  • Fixed the interpretation of source_id to take precedence over hash when specifying a parametrized Sensor in a way which services Console needs, even if this behavior will ultimately be deprecated.
  • Fixed a condition in the creation of database audit rows which would cause the rows to skip id numbers, which gave the impression of missing audit records.
  • Added some missing module dependencies in the Tanium Server's Python build necessary for the PAM module used in TanOS, which resulted in log errors like: No module named 'six'.
  • Tanium Packages which are cloned while issuing an Action are now marked as hidden_flag=1 and not returned by default in API requests. These Packages are deemed immutable and should be excluded from most operations.
  • Fixed an omission in the Tanium Server API by which Dashboard requests could not be sorted by id using the cache_sort_fields option.
  • Fixed a serialization issue in the Tanium Server's Saved Action API that would return an incorrect data structure and identification on creation and update operations.
  • The Tanium Server's API will now return a non-zero source_id value even if and when the original Package id has been deleted.
  • The Tanium Server's Sensor API will now ignore the request value source_id=0 and determine itself whether a temporary or source Sensor is referenced by the query.
  • Added back content_set_roles in the Tanium Server's Users API which had been omitted.
  • The Tanium Server will no longer issue overlapping Actions when their reissue time is shorter than their expiration time.
  • Fixed a bug in the Tanium Server API where performing a GetObject request on Saved Questions would return structures with multiple Question elements in a way that violated the WSDL definition for the request.
  • Fixed a problem where changes to a User's management rights would not produce associated audit records in the system.
  • The Tanium Server's API will now return records for issued Actions associated with deleted Scheduled Actions, which it did not in the past.
  • The Tanium Server now performs stricter checking of allowed request headers and their values and will reject the request accordingly.
  • The Tanium Server now performs more stringent checks on HTTP content-length headers and will reset the request on malformed headers or mismatched content length sizes.
  • Fixed a problem in the Tanium Installer which would duplicate Sensor columns when upgrading from previous versions of the software.
  • Fixed an omission in the Tanium Server's API by which Saved Actions could not be sorted by their next_start_time value and resulted in an Invalid sort field error.
  • Fixed a problem with the Tanium Server Saved Questions API where it would return no results.
  • Fixed an error in handling filters for Question History in the Tanium Server API that would result in an HTTP-500 error with Invalid datetime for Questions with a zero expiration setting.
  • Fixed a problem in the Tanium Server import API which would result in the error Default Computer Groups: unresolved conflicts when importing default Computer Groups content more than once.
  • Fixed and improved the Tanium Server interaction with the database to make Question retrieval faster and, among other things, reduce the startup readiness time in large or long-standing systems.
  • Fixed a bug in the Tanium Server Packages API where a request would not return source Packages when filtering for source_id=0.
  • Fixed a bug in the Tanium Server installer where it would not install or upgrade a local Module Server unless the ModuleServer parameter was set to 127.0.0.1. The installer will now trigger the Module Server installer whenever instructed to do so.
  • Changed the behavior of the Tanium Server's API to return a Package's definition by name when more than one definition exists but one of them has hidden_flag=0.
  • Fixed an issue in the Tanium Server where transferring content to a different Persona for the same User would return successfully without transferring the content.
  • Fixed a problem with the Tanium Server's Saved Question API which would return an HTTP-404: PersonaNotFound when the Persona associated with a Question had been deleted.
  • Fixed an issue in the Tanium Server's Question API to ignore a source_id parameter if not creating a temporary Sensor. This behavior was seen as a pair of square brackets ([]) added at the end of every Sensor name in a Question.
  • Changed the behavior of Tanium's downloader (TDownloader) to allow spaces in URLs so that they do not have to be encoded as %20, avoiding a disallowed location error when parsing them.
  • Fixed a problem retrieving Question results when attempting to filter them over parametrized Sensors by their whatHash.
  • Fixed an issue on the Tanium Server by which some Actions returned in Action History were missing their name and Package name.
  • Modified the handling of past Question results in a way in which they improve the reporting of Action statuses for Action History up to seven days in the past, which is the default retention period for old results.
  • Fixed the handling of chunked transfers for Tanium Server Plugin requests.
  • Fixed an inefficient SQL query in the way the Tanium Server produces audit record reports for Tanium Connect.
  • Fixed the handling of the tanium-options HTTP header when calling the Tanium Server REST API in asynchronous mode.
  • Fixed a condition possible when creating Questions through the Tanium Server API where Question filters were not verified for proper constant data types, leading to an empty page in their results UI.
  • Fixed a bug where Tanium Server Dashboards would not be updated when Saved Questions were overwritten during an import operation, resulting in the dashboards losing all of their Questions.
  • Fixed an issue in the Tanium Server Question Parser where question options like ignoreCase were unnecessarily added and with incorrect values.
  • Fixed a condition in managing RBAC User Roles constraints which would result in the SQL error: duplicate key value violates unique constraint: content_set_user_group_role_membership_unique_index being logged.
  • Fixed a problem where the Tanium Server session/current API would not return Personas assigned to the user through a User Group. This would impede switching to these Personas from a Console session.
  • Fixed a problem in the Tanium Server Question Parser where it would fail to identify parametrized Sensors in the current implementation and omit the parameters passed for parsing.
  • Fixed a bug where creating a Question from query_text would append with not All Computers if no filter is specified.
  • Fixed a bug in the Tanium Server API where trying to create a new Package would return the error ParametrizedPackageMustMatchSource.
  • The new Tanium Server cache implementations resolved a condition where creating a User account would sporadically return an HTTP-500: SOAPUserNotFound error but still created the requested object.
  • Fixed an inconsistency in the Tanium Server's Persona and Group APIs where newly created objects would return a created_time and modified_time of 2001-01-01 instead of their actual creation or modification time.
  • Fixed an issue in the Tanium Server Group API which would sporadically fail an Action Group lookup immediately after it was edited.
  • Fixed an edge-case behavior in the Tanium Server API where a user who requested an object without the necessary privilege would get an HTTP-200 response but with empty data. The API will now respond with an HTTP-403: Forbidden response.
  • Fixed a bug in the Tanium Server where references to parametrized/temporary Sensors were not interpreted appropriately and would break the Reveal quick search interface.
  • Fixed an omission in the Tanium Server User Groups API which would not return creation and modification for objects for POST, PATCH and DELETE requests.
  • Fixed a problem in the Tanium Server's saved_actions API which would return non-recurring Actions instead of only those with a recurring issue_seconds.
  • Changed the behavior of the Tanium Server's import API to not flag conflicts on value_type fields specified on input.
  • Fixed a WSDL inconsistency in the Tanium Server's SOAP API which would return unexpected text elements for a group, which would cause problems in Console when displaying Action verification queries.
  • Fixed an XML serialization bug in the Tanium Server API for Users and Content Sets where <content_set> elements were nested when they should not be.
  • Fixed a bug in Personas assigned through a User Group which would return an Invalid persona for user error when trying to switch over to that identity.
  • Fixed a bug in the handling of metadata for the TDownloader settings API which would return an HTTP-500 error when including meta-data while creating an authentication user, and would log INSERT statement conflicted with a FOREIGN KEY constraint.
  • Fixed a bug in the handling of CAC/PIV certificates on the Tanium Server login and authentication API routes.
  • Fixed some omitted parameters and settings in the Tanium Server's Package API which would break the reissuing of previously issued Actions.
  • Fixed an issue where an error message would be emitted when the pki reset command was run on a Zone Server, even though the command completed successfully.
  • Fixed a bug where using the Module Server option to register against a Tanium Server would create duplicate registration entries for the TMS.
  • Fixed a bug in the Tanium Server's database access that would produce a SQL deadlock error when moving Scheduled Actions between Action Groups.
  • The Tanium Server now guarantees proper handling of the n-to-n relationships between Personas and Content Sets in its database tables.
  • Fixed an omission where the first user created in a Tanium Server deployment would not have a creation date.
  • Fixed a bug in the Tanium Server API which would throw an HTTP-500 error when requesting Actions sorted by creation_time.
  • Fixed a bug in the Tanium Server API which would throw an HTTP-500 error when requesting Actions sorted by issue_count.
  • Fixed a problem which would result in old private keys never being purged out of pki.db.
  • Fixed a problem in the Tanium Server's global-setting get command line where large numeric values would be returned in scientific notation.
  • Improved the way names and identifiers are treated for Content Sets to avoid a ContentSetNotFound error when importing sets with reserved names.
  • The Tanium Server will now allow for Sensor expressions in Questions with empty parameter lists ([]) and handle them properly depending on the definition of the source Sensor.
  • Fixed a bug in the Tanium Server's API that made it impossible to transfer content from a deleted Persona to another user, returning an HTTP-404: PersonaNotFound error response.
  • The TDownloader authentication API serviced by the Tanium Server will not return the expiration property for the downloader_auth_users request.
  • Fixed an error in the Tanium Server installer upgrade steps where it would incorrectly remove entries for User role assignments.
  • Fixed a bug in the Tanium Server management of Separated and Isolated Subnets in the database where it was possible that some definition rows would not be skipped until the server was restarted.
  • Fixed an issue in the Tanium Server which would cause an Action to lose its Action Group when disabled or enabled again, ending up associated with the default Action Group.
  • Fixed an omission where the Tanium Server failed to remove deleted Personas' effective privilege values from its caches.
  • Fixed an observed SQL error in the Tanium Server's access of the database Content Set data which logged: ERROR: syntax error at or near ")" at character NNN when accessing content_set* tables.
  • Fixed a Tanium Server communication error which would result in the constant logging of unexpected 315 message: WireMessage.signed_string_retry/30 messages.
  • Fixed an omission by which the Tanium Server installation and upgrade would never populate the version and date in the version_history database table and introduced the TaniumServer database add-version-history command line option to do this.
  • Fixed an issue in Tanium's RBAC API by which switching a user's Persona would not reflect a change in the content_set_roles and roles properties after the switch, even though the new RBAC permissions were being enforced correctly. The information returned now matches the actual enforcement under the new Persona identity.
  • Fixed an issue in the reading and interpretation of the Tanium Server's console.json configuration file which would log: Error occurred running job 'consoleSettingsThread': Value is not convertible to UInt.
  • Fixed an omission in the Tanium Server Package API to allow requests to be sorted by command value.
  • Fixed a condition in the evaluation of cryptographic communications where decommissioning Tanium Servers and adding new ones to a deployment would result in logging the error message Received untrusted signed trusted roots for client connections that presented credentials from now untrusted servers.
  • Fixed an issue with the new content installation status API on the Tanium Server where it would not return the correct status for file download progress.
  • Fixed a bug in the Tanium Server which would cause it to crash when attempting to serialize to disk the contents of Question results with tens or hundreds of millions of results.
  • Fixed a behavior in Platform components where attempting to stop a process just after it exited naturally would unnecessarily spam logs with messages "Failed to terminate process" because the process was no longer there.

Known Issues and Workarounds

  • The Tanium Downloader (TDownloader) fails to download files when expired certificates are present in a server's root-CA configuration. This issue negatively affects downloading files from some sites using "Let's Encrypt" root CA, which recently expired.
    • This issue can be worked around by removing the expired certificate from the server's root store.
  • The sensor preview functionality when creating or editing Sensors returns [CRU] errors.
    • No workaround is available, but this will be addressed in a future release.
  • The "Last Login" value for Tanium users is cleared out after an upgrade to v7.5.2.3503.
    • No workaround is available, however this is a data migration issue, and the data is still available. A future release will address this and repopulate the "Last Login" value for all users.

Product Documentation and Resources