IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Tanium Server and Tanium Client (Version 7.6.1.6334)

From Tanium Knowledge Base
(Redirected from Release Notes (Version 7.6.1.6334))
Jump to navigation Jump to search

Thank you for choosing Tanium. The following Release Notes document changes between releases of the Tanium Server and Tanium Client.
This platform release includes the release of both a Windows and Linux Tanium Server as well as the Tanium Client for all supported platforms.
The previous version can be found here: Server Release Notes (Version 7.5.6.1118) and Client Release Notes (Version 7.4.10.1067)


Tanium Server for Windows and Linux and Tanium Clients for all platforms v7.6.1.6334

  • Tanium Cloud availability date: October 31, 2023.
  • On-premises availability date: N/A.

Special Notes

  • This version of Tanium Server shipped with: Console (Version 3.6.37.0000).
  • Tanium discourages new installations of this software version on Windows 2012 and 2012-R2 given its End-Of-Life on 2023-10-10.

Security Updates

  • N/A.

New Features

  • The Tanium Server now offers a certificate management API to allow changing of its HTTPS certificate from a browser console.
  • The Tanium Server and Client now allow the tracking of successful and failed action exit codes.
  • The Tanium Server will now push notifications of new questions without the need for a registration from the client, making responsiveness even faster than it already was.
  • The Tanium Client will now use SIGTERM on long running Sensors and Actions before issuing a SIGKILL signal.
  • Enables file chunk downloading in non-leader endpoint clients when a linear chain ChunkRequest has not been serviced in over PeerChunkRequestTimeout. After these many seconds (default 300) a non-leader endpoint will request chunks directly from a server unless RequestChunksFromServerOnTimeout is set to the value of zero.
  • The Tanium Server will now reflects its isolated status where it has no peers to connect with. The Status.IsIsolated setting will help solutions decide how to operate most efficiently according to this state value.
  • Tanium Clients will now report its ActionLock status so it can be presented in the browser console Action Status summary user interface.
  • Tanium Servers will now immediately close new incoming connections when bandwidth throttle delays are larger than leader_max_schedule_delay_seconds.
  • Added a new permission manage zone servers to grant Zone Server management rights to non-Admin users.
  • Implements low, normal and high priority settings for Platform questions, where high priority questions should be reserved for interactive interface questions and low priority should be used for data pipeline harvesting questions.
  • Tanium components now use SetThreadDescription on Windows versions where it is available, to name different threads, which is helpful for all manner of debugging tools.
  • Implements a new API api/v2/upload_file_stream which accepts either an application/octet-stream or a multipart/form-data upload to improve performance in uploading large files to the Tanium Server.
  • Exposes the Tanium Client internal metrics through the TaniumCX get-metrics CLI command.
  • Tanium Client installation packages for Solaris v11 are now provided in Image Packaging System (IPS) format.
  • The Tanium Client now replaces its original Tanium Client -m process with TaniumCX run-framework.
  • Implements direct-download functionality on the Tanium Client, where the client will still be allowed to request chunks from its peers but any missing chunks must be downloaded by the interested client instead of the backward leader in a chain.
  • Implements support for Tanium Server configured bandwidth throttles in Tanium Client initiated direct CPMS downloads.
  • Implements the EnableCDNDownloads Tanium Client setting to enable CPMS-hosted downloads when in conjunction with the appropriate Tanium Server support and configuration.
  • The TaniumPython.dll file now contains version information on the file's metadata.
  • Tanium Platform components will now provide settings for LogVerbosityLevel on a per-log basis to allow for increased logging where necessary instead of increasing verbosity across the board for all logs.
  • Allows the Tanium Server API to manage the locked_out status of user accounts.
  • Adds the ability for the Tanium Client to communicate the execution result of a deployed action.
  • Offers a new server_health API route on the Tanium Server which returns information about disk space available on the different servers in a deployment.
  • The Tanium Client will now use its stable leader connection to send results reports to the server, instead of opening a new ephemeral connection as it did in legacy clients.
  • Adds HTTPv2 support for outgoing requests from the Tanium Server which can now be used when communicating with the Tanium Module Server and other systems.
  • Added the TaniumExtractor binary utility to Tanium's suite of tools in order to replace other extractors like 7z.
  • Adds the read_server_host micro-privilege to control access to the server_host API route used by TDS, so that service does not need to run with administrator privileges.
  • Allows an API Token session to invalidate the token that it is using, logging out the session that is using it and all further access with this operation.
  • The Tanium Client now requires a session token to be presented in API request headers and not in the SOAP request body when RequireClientAPISessionInHeaders is set. This avoids the parsing of XML when a proper session token is not presented up front.
  • The Tanium Client will no longer reset CX extensions according to MonitorResetIntervalInHours. Extensions will now be reset only if and when the Tanium Client performs its own reset.
  • Limits the size of allowable sensor results to be cached to avoid unrestricted memory growth of the Tanium Client when running poorly written sensors. The maximum allowed result size can be controlled with the SensorMaxResultSize configuration parameter.
  • The Tanium Server authentication system now supports Online Certificate Status Protocol (OCSP) for Common Access Card (CAC) authentication.
  • The Tanium Server now offers an API route to temporarily override logging levels on all server components. Posting to internal/monitoring/v1/log/levels with data that specifies {"text": "DEBUG", "duration": 60} will set the logging level to "DEBUG" on all servers for the next 60 minutes. The logging levels available are: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, which correspond to LogVerbosityLevel settings 1, 11, 21, 41, 61 and 91, respectively.
  • Tanium component zipped logs will now contain the same older log files renamed with a date and time suffix (YYYY-MM-DD-hhmmss) which will make their names unique when unzipped.
  • The Tanium Server now has the capability to upload to a Content Delivery Network (CDN). This improvement supports the Improved Client Downloads initiative.
  • The Tanium Server no longer honors the legacy max_strings_total_mb setting but instead calculates the amount of strings memory to use every startup based on its string_memory_percentage setting, which defaults to 33.33 percent.
  • Adds support for filtering of groups based on its subgroups, allowing for action group queries with filters like: action.action_group.groups[].name.
  • Implements Tanium Client peer-to-peer bandwidth throttling no longer controlled in terms of messages per second but by the PeerBandwidthThrottleBytesPerSecond client setting.
  • Disallows disabling of active LDAP synchronization connectors, which will only be allowed with a connector is paused or deleted. This is to avoid synchronization operations with a connector in disabled state which would remove RBAC assignments that are no longer being provided.
  • Implements the ability on the Tanium Client to extract the contents of ISO images, which is necessary to support use cases in the Deploy solution module.
  • The Tanium Client will now execute Python sensors in a dedicated process labeled as TaniumClient --python-sensor which will avoid the common need to restart the TaniumClient -a process.
  • Implements the direct reporting of results for sensors that use the sensitive data flag in Tanium Client v7.6.
  • The Tanium Client will now persist into a database and load known actions on initial registration.
  • The Tanium Client will now persist and read action statuses from its action database.
  • Implements the migration of existing actions and their statuses into the Tanium Client's new actions.db.
  • Implements new Tanium Server metrics for the number of successes and failures of database connection attempts: dbconnectionpool_db_connect_success and dbconnectionpool_db_connect_failure.
  • Implements the Tanium Server plugins necessary to interface and operate with the System User Service, which can be controlled using the enable_system_user_compatibility setting.
  • Implements the StateProtectedFlag=1 feature on the new Tanium Client actions database.
  • Implements the tanium_authenticator_non_system_users_last_login Tanium Server metric to indicate the last time users logged into the system.
  • Adds a "read solutions" privilege to control access to the API solutions route. 
  • Implements auditing information for changes to the system's bandwidth throttle settings.
  • Ensures the timely execution of built-in sensors like Action Statuses which now follow maxAge rules like any other non-reserved sensor.
  • Implements multiple and parallel chunk downloads for the Tanium Client when fetching files from CPMS.
  • Ensures that v7.6 Tanium Clients will not peer with earlier versions, given that their communications are not compatible.
  • Changes the behavior of the Zone Server Hub to resolve the DNS names for its Zone Servers each time it connects to them. This allows for better live response to Zone Server IP address changes without a service restart.
  • Implements Tanium Client http_downloads_* metrics for CDN downloads.
  • Implements a mechanism in the Tanium Client where it will back-off issuing download requests when its Tanium Server is exceeding its configured bandwidth limits and incurring on high queue delays.
  • The Tanium Server will now delete all users and groups associated with a SCIM provider when that provider is deleted. This is done for integrity and to avoid ending up with users and groups which can no longer be managed, not through Console nor SCIM.
  • Increases the default value of max_force_registrations_per_second to 10,000 now that this operation has become less costly thanks to other server to client communication improvements.
  • The Tanium Client now saves and flushes the contents of its question and action databases during shutdown.
  • The Tanium Module Server no longer uses HTTP Basic-Auth when registering with the Tanium Server, because this authentication method is now disabled on the Tanium Server bu default.
  • Tanium servers will now communicate their version to clients during registration, allowing new and future clients to determine if they have connected to a system of a compatible version.
  • Implements a property named "t" on the result rows from the Tanium Server GetResultData API to indicate whether a particular row can be used as a target filter based on its values. The include_targetable_flag has to be included in the request for this property to be emitted.
  • Enforces unique names for dashboard definitions in the Tanium Server which would otherwise produce solution import errors.
  • Removes support of legacy FNV hashes in the Tanium Server's string APIs.
  • Forces a Tanium Client to isolate if its server message buffer limits are exceeded, to allow it to process its own pending messages over those received from its peers.
  • The Tanium Server history export APIs now offer a mode query parameter to specify the format of the export to be either csv or json.
  • The Tanium Server question and action history export API now allows filtering which supports the ability of the console to export only selected items.
  • Implements backing up the original values for those temporary environment variables the Tanium Client now manages for its sub-processes. The original values are stored in variables named with the BACKUP prefix.
  • Implements client side handling of sensor execution priorities to complement the new question priority feature in coordination with CX requests.
  • Implements the Tanium Client settings SensorPenaltyThresholdMilliseconds=100 to specify which sensors are considered long-running, and SensorPenaltyMaxMilliseconds=2000 to control the stalling of the evaluation pipeline.
  • Adds the priority field to the Tanium Server's question API.
  • Implements "cx_channel_response_*" metrics that tally the number of messages and bytes exchanged across the Tanium Client to CX communications channel.
  • Ensures that built-in sensors skip the evaluation queue in the Tanium Client since their fast execution allows them to be preempted quickly.
  • Implements a priority setting for the action API on the Tanium Server.
  • The reserved Tanium Client internal sensor Action Statuses will now not return more than ActionStatusSensorLimit recent action statuses.
  • Implements metrics counters on the Tanium Server to track the number of valid and invalid API token requests received.
  • Ensures that the plugins/group/questions returns an HTTP-503 result code until the Tanium Server is fully ready for operation.
  • The windows client uninstaller will now kill the client if it does not stop within 20 minutes. This allows the upgrade to work even if the client process is hung.
  • The Tanium Client now implements a tanium_sensor_queue_wait_seconds histogram metric that tracks the distribution of queue wait times for the execution of every sensor.
  • Disables sensor execution penalties on the Tanium Client by making SensorPenaltyThresholdMilliseconds=0 the out of the box default setting value.
  • Sensor results in the new Platform are now forced to be encoded using SHA-256 in support of future capabilities.

Improvements

  • The Tanium Client will now immediately remove an action folder after the action finishes running
  • The Tanium Server will no longer perform any deduplication of client records in Client Status to avoid confusion over endpoints which answer questions but do not appear in this listing. Clients will be identified solely by their ComputerID.
  • The Tanium Client will now periodically vacuum its SQLite databases.
  • Tanium Clients will now synchronize their sensor definitions based on a unique ID field.
  • Implements a new schema for the Tanium Client result cache that matches the new SensorReport format.
  • The Tanium Server will now reuse rows in its sensor_definition database table when Sensor update operations have not changed their code implementation.
  • The Tanium Client will now only re-execute Sensors when their results maxAge value is reached and no longer perform maxAge/2 additional executions.
  • Improved database code efficiency when updating action start times.
  • The Tanium Server now constructs client-bound messages from the contents of its database caches which are guaranteed synchronized and consistent. This will reduce workload on the database for these operations.
  • The pki show --fingerprint command now accepts short-form PKI fingerprint specifications like the ones displayed in Console.
  • Implements the serialization of the new direct_download_flag for package file definitions in the Tanium Client.
  • Adds a communications message for a Zone Server to acquire a batch of new computer IDs from the Tanium Server, to be assigned to new Tanium Clients.
  • Defines a new namespace and version scheme used by the next generation of ComputerID assignment to endpoints.
  • Introduces a Tanium Server sequencing counter for active/ active pair messages about incoming Tanium Client registrations in order to support next-generation ComputerID assignments.
  • Implements broadcasting of registration sequences between Tanium Servers in active/ active pairs and Zone Servers in order to support the next-generation ComputerID assignments to Tanium Clients.
  • The Tanium Client now uses fully asynchronous communications when establishing its connections to servers and peers.
  • Zone Servers will now log at the lowest verbosity level when they find a local JSON throttle definition in their filesystem, and also log the result of loading said local configuration.
  • Drops support for loading TaniumTrace DLLs which are no longer used and necessary.
  • Refactors the in-memory handling of package file hashes as hash values instead of strings which can be more prone to bugs in their handling.
  • Modifies the pki show command line in Tanium components to work for tanium-init.dat files without the presence of a pki.db. The command now assumes that the file name parameter is a tanium-init.dat file unless its extension is .db in which case it will be read as a pki.db database.
  • The Tanium Server now allows for more granular scheduling of database clean up and maintenance activities by offering the clean_database_hour and clean_database_minute global settings.
  • Refactors the Tanium Client SSL session store to track session tickets by IP address and implements the eviction of expired records.
  • Implements a new metric tanium_pki_unknown_trusted_roots as a counter for the number of registration requests received with unknown keys.
  • Adds a new ModuleContentSigning key type to be used by the new content signing API offered by the Tanium Server.
  • Implements a new API that allows solution modules to have byte blobs of data signed by the Tanium Server.
  • Removes unnecessary hashing of individual string columns in multi-column sensor results.
  • The Tanium Server will now detect inactive servers in an Active/ Active configuration and update its Downloads/upload_hosts.txt file. This will avoid unnecessary attempts to download files from a Tanium Server that is not up and running.
  • Implements HTTP proxy client connections over the improved asynchronous communications model.
  • Simplifies the organization and flow of ServerName selection, resolution and proxy connections in the Tanium Client.
  • Improves the Tanium Server question parser to avoid creating excessive sub-groupings for multiple expressions joined with OR operators.
  • Adds the user id for failed authentications to authentication_audit records returned by the Tanium Server API.
  • Adds the ability to export saved actions by ID, necessary when attempting to export actions with duplicate names.
  • The Tanium Server will no longer create "Legacy-*" RBAC roles in new installations. These roles are now deprecated for new deployments.
  • Updates the allowed TLS cipher suite to match Mozilla's intermediate compatibility recommendation.
  • The Tanium Client installer now provides a more specific firewall rule just for the communications port of the TaniumClient.exe binary.
  • The Tanium Client now handles results in its ClientResultCache based on the immutable sensor ID that produced them.
  • Improves on the reported status for packages on the Tanium Server to reduce information leakage on error reports.
  • The Tanium Server now uses a column named error_details in its server_package_files to store error messages encountered when trying to download and cache package files.
  • The Tanium Client will now clearly log when the DisableTrace flag is set on an endpoint.
  • The Tanium Module Server will now clean its temporary directory on startup, removing files left behind which are no longer used.
  • Adds validation to regular expressions used in the creation of groups to avoid syntax errors which may later occur downstream at the Tanium Client with the log message: error occurred while parsing the regular expression.
  • Adds support for outgoing GRPC requests to the Tanium Client for CPMS integration.
  • Adds the ability to read Tanium Client settings from an extension process.
  • Implements increased resilience to corrupt plugins.json files in a Module Server configuration by doing a fallback to previous backup versions of the file.
  • The Tanium Server will now use one single connection when working through database upgrade steps.
  • The v7.6 Tanium Client is no longer sensitive to time drifts that can cause [CRU] results.
  • Removes unused settings for string error flags and prefixes: error_string_prefix, error_string_regex and generic_error_string_flag.
  • The RBAC API will no longer return a content set element for groups that are not designated as filters and not associated with a content set.
  • The TaniumCX binary will now verify the signatures of the third party libraries it uses before loading them.
  • Implements sensor and action communication pipes which CXs will use to communicate with the Tanium Client instead of using disk-based mailboxes.
  • The Tanium Client will now log active script begin and end messages at LogVerbosityLevel>10 to reduce log spam.
  • The Tanium Client can now handle several sequential download requests over the same connection instead of opening a new one. Idle download connections will be closed after thirty seconds of inactivity.
  • Enforces a limit of 5,000 as the maximum allowable value for string_retry_hash_limit that can be sent to the Tanium Client at one time.
  • Adds ability for Tanium Client created temporary files to use Windows attribute FILE_ATTRIBUTE_TEMPORARY which prevents the file being written to disk whenever possible.
  • Created separate db query plans in the Tanium Server for initial cache loading and incremental cache loads to reduce the number of time SQL has to compile query plans. This reduces CPU load on the SQL server as well as increasing API performance.
  • Updated the way message size metrics are captured to improve efficiency of processing large messages.
  • The Tanium Client will try to cast sensor results into a number value even when the definition does not define the result value as numeric. This allows for better handling of data types even for sensors which were created incorrectly.
  • Reduced the LiveSnapshotAlwaysUseSeconds from 4 to 1 second to improve user experience for returned question results.
  • Added serialization code efficiencies in multiple Tanium Platform components, making future feature updates and REST API handling more effective.
  • Added a more efficient means to gather client configuration path information from the Tanium Client.
  • Unifies the handling of sensor results and their results cache between the Tanium Client and extension processes.
  • Added arguments to the Tanium Client that lightens the touch on an RPM database to support Software Manager functionality.
  • Combines the execution of the packages and download file cleaning operations into a single thread in the Tanium Server, thus reducing contention between them as well as database resource utilization.
  • Added an additional API call, /api/v2/user_groups/by-name/{name}, to get user groups by their text name.
  • Tanium Client will retrieve the computer name directly without caching on all operations except for sensor and client evaluations to reduce the chance of caching interference.
  • Tanium Client connections will now follow a 60 second timeout instead of the historic 3 seconds. This should benefit busy systems with less than ideal network connectivity.
  • Removed the old concept of slow peers that is deprecated by other mechanisms already in the Tanium Client.
  • Updated API tokens with the associated person's name along with the id with displayed with a GET for /api/v2/api_tokens.
  • Includes additional logging of https header names when capturing error parsing http response log entries.
  • The Tanium Server /metrics route will now omit per-thread metrics unless the enumerate_server_threads_for_metrics_flag setting is enabled. This reduces the cardinality of metrics in monitoring systems.
  • The value of info_export_interval_minutes and info_export_max_age_days global settings will now honored by zone servers.
  • The Tanium Server will no longer log "No PKI clock offset for fingerprint" which is an expected server condition.
  • The Tanium Client now persists the ids of sensor statistics requests as not to respond repeatedly to the same request across client restarts.
  • The Tanium Client's subsystem in charge of download requests now cleans its file buffer cache periodically to reduce the number of file descriptors it keeps open.
  • Implements environment-specific content security policy headers for the Tanium Server replies.
  • The Tanium Client will now run with a question_check_diffs_seconds=60 default.
  • The Tanium Client will now restore the environment of its sensor evaluation process instead of restarting it if a sensor execution has modified it.
  • Removes Tanium Server client registration settings which are no longer used.
  • Tanium Clients will now re-evaluate sensors when checking actions for targeting criteria.
  • Implements the cleaning of expired action logs in the new Tanium Client.
  • Implements the cleaning of expired action folders in the new Tanium Client.
  • Implements the cleanup of expired actions from the Tanium Client's actions.db database.
  • Implements referential integrity cascaded deletions on in action.db for stopped actions.
  • Implements expiration times for a Tanium's Server root keys to be 99991231235959Z as recommended by RFC-5280.
  • Drops the value_system_flag column from the global_settings database table, since it is no longer used.
  • Implements the necessary functionality for a Tanium Server to de-register a deleted package file with CPMS.
  • Improves the logged messages in the Tanium Server's package-download.txt log.
  • The content set API on the Tanium Server will no longer return deleted records.
  • Tanium Platform components now ship with xz v5.2.9 compression libraries.
  • The Tanium Server will now log errors encountered while updating users and groups during an LDAP synchronization operation, such as SQL errors.
  • Improves the text of audit records to include the previous and new name of objects in rename operations, offering more readable audit records for Tanium Server objects.
  • Enables the tracking of encryption key ids in the management of Tanium Client databases when StateProtectedFlag is enabled.
  • The Tanium Server's global setting audit API will now return audit text that contains the original value that was changed as well as the new value it was changed to.
  • The Tanium Server API will now reject the assignment of invalid RBAC privileges, where before it would allow it but strip them off whenever calculating an account's effective privileges. Now the assignment itself will no longer be allowed.
  • Adds the display_name field to the Tanium Server's API requests when this information is available for a user account. This will allow Console to display this information in user pages.
  • The Tanium Server will now log API HTTP request headers only at LogVerbosityLevel=61 and above.
  • Upgrades the PAM library on the Tanium Server to v1.5.2.
  • Tanium Platform components now ship with TBB v2021.7.
  • Implements server-side streaming export of question and action histories, reducing browser wait times and resources.
  • Improves the performance of TLS session ticket verification in all Tanium Platform components.
  • Implements faster client to server re-connections when there are pending downloads waiting completion.
  • Implements WAL-mode operation for the platform's pki.db database.
  • The Tanium Client installer on Windows will no longer remove and add again the Tanium Client service unless deemed necessary. It will just replace the service's binary instead.
  • Improves the performance and resource utilization of PKI operations by not re-verifying certificate chains immediately after they are issued.
  • Improves the performance of the Tanium Server system status and client count APIs which is important to deployments with a very large number of endpoints.
  • Implements WAL-mode operation for the platform's config.db database.
  • Implements periodic save and cleanup operations on the Tanium Client's SQLite databases.
  • Implements a quicker delivery of isolated and separated subnet information from the Tanium Server to the Tanium Client. This allows informing the endpoint if it should be isolated or the separated subnet it belongs to, along with a list of candidate peers.
  • Relaxes the permissions required to access the preview_content_set_role_detailed on the Tanium Server API as a prerequisite to enable customer content features.
  • The Tanium Server and Tanium Zone Server will now free memory in their client processing threads every client_thread_clean_memory_seconds=300 interval.
  • The Tanium Client now uses a timed, periodic enforcement of its StateProtectedFlag instead of doing this on every settings update event.
  • The Tanium Client will now execute its downloads database maintenance cleanup every hour instead of every ten minutes. This interval can be controlled using the CleanDownloadDBInterval client setting expressed in seconds.
  • Avoids a sensor cache lookup in the Tanium Client when resolving hashes in preparing question results.
  • Implements an idle timeout command line option (--idle-timeout) for TDownloader which will specify the maximum amount of time a download stream can stall before it is considered failed. The default timeout will be 60 seconds.
  • Improves the audit information for content set roles in the Tanium Server to return only the information of elements which were changed instead of the effective result of the changes.
  • The Tanium Client will now log "No valid servers are configured" if its ServerName and ServerNameList settings are not configured.
  • The Tanium Client will now not fail to start if it cannot access Powershell on its running endpoint. It will simply log "PowerShell not accessible" and continue to run without it. This may render content and solutions unusable but the client will not stop.
  • Receives incoming messages for the Tanium Client from the CX framework subsystem and honors any restart requests received.
  • The Tanium Server API now supports and expects a GET method request for its action and question export routes.
  • The Tanium Client will no longer perform an epoch reset when DatabaseEpoch changes from an empty or missing value to an actual epoch value. This prevents performing a reset on first install.
  • The Tanium Client will promptly refresh the return value for the Action Statuses sensor whenever an action is completed. This speeds up action status reporting on the Tanium Console.
  • Improves Tanium Client question processing by not emitting changing results when the changed data is omitted through a select filter. This is an optimization aimed at questions like: Get Action Statuses starts with 27477 from all machines.
  • The Tanium Server API now supports exporting multiple saved action IDs with the export-by-id route.
  • Implements support for diskless mailbox execution for Visual Basic script sensors in the Tanium Client.
  • Implements support for diskless mailbox execution for shell-script sensors in the Tanium Client.
  • The Tanium Client will now return a maximum of 10,000 result rows as controlled by the SensorMaxResultRowCount client configuration setting.
  • The Tanium Server now logs the reason for authentication failures at LogVerbosityLevel=0 in its auth.log.
  • Client download API requests now copy files into a .tmpcopy sub-folder on the destination path, to avoid the requesting agent to detect partially downloaded files.
  • Adds additional information in replies to requests with expired JWT tokens to inform why the request was rejected.
  • Honors the Tanium Client MessageBufferByteLimit setting.
  • Implements use of the TANIUM_TRUSTED_MESH environment variable to allow the Tanium Server API to run on clear text HTTP instead of HTTPS.
  • Implements the cache_ref_id in the rows returned when calling GetResultData which can be used in conjunction with a cache_id to call the build_target_group API on the Tanium Server.
  • The Tanium Server API now offers a build_target_group route which allows defining groups from a result cache and its reference IDs.
  • Removes support for ComputerID tracking in saved question which underpinned the recent results Tanium Server API feature which is not in use anymore.
  • Adds a guided_onboarding setting to allow tracking of onboarding activities in Tanium Cloud.
  • Removes the previously needed but now superfluous file_name parameter which was used in action and question history exports.
  • Changes the API to export both action and question histories so they will provide default CSV columns and JSON elements to be returned when none are specified beyond the export mode parameter.
  • Makes module server solution registrations to be unique both in their id and name.
  • Changes the threshold for incorrect sensor statistics from 1GB to 1TB for bytes read, give that it is possible that a sensor would read that amount of data to produce its results.
  • Changes the Tanium Server history export API to return a JSON object instead of a simple array, which is best for compatibility.
  • Implements new Tanium Server metrics on the configuration of CPMS integration and upload successes and failures to that subsystem.
  • Improves the Tanium Client logging of the failure conditions for HTTP downloads.
  • Adds logging to the ClientAPIFileCopy subsystem in the Tanium Client to allow for easier troubleshooting.
  • Fixes a problem in the Tanium Client for AIX to detect when AIXSetLibPaths setup would fail on startup, resulting in the error: module libcrypto.so could not be loaded.
  • Loads the allowed root certificate authorities in the MacOS Tanium Client in support of CPMS-hosted downloads.
  • Allows questions and their results to persist beyond their expiration time and for as long as max_result_cache_grace_period_seconds if they are still being referenced by API requests.
  • Reduces the processing cost of content imports in the Tanium Server API by delaying signature verification until the flag for a concurrent import is confirmed.
  • Reduces the memory utilization on the Tanium Client by clearing its question cache after it is persisted to disk.
  • The Tanium Server question API now disallows the creation of saved questions from counting questions.
  • Enforces the execute plugin privilege when routing module service API requests.
  • Implements additional logging around sensor evaluation in the Tanium Client at higher LogVerbosityLevel>60 settings.
  • Raises the LogVerbosityLevel at which the Tanium Client issues "Sensors failed verification" in order to reduce log spam.
  • Improves the performance and memory footprint of the Tanium Client by making use of better SQL queries to load its initial state.
  • Implements WAL operation mode on the Tanium Client's manual_groups and url_requests databases, which reduces the amount of filesystem activity.
  • Implements improved handling of UTF-8 encoded sensor results in the Tanium Client.
  • Ensures that the Tanium Client internal sensor cache keeps synchronized with the verifiable contents of its sensor database.
  • Changes the behavior of sensor results parsing in the Tanium Client where it will ignore a configured delimiter in the sensor definition if it has no declared columns. This improves the behavior of sensors that incorrectly declare a delimiter for a single column.
  • Improves the messages logged by a Zone Server when publishing a snapshot to include the highest question and action IDs contained in the snapshot.
  • The Tanium Server and Client now offer higher sensor result limits for the benefit of data-intensive applications: SensorMaxResultSize=10,485,760 (in bytes), SensorMaxResultRowCount=100,000 and sensor_max_allowed_result_rows=100,000.
  • The Tanium Server will now log "Malformed session" when authentication fails due to a malformed session value.
  • Adds additional logging for the state of downloads requested through the Tanium Client API.
  • Adds logging to the Tanium Client around start and stop operations over the CX execution framework.
  • Adds logging of incorrect SOAP sessions to the Tanium Client API when the value is provided in the message body, as is done when presented as a request header.
  • Reduces log spamming in the Tanium Client on a disabled or unavailable client extension framework.
  • For compliance with RFCs and compatibility with more SCIM providers the Tanium Server now treats the externalId attribute as optional in users like it does in groups.
  • The Tanium Server will now check the health state of its database connections before returning them to its connection pool.
  • Ensures that old expired and revoked certificates are cleaned up from the pki.db database.
  • Reduces the CPU utilization in the Tanium Server when serializing user privilege information in API requests.
  • The Tanium Server will no longer refresh all sensor definitions when questions and actions change, and will only refresh the definitions of sensors that have changed since their validation can be expensive.

Bug Fixes

  • Fixed an issue where the Tanium Server Question Parser failed to parse computer groups names in a question filter clause when the groups were expressed in terms of parametrized Sensors.
  • Fixed a condition on the Tanium Client where setting local configuration values with the same name but different case would result in the error InvalidParentKey and break the TaniumClient config command line option.
  • Fixed an issue in the Tanium Client in interpreting Package file download network messages where it would sometimes log assertion 'hash.size() > 0 && hash.size() <= kMaxHashSize' failed when requesting a client API download and running with LogVerbosityLevel=41 or higher.
  • Fixes the permissions of a server's license file on disk when they are incorrect, avoiding the repeated "FailedToVerifyLicense" message in logs even when the loaded license is valid.
  • Fixes an OpenSSL random number generator initialization problem that would result in the error "SSLEAY_RAND_BYTES:PRNG not seeded" which is innocuous but should not happen anymore.
  • Fixes a condition in the Tanium Server by which policy-based saved actions would fire more often than they actually had to because they would not target any online endpoints anyway.
  • Fixed a bug in the Tanium Server where a LDAP user's modified time field is updated every time LDAP synchronizes.
  • Fixes an issue where API tokens would fail to be authenticated with IPv6 trusted addresses.
  • Fixes an issue where the Tanium Server API would throw an HTTP-404 error when trying to export content sets that reference objects which had been removed from the system.
  • Fixed a bug where the install log on the Tanium Client will continually add a new log every time a client is installed/upgraded. This is resolved by adding install-backup-[date].log rotation.
  • The Tanium Client will now use database locks when applying StateProtectedFlag configurations, to avoid conflicts while applying the implied encryption of contents.
  • Adds a missing transaction to the periodic package and package files cleaner maintenance operation in the Tanium Server.
  • Fixed a bug where Last Modified was not updated on a user when adding or removing groups and roles.
  • Fixes an HTTP-500 error returned by the user_groups API when referencing invalid user IDs.
  • Fixes a bug where if the Client Extension (CX) or TaniumClient process dies and there is a partially written CX message, the CX connection fails until the TaniumClient service is restarted. This supports the CX Sensor improvement initiative.
  • Fixes a bug where a Client Extension sensor request will hang if the TaniumClient -c process is restarted. This supports the CX Sensor improvement initiative.
  • Fixes a bug where a Client Extension sensor request will hang if a response is dropped. This supports the CX Sensor improvement initiative.
  • Fixes an issue where the Tanium Client may not rotate log files correctly.
  • Revised a memory configuration to increase performance while accessing sqlite databases on the Tanium Client.
  • Resolves an issue where the Tanium Server's metrics would report higher client counts than Client Status due to not filtering records with ComputerID=0.
  • Fixes a rare condition where a Tanium Server could miss manual groups and sensor updates for a short period of time. This condition has never been observed in the field due to its small probability of happening.
  • Fixes the routing of the package_file update API in the Tanium Server which would previously throw a "InvalidObjectTypeForUpdate" error for PATCH requests.
  • Fixes a problem where the Tanium Client would fail to execute Python code with the log message "not enclosed in Tanium Client folder" when the downloads folder is relocated.
  • Changes the behavior of the Tanium Server solution import API so it will not throw an exception and reply with an error when referenced saved questions are missing.
  • Fixes an issue in the Tanium Client where cleaning of action logs and folders would not honor the CleanActionLogsIntervalInDays global setting.
  • Fixes an issue with the Tanium Server groups API which results in the incomplete error HTTP-500 'Invalid group field name: ' when trying to filter the request results.
  • Fixes an ordering-of-operations error when importing both roles and privileges into the Tanium Server on the same operation, which could result in a ContentSetPrivilegeNotFound error.
  • Fixes an omission in the Tanium Server content set role API which would not account for restricted privileges during a preview request. The API will now throw InvalidCustomerPrivilegeForContentSet when an incorrect privilege is included.
  • Fixes a problem in the Tanium Server preview content set role API which would not return deny-type roles. Issuing a request with a deny_flag=1 will now return these roles.
  • Fixes an issue in the Tanium Server when importing a package without attached files and overwrite an existing package with files, the file references would not be removed.
  • Fixes a crash in the Tanium Server when it received a stop request while still waiting for its database connections to be available.
  • Fixes the mode settings on the Tanium Client's taniumclient.service file to avoid the error message: Configuration file taniumclient.service is marked executable.
  • Fixes a condition that produces revocation hash mismatches across active/ active Tanium Servers after importing legacy v314 protocol keys.
  • Fixes an issue by which content administrator users cannot read all content on the system, which impairs the role's ability.
  • Fixes incorrect instructions in the Zone Server RPM installer on Linux which described the need to configure the ServerName setting, which is not necessary unless installing a Zone Server Hub.
  • Fixes an issue in the Tanium Server audit log API for user groups where the details entry would be empty.
  • Fixes the error response returned by the action group Tanium Server API when searching a non-existing group by name, which would return an invalid ID number instead of the group name provided in the request.
  • Fixes an issue in the Tanium Server RBAC API which would return InvalidCustomerPrivilegeForContentSet when attempting to request detailed content set previews over content sets with configured restrictions.
  • Fixes an omission in the Tanium Client where Windows COM errors were not properly encoded as UTF-8 strings.
  • Fixes a problem where the Tanium Client would not honor a properly set ValidateAllLibrarySignatures=0 in its CX execution framework.
  • Fixes an issue on the Tanium Zone Server where the info_export_max_age_days global setting would not be honored.
  • Fixed a cosmetic issue in the Action Statuses sensor that showed the string "\n" in its description.
  • Policy-based actions in the Tanium Server will no longer consider and count error results like [CRU] and [RCU] when evaluating whether to trigger or not.
  • Fixes an omission where the Tanium Server would fail when configured to listen on port 65,535 which is a valid port number.
  • Fixes a Tanium Server issue were the TaniumServer.exe database sqlserver2postgres command would fail with the error message "Unhandled column type: real" when the data_purge_history table contains any rows.
  • Fixes an issue with the TaniumReceiver.exe database sqlserver2postgres feature where the generated output cannot be imported into a PostgreSQL database if the servers table in Microsoft SQL Server has negative guid values.
  • Fixes an issue in the handling of single-use requests as used for export operations where request parameters were not being passed along to streaming handlers. This would impair the new streaming versions of action and question API requests.
  • Fixes a filtering problem in the Tanium Server action API where it would return the status for multiple actions when only one of them was requested.
  • Fixes an issue where enforcing the uniqueness of saved question names was not filtering out entries which were already deleted in the system.
  • Fixes an omission where the Tanium Server RBAC API would not exclude privileges from deleted content sets.
  • Fixes an issue in the removal of expired PKI keys in the Tanium Client which would show as repeating duplicate "Erasing expired key" messages in pki.log.
  • The Tanium Server's question API will now return the exception "Counting questions cannot be merged" if requested to merge a counting question.
  • Fixes a problem where the Tanium Server question result data API would not respond to the export_flag parameter.
  • Fixes a delay when fetching the Tanium Server info page, observed when the module server service is stopped.
  • Fixes a condition where internal sensors could stall question results on MacOS Tanium Clients.
  • Ensures that built-in reserved sensors honor their configured maxAge setting.
  • Fixes the operation of the ActionFolderRetentionMinutes setting on the Tanium Client to keep action folders for this period of time, as long as disk space on the endpoint does not fall below minimum levels.
  • Reduces the logging of the SQLite "Failed to reset statement" message which is neither significant nor important.
  • Fixes import failures of default computer groups into a newly built Tanium Server returning an HTTP-404: SensorNotFound error.
  • Fixes the logout workflow in the Tanium Server for Azure environments, which would leave console sessions with an invalid JWT token and unable to log in again.
  • Fixes the Tanium Server dbconnectionpool_db_connect_failure metric which would not reflect the correct count of connection errors.
  • Fixes the parsing and output representation of sensors that contain square bracket characters ([]) in their name
  • Adds a database upgrade step to the Tanium Server install sequence which will fix incorrect legacy package file hashes which would result in errors like "Invalid package file hash value: class NotAHexDigit" and prevent logins at the console.

Known Issues and Workarounds

  • The Tanium Client will fail to parse a PAC proxy file referenced by ProxyAutoConfigAddress when more than one proxy server is defined, logging "Failed to parse proxy name. Too many colons" at LogVerbosityLevel=41.
    Workaround: None. A fix for this issue is will be released with a new version of the Tanium Client post-v7.6.1.6432.
  • On upgrade from v7.4 clients v7.6.1 client releases may display an incompatibility with older OpenSSL v1 dependent client extensions. Tanium strongly encourages installation and upgrades to the latest release of v7.6.2+ clients, starting with 7.6.2.1204.

Product Documentation and Resources