Release Notes Initial Content (Version 7.1.14)
Thank you for choosing Tanium. This document is intended to document changes between releases of Tanium Initial Content.
Tanium Initial Content 7.11.14
Release Date: Aug 27, 2019
- Initial Content - Base: 7.1.14.0000
- Initial Content - Cloud: 7.1.14.0005
- Initial Content - Hardware: 7.1.14.0000
- Initial Content - Network: 7.1.14.0000
- Initial Content - Operating System: 7.1.14.0002
- Initial Content - Registry: 7.1.14.0000
- Initial Content - Security: 7.1.14.0001
- Initial Content - Software: 7.1.14.0002
The previous version can be found here: Release Notes Initial Content (Version 7.1.12)
Enhancements:
Tanium Initial Content Base
- A Dashboard, Virtual Client Optimization, is available for monitoring and configuring Tanium Client settings which are more appropriate for VDI or other heavily shared infrastructure. Scheduled Actions that set the Client Settings appropriate for Virtual Infrastructure are not automatically created on import, and the recommendation is to create Scheduled Actions based on existing packages that set the values described in the document here: https://docs.tanium.com/client/client/os_imaging.html#VDI
- The Subnet Mask sensor now reports IPV6 subnet lengths on all platforms, by using the prefix inet6:/
Tanium Initial Content Hardware
- The CPU sensor on macOS is faster.
- The Bios Release Date sensor will now display as year-month-date so that it is sortable.
Tanium Initial Content Security
- The No Screensaver Password sensor on Windows will now consider group policy settings in addition to local settings. However, results are available only for users which are currently logged in.
Tanium Initial Content Software
- The Installed Applications Exists sensor on AIX will now do a partial string match of the input string, as it does on all other platforms.
- Improvements to Installed Applications sensor's version parsing logic. Previously, certain rare types of version strings were not recognized as versions, and would only appear in the name of the application, and not in the version column.
- Performance increase of the Running Processes Memory Usage sensor on Linux.
Bug Fixes:
Tanium Initial Content Base
- The Tanium File Exists sensor on non-Windows platforms could potentially have called a directory service (such as Active Directory or OpenLDAP) while listing files. Additionally, on non-windows platforms, files with spaces in them are now correctly handled.
- The Is Virtual and Virtual Platform sensors are expanded to cover Nutanix, Xen, and Docker. If it is a docker container managed by Kubernetes, Kubernetes is additionally reported.
- Fixed an issue where the Subnet Mask sensor on Solaris, in rare cases, would not have produced a result.
- Fixed an issue that caused Quarantined Sensors sensor to not function correctly on Solaris.
- The Tanium Client Dump Files sensor, on Windows, now correctly uses the modified date instead of the created date. This provides accurate data in the cases where a dump file is re-used.
- The Tanium Client Subnet sensor and Subnet Mask sensors are improved for non-US locales.
Tanium Initial Content Hardware
- Fixed the CPU sensor on Linux to remove a leading space.
- The Total Memory sensor on Windows will now report total memory when running on AWS instances.
Tanium Initial Content Network
- Fixed an issue where the Firewall Status sensor on Windows was not considering private network profiles.
- Fixed an issue where the TCP Connections and UDP Connections sensors on Linux could, rarely, display 'ESTABLISHED' instead of the process name responsible for the connection, and could shift all resulting columns leftward.
Tanium Initial Content OS
- Fixed an issue with the Free Memory sensor on Solaris to improve accuracy of results.
Tanium Initial Content Software
- Fixed an issue where the Running Processes Sensor, on Linux and AIX, could cause communication to a directory service
such as Active Directory or OpenLDAP.
- Fixed the Installed Applications sensor's hidden column for uninstall string, which is used with the package Uninstall MSI. Previously, the flag /noreboot was passed. It is now /norestart.
- The Running Processes Memory Usage sensor on will print the process name, not path, to conform to other implementations. Additionally, on AIX, improve accuracy by changing means of measuring memory used by process.
- Fixed an issue which causes the Computer Serial Number sensor on Solaris to fail to report the serial number in some cases.
Added Sensors or Sensor Implementations:
Tanium Initial Content Base
- The Subnet Mask sensor now has Linux, Mac, and AIX implementations. Previously, only Windows and Solaris were supported.
Tanium Initial Content Cloud
The Initial Content Cloud solution is newly available. The goal is to enable retrieval of metadata from instances running on cloud providers. For now, Amazon AWS, Azure, and Google Cloud platform are supported. The new sensors, which run on Linux and Windows cloud instances, are:
- Cloud EC2 Instance IAM Role
- Cloud EC2 Instance VPC ID
- Cloud Instance Account
- Cloud Instance ID
- Cloud Instance Image
- Cloud Instance Provider
- Cloud Instance Public IP
- Cloud Instance Public Keys
- Cloud Instance Region
- Cloud Instance Tags
- Cloud Instance Type
- Cloud Instance Zone
These sensors require distribution of files in a new package called Initial Content - Tools. Three new Scheduled Actions are created on import of Initial Content - Cloud, one for Mac, Windows, and Linux, which distribute supporting tools automatically.
Tanium Initial Content Software
- New Sensor Process Count which lists the number of processes that match the input filter string.
Removed Sensors or Content:
Tanium Initial Content Security
- Password Policy Details, which was previously nulled out, is now actively deleted on import.
Tanium Initial Content Operating System
- The sensors Local Administrators Without Groups and Logged in User Details, which were previously nullified, have had the Windows implementations of the sensors removed.
- The sensor Last Date of Local Administrator Login, which was previously nullified, is actively deleted.
- The sensor Logged in User Details, whose Windows implementation was previously nullified, is now actively deleted.
- The saved question Local User Information, which used Logged in User Details, is now actively deleted.
- The dashboard Proactive User Security now uses the saved question User Information instead of Local User Information.
- The saved question User Information no longer uses the deleted sensor Last Date of Local Administrator Login.
Additional Information
Known Issues and Workarounds
- The Installed Applications sensor on Windows requires an uninstall string to be set in the Registry. Without a registry value holding any data representing an Uninstall String, the Application will not list as installed. A workaround for the issue can be provided by your TAM, however the data returned may be noisier than what is desired. Carefully consider whether to Clone the sensor.
- All Initial Content - Cloud sensors running on OpenStack Nova instances will falsely report Amazon EC2 as the platform. This is because of the default Amazon EC2 metadata service compatibility. This will be disambiguated in an upcoming release.
- The Cloud Instance Tags sensor does not yet support Google Cloud Platform.
- The Cloud Instance Tags sensor requires AWS IAM configured so that instances themselves have an IAM role assigned that has a policy which allows it to read tags. A naive policy to be applied to instances might look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeTags",
"ec2:DescribeInstances",
],
"Resource": "*"
}
]
}
IAM Policy creation is beyond the scope of the document, but it is important to expect failure of the Cloud Instance Tags sensor until policy is configured on the account. The sensor 'EC2 Instance IAM Role' may be helpful in determining which EC2 instances can read tags.