Release Notes Initial Content (Version 7.1.18)
Thank you for choosing Tanium. This document is intended to document changes between releases of Tanium Initial Content.
Tanium Initial Content 7.1.18
Release Date: Jan 28, 2020
- Initial Content - AD 7.1.18.0005
- Initial Content - Base: 7.1.18.0005
- Initial Content - File System: 7.1.18.0005
- Initial Content - Hardware: 7.1.18.0005
- Initial Content - Network: 7.1.18.0005
- Initial Content - Operating System: 7.1.18.0005
- Initial Content - Registry: 7.1.18.0005
- Initial Content - Software: 7.1.18.0005
The previous version can be found here: Release Notes Initial Content (Version 7.1.17)
Enhancements:
Tanium Initial Content Base
- Renamed the Machines unable to Execute VBScript saved question to Machines Unable to Execute VBScript or Shell. The saved question now finds machines that cannot seem to run shell scripts, as well as machines that are unable to run VBScript. The new saved question, Machines Unable to Execute VBScript or Shell, displays in the Client Core Health dashboard.
- The Tanium Component Versions saved question now reports Tanium Module Server versions for Windows.
- The Is Virtual and Virtual Platform sensors now recognize Parallel virtual machines.
Tanium Initial Content Hardware
- The Hyperthreading Enabled sensor now has a Linux implementation.
- Added implementations for Solaris, Linux, and AIX to the Number of Processor Cores sensor. There is now an implementation on all supported platforms.
- The Chassis Type sensor now recognizes Parallel virtual machines and will report Virtual on Mac, Linux, and Windows.
Tanium Initial Content Operating System
- The Disk IOPS sensor no longer displays the thousands separator character (a comma) when the number is greater than 999.
- Updated the System UUID sensor on Linux to work on newer VMWare hardware versions (see VMWare KB article 53609).
- The output for the Last Reboot sensor is now sortable in the Tanium Console and filterable through the question parser. The result is now accurate to the second on all platforms except Solaris, and all platforms report in RFC 822 format (for example, Tue, 14 Jan 2020 18:37:13 -0800).
Tanium Initial Content Registry
- The following registry sensors now correctly accept and interpret registry paths that contain Wow6432Node when appropriate. Previously, an input string that contained Wow6432Node would cause a failure, as the sensor is designed to examine the registry in both 64-bit and 32-bit modes. However, as the paths are typically seen on screen with the string Wow6432Node in them when appropriate, the following sensors will now work when given a path with Wow6432Node in it:
- Registry Key Exists
- Registry Key Subkeys
- Registry Key Value Exists
- Registry Key Value Data
- Registry Key Value Names
- Registry Key Value Names with Data
When Wow6432Node is accepted as input only when the path is known to be redirected. Successful redirection depends on the operating system version and registry hive. See https://docs.microsoft.com/en-us/windows/win32/winprog64/shared-registry-keys
Additionally, each of the listed sensors now accept any user hive string (HKEY_CURRENT_USER, HKEY_USERS, HKCU, HKU) without requiring that the hive input be uppercase.
Bug Fixes:
Tanium Initial Content Base
- The Operating System Generation sensor more correctly stacks and normalizes Red Hat Enterprise Linux 7.
- The Operating System Generation sensor now considers all Windows Server 2003 editions (R2, Storage) to be the same OS Generation. The editions are all reported simply as "Windows Server 2003"
- The Tanium Client Installation Date and Tanium Client Installation Time sensors now report software on newer Oracle Linux systems.
Tanium Initial Content File System
- The Path Permissions sensor now works when given paths that include the trailing backslash.
Tanium Initial Content Hardware
- Improved the accuracy of counting CPUs, cores, and logical cores on Linux. This affects the following sensors:
- CPU Details
- Number of Processors
- Number of Processor Cores
Tanium Initial Content Network
- Fixed issue which caused the Established Ports by Application sensor on macOS to fail to produce results.
- The Number of Processors sensors now contains an implementation for AIX.
- The Model sensor now correctly detects the model on IBM/Lenovo Servers.
- The Computer Serial Number sensor now more reliably retrieves the serial number on Solaris.
Tanium Initial Content Network
- The output for the Listen Ports sensor is clean of error strings in certain conditions on macOS. Additionally, macOS output now matches the Windows output.
Tanium Initial Content Operating System
- Updated the output of the Operating System sensor to omit certain characters that were not really standard whitespace, but were visually indistinguishable.
- The System Disk Free Space sensor now reports results in gibibytes (1024*1024*1024)=1GB instead of metric gigabytes (1000*1000*1000)=1GB, which is the least surprising measure when working with disk storage.
- The Disk Free Space sensor is now more accurate on Solaris.
Tanium Initial Content Software
- On Linux, the Running Service sensor no longer sends error strings when a serviced service is in a broken state.
- The Installed Applications, Installed Applications Exists, and Installed Applications Version sensors now report software on newer Oracle Linux systems.
Additional Information
- The AD Computer Groups, AD User Groups, and Cached AD Logins sensors in Initial Content - AD, which were previously nullified, are now forcibly deleted on import. If these sensors are still actively used in your environment, consider not installing Initial Content - AD until the sensors are exported and then re-imported after each update, or the sensors are duplicated with a different name.
- As announced in the previous release, the UDP Connections and TCP Connections sensors in Initial Content - Network are now removed. Use the IP Connections sensor instead.
Announcements
- The Machines Unable to Execute VBScript saved question, which was replaced with Machines Unable to Execute VBScript or Shell, may be forcibly deleted from servers on import in an upcoming release.
- The next Initial Content release will be a reorganization.
- Initial Content - Base, the solution that installs by default on all new servers, will be renamed to "Default Content".
- The following Initial Content prefixed solutions will all be combined into a solution called Core Content:
- Initial Content - AD
- Initial Content - File System
- Initial Content - Hardware
- Initial Content - Network
- Initial Content - Operating System
- Initial Content - Registry
- Initial Content - Security
- Initial Content - Software
- Initial Content - Tags
- Initial Content - Cloud
- The old solutions that these replace will be removed from the list of installable solutions.
- The following solutions will remain separately released, but renamed:
- Initial Content - MSSQL -> Core MSSQL Content
- Initial Content - ADQuery -> Core ADQuery Content
Known Issues and Workarounds
- All Initial Content - Cloud sensors that run on OpenStack Nova instances will falsely report Amazon EC2 as the platform. This is because of the default Amazon EC2 metadata service compatibility. This will be disambiguated in an upcoming release.
- The Cloud Instance Tags sensor does not yet support Google Cloud Platform.
- The Cloud Instance Tags sensor requires AWS IAM configured so that instances themselves have an IAM role assigned that has a policy which allows instances to read tags on themselves. A naive policy to be applied to instances might look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeTags",
"ec2:DescribeInstances",
],
"Resource": "*"
}
]
}
IAM policy creation is beyond the scope of the document, but it is important to expect failure of the Cloud Instance Tags sensor until policy is configured on the account. You may find the EC2 Instance IAM Role sensor to be helpful to determine which EC2 instances can read tags.