IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Integrity Monitor (Version 1.4)

From Tanium Knowledge Base
Jump to navigation Jump to search

Thank you for choosing Tanium. This document is intended to document the release of Tanium Integrity Monitor.

Tanium Integrity Monitor 1.4.3

Release Date: Nov 20, 2018

Resolved Issues

  • Fixes to AIX and Solaris content.
    • Fixes an issue where deploying updated watchlists generated false create and delete events.
    • Fixes an issue where paths in watchlists that do not specify any exclusions caused hashing to hang.
    • Fixes an issue where event sensors detected zero events but failed to report "No Integrity Violations".
    • Fixes an issue where event sensors timed out when a large number of events existed on the endpoint.
    • Fixes an issue where temporary files during hashing were not properly removed.

Tanium Integrity Monitor 1.4.2

Release Date: Nov 6, 2018

Resolved Issues

  • Fixes an issue where the wrong priority monitors ran on new endpoints until the Integrity Monitor Endpoint Tools were installed.
  • Fixes to AIX and Solaris content.
    • Fixes an issue with the Exclude path for watchlist file exclusions by removing incorrectly inserted end of line characters.
    • Fixes an issue with falsely reported create and delete events when new files were found or old files were no longer found.


Tanium Integrity Monitor 1.4.1

Release Date: Oct 23, 2018

Resolved Issues

  • Fixes an issue on the Home page where sections were no longer dismissible after hovering over them.
  • Fixes an issue on the pages to create or edit monitors where the watchlist selection drop-down menu could expand beyond the viewable window.
  • Fixes an issue on some modals where the old color palette was being used.
  • Updates endpoint utilities to have better compatibility with the release of macOS Mojave (Version 10.14); however, Integrity Monitor still does not support macOS.
    • Upgrades Tanium Index to Version 2.3.2.0005.
    • Upgrades Linux recorder to Version 0.7.34.32.


Security Update

This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your Technical Account Manager (TAM).


Tanium Integrity Monitor 1.4.0

Release Date: Oct 10, 2018

Feature Improvements

  • Adds a mode configuration option for Linux monitors to detect changes based on events or periodic hashing.
    • Event mode detects file changes based on events from the operating system.
    • Hash mode detects file changes based on periodic hash comparisons.
      • Adds Integrity Monitor endpoint process to manage file changes from Tanium Index.
      • Adds Integrity Monitor endpoint database to store file changes.
      • Adds Tanium core python for Linux.
        • Adds logging for actions or sensors that have been converted to use Core Python. Logs can be found on the endpoint in the Tanium Client directory under Tools/IM/data.
    • Adds Integrity Monitor Start Process [Linux] package to ensure the new endpoint process is running. This saved action is scheduled to deploy every half hour as needed.
    • Replaces Integrity Monitor Endpoint Tools [Linux] and Integrity Monitor Endpoint Tools Removal [Linux] packages with Integrity Monitor - Tools [Linux] and Integrity Monitor - Remove Tools [Linux] packages respectively.
    • Deploys Tanium Index on Linux in Integrity Monitor-only mode.
    • Updates Integrity Monitor Endpoint Tools Status sensor.
      • Reports on state of event mode and hash mode.
      • Reports if Index is running when in hash mode.
      • Reports health status of last event from Integrity Monitor endpoint database in hash mode.
  • Updates Integrity Monitor Endpoint Config Monitor Status sensor to include hash mode monitors in the isRecording results.
  • Updates Tanium Client for Linux and Tanium Client for Windows templates to reduce noise by watching critical Tanium Index files instead of the entire Tanium Index tools directory.
  • Sorts watchlist exclusions alphabetically.
  • Updates Integrity Monitor File Events Details to accept blank monitor ID parameter to return results for all endpoints.
  • Updates Integrity Monitor Endpoint Config Status sensor to report consistency results across all operating systems when monitor ID does not exist.
    • AIX and Solaris endpoints no longer report -1 for the monitor ID when it is not present. A result of Not Found is reported instead.
  • Updates event based Linux monitors to default raw logging option to no change.


Resolved Issues

  • Fixes an issue where Integrity Monitor Endpoint Config [Linux] action would not execute on some versions of Linux where dash is the default shell like Ubuntu.
  • Fixes reports and sending labeled events to Tanium Connect to include notes applied by rules.
  • Fixes an issue where Deploy Monitors creates Integrity Monitor Endpoint Config saved actions that don’t target endpoints on initial scheduled action execution. This fix may extend the time that deploying monitors takes up to five minutes as package files are cached to the Tanium Server.
  • Fixes an issue where the drill down in the current results grid of the monitors view does not have a Remove Drill-down link.
  • Fixes an issue where an action group named All Computers would prevent creation of the Integrity Monitor action group.
  • Fixes an issue where image load events where being recorded on the Windows recorder in Integrity Monitor-only mode.
  • Fixes to the Integrity Monitor Endpoint Tools Status sensor.
    • All platforms now report the message, Integrity Monitoring Status is OK, when everything is working as expected.
    • Fixes an issue where the sensor was not properly reporting when a recorder disabled itself.
    • Fixes an issue where Event recorder is Not running is the status for Linux endpoints when auditd is off.
    • Fixes the Windows sensor to no longer report an error about outdated tools when there are no tools. It will still report Install Needed.
  • Fixes an issue where Windows recorder was recording non-Integrity Monitor events in Integrity Monitor-only mode.
  • Adds Tanium Index v2.3.1.0003.
  • Upgrades Windows recorder to v1.0.31.1358.
    • Fixes an issue where file events were recorded for paths not specified in a watchlist in Integrity Monitor only mode.
    • Fixes an issue with shutting down during restart which prevented the recorder from registering with ETW for events.
  • Upgrades Linux recorder to v0.7.34.30.
    • Fixes issue where the recorder was not shutting down cleanly.
    • Fixes cases where events were overwritten in queue causing a memory leak.
    • Delete corrupt databases to prevent downtime.
    • Fixes missing events from rm -rf command.
    • Fixes issue where recorder could crash with a configuration change.
    • Fixes recorder to stop recording file events that do not match the watchlist.
    • Fixes an issue where the recorder could be running multiple instances.
    • Fixes an issue where duplicate process events were being created.
    • Fixes kill switch to prevent the recorder from ignoring the kill command and continuing to run.
    • Fixes thread safety which reduces CPU usage.
    • Reduces the likelihood of process path being reported as Unknown.


Additional Information

Known Issues and Workarounds

  • For Window endpoints only, Tanium Integrity Monitor events can be turned off if Tanium Trace file events are turned off.
  • When deleting a monitor using the All Events Connection with Tanium Connect v4.0.7, the remaining All Events connection will not show the delete option in the workbench. Workaround is to delete the remaining all events connection using the Delete Connection Tanium Connect API.
  • For Linux endpoints only, when upgrading from Integrity Monitor v1.1.1 or older to this release, the Deploy Monitors action could encounter the fixed issue where the Linux event recorder stops in some cases. The issue will resolve once the latest tools are deployed to the endpoint. To avoid this issue, deploy the Integrity Monitor tools manually before deploying monitors.
  • The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
  • Deploying updated watchlists to AIX and Solaris endpoints can result in falsely reported create and delete events.


Requirements

  • Tanium Platform 7.0.314.6422 and above.
    • For older 7.0 builds, please consult your Technical Account Manager for assistance.
  • Tanium Platform 7.1.314.3071 and above for RBAC support.
  • Tanium Connect 4.0 and above.
  • Legacy Windows support requires Tanium Index 1.6.0 and above.
  • Monitoring permission change events.
    • Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
    • Windows NT 6.0 (Windows Server 2008 / Windows Vista) or below requires setting Tanium Index config setting ScanFilePermissions=on.

Supported Tanium Platforms

Tanium Server 7.0, 7.1, 7.2

Product Documentation and Resources

Integrity Monitor Documentation