IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Integrity Monitor (Version 1.7)

From Tanium Knowledge Base
Jump to navigation Jump to search

Thank you for choosing Tanium. This document is intended to document the release of Tanium Integrity Monitor.

Important Note

The releases of Tanium Trace 2.9.0.0035, Threat Response 1.2.0.0037, Map 1.1.1.0006, and Integrity Monitor 1.7.0.0035 all include a significant update to how the endpoint recorder technology is distributed and managed. This update requires that if any one of the products is updated in an active environment, all of the others should be updated to at least the minimum versions specified above at the same time. Failure to do so may result in degraded functionality and potentially erroneous sensor results from those products that have not been updated. Tanium avoids the introduction of dependencies between product releases whenever possible, but it is required in this circumstance to support significant new functionality enhancements.

Tanium Integrity Monitor 1.7.1

Release Date: Apr 23, 2019

Resolved Issues

  • Fixes an issue where importing watchlists from multiple Tripwire configurations fails in cases where they have identical rule names but different set of paths.
  • Fixes an issue where the Integrity Monitor Tools Status on Windows would report Tanium Index config.ini was missing instead of Tanium Index im_index_config.ini.
  • Fixes an issue where Linux file ownership change events are not correlated in hybrid mode in certain situations.
  • Fixes a regression where CPU threshold is reported incorrectly by the Integrity Monitor Tools Status sensor.
  • Updates the management content of the Tanium Client Recorder Extension to address potential errors if a timeout occurs during installation.
  • Upgrades Tanium Index 2.4.2.0002.
    • Fixes an issue where file ownership change events were not reporting human readable user and group names.
    • Fixes an issue on Windows where constraint violations would cause slower than expected initial index passes.

Tanium Integrity Monitor 1.7.0

Release Date: Apr 9, 2019

Feature Improvements

  • All actions in the Integrity Monitor action group are disabled when the product is uninstalled.
  • Hybrid mode events from recorder will be seen faster in scenarios where there is no event in Index with which to correlate.
  • Renames Integrity Monitor Endpoint Tools [Windows] package to Integrity Monitor - Tools [Windows].
  • Renames Integrity Monitor Endpoint Tools Removal [Windows] to Integrity Monitor - Remove Tools [Windows]
  • Updates to enable or disable recorder packages.
    • Replaces Integrity Monitor Endpoint or Disable Event Recorder [Windows] with two packages, Enable Tanium Recorder [Windows] and Disable Tanium Recorder [Windows].
    • Replaces Integrity Monitor Endpoint or Disable Event Recorder [Linux] with two packages, Enable Tanium Recorder [Linux] and Disable Tanium Recorder [Linux].
    • These newly named packages will be consistent packages used and delivered with any module that uses the Tanium Recorder.
  • Removes Integrity Monitor Is Legacy Supported and Integrity Monitor Is Recorder Supported sensors.
    • These sensors are no longer used during targeting. The logic has been pushed down to the Windows endpoints.
    • The sensors are no longer imported with the solution but the contents of the scripts have been removed from previous installations.
  • Adds python to Integrity Monitor - Tools [Windows] package to allow for similar content behavior in the future for Windows and Linux endpoints.
    • Moves Windows Integrity Monitor Endpoint Config Needed sensor implement to use python.
    • Moves Windows install endpoint config logic to python.
    • Moves Windows install tools logic to python.
  • Updates to Integrity Monitor Tools Status sensor.
    • Integrity Monitor Tools Status sensor is now best run in tandem with Integrity Monitor - Tools Version sensor for Windows and Linux endpoints.
    • Moves reporting of recorder version to the Integrity Monitor - Tools Version sensor.
    • Integrity Monitor Tools Status sensor still reports Install Needed, but it is no longer used for targeting tools. Targeting for tools uses Integrity Monitor - Tools Version.
      • The Windows and Linux targeting now looks for Windows Package Required or Linux Package Required messages respectively.
  • RBAC additions
    • Adds Tanium Recorder Administrator role.
    • Adds Tanium Recorder content set to manage enable and disable recorder packages.
  • Adds Details column to Integrity Monitor Endpoint Config Needed and Negative Config needed sensors to provide reasons why config is needed.
  • Updates targeting of actions generated during deploy monitors.
    • Integrity Monitor Endpoint Tools actions now target based on the Integrity Monitor - Tools Version sensor.
    • Integrity Monitor Endpoint Tools actions no longer target based on Is Legacy or Is Recorder sensors. That switch is determined at the endpoint.
  • Adds logging of Integrity Monitor actions and sensor executing that exists on the Linux endpoints today.
  • Adds distribution of Index to any endpoint within a Windows or Windows Legacy monitor.
    • Adds distribution of im_index_config.ini to endpoints within a Windows Legacy monitor.
      • Note: the Index process itself must be started using the content from Index on Windows Legacy.

Resolved Issues

  • Fixes an issue where watchlists column is empty in some cases from Windows endpoints.
  • Fixes an issue where updating a watchlist name does not mark monitors using that watchlist as needing deployment.
  • Fixes an issue where creating a Tanium Connect connection from a monitor with no description would generate a connection description with null in it.
  • Fixes an issue where legacy linux options were not allowed into the config overrides file.
  • Fixes an issue where Windows initial deployments could install the wrong monitor config.
  • Fixes an issue where the IM process on a linux endpoint would restart the index process too often when recorder was disabled.
  • Upgrades Linux and Windows Index to 2.4.1.0024
    • Fixes an issue where Index on Windows would throw a constraint violation during install of Windows Updates.
    • Reduces CPU usage of Index when processing large Integrity Monitor watchlists.
    • Fixes an issue where Index would emit IM events with zero-value timestamps.
    • Fixes an issue where Index on Windows would not purge bad entries in the database.
    • Fixes an issue where Index on Linux would not correctly emit Integrity Monitor delete events.
    • Fixes an issue where Index on Windows would unnecessarily abort Indexing if file info was incomplete.
    • Improves clarity of log messages around volume hashing.
  • Upgrades Linux Recorder to 1.0.34.10
    • Fixes high CPU issue when using path filters as well as other performance and accuracy fixes
    • Fixes an issue where audit rules are not removed when recorder exists on error causing /var/log/audit to fill up.
    • Add `<unknown>` if part of path missing for certain events
  • Upgrades Windows Recorder to 1.1.31.3417
    • Improved command line mappings.
    • Enable running Recorder through Client Extensions

Additional Information

Known Issues and Workarounds

  • The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.

Requirements

  • Tanium Platform 7.0.314.6422 and above.
    • For older 7.0 builds, please consult your Technical Account Manager for assistance.
  • Tanium Platform 7.1.314.3071 and above for RBAC support.
  • Tanium Connect 4.0 and above.
  • Legacy Windows support requires Tanium Index 1.6.0 and above.
  • Monitoring permission change events.
    • Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
    • Windows NT 6.0 (Windows Server 2008 / Windows Vista) or below requires setting Tanium Index config setting ScanFilePermissions=on.

Supported Tanium Platforms

Tanium Server 7.0, 7.1, 7.2, 7.3

Product Documentation and Resources

Integrity Monitor Documentation