Release Notes Integrity Monitor (Version 1.8)
Thank you for choosing Tanium. This document describes the release of Tanium Integrity Monitor.
Important Notes
The releases of Tanium Trace 2.9.0.0035, Threat Response 1.2.0.0037, Map 1.1.1.0006, and Integrity Monitor 1.7.0.0035 all include a significant update to how the endpoint recorder technology is distributed and managed. This update requires that if any one of the products is updated in an active environment, all of the others should be updated to at least the minimum versions specified above at the same time. Failure to do so may result in degraded functionality and potentially erroneous sensor results from those products that have not been updated. Tanium avoids the introduction of dependencies between product releases whenever possible, but it is required in this circumstance to support significant new functionality enhancements.
Integrity Monitor 1.8.1.0013 includes updated sqlite routines which are required for a pending revision of sqlite which is bundled in Tanium's core python content. Modules using core python will begin to include the updated content 6/25/2019. Integrity Monitor must be upgraded to 1.8.1+ prior to importing or upgrading any module or content pack leveraging this updated content. Please seek guidance from your TAM with any questions regarding this.
Tanium Integrity Monitor 1.8.2.0005
Release Date: July 2nd, 2019
Resolved Issues
- Fixes to address process stacking on the endpoint.
- Updates Python to fix a failure to restore suspended threads, to prevent process stacking.
- Added process group protection to Integrity Monitor Enable or Disable Endpoint Process, Integrity Monitor Endpoint Config, and Integrity Monitor Endpoint Config Negative. This was done as another layer of protection from process stacking.
- Install Tools, Install Config, and Integrity Monitor Enable or Disable Endpoint Process actions no longer start the Integrity Monitor process on Windows and Linux. If a restart is necessary, they will kill the current process and the Integrity Monitor Endpoint Process Start action will restart it within 10 minutes.
Tanium Integrity Monitor 1.8.1.0013
Release Date: June 18th, 2019
Resolved Issues
- Fixes an issue where the Integrity Monitor Endpoint Process Start action was triggered unnecessarily when a large number of events were being processed on the endpoint.
- Fixes an issue where the browser cache of the Tanium console user needed to be cleared after upgrade in order for the Integrity Monitor workbench to load strings properly.
- Fixes an issue where Windows and Windows Legacy monitors created prior to version 1.6 were not set to the correct configuration on upgrade to 1.8.0.
- Fixes an issue where Integrity Monitor Endpoint Config Needed and Integrity Monitor Endpoint Negative Config Needed sensors would always return "True|Tools out of date".
- Fixes an issue where Integrity Monitor - Remove Tools [Linux] would not remove Index when appropriate to do so.
- Fixes an issue where Integrity Monitor Endpoint Config [Windows] package could stack python processes.
- Upgrades Tanium Recorder on Windows to 1.1.31.3703
- Fixes an issue where DNS events were blocked from being recorded when Integrity Monitor was installed beside Trace, Threat Response, or Map.
- Fixes an issue where ConfirmFileWrites would cause files to be locked.
- Fixes an issue where signature verification would cause issues by keeping files open.
- Upgrades Client Extensions to 2.0.1.3682
- Fixes an issue where unread mailbox requests were not properly removed if no longer needed, which could result in a large number of files being present on the endpoint.
- Upgrades lib-tanium-cx to 0.0.1.49
- Fixes an issue where some client extension requests took longer than the default timeout allowed, resulting in false positives for inactive listeners.
- Fixes an issue where client extension requests were not being timed out correctly.
- Fixes an issue where previous client extension install failures were not being cleaned up properly.
- Fixes an issue where the Tanium Client was causing client extension installation failures due to keeping TaniumTrace.dll open.
Tanium Integrity Monitor 1.8.0.0067
Release Date: May 28, 2019
Feature Improvements
- Adds a mode configuration option for Windows monitors to detect changes based on events or periodic hashing.
  - Event mode detects file changes based on events from the operating system.
  - Hash mode detects file changes based on periodic hash comparisons.
- Adds Integrity Monitor Endpoint Process Start [Windows] package to ensure the endpoint process is running. This saved action is scheduled to deploy every 10 minutes as needed.
- Improves Integrity Monitor upgrade reliability by removing dependency directories on upgrade.
- Adds a message to the Integrity Monitor home page when changes to configuration overrides require a restart.
- Service account changes
  - Adds a new Service Account tab to the Settings page for a consistent look and behavior across products.
  - Updates the ‘Service account is not set’ warning on the Integrity Monitor Home page to link to the new Service Account tab.
  - Adds a Home page wizard step for configuring the service account.
  - Adds an empty state to the General Settings tab on the Settings page when the service account has not been set.
  - Dynamically shows the RBAC/non-RBAC permissions needed in the service account description text.
- Updates Integrity Monitor Tools Status sensor.
  - Single sourced into Python for Linux and Windows.
  - Status message updates
    - ‘Integrity Monitor is healthy’ indicates everything is working correctly.
    - ‘Integrity Monitor needs attention - Subsystem: {subSystemName}’ indicates there is an issue to investigate. The subsystems that could be mentioned here are Tanium Index, Tanium Recorder, or the endpoint Integrity Monitor process.
  - Tanium Index and Tanium Recorder specific errors are now prefixed with Index and Recorder respectively.
  - Will no longer report status on dependencies like Python and auditd when everything is OK. Messages will be reported if there are errors with those dependencies.
- Legacy Windows monitors will now start Index in addition to previously deploying it.
Resolved Issues
- Fixes an issue where events for a Windows monitor would return an error if it contained a watchlist name containing the ‘&’ character.
- Fixes an issue in hybrid monitoring mode (both Event Monitoring and Hash Monitoring) when trying to retrieve many permission events during correlation.
- Fixes an issue where open Integrity Monitor - Tools actions for Linux and Windows should be stopped when monitors are deployed.
- Fixes an issue where open Integrity Monitor Endpoint Process Start actions should not be stopped when monitors are deployed.
- Fixes an issue where deploying monitors after staging all monitors for deletion causes an error.
- Fixes an issue where making changes to the configuration overrides was not prompting the user to restart the service.
- Fixes an issue where disabling the Linux Tanium Recorder would stop auditd on target machines.
- Fixes to AIX and Solaris content.
- Updates Tanium Index to 2.4.4.0003.
- Fixes an issue where Index would throw "Database is locked" exceptions at the end of initial indexing on Windows.
- Updates the crash dump size on Windows to be the smallest possible value to reduce excessive disk space use.
- Fixes an issue where watchlist exclusions were not being honored.
- Fixes an issue where create and write events could not be turned off per path.
- Fixes an issue where symbolic link updates had `(directory)` in the detail.
- Updates Linux Tanium Recorder to 1.0.34.0013.
- Fixes an issue where disabling Recorder could result in empty auditd.conf.
- Updates Windows Tanium Recorder to 1.1.31.3624.
- Fixes a regression in filtering all registry and some network events. This issue was causing CPU usage and buffer space for events that Integrity Monitor does not currently use.
Security Update
This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.
Additional Information
Known Issues and Workarounds
- The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
- Installing Integrity Monitor together with Trace or Threat Response will stop DNS events from being recorded by Trace or Threat Response.
Requirements
- Tanium Connect 4.0 and above.
- Monitoring permission change events.
  - Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
Supported Tanium Platforms
Tanium Server 7.2, 7.3