Release Notes Integrity Monitor (Version 1.9)
Thank you for choosing Tanium. This document describes the 1.9 releases of Tanium Integrity Monitor.
Important Notes
Integrity Monitor 1.9.0.0057 resolves an issue with Connect connections created from Legacy Windows monitors. Any connection created before this version that uses either the Integrity Monitor Legacy File Event Details or the Integrity Monitor Legacy File Event Overview Saved Question must be deleted and recreated. This includes connections created with the button on the monitor page of the Integrity Monitor interface.
Integrity Monitor 1.8.1.0013 includes updated SQLite routines that are required by a pending revision of SQLite bundled in Tanium's core Python content. Modules that use core Python will begin to include the updated content on 6/25/2019. Integrity Monitor must be upgraded to 1.8.1 or later before importing or upgrading any module or content pack that uses the updated content. Contact your TAM with any questions.
The releases of Tanium Trace 2.9.0.0035, Threat Response 1.2.0.0037, Map 1.1.1.0006, and Integrity Monitor 1.7.0.0035 all include a significant change to how the endpoint recorder technology is distributed and managed. If any one of these products is updated in an active environment, all of the others must be updated to at least the minimum versions listed above at the same time. Failing to do so may degrade functionality and produce erroneous sensor results from the products that have not been updated. Tanium avoids introducing dependencies between product releases whenever possible, but it is required in this case to support significant new functionality.
Tanium Integrity Monitor 1.9.4.0002
Release Date: October 15th, 2019
Resolved Issues
- Resolves an issue where the Integrity Monitor Endpoint Process Start package could fail to start the Correlation Engine on Windows endpoints because of a race condition.
Tanium Integrity Monitor 1.9.3.0006
Release Date: September 24th, 2019
Resolved Issues
- Exposed recorder audisp and auditd settings via config overrides.
- Fixes an issue where the "Integrity Monitor - Install Tools" and "Integrity Monitor Endpoint Config" packages could wrongly terminate an unrelated process whose PID had once belonged to the Integrity Monitor process and had since been recycled by the operating system.
- Upgrades Tanium Python to 1.0.3.2
- Upgrades Windows Tanium Recorder to 1.1.31.3920
- Upgrades Tanium Endpoint Index to 2.4.5.0009
- Fixes issues where Index was not properly honoring Integrity Monitor Exclusions
- Fixes an issue where Created and Modified times were swapped on Windows
- Fixes an issue where Integrity Monitor deletion records could be duplicated.
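The PID-recycling item above describes a classic failure mode: a tools package remembers the PID of the process it started and later kills "that PID", but the original process has exited and the kernel has handed the number to something else. The following Python is an added example, not Tanium's code and not a description of how the fix was implemented. It records more than the PID (kernel start time and executable path) and re-verifies that identity before signalling. The `/proc` reader is Linux-specific; the process table, the hypothetical `/opt/Tanium/TaniumClient/extensions/im` path and the hash-like tick values in `demo()` are constructed for illustration.

```python
"""PID-reuse-safe termination (added example, not Tanium code)."""
import os
import signal
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class ProcIdentity:
    pid: int
    start_ticks: int  # kernel start time in clock ticks since boot; differs for a recycled PID
    exe: str          # resolved executable path


def read_identity_linux(pid: int) -> Optional[ProcIdentity]:
    """Current identity of `pid` from /proc, or None if no such process exists.
    Field 22 of /proc/<pid>/stat is starttime. We split after the last ')' because
    the comm field (field 2) may itself contain spaces or parentheses.
    PermissionError (another user's process) is deliberately left to propagate."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
        exe = os.readlink(f"/proc/{pid}/exe")
    except (FileNotFoundError, ProcessLookupError):
        return None
    fields_after_comm = stat[stat.rfind(")") + 2:].split()  # element 0 is field 3
    return ProcIdentity(pid, int(fields_after_comm[19]), exe)  # index 19 -> field 22


def same_process(recorded: ProcIdentity, current: Optional[ProcIdentity]) -> bool:
    """Identity match on PID, start time and executable, not on PID alone."""
    return current is not None and current == recorded


def safe_terminate(recorded: ProcIdentity,
                   read_identity: Callable[[int], Optional[ProcIdentity]] = read_identity_linux,
                   kill: Callable[[int, int], None] = os.kill) -> str:
    """Return 'gone', 'recycled' or 'terminated'. Only a verified match is signalled.
    A naive `os.kill(recorded.pid, SIGTERM)` would kill whatever owns the PID now."""
    current = read_identity(recorded.pid)
    if current is None:
        return "gone"
    if not same_process(recorded, current):
        return "recycled"  # PID now belongs to an unrelated process: do NOT kill it
    kill(recorded.pid, signal.SIGTERM)
    return "terminated"


def demo() -> Dict[str, object]:
    """Constructed process table (not a real system): PID 4242 was the monitor but has
    been recycled to an unrelated sshd, PID 5150 is still the monitor, PID 6000 is gone."""
    im_exe = "/opt/Tanium/TaniumClient/extensions/im"  # hypothetical path
    table = {
        4242: ProcIdentity(4242, 1_234_567, "/usr/sbin/sshd"),  # same PID, different process
        5150: ProcIdentity(5150, 2_000_000, im_exe),
    }
    killed = []

    def fake_kill(pid: int, sig: int) -> None:  # stands in for os.kill in the demo
        killed.append(pid)

    return {
        "recycled_pid": safe_terminate(ProcIdentity(4242, 1_000_000, im_exe), table.get, fake_kill),
        "live_pid": safe_terminate(ProcIdentity(5150, 2_000_000, im_exe), table.get, fake_kill),
        "exited_pid": safe_terminate(ProcIdentity(6000, 3_000_000, im_exe), table.get, fake_kill),
        "killed": killed,
    }


if __name__ == "__main__":
    print(demo())
```

Even with the check there is a small window between reading the identity and sending the signal; on Linux 5.3+ with Python 3.9+, `os.pidfd_open` plus `signal.pidfd_send_signal` closes it, because a pidfd refers to the process rather than to the number. On Windows the equivalent check compares the process creation time returned by `GetProcessTimes` with the value recorded at launch.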
Tanium Integrity Monitor 1.9.2.0003
Release Date: September 3rd, 2019
Resolved Issues
- Mitigates an issue where deployment of monitors would fail when the Tanium Server uses a Microsoft SQL Server database and SQL Server resolved a deadlock by terminating the deployment's transaction. This issue has been most prevalent on Tanium Server 7.3.314.4101 and later.
- Resolves an issue where the Integrity Monitor Correlation Engine process on Windows could leave file handles open, causing the Tanium Client to hang on client versions prior to 7.2.314.3518.
Tanium Integrity Monitor 1.9.1.0007
Release Date: August 13th, 2019
Resolved Issues
- Fixes an issue where the Integrity Monitor endpoint process could cause high CPU utilization when pruning a large number of events.
- Upgrades Tanium Recorder on Linux to version 1.0.34.15
- Allows for the use of q_depth setting in auditd configuration when running in Integrity Monitor only mode.
Security Update
This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.
Tanium Integrity Monitor 1.9.0.0057
Release Date: July 30th, 2019
Feature Improvements
- Adds the ability to enable hash and event mode together for Windows endpoints.
  - Correlates real-time events with interval-based hash checking.
  - Detects and ignores real-time false writes by checking whether the file hash actually changed.
  - Real-time events that do not correlate to a hash-based event within 6 hours are surfaced without a hash. Until that 6-hour timeout, the real-time event is not visible.
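The three correlation rules above (enrich on a changed hash, drop on an unchanged hash, surface without a hash after 6 hours) are easier to reason about as a small state machine. The following Python is an added example, not Tanium's code; the event and hash-check record shapes, the `HybridCorrelator` class, the paths and the placeholder hash strings in `demo()` are all constructed for illustration, and nothing on this page describes Tanium's actual data model.

```python
"""Model of hybrid (hash + real-time event) correlation (added example, not Tanium code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CORRELATION_WINDOW = 6 * 3600  # seconds; the 6-hour timeout named in the release notes


@dataclass(frozen=True)
class RealtimeEvent:
    path: str
    ts: int          # epoch seconds when the recorder saw the write
    op: str = "write"


@dataclass(frozen=True)
class HashCheck:
    path: str
    ts: int
    old_hash: str    # hash from the previous interval
    new_hash: str    # hash computed at this interval


@dataclass(frozen=True)
class Finding:
    path: str
    ts: int
    op: str
    new_hash: Optional[str]   # None when surfaced after the timeout without a hash


class HybridCorrelator:
    def __init__(self, window: int = CORRELATION_WINDOW) -> None:
        self.window = window
        self._pending: Dict[str, List[RealtimeEvent]] = {}
        self.findings: List[Finding] = []

    def realtime(self, ev: RealtimeEvent) -> None:
        """Real-time events are held, not shown, until correlated or timed out."""
        self._pending.setdefault(ev.path, []).append(ev)

    def hash_check(self, hc: HashCheck) -> None:
        """Interval hash result for one path. A changed hash confirms and enriches every
        pending event that preceded the check; an unchanged hash means those writes did
        not alter content (false writes) and they are dropped."""
        still_pending: List[RealtimeEvent] = []
        for ev in self._pending.get(hc.path, []):
            if ev.ts > hc.ts:
                still_pending.append(ev)   # event arrived after this check; wait for the next
            elif hc.new_hash != hc.old_hash:
                self.findings.append(Finding(ev.path, ev.ts, ev.op, hc.new_hash))
            # else: hash unchanged -> false write, silently discarded
        if still_pending:
            self._pending[hc.path] = still_pending
        else:
            self._pending.pop(hc.path, None)

    def expire(self, now: int) -> None:
        """Events uncorrelated for a full window surface without a hash."""
        for path in list(self._pending):
            keep = [ev for ev in self._pending[path] if now - ev.ts < self.window]
            for ev in self._pending[path]:
                if now - ev.ts >= self.window:
                    self.findings.append(Finding(ev.path, ev.ts, ev.op, None))
            if keep:
                self._pending[path] = keep
            else:
                del self._pending[path]

    def pending_count(self) -> int:
        return sum(len(v) for v in self._pending.values())


def demo() -> HybridCorrelator:
    """Constructed scenario: three watched files, one interval hash pass an hour later.
    hosts really changed; web.config was rewritten with identical content (false write);
    app.exe has not been hashed yet and stays hidden until the 6-hour timeout."""
    c = HybridCorrelator()
    t0 = 1_564_444_800  # constructed epoch, 2019-07-30
    hosts, webcfg, app = (r"C:\Windows\System32\drivers\etc\hosts",
                          r"C:\inetpub\wwwroot\web.config",
                          r"C:\Program Files\App\app.exe")
    c.realtime(RealtimeEvent(hosts, t0 + 10))
    c.realtime(RealtimeEvent(webcfg, t0 + 20))
    c.realtime(RealtimeEvent(app, t0 + 30))
    c.hash_check(HashCheck(hosts, t0 + 3600, "a1", "b2"))    # placeholder hashes: changed
    c.hash_check(HashCheck(webcfg, t0 + 3600, "c3", "c3"))   # placeholder hashes: unchanged
    c.expire(t0 + 30 + CORRELATION_WINDOW - 1)               # one second short: app.exe still hidden
    return c


if __name__ == "__main__":
    c = demo()
    print(c.findings, c.pending_count())
```

The model makes the operational consequence of the rules visible: an attacker-written file that the interval hasher has not yet reached is invisible for up to 6 hours, and a write that leaves the hash unchanged never appears at all, which is the intended false-positive suppression.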
Resolved Issues
- Fixes an issue where Integrity Monitor would try to start the endpoint process continuously when no config was present.
- Fixes an issue where the Integrity Monitor Config Needed and Integrity Monitor Negative Config Needed sensors, when run before any tools had been installed on the endpoint, returned text that could not be parsed into columns according to the sensor configuration.
- Fixes an issue where importing a watchlist file that resulted in a conflict would cause every import after that to report a conflict unless the page was refreshed.
- Fixes an issue where a large number of recorder events could cause transient incorrect correlation of Index and recorder events.
- Fixes an issue where upgrading Integrity Monitor without redeploying monitors caused tools actions to target endpoints incorrectly.
  - Note: The fix takes effect on the first deployment after upgrading to 1.9.0.
- Fixes an issue where the Connect integration for all events on Legacy Windows monitors used the Integrity Monitor Legacy File Event Details Saved Question as its source.
  - This connection now correctly uses the Integrity Monitor File Event Details Saved Question.
  - Note: Any existing connection that uses either the Integrity Monitor Legacy File Event Details or Legacy File Event Overview Saved Question must be deleted and recreated.
- Fixes an issue where users without the privileges to create/modify a monitor could use the Create and Prioritize buttons on the monitors page.
- Fixes an issue where Integrity Monitor - Remove Tools would fail to remove all intended files when the endpoint process was currently running.
- Upgrades Index to version 2.4.4.0012
  - Now uses the USN Journal timestamp for delete events to allow more accurate correlation of events.
  - Allows setting the synchronous mode of the SQLite database that Index uses via config.ini.
    - Previously this defaulted to FULL; it now defaults to NORMAL.
    - Existing installations will be updated to use NORMAL.
    - NORMAL performs fewer fsync calls than FULL, so it is faster, but a transaction committed just before a power failure or operating-system crash may be lost (SQLite documents a small corruption risk in non-WAL journal modes); transactions remain durable across application crashes. You can read more about this pragma here: https://www.sqlite.org/pragma.html#pragma_synchronous
- Upgrades Client Extensions to version 2.0.1.3737
  - Enables basic logging of extension activity by default; previously nothing was logged.
- Updates Tanium Recorder for Windows to version 1.1.31.3768
  - Fixes an issue where permission events could lose permission strings on recorder upgrade.
- Updates Tanium Recorder for Linux to version 1.0.34.14
  - Fixes an issue where running the Tanium Recorder binary through a symlink caused monitoring of the Recorder process's resource utilization, and the killswitch that depends on it, to function improperly.
Notes
- This release removes most API endpoints from the documentation available within the Integrity Monitor workbench and removes request samples from that UI page. This more accurately distinguishes the external-facing APIs from those that are not supported for external use.
Security Update
This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.
Additional Information
Known Issues and Workarounds
- The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
- Hybrid/Hashing mode on Windows can have issues when changing watchlists, including reporting events incorrectly.
Requirements
- Tanium Connect 4.0 and above.
- Monitoring permission change events on Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
Supported Tanium Platforms
Tanium Server 7.2, 7.3