IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Integrity Monitor (Version 2.1)

From Tanium Knowledge Base

Thank you for choosing Tanium. This document describes the release of Tanium Integrity Monitor.

Important Notes

Integrity Monitor 2.1.0.0057 includes an update to the AIX/Solaris tooling that filters out any files that are not regular files or directories (e.g. named pipes). This requires a new baseline to be established, which means that when upgrading to this version, the first install of tools can potentially have a number of false events reported. After this, there should be no more false events. Talk with your TAM if you would like to know more or would like a workaround for not receiving these false events.

The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.0 versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.

Integrity Monitor 1.9.0.0057 includes a resolved issue for connections made on Legacy Windows monitors. Any connections made prior to this version will need to be deleted and remade if they are using either of the Integrity Monitor Legacy File Event Details/Overview Saved Questions. This includes connections made via the button within the Integrity Monitor interface on the monitor page.

Integrity Monitor 1.8.1.0013 includes updated sqlite routines which are required for a pending revision of sqlite which is bundled in Tanium's core python content. Modules using core python will begin to include the updated content 6/25/2019. Integrity Monitor must be upgraded to 1.8.1+ prior to importing or upgrading any module or content pack leveraging this updated content. Please seek guidance from your TAM with any questions regarding this.


The Tanium Integrity Monitor product team is announcing that as of March 31, 2020, Integrity Monitor will be removing support for the following features:

  • Legacy Windows support (Windows older than Windows 7 / Server 2008R2)
  • Tanium Event Recorder 1.X

Tanium Integrity Monitor versions released after 3/31/20 will no longer contain these features. After 3/31/20 the product team will continue to support any existing customers who are still using Integrity Monitor versions released prior to this date and will provide guidance to customers who need assistance with migration to the latest releases. Prior versions containing these features would continue to be supported per your support agreement with Tanium.

If you have concerns regarding this and would like to discuss it in detail, please contact your Tanium Integrity Monitor SME.

Tanium Integrity Monitor 2.1.2.0004

Release Date: January 2, 2020

Resolved Issues

  • Resolves an issue where a single process that triggered events on files that were included and excluded from the watchlist would cause some events to be missing process and user information.
  • Updated Tanium Index to 2.5.2.0003
    • Resolves an issue where index could report the wrong path or operation type for an Integrity Monitor event.
    • Resolves an issue where the Index db could be corrupted when IM is configured to watch the Tanium Client directory.
    • Resolves an issue where index scan timings would be persisted as timestamps from far in the future.
  • Updated Tanium Client Recorder Extension 2.0 to 2.0.1.4067
    • Resolves an issue where the Recorder - Extension Settings package did not include a way to adjust ResourceMonitorCPUPercent
    • Allows for resource monitor threshold retries to be attempted. Speak with your TAM for guidance on how and when to use this.

Known Issues

  • If the Integrity Monitor - Remove Tools [Linux] package is run against existing Tanium Integrity Monitor enabled endpoints and Integrity Monitor is later reinstalled, the required TaniumAuditPipe process may fail to restart. Stopping and restarting auditd will resolve this. Initial installation and client upgrades are not affected by this. This is prioritized for a hotfix which will be released shortly.

Tanium Integrity Monitor 2.1.1.0002

Release Date: December 10, 2019

Feature Improvements

  • Includes new packages for interacting with Client Recorder Extension 2.0. Please consult with your TAM before using these packages.
    • Recorder - Set Recorder Extension Setting (Linux and Windows)
    • Recorder - Clear Recorder Extension Setting (Linux and Windows)
    • Recorder - Enable Recorder Extension (Linux and Windows)
    • Recorder - Disable Recorder Extension (Linux and Windows)
    • Recorder - Enable Sysmon Event Source [Windows]

Resolved Issues

  • Resolves an issue where the Recorder - Reset Resource Monitor [Linux] package would error on usage.
  • Resolves an issue where Integrity Monitor - Tools [Linux] package would fail to upgrade the Client Recorder Extension if the Linux distribution did not use SELinux.


Tanium Integrity Monitor 2.1.0.0057

Release Date: December 3, 2019

Feature Improvements

  • Adds watchlist path wildcards and includes
    • Watchlist paths can now have wildcards in them. For watchlist paths, a wildcard (*) will match anything within the encasing characters, but not across path separator boundaries. You can also use a (?) to match any single character.
    • Watchlist paths can now have associated includes. These includes pare down what will be monitored on the given path. For includes, a wildcard(*) will match anything, including across path separator boundaries (similar to wildcards for file excludes). You can also use a (?) to match any single character.
    • Watchlist path excludes have been slightly reworked. There are no longer directory excludes, only file excludes. The file excludes work as they did previously. Directory excludes that existed previously have been migrated to be equivalent file exclude pairs.
    • For more information and examples of how these work in tandem, visit the documentation within Tanium Docs.
  • Updates the watchlist templates to be less noisy and utilize new wildcard and include functionality.
  • Adds support for importing includes from TripWire paths.
  • Updates the hexagon stats to gather data only from monitored computer groups at the last time of deployment.
  • Adds two packages for deleting the debug zip file made on an endpoint
    • Integrity Monitor Endpoint Delete Debug Zip [Windows]
    • Integrity Monitor Endpoint Delete Debug Zip [Linux]
  • Adds a clean up of the debug zip generated by the Integrity Monitor Endpoint Debug Zip packages within the correlation engine. This will clean up debug zip files older than a week, and checks for this every 6 hours.
  • Adds more files to the debug zip generated by the Integrity Monitor Endpoint Debug Zip packages, including Client Recorder Extension 2.0 configuration information related to Integrity Monitor, as well as the extension logs.
  • Adds a max string age setting of 48 hours to the following sensors. Note: this setting only applies for those running Tanium Server 7.3.314.4101+
    • Integrity Monitor File Events Details
    • Integrity Monitor File Events Overview
    • Integrity Monitor Legacy File Events Details
    • Integrity Monitor Legacy File Events Overview
  • Allows no monitor id to be supplied to Integrity Monitor Legacy File Events Details and Overview sensors in AIX and Solaris. When no monitor id is supplied, all appropriate endpoints will return their data.
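
The wildcard rules for watchlist paths, includes and file excludes described above can be modelled to check which files a watchlist entry covers. This is an added example, not Tanium's code. It assumes that includes and excludes are tested against the path below the watched directory, that excludes take precedence, and that `?` in a watchlist path does not match a separator; the function names and sample paths are constructed.

```python
import re

SEP = r"/\\"  # both POSIX and Windows separators count as path boundaries

def to_regex(glob, star_crosses_sep):
    """Translate '*' and '?' globs into regex source; all else is literal."""
    out = []
    for ch in glob:
        if ch == "*":
            out.append(".*" if star_crosses_sep else f"[^{SEP}]*")
        elif ch == "?":
            # Assumption: in a watchlist path, '?' does not match a separator.
            out.append("." if star_crosses_sep else f"[^{SEP}]")
        else:
            out.append(re.escape(ch))
    return "".join(out)

def below_watch_path(path_glob, file_path):
    """Return the part of file_path under the watched directory, else None."""
    prefix = to_regex(path_glob.rstrip("/\\"), star_crosses_sep=False)
    m = re.fullmatch(f"{prefix}[{SEP}](.+)", file_path, re.S)
    return m.group(1) if m else None

def is_monitored(path_glob, includes, excludes, file_path):
    rel = below_watch_path(path_glob, file_path)
    if rel is None:
        return False
    def hit(globs):
        return any(re.fullmatch(to_regex(g, True), rel, re.S) for g in globs)
    # Assumptions: includes/excludes are tested against the path below the
    # watched directory, no includes means "everything", excludes win.
    if includes and not hit(includes):
        return False
    return not hit(excludes)

def unmonitored(path_glob, includes, excludes, files):
    """List the files that fall outside the watchlist entry (coverage gaps)."""
    return [f for f in files if not is_monitored(path_glob, includes, excludes, f)]

# Constructed sample paths, not taken from a real watchlist or endpoint.
SAMPLE_FILES = [
    "/opt/app1/conf/server.xml",           # covered
    "/opt/app1/conf/vhosts/site/web.xml",  # covered: include '*' crosses '/'
    "/opt/app1/conf/cache/tmp.xml",        # dropped by the file exclude
    "/opt/app12/conf/server.xml",          # '?' matches exactly one character
    "/opt/app1/extra/conf/server.xml",     # path wildcards stop at '/'
]

if __name__ == "__main__":
    for f in unmonitored("/opt/app?/conf", ["*.xml"], ["cache/*"], SAMPLE_FILES):
        print("not monitored:", f)
```

Running a watchlist entry against a file inventory this way shows where a path wildcard that stops at a separator leaves nested directories unwatched.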

Resolved Issues

  • Resolves an issue where large numbers of events in the index database can cause very slow performance in the correlation engine.
  • Resolves an issue where, when changing watchlists while in hash only or hybrid mode, the correlation engine would erroneously allow false events from Index to surface.
  • Resolves a few issues where the correlation engine could create and use large numbers of previous watchlists used to filter false index events, causing performance degradation.
  • Resolves an issue where Integrity Monitor would erroneously report permission change events on files that were not previously watched for permission changes when using hash only or hybrid mode.
  • Resolves an issue where endpoints using Client Recorder Extension 2.0 were not reporting the status of the endpoint's audit policy required for permission auditing when the policy was not set correctly.
  • Resolves an issue where the content category for Integrity Monitor - Tools Version sensor was set incorrectly.
  • Resolves an issue where AIX endpoints would report false writes.
  • Resolves an issue where AIX and Solaris endpoints would report false creates when the watchlists were changed.
  • Resolves an issue where the Integrity Monitor Endpoint Config Priority sensor would return different results on Linux and Windows vs AIX and Solaris.
  • Resolves an issue where watchlists with conflicting excludes in the same monitor would not be honored properly.
  • Resolves an issue where TripWire imports with stop points were not being imported properly.
  • Resolves an issue where uninstallation of Integrity Monitor tools on a Linux or Windows endpoint could fail in some cases.
  • Resolves an issue where installation of Integrity Monitor tools on a Linux or Windows endpoint could fail in some cases.
  • Updated Tanium Index to 2.5.1.0003
    • Resolves an issue where the Index Status sensor incorrectly reported an error when reading from the Recorder.
    • Resolves an issue where Index would not wait the entire Rescan Interval between scans.
    • Resolves an issue where Index on Windows would emit many incorrect IM events.
    • Resolves an issue where Index on Windows would emit a constraint violation error when Firefox or Chrome browsers were upgraded.
  • Updated Tanium Client Recorder Extension 2.0 to 2.0.1.4052
    • Resolves an issue where permission events caused by the use of chmod on Linux endpoints were not captured correctly.
    • Resolves an issue where upgrades from Client Recorder Extension 1.0 to 2.0 did not properly respect previous auditd raw logging configurations in some cases, as well as updates to work with older versions of auditd to configure raw logging.
    • Resolves an issue where monitoring permission events for files on Windows endpoints would cause the audit bit on the file to be set hourly.

Notes

  • This release requires Linux endpoints to have Tanium Client version 7.2.314.3211 or greater installed. Installation of Integrity Monitor tools on a Linux endpoint with a Tanium Client version below this will fail.

Security Update

This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Additional Information

Known Issues and Workarounds

  • The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
  • Hybrid/Hashing mode can have issues when changing watchlists, including reporting events incorrectly.
  • Some delete events may not contain the entire path on Linux endpoints.

Requirements

  • Tanium Connect 4.0 and above.
  • Monitoring permission change events.
    • Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.

Supported Tanium Platforms

Tanium Server 7.2, 7.3

Product Documentation and Resources

Integrity Monitor Documentation