Release Notes Integrity Monitor (Version 2.2)
Thank you for choosing Tanium. This document describes the release of Tanium Integrity Monitor.
Announcements
The Tanium Integrity Monitor product team is announcing that as of March 31, 2020, Integrity Monitor will be removing support for the following features:
- Legacy Windows support (Windows older than Windows 7 / Server 2008R2)
- Tanium Event Recorder 1.X
Tanium Integrity Monitor versions released after 3/31/20 will no longer contain these features. After 3/31/20, the product team will continue to support existing customers who are still using Integrity Monitor versions released prior to this date and will provide guidance to customers who need assistance migrating to the latest releases. Prior versions containing these features will continue to be supported per your support agreement with Tanium.
If you have concerns about this change and would like to discuss it in detail, please contact your Tanium Integrity Monitor SME.
Important Notes
Integrity Monitor 2.2.0.0064 adds support for the 7.4 version of the Tanium Client, including updates to the Python runtime version and supporting libraries.
Integrity Monitor 2.1.0.0057 includes an update to the AIX/Solaris tooling that filters out any files that are not regular files or directories (e.g. named pipes). This requires a new baseline to be established, which means that when upgrading to this version, the first install of tools can potentially have a number of false events reported. After this, there should be no more false events. Talk with your TAM if you would like to know more or would like a workaround for not receiving these false events.
The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.0 versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.
Tanium Integrity Monitor 2.2.1.0011
Release Date: February 25, 2020
Feature Improvements
- Import and automatically configure default settings and dependencies for Integrity Monitor with Tanium Core Platform 7.4.2 or later.
- Automatic configuration does the following:
  - Sets up a service account
  - Sets up an action group
  - Sets up watchlists for all supported OSes, based on the critical OS watchlist templates
  - Sets up a monitor for each supported OS targeting:
    - Windows: All Windows Servers 2008 R2 and up
    - Linux: All Linux endpoints
    - AIX: All AIX endpoints
    - Solaris: All Solaris endpoints
  - Deploys the monitors
- Note: When using automatic configuration with Integrity Monitor, there can be a slight delay between when configuration finishes and when actions are created for the deployment. The Deploy Now banner may also be shown for a short period of time. This is because the deployment starts during automatic configuration but is not awaited. We are looking to improve this user experience in the future.
Resolved Issues
- Resolves an issue where client extension errors unrelated to Integrity Monitor could show up when using the Integrity Monitor Endpoint Tools Status sensor.
Known Issues
- There is a slight discrepancy between the text shown when importing and automatically configuring Integrity Monitor and the actions taken during that configuration. The text says that monitors are deployed only after an administrator deploys them manually, but the monitors are deployed automatically through the configuration process, if no errors occur. The text will be updated in the next release.
- The on-endpoint database used to store events (im.db) is limited in the number of events it will keep but not in the amount of baseline data, which can result in large databases, particularly when the watchlist definition captures a large number of files. There are a couple of issues being resolved for this and the hotfix will be available shortly.
Dependencies
- Index 2.5.3.0005
  - Resolves a couple of issues around unsubscribing from Client Recorder Extension 2 when Index is uninstalled.
  - Resolves an issue where Index would stop indexing files if Firefox’s SafeBrowsing database was updated.
- Tanium Client Recorder Extension: 2.1.0.1679
  - Resolves an issue where Client Recorder Extension 2 was not installing properly on SELinux systems set to enforce.
  - Resolves an issue where uninstalling Client Recorder Extension 2 could leave orphaned subscriptions, and subsequent installs would take an auditd reboot to fix.
  - Resolves an issue where installation could take a large amount of time and cause issues with action timeouts because of excessive logging.
- Tanium Python Version (2.7): 1.2.0.2
- Tanium Python Version (3.8): 1.2.0.2
- Tanium Client Extensions: 2.0.1.3930
Tanium Integrity Monitor 2.2.0.0064
Release Date: February 6, 2020
Feature Improvements
- Adds Tanium Client 7.4 and Python 3.8 compatibility
  - Python 3.8 is currently used only for sensors on Windows endpoints that have Tanium client version 7.4
- A number of performance improvements were made, particularly when dealing with a large number of index events being present as well as when dealing with events that are processed out of order.
- Adds Previous Hash and Current Hash columns to AIX/Solaris event sensors
- Further watchlist template enhancements
- Adds an override capability to force a distribute over time on all Integrity Monitor Endpoint Config actions, if needed.
  - Please consult with your TAM on how to apply this setting
Resolved Issues
- Resolves an issue where it was possible to spawn background work on the Tanium Module Server that would never finish.
- Resolves an issue with the Integrity Monitor Endpoint Config Status sensor where the sensor was not checking for the correlation engine to be running as part of the Is Recording column answer.
- Resolves an issue where the Integrity Monitor Endpoint Debug Zip package would stop collecting files if one failed to be collected.
- Resolves an issue where some recorder events would take longer than necessary to show up in event sensors if no index information was also present for the event when in hybrid mode.
- Resolves an issue where using event only or hybrid mode could spike CPU usage for some time while a new watchlist config was installed on an endpoint in certain cases.
- Resolves an issue where in event only mode, deploying any configuration would result in restarting index on the endpoint, even when Integrity Monitor was not configured to use it.
- Resolves an issue where Integrity Monitor Endpoint Tools Status would show an error for file permission auditing being disabled, even though nothing in the watchlist for that endpoint requested permission changes.
- Resolves an issue where some recorder events would be dropped erroneously due to an improper subscription to events with Client Recorder Extension 2.0.
- Resolves an issue where users with the Integrity Monitor Administrator role did not have access to the Integrity Monitor Endpoint Debug Zip packages for troubleshooting and log gathering.
  - This package will now be in the Integrity Monitor Troubleshooting content set.
  - Upgrades to this version will require checking the Overwrite Content Set checkbox on import or manually moving the packages to this content set to realign the content.
Security
- This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.
Known Issues
- If the Integrity Monitor - Remove Tools [Linux] package is run against existing Tanium Integrity Monitor enabled endpoints and Integrity Monitor is later reinstalled, the required TaniumAuditPipe process may fail to restart. Stopping and restarting auditd will resolve this. Initial installation and client upgrades are not affected by this. This is prioritized for a hotfix which will be released shortly.
- The on-endpoint database used to store events (im.db) is limited in the number of events it will keep but not in the amount of baseline data, which can result in large databases, particularly when the watchlist definition captures a large number of files. There are a couple of issues being resolved for this and the hotfix will be available shortly.
Dependencies
- Tanium Index: 2.5.2.0003
- Tanium Client Recorder Extension: 2.0.1.4070
- Tanium Python Version (2.7): 1.2.0.2
- Tanium Python Version (3.8): 1.2.0.2
- Tanium Client Extensions: 2.0.1.3930
Additional Information
Known Issues and Workarounds
- The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
- Hybrid/Hashing mode can have issues when changing watchlists, including reporting events incorrectly.
- Some delete events may not contain the entire path on Linux endpoints.
Requirements
- Tanium Connect 4.0 and above.
- Monitoring permission change events.
  - Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
Supported Tanium Platforms
Tanium Server 7.2, 7.3, 7.4