IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Tanium Server (Version 7.3.314.4101)

From Tanium Knowledge Base
Jump to navigation Jump to search

Thank you for choosing Tanium.  The following Release Notes document changes between releases of the Tanium Server.
This platform release includes the release of both a Windows and Linux Tanium Server.
The previous version can be found here: Release Notes (Version 7.3.314.3668)


Tanium Server for Windows and Linux v7.3.314.4101

General Availability Release Date: Jul 2, 2019.

Special Notes

  • Due to security issues against this release of Tanium Server, Tanium strongly recommends upgrading to at least v7.3.314.4324 if you are using this version.

New Features

  • The Tanium Server API now supports granular Module role based access controls.
  • The Tanium Server API now supports identity tokens, giving Tanium modules and other agents access to the interface without the use of schedule-plugins.
  • The Tanium Server now uses the new and improved network stack introduced in 7.3 for client communications in its HTTPS service.
  • The Tanium Server API now offers the /metrics route which exposes metrics compatible with Prometheus.
  • The Tanium Server installation now generates a SWIDTAG (software identification tag) file to comply with ISO/ IEC 19770-2.

Improvements

  • The network reset that existed in previous versions has been completely removed.
  • The Tanium Server API now supports a single-use-request route that browsers can use to efficiently retrieve large file downloads like Solution module support bundles or Trace snapshots.
  • Within the new network stack,  AcceptOps  is no longer used.
  • The Tanium Server now offers NGiNX-style http-access logs.
  • The Tanium Server API now supports retrieving a list of Saved Questions sorted by modification time, so this does not have to be done on the receiving client.
  • The Tanium Server will now transmit TLS handshake error messages to incoming connections before closing, making clear the intent to stop the exchange, both to the incoming client and to anyone troubleshooting connection failures.
  • The Global Setting archive_database_cleanup_hour is now 5 (for 5:00am UTC ) so TAMs and customers can benefit from this cleanup feature right out of the box.
  • The Tanium Server API now supports a "Synchronize Now" service for LDAP connections, in order to support that function in the CUIC.
  • The Tanium Server API now provides support for the Sensor max_strings setting, allowing CUIC to expose this to users via the Tanium Console.
  • The Tanium Server API now supports the per-Sensor setting max_string_age_minutes  (Default = 0 / disabled) which defines the amount of time that Sensor's strings will be kept in the system when they
  • Tanium Server response headers now use proper and expected casing, like Content-Length instead of  content-length.
  • The Tanium Server now supports TLS Session Ticket extensions which, in some uses, allows it to reduce the overhead of negotiating a new session every time it connects to the Tanium Module Server.
  • Authentication calls to the Tanium Server APIs are no longer artificially delayed when they are successful, which makes the system more performant.  Only failed authentications are delayed now.
  • The Tanium Server /info page now provides information on the number of active connections being used by Tanium Client registrations.
  • The Tanium Server /info page now offers more detailed information about the type of Tanium Client messages that contribute to overall outgoing traffic.
  • The Tanium Server supports again the registration_connection_limit  (Server, Numeric) Global Setting with a default value of 0 (zero), which means "unlimited". This setting can be used in extremely large deployments to limit the number of concurrent Tanium Client connections used for registration, as a means to conserve bandwidth.
  • The Tanium Server REST API now offers the audit_type_list to enumerate the list of available audit types that the system supports.
  • The Tanium Server REST API import will now ignore and drop <ignore_case> specifications in the select portion of a Question.
  • Improved the Tanium Server REST API import to be able to handle older XML formats where <temp_sensor> objects may contain an empty <name>.
  • Modified the behavior of the Tanium Server API to return a HTTP 204 No content code. instead of HTTP 404 when accessing /saml2/certificate.crt and no SAML certificate is set up in the system.
  • The Tanium Server is now more careful and conservative in validating database connections in its connection pools, using SELECT 1 to test them only every database_connection_validation_interval_seconds (Server, Numeric, Default = 30 ) instead of every time they are used. This brings efficiencies in database connection numbers and traffic.
  • The Tanium Server now uses a reduced amount of memory when loading Action History and Question History information from the database, resulting in important memory use improvements in legacy deployments with large databases.
  • The command-line interface for TaniumServer global-settings list-all now displays whether a setting is applicable to Client or Server, to make it easier to distinguish between the two without need for the Tanium console display.
  • Added support for NTLM authentication to the REST API services.
  • The Tanium Server API now supports creating new Questions from canonical question text, simplifying API use, by not having to POST to parse_question and then POST to create the Question object based on the results of the parse.
  • The Tanium Server API now supports creating new Computer Groups from canonical text in the same way that Question creation is now supported, simplifying API use.
  • The concurrency of TDownloader Package file downloads is now controlled by the single setting max_concurrent_downloads (Server, Numeric, Default = 10 ), superseding the two settings used in prior versions: max_download_processes_per_batch and ConcurrentPackageFileDownloadsLimit.
  • The Tanium Server and Zone Server info.json pages now include metrics for bandwidth throttling queue delays, as are offered in the Tanium Console UI.
  • Added Use , View and Revoke micro-admin privileges to be applied to API tokens in that subsystem.
  • Added full audit information to the API token subsystem.
  • A Tanium Server deployment in an Active/ Active configuration now has the ability to store encrypted data in their shared database, allowing them to exchange protected information like credentials.
  • The /metrics subsystem now exposes online client information from System Status.
  • The /metrics subsystem now exposes select system settings which can be used as points of reference to other real-time measurements.

Security Updates

  • This release includes security updates. Details of the issues, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.

Bug Fixes

  • A condition that could cause a Tanium Server crash associated with ConcurrentJobQueue is now fixed in the handling of SOAP requests using the new and improved network stack.
  • Code responsible for crashes in SACriticalSectionScope::SACriticalSectionScope  has been removed along with the network reset operation.
  • The Tanium Server /info page now supports NTLM again, resolving the HTTP-401 and HTTP-500 errors which some users have experienced in previous releases.
  • Fixed a problem in the management of Sensor statistics which could result in duplicate key violations on the sensor_stats table, logging: ERROR: duplicate key value violates unique constraint "sensor_stats_pkey".
  • The Tanium Global Settings now include EnableInternalPowershell=1 as its default out of the box.
  • The Tanium Server /info page and info.json files now correctly populate the following data sections: Connections: Active-Active Incoming, Connections: Active-Active Outgoing and Connections: Hub Incoming.
  • Patched the behavior of the Postgres SQL API to avoid the harmless but constant stdout message that reads: WARNING: there is no transaction in progress.
  • The network stack rewrite has fixed a condition where a Tanium Server could stop listening on its HTTPs port.
  • Fixed a failure in the Tanium Server insertion of rows into the tanium_archive tables which could result in the log error: archiveThread: SQL Exception ERROR: function insert_archive_question() does not exist.
  • Fixed a condition within the Tanium Server where Question and Action messages were unnecessarily large, resulting in the log message:  error: assertion 'Narrow<unsigned>( buffer.Aft().size() ) >= octetsLeft' failed.
  • The Tanium Server will now keep audit records for Global Settings when they are added, changed or deleted through the TaniumServer global-settings command line interface.
  • Fixed a problem in the Tanium Server API by which trying to create a Package with multiple local files, all without a source, the same content hash and different names, would result in Package objects missing some files. This impacted Solution modules like Threat Response which create "live packages" as a normal part of their operation.
  • Fixed an issue in the propagation of XML namespaces when canonicalizing SAML requests.
  • The hashed_string and hence the /string URL route on the Tanium Server now require explicit Administrator RBAC permissions for access.
  • The Tanium Server installer now ensures that String cleaning is enabled by setting enable_string_cap=1 , and it also ensures that max_strings_total and max_strings_total_mb are set according to the amount of RAM available in the system.
  • Fixed an undesirable interaction with a dynamically linked LDAP library ( libldap ) used by the PostgreSQL library ( libpq.so ), which would cause a crash when running: TaniumServer database upgrade.
  • Fixed an issue in the REST API when retrieving user detail which would return a nested "user":  entry in the result.
  • Fixed an issue in updating Actions which have not yet been started, where changing them would fail with the message SOAP Processing Exception: UpdateSavedActionFailed. This issue is mostly seen in environments that use Action Approval.
  • Fixed an uncommon condition where a User object update ( UpdateObject ) could result in a deadlock on the users_meta_data table, logging the error: Transaction was deadlocked on lock resources with another process and has been chosen as the deadlock victim.
  • Fixed a problem which could cause an endpoint to be omitted from the System Status page when its Computer ID  had a collision/ duplicate in the system. The endpoint would be listed in the SystemStatus.txt file, but not the System Status page.
  • Fixed a problem with the Tanium Server's /info page where the enable_string_cap setting was displayed as 0 (zero) when operating in its default value of 1 (one).
  • Fixed an issue with Tanium Platform components where they could fall in a state that consumed 100% of one CPU after running for some time.
  • Issues reported about problems with the network_reset_hour setting will no longer be applicable in the new network stack which does not use resets anymore.
  • Fixed an authorization problem in the use of single use requests which would fail with the error message: Invalid session supplied. Session ID doesn't match with existing session for this request.
  • The taniumnsis.dll is now cryptographically signed so it does not trigger AV alerts.
  • Fix an issue where an out of the box Tanium Server installation would populate the Global Setting  disable_action_status_archive_flag as a Client setting instead of a Server setting.
  • Fixed an issue with LDAP synchronization auditing where locked out user accounts (with locked_out=2 ) and deleted user groups (with deleted_flag=1 ) would be reported repeatedly into the users_audit with audit_text = locked out user from LdapSync and the user_groups_audit with audit_text = deleted user group from LdapSync , causing these tables to grow without bounds.
  • Fixed a condition in the Tanium Server code which could sporadically lead to a crash and core dump in the handling of epoll_ctl , associated with the following log messages in the server logs: Linux::TheIOCP::DisAssociateSocket epoll_ctl failed and Failed to set socket non-blocking flag: EBADF: Bad file descriptor.
  • Fixed a condition in the management of certain  NULL values while migrating the questions_subgroups table that could result in an upgrade failure that logs: SQL upgrade step failed: Unexpected: not all questions were assigned a filter_group_id successfully .
  • The default behavior for the  EnableInternalPowershell is now 1 (one) and will revert to this value if and when the parameter is not declared in the system.
  • The Tanium Server installer now offers to install a Microsoft SQL Client capable of supporting TLS v1.2.
  • Fixed a Tanium Server API issue where internal Group caches were accessed in a sub-optimal way, causing the Users, User Groups and Computer Groups console pages to time out and fail to display in environments with many and complex Group configurations.
  • The Tanium Server now closes idle database connections  according to the following new Global Settings which are all Server and Numeric:
    database_connection_close_idle_interval_seconds
    The amount of file after which a connection considered idle and can be closed. Default value: 60.
    database_connection_max_connections
    The number of database connections the server will hold open at any one time. Default value: 1024.
    database_connection_periodic_job_interval_seconds
    Determines how frequently idle connections are closed. Default value: 30.
  • Fixed a Tanium Server API problem which would result in a SensorNotFound error when trying to edit the All Computers Computer Group.
  • Fixed an issue with the Tanium Server Import API when importing multiple sensors in a single request.
  • Fixed a condition seen on the /info pages in very large environments where the bandwidth numbers reported where often 0 (zero) when they should have had a positive value.
  • Changed the SAML implementation to ignore whitespace in Base64-encoded signatures to work with some providers like SiteMinder.
  • Fixed a problem where the Tanium Server would update the Global Setting last_archive_database_cleanup_date even when the tanium_archive cleanup procedure was not run, or failed in error. This Global Setting is now updated only when the procedure executes successfully.
  • Fixed a Package file download error which could happen sporadically, where files were downloaded successfully by TDownloader and found in the /Downloads/Cache/ folder of a Tanium Server, but the server and console behaved as if the file were still missing. This issue was caused by a cache refresh problem.
  • Changed the way the Tanium Server queries for Groups against a Microsoft SQL database to avoid the possibility of running into the error: Maximum recursion limit reached.
  • The import  route for the Tanium Server API now appropriately returns success: false when it encounters a conflict error.
  • Fixed a problem where Python Sensors imported using the Tanium Server Import API were incorrectly labeled of type Linux Shell.
  • Fixed behavior of the Tanium Server when splitting results to correctly split on the full delimiter string rather than on any one of the listed characters when generating question text (as is used for display of "Starting Questions"). Note that this was a display bug only, as Actions are targeted using full string queries, not subcolumn-delimited ones. They are broken out by column in the display of "Starting Text" simply for clarity.
  • The Tanium Server API will no longer accept Questions containing column filters when used with a Sensor that uses mulit-character column delimiters. The Tanium v314 protocol is not able to handle this correctly in all cases, and as such it is no longer allowed.
  • Question parse_job  requests submitted through the REST API now return the parameter values extracted from the question text, as they do when using the SOAP API.
  • Fixed an issue in the Tanium Server API by which it would cache the value of Global Settings deleted from the console up until the next restart.
  • Fixed an issue with where the Global Setting max_download_processes_per_batch , which was interpreted to have a value of zero after being deleted in the Tanium Console, resulting in TDownloader never being executed by the system.
  • Fixed an issue with the Tanium Server Import API where it would not handle correctly when importing several Scheduled Actions with the same name in a single request, resulting in only one of them being handled correctly.
  • Fixed a problem in the initialization of Python crypto which would cause failures of Action package command execution with the message: TaniumCryptoLibraryCryptosystemAlreadyInitialize or FailedToSetCryptoExDataImplementation.
  • The Tanium Zone Server now has an improved mechanism to discard download requests that are abandoned by the requesting client, offering an improvement in memory consumption by not holding on to older requests which are no longer needed.
  • Fixed an issue in the Tanium Server API where querying for Scheduled Actions could return  SavedActionNotFound during periods when Actions are deleted and recreated in rapid succession, which is the way that Solution modules like Trace create their deployment configurations.
  • Fixed a problem with the Tanium Server API that caused the new Advanced Filtering feature to return no results when parametrized Sensors were used.
  • Fixed a problem with the Tanium Server Import API where importing signed solutions would be display as "unsigned" in the Tanium console.
  • Fixed an issue where the Tanium Server Question Parser would fail to parse questions that used an OR operator as part of their filter expression.
  • Fixed an issue with the REST API route /v2/session/login which would return an error: InvalidJSONBody.
  • Fixed a problem in the population of Question result hashes which could produce empty results. This was sometimes visible in the status pages for Actions which would not display any information.
  • Fixed the CAC authentication subsystem which needed to change with Tanium's new versions.
  • Fixed a problem with the Tanium Server /info pages and info.json files where counters with values above 4 billion were being displayed as 0 (zero).
  • Added missing dbo. prefixes to database operations within the Tanium Server installer which would result in the error: Invalid object name 'version_history'.
  • The Tanium Server's /info page and info.json files now reflect faithfully the value of the enable_string_cap setting where before they reported a value of 0 (zero).
  • Improved the performance of the GetObject operation for action_groups which would often result in a slow loading of the Scheduled Actions console page on systems with large databases.
  • Improved the error message offered to users when trying to export a flattened CSV for a result set with a large, cross-product cardinality.
  • Fixed an upgrade problem with the Tanium Server installer when old, duplicate user preferences data was found in the dbo.meta_data table, which would produce the error: Could not create constraint or index because a duplicate key was found.
  • Fixed an instrumentation error where per-Client thread connection counts in info.json were incorrect and diverged from the real number of incoming connections to the Tanium Server.
  • Fixed an issue where the Package cleanup procedure in the Tanium Server could remove package objects ignoring their dependencies, leading to Actions that would display missing parameters on the console.
  • Fixed a condition where a Tanium Zone Server would fail to start when installed as a non-administrator account, logging the error: Could not open key for reading: Software\Tanium\Tanium Server.
  • Fixed the Linux version of the Tanium Server where a timing problem in the issue_seeding_action stored procedure would fail to fire an Action dependent on a downloaded file parametrized from a sensor result.
  • Fixed a problem with the Tanium Server API where updating a white_listed_url seemed to work but actually didn't change any values.

Known Issues and Workarounds

  • Login fails for LDAP-synchronized users when using userPrincipalName.
    Workaround: There is no workaround for this condition.
  • The Tanium Module Server will fail to register with the Tanium Server if installed on TanOS versions prior to v1.5.1.
    Workaround: There is no workaround for this condition.


Additional Information

Product Documentation and Resources