Release Notes Tanium Server (Version 7.6.2.1204)

Thank you for choosing Tanium. The following Release Notes document changes between releases of the Tanium Server.
This platform release includes the release of both a Windows and Linux Tanium Server.
The previous version can be found here: Release Notes Tanium Server (Version 7.5.6.1137)


Tanium Server for Windows and Linux v7.6.2.1204

  • Tanium Cloud availability date: April 24, 2024.
  • On-premises availability date: May 1, 2024.

Special Notes

  • Updates the End User License Agreement (EULA) for Tanium Platform products to its latest 2024-05 version.
  • The Tanium Server now uses Console (Version 3.7.8.0000).
  • Tanium discourages new installations of this software version on Windows 2012 and 2012-R2 given its End-Of-Life on 2023-10-10.

Security Updates

  • N/A.

New Features

  • The Tanium Server now offers a certificate management API to allow changing of its HTTPS certificate from a browser console.
  • The Tanium Server and Client now allow the tracking of successful and failed action exit codes.
  • The Tanium Server will now push notifications of new questions without the need for a registration from the client, making responsiveness even faster than it already was.
  • Tanium Servers will now immediately close new incoming connections when bandwidth throttle delays are larger than leader_max_schedule_delay_seconds.
  • Added a new permission, "manage zone servers", to grant Zone Server management rights to non-Admin users.
  • Implements low, normal and high priority settings for Platform questions, where high priority questions should be reserved for interactive interface questions and low priority should be used for data pipeline harvesting questions.
  • Tanium components now use SetThreadDescription on Windows versions where it is available, to name different threads, which is helpful for all manner of debugging tools.
  • Implements a new API api/v2/upload_file_stream which accepts either an application/octet-stream or a multipart/form-data upload to improve performance in uploading large files to the Tanium Server.
  • Tanium protocol communications now use the TLS v1.3 Certificate Authorities extension instead of the SNI indicator available in previous TLS implementations. This should benefit users who find it difficult to disable or manipulate the SNI inspection of their security software.
  • Tanium Platform components will now provide settings for LogVerbosityLevel on a per-log basis to allow for increased logging where necessary instead of increasing verbosity across the board for all logs.
  • Allows the Tanium Server API to manage the locked_out status of user accounts.
  • Offers a new server_health API route on the Tanium Server which returns information about disk space available on the different servers in a deployment.
  • Adds HTTPv2 support for outgoing requests from the Tanium Server which can now be used when communicating with the Tanium Module Server and other systems.
  • Added the TaniumExtractor binary utility to Tanium's suite of tools in order to replace other extractors like 7z.
  • Adds the read_server_host micro-privilege to control access to the server_host API route used by TDS, so that service does not need to run with administrator privileges.
  • Allows an API Token session to invalidate the token that it is using, logging out the session that is using it and all further access with this operation.
  • The Tanium Server authentication system now supports Online Certificate Status Protocol (OCSP) for Common Access Card (CAC) authentication.
  • The Tanium Server now offers an API route to temporarily override logging levels on all server components. Posting to internal/monitoring/v1/log/levels with data that specifies {"text": "DEBUG", "duration": 60} will set the logging level to "DEBUG" on all servers for the next 60 minutes. The logging levels available are: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, which correspond to LogVerbosityLevel settings 1, 11, 21, 41, 61 and 91, respectively.
  • Tanium component zipped logs will now contain the same older log files renamed with a date and time suffix (YYYY-MM-DD-hhmmss) which will make their names unique when unzipped.
  • Tanium components now ship with FIPS-certified OpenSSL v3.
  • The Tanium Server now has the capability to upload to a Content Delivery Network (CDN). This improvement supports the Improved Client Downloads initiative.
  • The Tanium Server no longer honors the legacy max_strings_total_mb setting but instead calculates the amount of strings memory to use every startup based on its string_memory_percentage setting, which defaults to 33.33 percent.
  • Adds support for filtering of groups based on their subgroups, allowing for action group queries with filters like: action.action_group.groups[].name.
  • Disallows disabling of active LDAP synchronization connectors, which will only be allowed when a connector is paused or deleted. This is to avoid synchronization operations with a connector in disabled state which would remove RBAC assignments that are no longer being provided.
  • Implements new Tanium Server metrics for the number of successes and failures of database connection attempts: dbconnectionpool_db_connect_success and dbconnectionpool_db_connect_failure.
  • Implements the Tanium Server plugins necessary to interface and operate with the System User Service, which can be controlled using the enable_system_user_compatibility setting.
  • Implements the tanium_authenticator_non_system_users_last_login Tanium Server metric to indicate the last time users logged into the system.
  • Adds a "read solutions" privilege to control access to the API solutions route.
  • Implements auditing information for changes to the system's bandwidth throttle settings.
  • Ensures that v7.6 Tanium Clients will not peer with earlier versions, given that their communications are not compatible.
  • Changes the behavior of the Zone Server Hub to resolve the DNS names for its Zone Servers each time it connects to them. This allows for better live response to Zone Server IP address changes without a service restart.
  • The Tanium Server will now delete all users and groups associated with a SCIM provider when that provider is deleted. This is done for integrity and to avoid ending up with users and groups which can no longer be managed, neither through Console nor SCIM.
  • Increases the default value of max_force_registrations_per_second to 10,000 now that this operation has become less costly thanks to other server to client communication improvements.
  • The Tanium Module Server no longer uses HTTP Basic-Auth when registering with the Tanium Server, because this authentication method is now disabled on the Tanium Server by default.
  • Tanium servers will now communicate their version to clients during registration, allowing new and future clients to determine if they have connected to a system of a compatible version.
  • Implements a property named "t" on the result rows from the Tanium Server GetResultData API to indicate whether a particular row can be used as a target filter based on its values. The include_targetable_flag has to be included in the request for this property to be emitted.
  • Enforces unique names for dashboard definitions in the Tanium Server which would otherwise produce solution import errors.
  • Removes support of legacy FNV hashes in the Tanium Server's string APIs.
  • The Tanium Server now implements a cell_row_count API option that limits the maximum number of rows returned for result cells, allowing the caller to limit the amount of data returned when there is a large number of results in each cell.
  • The Tanium Server history export APIs now offer a mode query parameter to specify the format of the export to be either csv or json.
  • The Tanium Server question and action history export API now allows filtering which supports the ability of the console to export only selected items.
  • Adds the priority field to the Tanium Server's question API.
  • Brings back support and distribution of the runasuser.exe binary utility which is needed by some pieces of custom content.
  • Implements a priority setting for the action API on the Tanium Server.
  • Implements metrics counters on the Tanium Server to track the number of valid and invalid API token requests received.
  • Ensures that the plugins/group/questions returns an HTTP-503 result code until the Tanium Server is fully ready for operation.
  • Adds the tanium_dropped_connections metric to the Tanium Server and Zone Server which reflects the number and type of connections dropped by configured global throttles.
  • Sensor results in the new Platform are now forced to be encoded using SHA-256 in support of future capabilities.
  • Implements chunk cache use metrics in the Tanium Zone Server.
  • Implements a metric to track non-handled exceptions in the communication in Tanium Servers and Zone Servers.
  • The Tanium Server now offers a metric to track the number of retried question reports received from Tanium Clients.
  • Adds a metric to the Tanium Server to reflect the number of legacy FNV hash collisions detected in the system.
  • Adds support for a disabled_flag setting for user accounts in the Tanium Server, which can be set manually to enable or disable a user in the system.
  • The Tanium Server now implements the tanium_string_retry_pending_count metric to reflect the number of outstanding legacy client string retries.
  • The Tanium Server now defaults disable_client_cdn_downloads=1 to make client CDN downloads an opt-in feature instead of being enabled by default.
  • The Tanium Server API now offers the deduplicate_by_name_flag option for system_status and unregistered_clients requests, which will then return a list of endpoints where their Computer Name has been de-duplicated.
  • The Tanium Server offers a new counter metric to reflect the number of bytes that clients have downloaded from CDN: tanium_client_external_download_bytes_read.
  • Adds periodic cleanup of the Tanium Server client status cache in memory which previously would only be cleaned up during shutdown and startup.
  • The Tanium Server reverts the pre-v7.6 behavior of forcing client registrations of v7.4 and earlier clients to 1,000 per second and implements the new max_server_hash_messages_per_second=10,000 for newer clients.
  • The Tanium Server now offers the tanium_client_count_history_full metric to reflect the non-duplicated thirty day client count in a deployed system.
  • The Tanium Server adds the metric counters tanium_dropped_question_reports_total and tanium_dropped_string_reports_total to track dropped question and string reports.
  • The Tanium Server now enforces a maximum value of four hours for the max_console_idle_seconds setting.
  • Extends the build_target_group API in the Tanium Server to allow a filters specification which offers better control to the caller on the results that will be returned by the new filter.
  • The Tanium Server API will no longer reply with SQLException messages to the caller but will continue to log these exceptions for troubleshooting purposes.
  • Updates the EULA wording in Tanium components to its 2024 version.
  • The Tanium Server will now allow the auto-creation of users without an assigned user group instead of returning an error. This allows for these user accounts to effectively log into the system even if they have no assigned permissions.
  • The Tanium Server's manifest URLs have been changed to support the new semi-annual release process at Tanium, making them: content.tanium.com/files/initialcontent/2024H1/manifest.xml and content.tanium.com/files/initialcontent/2024H1/labs_manifest.xml.
  • Updates the wording of the Tanium Platform EULA.
  • Adds Tanium Server settings to support the semi-annual release model.
  • The Tanium Module Server installer on Windows will update its RDB database to PostgreSQL v16.
  • Deprecates the parametrized group API in the Tanium Server, which will no longer honor the source_id property when creating a new group.
  • The Tanium Server and Module Server will now honor the TLSSessionDurationSeconds global setting that specifies the maximum session duration for a TLS connection.
  • The Tanium Server now offers metrics that reflect the number of TLS sessions it has established against the Module Server.
  • Adds further details to the memory allocation statistics generated by the UseTBBAllocatorStats on the Tanium Server, to provide more granular visibility into duties and uses where memory is being consumed which would otherwise simply be marked as "Other" in previous versions.

Improvements

  • The Tanium Server will no longer perform any deduplication of client records in Client Status to avoid confusion over endpoints which answer questions but do not appear in this listing. Clients will be identified solely by their ComputerID.
  • Tanium Clients will now synchronize their sensor definitions based on a unique ID field.
  • The Tanium Server will now reuse rows in its sensor_definition database table when Sensor update operations have not changed their code implementation.
  • The Tanium Server now constructs client-bound messages from the contents of its database caches which are guaranteed synchronized and consistent. This will reduce workload on the database for these operations.
  • The pki show --fingerprint command now accepts short-form PKI fingerprint specifications like the ones displayed in Console.
  • Defines a new namespace and version scheme used by the next generation of ComputerID assignment to endpoints.
  • Introduces a Tanium Server sequencing counter for active/active pair messages about incoming Tanium Client registrations in order to support next-generation ComputerID assignments.
  • Implements broadcasting of registration sequences between Tanium Servers in active/active pairs and Zone Servers in order to support the next-generation ComputerID assignments to Tanium Clients.
  • Zone Servers will now log at the lowest verbosity level when they find a local JSON throttle definition in their filesystem, and also log the result of loading said local configuration.
  • Refactors the in-memory handling of package file hashes as hash values instead of strings which can be more prone to bugs in their handling.
  • Modifies the pki show command line in Tanium components to work for tanium-init.dat files without the presence of a pki.db. The command now assumes that the file name parameter is a tanium-init.dat file unless its extension is .db in which case it will be read as a pki.db database.
  • The Tanium Server now allows for more granular scheduling of database clean up and maintenance activities by offering the clean_database_hour and clean_database_minute global settings.
  • Implements a new metric tanium_pki_unknown_trusted_roots as a counter for the number of registration requests received with unknown keys.
  • Adds a new ModuleContentSigning key type to be used by the new content signing API offered by the Tanium Server.
  • Implements a new API that allows solution modules to have byte blobs of data signed by the Tanium Server.
  • Removes unnecessary hashing of individual string columns in multi-column sensor results.
  • The Tanium Server will now detect inactive servers in an Active/Active configuration and update its Downloads/upload_hosts.txt file. This will avoid unnecessary attempts to download files from a Tanium Server that is not up and running.
  • Improves the Tanium Server question parser to avoid creating excessive sub-groupings for multiple expressions joined with OR operators.
  • Adds the user id for failed authentications to authentication_audit records returned by the Tanium Server API.
  • Adds the ability to export saved actions by ID, necessary when attempting to export actions with duplicate names.
  • The Tanium Server will no longer create "Legacy-*" RBAC roles in new installations. These roles are now deprecated for new deployments.
  • Updates the allowed TLS cipher suite to match Mozilla's intermediate compatibility recommendation.
  • Improves on the reported status for packages on the Tanium Server to reduce information leakage on error reports.
  • The Tanium Server now uses a column named error_details in its server_package_files to store error messages encountered when trying to download and cache package files.
  • The Tanium Module Server will now clean its temporary directory on startup, removing files left behind which are no longer used.
  • Improves the Tanium Server throttling API by validating the values allowed for bandwidth limits to adhere to positive integer values.
  • Adds validation to regular expressions used in the creation of groups to avoid syntax errors which may later occur downstream at the Tanium Client with the log message: error occurred while parsing the regular expression.
  • Implements increased resilience to corrupt plugins.json files in a Module Server configuration by doing a fallback to previous backup versions of the file.
  • The Tanium Server will now use one single connection when working through database upgrade steps.
  • Removes unused settings for string error flags and prefixes: error_string_prefix, error_string_regex and generic_error_string_flag.
  • The RBAC API will no longer return a content set element for groups that are not designated as filters and not associated with a content set.
  • Enforces a limit of 5,000 as the maximum allowable value for string_retry_hash_limit that can be sent to the Tanium Client at one time.
  • Created separate db query plans in the Tanium Server for initial cache loading and incremental cache loads to reduce the number of times SQL has to compile query plans. This reduces CPU load on the SQL server as well as increasing API performance.
  • Updated the way message size metrics are captured to improve efficiency of processing large messages.
  • Reduced the LiveSnapshotAlwaysUseSeconds from 4 to 1 second to improve user experience for returned question results.
  • Added serialization code efficiencies in multiple Tanium Platform components, making future feature updates and REST API handling more effective.
  • Combines the execution of the packages and download file cleaning operations into a single thread in the Tanium Server, thus reducing contention between them as well as database resource utilization.
  • Added an additional API call, /api/v2/user_groups/by-name/{name}, to get user groups by their text name.
  • Includes additional logging of https header names when capturing error parsing http response log entries.
  • The Tanium Server /metrics route will now omit per-thread metrics unless the enumerate_server_threads_for_metrics_flag setting is enabled. This reduces the cardinality of metrics in monitoring systems.
  • The values of the info_export_interval_minutes and info_export_max_age_days global settings will now be honored by zone servers.
  • The Tanium Server will no longer log "No PKI clock offset for fingerprint" which is an expected server condition.
  • Implements environment-specific content security policy headers for the Tanium Server replies.
  • Removes Tanium Server client registration settings which are no longer used.
  • Implements expiration times for a Tanium Server's root keys to be 99991231235959Z as recommended by RFC-5280.
  • Drops the value_system_flag column from the global_settings database table, since it is no longer used.
  • Improves the logged messages in the Tanium Server's package-download.txt log.
  • The content set API on the Tanium Server will no longer return deleted records.
  • Tanium Platform components now ship with xz v5.2.9 compression libraries.
  • The Tanium Server will now log errors encountered while updating users and groups during an LDAP synchronization operation, such as SQL errors.
  • Improves the text of audit records to include the previous and new name of objects in rename operations, offering more readable audit records for Tanium Server objects.
  • The Tanium Server's global setting audit API will now return audit text that contains the original value that was changed as well as the new value it was changed to.
  • The Tanium Server API will now reject the assignment of invalid RBAC privileges, where before it would allow it but strip them off whenever calculating an account's effective privileges. Now the assignment itself will no longer be allowed.
  • Adds the display_name field to the Tanium Server's API requests when this information is available for a user account. This will allow Console to display this information in user pages.
  • The Tanium Server will now log API HTTP request headers only at LogVerbosityLevel=61 and above.
  • Upgrades the PAM library on the Tanium Server to v1.5.2.
  • Tanium Platform components now ship with TBB v2021.7.
  • Implements server-side streaming export of question and action histories, reducing browser wait times and resources.
  • Improves the performance of TLS session ticket verification in all Tanium Platform components.
  • Implements WAL-mode operation for the platform's pki.db database.
  • Improves the performance and resource utilization of PKI operations by not re-verifying certificate chains immediately after they are issued.
  • Improves the performance of the Tanium Server system status and client count APIs which is important to deployments with a very large number of endpoints.
  • Implements WAL-mode operation for the platform's config.db database.
  • Implements a quicker delivery of isolated and separated subnet information from the Tanium Server to the Tanium Client. This allows informing the endpoint if it should be isolated or the separated subnet it belongs to, along with a list of candidate peers.
  • Relaxes the permissions required to access the preview_content_set_role_detailed on the Tanium Server API as a prerequisite to enable customer content features.
  • The Tanium Server and Tanium Zone Server will now free memory in their client processing threads every client_thread_clean_memory_seconds=300 interval.
  • Implements an idle timeout command line option (--idle-timeout) for TDownloader which will specify the maximum amount of time a download stream can stall before it is considered failed. The default timeout will be 60 seconds.
  • Improves the audit information for content set roles in the Tanium Server to return only the information of elements which were changed instead of the effective result of the changes.
  • The Tanium Server API now supports and expects a GET method request for its action and question export routes.
  • The Tanium Server API now supports exporting multiple saved action IDs with the export-by-id route.
  • The Tanium Server now logs the reason for authentication failures at LogVerbosityLevel=0 in its auth.log.
  • Adds additional information in replies to requests with expired JWT tokens to inform why the request was rejected.
  • Implements use of the TANIUM_TRUSTED_MESH environment variable to allow the Tanium Server API to run on clear text HTTP instead of HTTPS.
  • Implements the cache_ref_id in the rows returned when calling GetResultData which can be used in conjunction with a cache_id to call the build_target_group API on the Tanium Server.
  • The Tanium Server API now offers a build_target_group route which allows defining groups from a result cache and its reference IDs.
  • Removes support for ComputerID tracking in saved questions, which underpinned the recent results Tanium Server API feature which is not in use anymore.
  • Removes the previously needed but now superfluous file_name parameter which was used in action and question history exports.
  • Changes the API to export both action and question histories so they will provide default CSV columns and JSON elements to be returned when none are specified beyond the export mode parameter.
  • Ensures that plain-text communications between the Tanium Server and modules are only possible when running in a TRUSTED_MASH_FLAG=1 configuration.
  • Makes module server solution registrations unique in both their id and name.
  • Changes the threshold for incorrect sensor statistics from 1GB to 1TB for bytes read, given that it is possible that a sensor would read that amount of data to produce its results.
  • Changes the Tanium Server history export API to return a JSON object instead of a simple array, which is best for compatibility.
  • Allows questions and their results to persist beyond their expiration time and for as long as max_result_cache_grace_period_seconds if they are still being referenced by API requests.
  • Reduces the processing cost of content imports in the Tanium Server API by delaying signature verification until the flag for a concurrent import is confirmed.
  • The Tanium Server question API now disallows the creation of saved questions from counting questions.
  • Enforces the execute plugin privilege when routing module service API requests.
  • Changes the behavior of sensor results parsing in the Tanium Client where it will ignore a configured delimiter in the sensor definition if it has no declared columns. This improves the behavior of sensors that incorrectly declare a delimiter for a single column.
  • Improves the messages logged by a Zone Server when publishing a snapshot to include the highest question and action IDs contained in the snapshot.
  • The Tanium Server and Client now offer higher sensor result limits for the benefit of data-intensive applications: SensorMaxResultSize=10,485,760 (in bytes), SensorMaxResultRowCount=100,000 and sensor_max_allowed_result_rows=100,000.
  • The Tanium Server will now log "Malformed session" when authentication fails due to a malformed session value.
  • The Tanium Server will now generate a 3,072-bit key certificate for SOAPServer.crt by default, instead of 2,048-bits as it did in previous versions.
  • Tanium Platform components now ship with SQLite v3.42.0.
  • For compliance with RFCs and compatibility with more SCIM providers, the Tanium Server now treats the externalId attribute as optional in users like it does in groups.
  • The Tanium Server will now check the health state of its database connections before returning them to its connection pool.
  • Ensures that old expired and revoked certificates are cleaned up from the pki.db database.
  • Reduces log spam in the Tanium Server by issuing "Failed to build question" and "Failed to build action" only once.
  • Reduces the CPU utilization in the Tanium Server when serializing user privilege information in API requests.
  • The Tanium Server will no longer refresh all sensor definitions when questions and actions change, and will only refresh the definitions of sensors that have changed since their validation can be expensive.
  • Makes the TaniumExtractor tool more resilient to errors so as to allow it to continue processing whenever possible.
  • Improves the performance of the Tanium Server in computing cache sizes reported in its /metrics route.
  • Improves the Tanium Server performance in calculating snapshots of new information transmitted out to Zone Server Hubs.
  • Adds support for incoming HTTP2 connections initiated with prior knowledge and a correct connection preface.
  • Changes the logging level for HTTP2 closed pipe log messages to a higher level, since they are not really error conditions.
  • Improves the http-access logging of data retrieval SOAP requests to the Tanium Server by logging the type and ID in the request, like: GetResultInfo:question/501.
  • Implements limits for the new Tanium Server question result and string hash retry caches to keep them at a reasonable size.
  • The Tanium Server will now delay file downloads on startup until its web services are fully operational. This allows for quicker startup times.
  • Reduces the latency in processing CDN download requests at the Zone Server by transmitting them in batches up to the Tanium Server.
  • The Tanium Server will periodically log its progress when uploading files to CDN at LogVerbosityLevel=41.
  • The Tanium Server now enforces maximum strings and maximum strings age for results received from new v7.6 clients.
  • The tanium_dropped_connections metric now identifies whether the connection was dropped due to a global or a site subnet limit configuration.
  • Implements support in the new Tanium Server for the max_strings setting in legacy strings.
  • Changes the management of the Tanium Server string retry queue to operate under a LIFO policy, given that newer hashes are easier and faster to resolve than older ones.
  • Changes the systemd unit file TimeoutStopSec=90 for the Tanium Server to avoid it being forcibly killed during shutdown.
  • The Tanium Server now uses different default values for resolution of legacy string hashes set at string_retry_hash_limit=2,000 and string_retry_pending_limit=10,000 to reduce the size of the pending set and accelerate the rate at which it is resolved.
  • Global settings have been adjusted to allow Tanium Clients to re-play their sensor result string to hash mappings every twenty four hours instead of every week, as a means to reduce retry workloads on the Tanium Server.
  • The Tanium Server now applies configured download throttles with every chunk request instead of when the connection is first established. This allows immediately enforcing changes to throttle values, instead of having to wait for the tear-down and reestablishment of existing connections.
  • New versions of the Tanium Server will deduplicate Client Status counts when presenting the tanium_client_count_history metric. The endpoint lists presented in Client Status will not be deduplicated, but its numeric count figure will be.
  • The Tanium Server binary now offers an export-strings command line option which will export the contents of the new format strings file into a SQLite database for inspection.
  • Refactors the management of sensor string files in the Tanium Server to remove them not only when they are deleted but also when they have not been used and loaded into memory for a long time, as compared with their maximum age settings.
  • Implements the unloading of sensors from Tanium Server memory when they are deleted or have been idle and not referenced by the internal result cache.
  • The Tanium Server will now load its result data cache in a background thread during startup, to improve the time from when it is started up to the moment when it is responsive to other tasks.
  • The Tanium Server no longer requires a restart when changing its disable_client_cdn_downloads setting.
  • Ensures that the process_cache_batch_threads setting on a Tanium Server is assigned a value equal to the number of CPU cores divided by eight, but never a value larger than eight.
  • Tanium Platform components now use Curl v8.5.0 libraries.
  • The Tanium Server increases the size of allowable filter specifications to avoid the error "MaximumFilterSpecRegexLengthExceeded" when working with drill-down operations in the console that contain large amounts of data.
  • Improves the logging of RunModulePlugin API requests to the Tanium Server.
  • Upgrades Tanium components to use JsonCpp v1.9.5.
  • The Tanium Server now logs all SCIM errors at LogVerbosityLevel=1 and above to make it easier to troubleshoot failures without changing logging configurations.
  • Improves the logging of session errors in the Tanium Server authorization log which in the past would only offer a very terse "Invalid session supplied" message.
  • The Tanium Server will now offer api_locked_out metrics for locked out user accounts and IP addresses, as well as requests from the Tanium Module Server.
  • API requests to the Tanium Server now use internal cache structures instead of SQL queries to improve their response timing performance.
  • Reduces the number of places where SHA hashes of keys are calculated by using their previously calculated fingerprints instead, improving code efficiency and performance.
  • Adds TLS Client Authentication and Server Authentication extended key usage values to all certificates generated.
  • Tanium components now disable SHA-1 and SHA-224 signature schemes in the TLS protocol.
  • Improves the logging of missing sensor definitions in the Tanium Server, where SensorNotFound log messages would not specify which saved questions were responsible for referencing them.
  • These Platform components now ship with SQLite v3.45.1.
  • Tanium Platform components now ship with OpenSSL v1.0.2zj.
  • The Tanium Server will no longer automatically fall back on its FQDN when forming a SAML assertion consumer service (ACS) URL and instead log an exception, to make it patently clear this mapping is missing from the configuration.
  • The Tanium Server will not duplicate entries in the database's computer_specs table anymore, reducing its size and improving performance for large numbers of manual computer groups.
  • Platform components are now built with libExpat v2.6.0.
  • The Tanium Server now sets specific auto-vacuum scale factors for select PostgreSQL tables that grow quickly within the database.
  • The WorkbenchesManager plugin in the Tanium Server has been updated to only keep the latest thirty copies of workbenches_*.json.
  • The Module Server installer on Windows now forces a recalculation of the PostgreSQL database statistics after an upgrade, to improve database performance after a version migration.
  • The Tanium Server now merges "[too many results]" records received from v7.6 and legacy clients to present a unified count across the whole system.
  • Fixes a problem in the Tanium Server RBAC API when creating a role with access to all content sets would return an empty content_set_role_privileges list.
  • Tanium components now ship with OpenSSL v3.2.1 and v3.0.9 when using FIPS support.
  • Reduces the access rights requested by Tanium installers on Windows in order to minimize failures due to hardening on the operating system.
  • The Tanium Module server installer on Windows tests that the installing user account has access to its database directories and contents. This mitigates the risk of a failed PostgreSQL upgrade.
  • Removes the duplicate "tanium" word from the Tanium Server memory allocation metric names.
  • The Tanium Server now allows enabling its TBB allocator statistics by adding a file named UseTBBAllocatorStats in the server's main installation directory. This is in addition to using the setting of the same name as an environment variable but is easier to persist across upgrades.

Bug Fixes

  • Fixed an issue where the Tanium Server Question Parser failed to parse computer group names in a question filter clause when the groups were expressed in terms of parametrized Sensors.
  • Fixes the permissions of a server's license file on disk when they are incorrect, avoiding the repeated "FailedToVerifyLicense" message in logs even when the loaded license is valid.
  • Fixes an OpenSSL random number generator initialization problem that would result in the error "SSLEAY_RAND_BYTES:PRNG not seeded" which is innocuous but should not happen anymore.
  • Fixes a condition in the Tanium Server by which policy-based saved actions would fire more often than they actually had to because they would not target any online endpoints anyway.
  • Fixed a bug in the Tanium Server where an LDAP user's modified time field is updated every time LDAP synchronizes.
  • Fixes an issue where API tokens would fail to be authenticated with IPv6 trusted addresses.
  • Fixes an issue where the Tanium Server API would throw an HTTP-404 error when trying to export content sets that reference objects which had been removed from the system.
  • Adds a missing transaction to the periodic package and package files cleaner maintenance operation in the Tanium Server.
  • Fixes an HTTP-500 error returned by the user_groups API when referencing invalid user IDs.
  • Fixes an incorrect parsing of incoming SAML identity provider data in the Tanium Server which would trigger the error "SAML authentication failed: Invalid namespace prefix 'xmlns:xsi' for attribute" when InclusiveNamespaces were used.
  • Resolves an issue where the Tanium Server's metrics would report higher client counts than Client Status due to not filtering records with ComputerID=0.
  • Fixes a rare condition where a Tanium Server could miss manual groups and sensor updates for a short period of time. This condition has never been observed in the field due to its small probability of happening.
  • Fixes the routing of the package_file update API in the Tanium Server which would previously throw an "InvalidObjectTypeForUpdate" error for PATCH requests.
  • Changes the behavior of the Tanium Server solution import API so it will not throw an exception and reply with an error when referenced saved questions are missing.
  • Fixes an issue with the Tanium Server groups API which results in the incomplete error HTTP-500 'Invalid group field name: ' when trying to filter the request results.
  • Fixes an ordering-of-operations error when importing both roles and privileges into the Tanium Server on the same operation, which could result in a ContentSetPrivilegeNotFound error.
  • Fixes an omission in the Tanium Server content set role API which would not account for restricted privileges during a preview request. The API will now throw InvalidCustomerPrivilegeForContentSet when an incorrect privilege is included.
  • Fixes a problem in the Tanium Server preview content set role API which would not return deny-type roles. Issuing a request with a deny_flag=1 will now return these roles.
  • Fixes an issue in the Tanium Server where, when importing a package without attached files and overwriting an existing package with files, the file references would not be removed.
  • Fixes a crash in the Tanium Server when it received a stop request while still waiting for its database connections to be available.
  • Fixes a condition that produces revocation hash mismatches across active/active Tanium Servers after importing legacy v314 protocol keys.
  • Fixes an issue by which content administrator users cannot read all content on the system, which impairs the role's ability.
  • Fixes incorrect instructions in the Zone Server RPM installer on Linux which described the need to configure the ServerName setting, which is not necessary unless installing a Zone Server Hub.
  • Fixes an issue in the Tanium Server audit log API for user groups where the details entry would be empty.
  • Fixes the error response returned by the action group Tanium Server API when searching a non-existing group by name, which would return an invalid ID number instead of the group name provided in the request.
  • Fixes an issue in the Tanium Server RBAC API which would return InvalidCustomerPrivilegeForContentSet when attempting to request detailed content set previews over content sets with configured restrictions.
  • Fixes an issue on the Tanium Zone Server where the info_export_max_age_days global setting would not be honored.
  • Fixed a cosmetic issue in the Action Statuses sensor that showed the string "\n" in its description.
  • Policy-based actions in the Tanium Server will no longer consider and count error results like [CRU] and [RCU] when evaluating whether to trigger or not.
  • Fixes an omission where the Tanium Server would fail when configured to listen on port 65,535 which is a valid port number.
  • Fixes a Tanium Server issue where the TaniumServer.exe database sqlserver2postgres command would fail with the error message "Unhandled column type: real" when the data_purge_history table contains any rows.
  • Fixes an issue with the TaniumReceiver.exe database sqlserver2postgres feature where the generated output cannot be imported into a PostgreSQL database if the servers table in Microsoft SQL Server has negative guid values.
  • Fixes an issue in the handling of single-use requests as used for export operations where request parameters were not being passed along to streaming handlers. This would impair the new streaming versions of action and question API requests.
  • Fixes a filtering problem in the Tanium Server action API where it would return the status for multiple actions when only one of them was requested.
  • Fixes an issue where enforcing the uniqueness of saved question names was not filtering out entries which were already deleted in the system.
  • Fixes an omission where the Tanium Server RBAC API would not exclude privileges from deleted content sets.
  • The Tanium Server's question API will now return the exception "Counting questions cannot be merged" if requested to merge a counting question.
  • Fixes a problem where the Tanium Server question result data API would not respond to the export_flag parameter.
  • Refactors parts of the SCIM requests handling in the Tanium Server that could result in user group memberships being removed from RBAC configurations.
  • Fixes a delay when fetching the Tanium Server info page, observed when the module server service is stopped.
  • Reduces the logging of the SQLite "Failed to reset statement" message which is neither significant nor important.
  • Fixes import failures of default computer groups into a newly built Tanium Server returning an HTTP-404: SensorNotFound error.
  • Fixes the logout workflow in the Tanium Server for Azure environments, which would leave console sessions with an invalid JWT token and unable to log in again.
  • Fixes the Tanium Server dbconnectionpool_db_connect_failure metric which would not reflect the correct count of connection errors.
  • Fixes the parsing and output representation of sensors that contain square bracket characters ([]) in their name.
  • Fixes the handling of legitimate h2c connection closures.
  • Adds a database upgrade step to the Tanium Server install sequence which will fix incorrect legacy package file hashes which would result in errors like "Invalid package file hash value: class NotAHexDigit" and prevent logins at the console.
  • Fixes a behavior in the Tanium Server where it would fail to cancel abandoned connections in its HTTP connection pool, and didn't release them until they completed their maximum number of retries.
  • This change separates the processing of active-active Tanium Server and Zone Server message streams, and adds support for concurrent client streams over the same connection. This solves a number of communications issues characterized by the logged errors: "unexpected exception: Can't queue callback that is connected somewhere else", "unexpected exception: Source is already connected to another callback" and "assertion 'm_downloadThrottle' failed" and will also resolve "cdn-config: ignoring request because too many are pending".
  • Fixes a problem in the Tanium Server by which it would not issue TLS session tickets to connected clients.
  • Fixes an incorrect count of endpoints presented by the Tanium Server when deploying an action to machines with the same computer name.
  • Fixes a problem in the Tanium Server integration with SCIM that could result in the error message: SQLException: duplicate key value violates unique constraint groups_name_hash_normal_group_unique_index.
  • Fixes an issue in the Tanium Server handling of action status questions which could sporadically result in the SQL exception: SQLException: duplicate Key=History for action ids already exists.
  • Fixes incorrect determination of hash collisions in the Tanium Server when receiving results from case-insensitive sensors from legacy clients.
  • The Tanium Server question API will now return empty results for GetResultInfo and GetResultData requests on expired questions, being that such requests cannot be fulfilled anyway and would result in "Question cache not found" errors being logged for them.
  • Fixes a condition where the very first client connections to a Tanium server would operate without their configured throttles. Now the Tanium servers will refuse incoming client connections during startup until all throttle configurations are loaded and operational.
  • Fixes a problem in the Tanium Server serialization of its newly designed result cache.
  • Fixes an issue by which [RCU] errors would not be included and shown for counting questions issued by the Tanium Server.
  • Fixes an omission in the Tanium Server where it would not process incoming server_health_update messages received from zone servers.
  • Fixes a condition where the Tanium Server might corrupt its new string cache bitmaps.
  • Fixes an omission by which the Tanium Server would not reflect updates received from legacy endpoints when an [RCU] resolution was received or a legacy hash collision was detected.
  • Implements a re-processing of sensor string files in the Tanium Server during upgrade to avoid case insensitive string hash mismatches which would cause [RCU] errors in question results.
  • Fixes a mismatch between server and client in the treatment of case insensitive sensor string hashing which would result in [RCU] errors which would never resolve in question results.
  • Fixes an omission in the Tanium Server where delayed/future string reports would not be noticed in the resolution of missing strings.
  • Adds necessary field keys in the new Tanium Server results cache needed to implement the required behavior for letter-case folding in sensor results.
  • Forces the Tanium Server to re-read and interpret a sensor's string files when the case-insensitive flag in the sensor definition is changed. This is to avoid the [RCU] errors that this change can produce.
  • Fixes a problem in the SCIM integration in the Tanium Server when paginating through users requests would return an invalid value for totalResults.
  • The Tanium Server will now sometimes re-read and re-interpret the contents of sensor string files. This change ensures that reinterpretation is immediately serialized back to disk.
  • Ensures that the current definition of a sensor is used by the Tanium Server when receiving question results, fixing the [RCU] errors observed against v7.4 when the "Ignore case in result values" option for a sensor was modified.
  • Fixes a misspelling in the tanium_result_retry_count metric of the Tanium Server.
  • Fixes an issue in the Tanium Server which would calculate incorrect hashes for active-active string retries, which would result in constant hash collision errors in question results.
  • Fixed an issue in the Tanium Server where the timestamp of some results received from clients would not be updated, resulting in the possibility of them being garbage collected and producing [RCU] errors.
  • Fixes an issue where the Tanium Client is not informed to back off in situations where the download queue is full.
  • The Tanium Server build_question_text and build_group_text APIs now support references to existing temporary sensors, in addition to the source sensors which have always been supported.
  • Fixes an issue in the Tanium Server that would cause the error "HTTP-500: Saved Question metadata not found" when refreshing the status of a deployed action.
  • Fixed a condition where Tanium Clients reporting through a NAT address in an intentional subnet configuration would peer outside their /24 subnet. This fix ensures that peering is contained within /24 IP ranges.
  • Fixes an issue where the Tanium Server would not report the X-Forwarded-For address of the requestor in its http-access logs.
  • Fixes a problem where the Tanium Server would not reissue a TLS v1.3 session ticket on session resumption, resulting in more full handshake sequences than necessary.
  • Fixes an issue where the json_input_flag was not being recognized or honored correctly when importing content into the Tanium Server.
  • Fixes the garbage collection of old question results in the Tanium Server which would otherwise result in large TS/Strings/saved-questions.dat files.
  • Fixes an issue in the Tanium Server in the lookup and handling of question results which would result in the error: resultDataThread] Error: assertion 'current.size() == toCompare.size()' failed.
  • Fixes a problem in the Tanium Module Server which would not initialize its cryptographic subsystem in FIPS mode regardless of its FIPSMode setting.
  • Fixes an issue in the Tanium Server where in order to request action status a user needed the "read saved question" privilege over the Reserved content set or would otherwise receive an "Error creating and getting question" message in response.
  • Fixes an issue in TDownloader that handled URLs with embedded spaces incorrectly.
  • Fixes an issue in the Tanium Server in the handling of high-cardinality sensors with too many results where partial data under the result limit would fail to be reported to the caller.
  • Fixes a missing Content-Type header in the execution of POST plugin requests from the Tanium Server to the Module Server.
  • Fixes an issue in the Tanium Server while importing module plugin definitions.
  • Fixes a type name infringement in the handling of SCIM schemas in the Tanium Server which read "bool" instead of "boolean".
  • Fixes an omission in the Zone Server installer for Linux where library binaries were missing, resulting in the fatal error: TaniumZoneServer: error while loading shared libraries: libtbb.
  • Fixes an omission where the sensitive_data_flag in XML content imports to the Tanium Server was not being honored as expected.
  • Fixes a problem in the Tanium Server where the license file value persisted into the database produced an incorrect JSON serialization, rendering it invalid.
  • Fixed an incorrect handling of the "read_solutions" RBAC privilege in the Tanium Server which was evaluated as "read_solution" instead.
  • Fixed an issue where the LogVerbosityLevel setting was not honored in the Tanium Module Server and treated as a value of zero instead.
  • Fixes an omission in the Tanium Server user API where the serialize_authorization_flag option would not be honored correctly when also requesting include_user_details=1.
  • Fixes a conflict in the Tanium Server during evaluation of RBAC privileges implied by solution module configurations.
  • Fixes an issue in the Tanium Server treatment of LDAP filters in synchronization connectors on Linux where filters like objectClass=user would work but (objectClass=user) would not work and result in a "Bad search filter" exception thrown.
  • Fixes an issue in the Tanium Server calculation and enforcement of site throttles where the full allotted bandwidth was not delivered as configured.
  • Changes the handling of connection close logic to try and ensure all send data has been read from a socket before closing it, thus allowing termination TLS alerts to be received by the far end.
  • Fixed an issue in the Tanium Server which would fail to create an auto-provisioned user account if one with the same name had existed before and was then deleted.
  • Fixes a problem in the content set roles API in the Tanium Server where the created and modified time and user id fields would return incorrect default values.
  • Fixes a memory increase observed in the Tanium Module Server caused by the treatment of connection session tickets in TLS v1.3.
  • Adjusts the treatment of TLS v1.3 session tickets, which are expected to be single-use and would cause extra handshakes and tickets to be created when not managed correctly.
  • Fixes incorrect user ownership and permission settings on the fips.log file deployed by the Tanium Module Server installer which would result in the error "Failed to open file "/opt/Tanium/TaniumModuleServer/fips.log": EACCES: Permission denied" when upgrading a server running in FIPS-enabled mode.

Known Issues and Workarounds

  • There is a problem in the TLS v1.3 interface that makes the storage of SOAPServer certificate keys in an HSM unusable in this Platform version. Upgrade to v7.6.2.1220 instead of using this version if you have an HSM-enabled Tanium server.
  • The Tanium Server has a problem in the unlikely event that different package files happen to share identical chunks, leaving clients unable to download one or more of these files.
    Workaround: A definitive fix is being prepared to be made available in an upcoming SAR update, and in the meantime it has been established that a restart of the Tanium Servers in a deployment will clear up this condition.

Product Documentation and Resources