IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Tanium Server and Tanium Client (Version 7.4.4.1362)

From Tanium Knowledge Base
Jump to navigation Jump to search

Thank you for choosing Tanium. The following Release Notes document changes between releases of the Tanium Server and Tanium Client.
This platform release includes the release of both a Windows and Linux Tanium Server and Tanium Client binaries for all supported platforms.
The previous version can be found here: Release Notes (Version 7.4.4.1250)


Tanium Server for Windows and Linux v7.4.4.1362

General Availability Release Date: February 9, 2021.

Tanium Client for all Platforms v7.4.4.1362

General Availability Release Date: February 9, 2021.

Special Notes

  • Due to security issues against this release of Tanium Server, Tanium strongly recommends upgrading to at least v7.4.5.1240 if you are using this version.
  • The Tanium Server now uses Console (Version 2.0.248.0000).

Security Updates

  • This release includes security updates. Details of the issues, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.

New Features

  • The Tanium Server will only keep a 30 day record of known endpoints in SystemStatus.txt while in the past this file was never flushed of old records, which would allow it to grow without bounds and turn specially large in environments with non-persistent and volatile clients. Deployments with a need to keep a longer record of past endpoints are suggested to use Connect and, only when strictly necessary, use the configuration parameter system_status_client_age_limit_days to extend this retention period.
  • The Tanium Server and Zone Server now expose a metric named app_version_info with information about the running binary version.
  • Introduced performance improvements to the Tanium Server in the way it references columns in result rows for SQL queries.
  • The Tanium Server now offers a host of measures through its /metrics route regarding the operation of protocol v315 TLS communications. All of these new measure names begin with the tanium_pki_tls prefix.
  • The Tanium Server now offers a Global Setting (Server, Numeric) named server_timing_visibility which when enabled will include a Server-Timing HTTP header entry in all API responses, offering visibility into the multiple internal execution timings for the request; everywhere from cache refreshes to RBAC evaluation. The possible values for this setting are 0 (zero) to disable the header, 1 (one) to include the header only in Administrator user requests, or 2 to include the header on requests made by all users.
  • The new Server Timing header included in HTTP responses to API calls against the Tanium Server will now also provide data on the timing of any internal cache refreshes executed while servicing the request.
  • The Tanium Server now provides granular controls for the assignment of thread types to ProcessorGroups when SetThreadAffinityFlag=1 . This is only applicable to Windows platforms and allows granular control when balancing workloads in extremely high-load and high-CPU count environments. These thread assignments are also now exposed on the TS/info route.
  • The Tanium Server now offers the default_max_string_age_minutes Global Setting as a means to set a default Max String Age for all Sensors in the system.
  • A Tanium Zone Server will no longer present a v314 certificate when connected to and scanned if enable_protocol_314_flag is disabled in Global Settings.
  • Tanium platform components now use OpenSSL v1.0.2x.
  • The Tanium Client v7.4 and higher now expresses a dependency on libc++ for endpoints running AIX v7.2 and above.
  • The Tanium Server now supports filtering Question results on columns which are declared as hidden in their Sensor definitions. This now enables better filtering in the Console results grid.
  • The Tanium Server's logging into action-scheduler.txt now responds to three different settings for LogVerbosityLevel=[1, 41, 91] , reserving levels 1 (one) and 41 for error reporting and 91 for every other normal operation messages.
  • The Tanium Platform now introduces an improved tracking of connection states which allows tightening of the security involved in handling incoming connections, including potential rogue sources.
  • The installer for the Tanium Server has modified its End User License Agreement (EULA).
  • The Tanium Server now offers a Global Setting tls_session_duration_seconds that defaults to 3,600 seconds, forcing a full TLS handshake every hour instead of reusing session tickets.

Improvements

  • The Tanium Server now introduces additional checks when reading and writing its SensorDiffHistory file, both reducing the amount of I/O in its reads and writes and validating the entries read from the file. This helps avoid a condition where incorrect entries could cause premature client registration failures with the message: Client registration failed: Client registration connection shutdown.
  • The Tanium Server will now emit tanium_client_count_history as part of its /metrics output, representing the 30 day endpoint registration count often consulted in the Client Status page.
  • The Tanium Server has dropped the input column from the import_jobs table in the database to reduce storage needs for its sometimes large contents.
  • Improved logging on the Tanium Server to offer a significant message when failing to parse a PKI bundle to read: Failed to parse PKI bundle instead of logging just a BasicException that did not identify the source of the exception thrown.
  • Introduced changes to the Tanium Server to improve performance and reduce overhead when receiving results from SQL queries.
  • Introduced handshake performance improvements during TLS session ticket reuse for the Taniunm Server and Zone Servers. These allow for validation of the cryptographic information of thousands of incoming client connections with reduced CPU resource consumption.
  • Introduced efficiencies in the way the Tanium Server running threads manipulate cryptographic objects using the OpenSSL libraries to reduce lock contentions and improve high-scale performance in large systems.
  • Introduced a performance improvement in the instantiation of SSL objects which will help to increase CPU processing efficiency in large Tanium deployments.
  • Values set for Max Strings and Max String Age on a _Sensor will no longer be overwritten during content imports.
  • Both the Tanium Server and Zone Server will now persist TLS session tickets in a file named ssl-session-ticket-keys.dat so they can be reused across restarts, thus reducing the incidence of new session negotiations on startup.
  • The Tanium Server API for Saved Questions now honors the context_id filter condition even when it does not have a reissue interval.
  • The Tanium Server and Zone Server now streamline the cryptographic verification of incoming Tanium Client connections, reducing the CPU workload required for this duty.
  • The Tanium Server now allows invoking a solution's uninstall more than once to allow it to be removed from both servers in an Active/ Active configuration.
  • The Tanium Server's SOAP and REST APIs now support fetching Local Settings audit records.
  • The Tanium Server API now allows administrator users to retrieve the definition of Packages with their deleted_flag=1 when referenced by id.
  • The Tanium Server now implements more efficient code to verify client cryptographic credentials and reduces this CPU overhead on incoming connections.
  • The Tanium Server will now refuse to spawn TDownloader to fetch and store a file if this would result in a low disk storage condition, as defined by the MinFreeSpaceInMB setting which defaults to 1,024MB.
  • Introduced performance optimizations in the way the Tanium Server and Zone Server manage endpoint client connection authorization, thus reducing the amount of CPU resources consumed by each individual connection.
  • Changed the way in which the Tanium Server queries URL hashes for Package files defined in the system to improve SQL performance.
  • The Tanium Server now uses the tls_client_reverify_interval_seconds with a default value of 300 seconds as the maximum amount of time allowed before an incoming TLS connection will be re-verified.
  • The Tanium Server has improved efficiencies in by using incremental loads of Question definitions from its database, resulting in faster API response times.
  • Tanium Zone Servers will now persist client connection information in a way that endpoint clients can re-use their session information when the server is restarted.
  • Reduced some thread contention associated with cryptographic operations which will benefit very large customers that need to run many dozens of client connection service threads.
  • The Tanium Platform servers on Windows will use a faster random number generator to accelerate cryptographic processing of incoming client connections.
  • The Tanium Server's database-upgrade log will now include the server version along with the Starting database upgrade message to indicate the upgrade release.
  • As a performance improvement the Tanium Server will no longer load old and deleted (status=2) Saved Actions from the database and into its internal cache.
  • The Tanium Server has improved the way it evaluates RBAC privileges for Scheduled Action visibility, resulting in API request performance improvements.
  • Introduced a performance improvement in the way the Tanium Server queries its database for Saved Actions and their associated Package to enforce RBAC permissions.
  • Added and index to the implied_privileges_working_table_idx in the Tanium Server database which improves the performance of operations on Content Set Role Privileges across the system.
  • Introduced an optimization in the management of Content Set Role Privileges that brings performance improvements over a range of RBAC-related operations in the Tanium Server database.

Bug Fixes

  • The Tanium Server SSL unexpected EOF messages which are generally harmless are now logged at LogVerbosityLevel=11 to avoid unnecessary spam entries.
  • Fixed an incorrect interaction of the Tanium Server with PostgreSQL databases which would sporadically cause Saved Questions to be displayed as Get Number of Machines instead of their correct definition. This fix also includes the command line option reset-sequences which will repair database contents where this condition appears,
  • Fixed a limitation in the Tanium Client installer on Windows by which it failed managing the permissions of the installation directory when the local Users group had been renamed, throwing the error: Unable to revoke permissions for Users group: Cannot build new access control list.
  • Fixed a bug with the management of the Tanium Server's internal user cache which would cause some accounts to display a Last Login time years in the past (e.g. 1999-12-31) after the periodic LDAP-synchronization made changes in the system.
  • Fixed an issue in the Tanium Downloader where concurrent access to CRL lists in its SQLite database could produce the error SQLiteDatabase: gave up on busy handler after waiting 5s and fail a download and subsequent solution installation or upgrade.
  • Resolved an issue which resulted in an incorrect SAML Reply URL being created on TanOS in some configurations. 
  • Fixed a problem in the Tanium Client that would fail to persist the state of an Action verification across client restarts, prolonging the Action Verification phase.
  • Fixed a problem with the Tanium Server's /single-use-request downloads API that would fail when accessed using an authorization token instead of a session id.
  • Fixed a problem with the management of expired cryptographic keys on the Tanium Client which would cause peering errors when operating in an Active/ Active Tanium Server configuration.
  • Fixed a bug in the Tanium Server which caused Scheduled Actions to be issued under their old account ownership after they had been transferred to another user, typically when managing non-active user content from the Tanium Console.
  • Fixed an issue with the Tanium Server import API by which Saved Questions with associated Actions (packages) were not being linked together when importing new content.
  • Fixed an issue with the Tanium Client installer on Windows that prevented it from recognizing the command line setting for ServerAddress.
  • Fixed a bug in the Tanium Server in the handling of Saved Question metadata that would trigger the Console error duplicate key value violates unique constraint "saved_questions_meta_data_unique" when importing content.
  • The Tanium Server REST API has been fixed to support some missing audit types from those listed as supported in /api/v2/audit_types.
  • Fixed an issue with the Tanium Server installer where when installing a local PostgreSQL database instance, the Tanium Postgres service would fail to start due to missing access controls on its installation directories.
  • Fixed an issue with the Tanium Server's audit API where the details field for audit records could be empty, not specifying the details for an audited change.
  • Fixed a Tanium Server installer bug during upgrades which would result in the error message: Cannot insert the value NULL into column ‘package_id’, table ‘tanium.dbo.saved_actions’; column does not allow nulls , when upgrading from v7.4.3 to v7.4.4.
  • The Tanium Server REST API now normalizes access to objects audit records through the api/v2/*_audit routes.
  • Fixed an issue in the Tanium Server logging of action-scheduler.txt where the Action ID logged was incorrect.
  • The Tanium Server now displays the database reset-sequences command help when using the database --help command line option.
  • Fixed an issue in the Tanium Server where the use of sequence column values in some tables could produce repeated error messages reading: there is no transaction in progress.
  • Fixed a Tanium Server problem where users assigned the special Content Set Administrator role were not having their other privileges revoked, which is the way this role should work.
  • Fixed a bug in the Tanium Server that caused Isolated Subnet definitions from loading when the sequence column in their database row has a value of 0 (zero).
  • Removed the logging of cryptographic fingerprint values on client connection failures.
  • The Tanium Server installer on Windows will grant ownership and permissions to SYSTEM on the installation directory, this is to fix access settings on deployments which may have used inherited permissions in the past.

Known Issues and Workarounds

  • N/A.

Product Documentation and Resources