Release Notes Tanium Server and Tanium Client (Version 7.6.2.1204)
Thank you for choosing Tanium. The following Release Notes document changes between releases of the Tanium Server and Tanium Client.
This platform release includes both a Windows and a Linux Tanium Server, as well as Tanium Client binaries for all supported platforms.
The previous version of Tanium Server can be found here: Release Notes Tanium Server (Version 7.5.6.1137)
The previous version of Tanium Client can be found here: Release Notes Tanium Client (Version 7.4.10.1086)
Tanium Server for Windows and Linux and Tanium Clients v7.6.2.1204
- Tanium Cloud availability date: April 24, 2024.
- On-premises availability date: May 1, 2024.
Special Notes
- This Tanium Server version will not support HSM-enabled deployments. See known issues.
- The use of TLS v1.3 in the Tanium server makes it incompatible with RSA keys shorter than 1024-bits, given that 2048-bits is the minimum security specification in this version of the TLS protocol. A Tanium server will fail to communicate with older external systems that are still using shorter key lengths.
- Starting with the first release of the v7.6.2 Tanium Client, the SNI value in TLS `ClientHello` messages will contain the name or IP address of the `ServerName` being targeted for connection. In environments where SNI inspection is enabled and where bespoke SNI values were whitelisted, Tanium Client communications will have to be reconfigured so that the targets in `ServerNameList` are allowed instead.
- Updates the End User License Agreement (EULA) for Tanium Platform products to its latest 2024-05 version.
- The Tanium Server now uses Console (Version 3.7.8.0000).
- Tanium discourages new installations of this software version on Windows 2012 and 2012-R2 given its End-Of-Life on 2023-10-10.
Security Updates
- N/A.
New Features
- The Tanium Server now offers a certificate management API to allow changing of its HTTPS certificate from a browser console.
- The Tanium Server and Client now allow the tracking of successful and failed action exit codes.
- The Tanium Server will now push notifications of new questions without the need for a registration from the client, making responsiveness even faster than it already was.
- The Tanium Client will now use `SIGTERM` on long running Sensors and Actions before issuing a `SIGKILL` signal.
- Enables file chunk downloading in non-leader endpoint clients when a linear chain `ChunkRequest` has not been serviced in over `PeerChunkRequestTimeout`. After these many seconds (default `300`) a non-leader endpoint will request chunks directly from a server unless `RequestChunksFromServerOnTimeout` is set to the value of zero.
- The Tanium Server will now reflect its isolated status where it has no peers to connect with. The `Status.IsIsolated` setting will help solutions decide how to operate most efficiently according to this state value.
- Tanium Clients will now report their `ActionLock` status so it can be presented in the browser console Action Status summary user interface.
- Tanium Servers will now immediately close new incoming connections when bandwidth throttle delays are larger than `leader_max_schedule_delay_seconds`.
- Offers a new encoding for names in the Tanium Client `ServerNameList` where individual names can be prefixed by a number and an underscore (e.g. `1_servername`) to specify a priority group. Connections to servers will be prioritized by their group number and then randomized within it to choose a destination to connect to.
- Added a new permission `manage zone servers` to grant Zone Server management rights to non-Admin users.
- Implements `low`, `normal` and `high` priority settings for Platform questions, where `high` priority questions should be reserved for interactive interface questions and `low` priority should be used for data pipeline harvesting questions.
- Tanium components now use `SetThreadDescription` on Windows versions where it is available, to name different threads, which is helpful for all manner of debugging tools.
- Implements a new API `api/v2/upload_file_stream` which accepts either an `application/octet-stream` or a `multipart/form-data` upload to improve performance in uploading large files to the Tanium Server.
- Exposes the Tanium Client internal metrics through the `TaniumCX get-metrics` CLI command.
- Tanium Client installation packages for Solaris v11 are now provided in Image Packaging System (IPS) format.
- The Tanium Client now replaces its original `Tanium Client -m` process with `TaniumCX run-framework`.
- Implements direct-download functionality on the Tanium Client, where the client will still be allowed to request chunks from its peers but any missing chunks must be downloaded by the interested client instead of the backward leader in a chain.
- Tanium protocol communications now use the TLS v1.3 `Certificate Authorities` extension instead of the SNI indicator available in previous TLS implementations. This should benefit users who find it difficult to disable or manipulate the SNI inspection of their security software.
- The `TaniumPython.dll` file now contains version information in the file's metadata.
- Tanium Platform components will now provide settings for `LogVerbosityLevel` on a per-log basis to allow for increased logging where necessary instead of increasing verbosity across the board for all logs.
- Allows the Tanium Server API to manage the `locked_out` status of user accounts.
- Adds the ability for the Tanium Client to communicate the execution result of a deployed action.
- Offers a new `server_health` API route on the Tanium Server which returns information about disk space available on the different servers in a deployment.
- The Tanium Client will now use its stable leader connection to send results reports to the server, instead of opening a new ephemeral connection as it did in legacy clients.
- Adds HTTPv2 support for outgoing requests from the Tanium Server which can now be used when communicating with the Tanium Module Server and other systems.
- Added the `TaniumExtractor` binary utility to Tanium's suite of tools in order to replace other extractors like `7z`.
- Adds the `read_server_host` micro-privilege to control access to the `server_host` API route used by TDS, so that service does not need to run with administrator privileges.
- Allows an API Token session to invalidate the token that it is using, logging out the session that is using it and all further access with this operation.
- The Tanium Client now requires a session token to be presented in API request headers and not in the SOAP request body when `RequireClientAPISessionInHeaders` is set. This avoids the parsing of XML when a proper session token is not presented up front.
- The Tanium Client will no longer reset `CX` extensions according to `MonitorResetIntervalInHours`. Extensions will now be reset only if and when the Tanium Client performs its own reset.
- Limits the size of allowable sensor results to be cached to avoid unrestricted memory growth of the Tanium Client when running poorly written sensors. The maximum allowed result size can be controlled with the `SensorMaxResultSize` configuration parameter.
- The Tanium Server authentication system now supports Online Certificate Status Protocol (OCSP) for Common Access Card (CAC) authentication.
- The Tanium Server now offers an API route to temporarily override logging levels on all server components. Posting to `internal/monitoring/v1/log/levels` with data that specifies `{"text": "DEBUG", "duration": 60}` will set the logging level to "DEBUG" on all servers for the next 60 minutes. The logging levels available are: `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`, which correspond to `LogVerbosityLevel` settings 1, 11, 21, 41, 61 and 91, respectively.
- Tanium component zipped logs will now contain the same older log files renamed with a date and time suffix (`YYYY-MM-DD-hhmmss`) which will make their names unique when unzipped.
- Tanium components now ship with FIPS-certified OpenSSL v3.
- The Tanium Server no longer honors the legacy `max_strings_total_mb` setting but instead calculates the amount of strings memory to use every startup based on its `string_memory_percentage` setting, which defaults to `33.33` percent.
- Adds support for filtering of groups based on their subgroups, allowing for action group queries with filters like: `action.action_group.groups[].name`.
- Implements Tanium Client peer-to-peer bandwidth throttling no longer controlled in terms of messages per second but by the `PeerBandwidthThrottleBytesPerSecond` client setting.
- Disallows disabling of active LDAP synchronization connectors, which will only be allowed when a connector is paused or deleted. This is to avoid synchronization operations with a connector in disabled state which would remove RBAC assignments that are no longer being provided.
- Implements the ability on the Tanium Client to extract the contents of ISO images, which is necessary to support use cases in the Deploy solution module.
- The Tanium Client will now execute Python sensors in a dedicated process labeled as `TaniumClient --python-sensor` which will avoid the common need to restart the `TaniumClient -a` process.
- Implements the direct reporting of results for sensors that use the sensitive data flag in Tanium Client v7.6.
- The Tanium Client will now persist into a database and load known actions on initial registration.
- The Tanium Client will now persist and read action statuses from its action database.
- Implements the migration of existing actions and their statuses into the Tanium Client's new `actions.db`.
- Implements new Tanium Server metrics for the number of successes and failures of database connection attempts: `dbconnectionpool_db_connect_success` and `dbconnectionpool_db_connect_failure`.
- Implements the Tanium Server plugins necessary to interface and operate with the System User Service, which can be controlled using the `enable_system_user_compatibility` setting.
- Implements the `StateProtectedFlag=1` feature on the new Tanium Client actions database.
- Implements the `tanium_authenticator_non_system_users_last_login` Tanium Server metric to indicate the last time users logged into the system.
- Adds a "`read solutions`" privilege to control access to the API `solutions` route.
- Implements auditing information for changes to the system's bandwidth throttle settings.
- Ensures the timely execution of built-in sensors like `Action Statuses` which now follow `maxAge` rules like any other non-reserved sensor.
- Ensures that v7.6 Tanium Clients will not peer with earlier versions, given that their communications are not compatible.
- Changes the behavior of the Zone Server Hub to resolve the DNS names for its Zone Servers each time it connects to them. This allows for better live response to Zone Server IP address changes without a service restart.
- Implements a mechanism in the Tanium Client where it will back off issuing download requests when its Tanium Server is exceeding its configured bandwidth limits and incurring high queue delays.
- The Tanium Server will now delete all users and groups associated with a SCIM provider when that provider is deleted. This is done for integrity and to avoid ending up with users and groups which can no longer be managed, neither through Console nor SCIM.
- Increases the default value of `max_force_registrations_per_second` to 10,000 now that this operation has become less costly thanks to other server to client communication improvements.
- The Tanium Client now saves and flushes the contents of its question and action databases during shutdown.
- The Tanium Module Server no longer uses HTTP Basic-Auth when registering with the Tanium Server, because this authentication method is now disabled on the Tanium Server by default.
- Tanium servers will now communicate their version to clients during registration, allowing new and future clients to determine if they have connected to a system of a compatible version.
- Implements a property named "`t`" on the result rows from the Tanium Server `GetResultData` API to indicate whether a particular row can be used as a target filter based on its values. The `include_targetable_flag` has to be included in the request for this property to be emitted.
- Enforces unique names for dashboard definitions in the Tanium Server which would otherwise produce solution import errors.
- Removes support of legacy FNV hashes in the Tanium Server's string APIs.
- Forces a Tanium Client to isolate if its server message buffer limits are exceeded, to allow it to process its own pending messages over those received from its peers.
- The Tanium Server now implements a `cell_row_count` API option that limits the maximum number of rows returned for result cells, allowing the caller to limit the amount of data returned when there is a large number of results in each cell.
- The Tanium Server history export APIs now offer a `mode` query parameter to specify the format of the export to be either `csv` or `json`.
- The Tanium Server question and action history export API now allows filtering which supports the ability of the console to export only selected items.
- Implements backing up the original values for those temporary environment variables the Tanium Client now manages for its sub-processes. The original values are stored in variables named with the `BACKUP` prefix.
- Implements client side handling of sensor execution priorities to complement the new question priority feature in coordination with CX requests.
- Implements the Tanium Client settings `SensorPenaltyThresholdMilliseconds=100` to specify which sensors are considered long-running, and `SensorPenaltyMaxMilliseconds=2000` to control the stalling of the evaluation pipeline.
- Adds the `priority` field to the Tanium Server's question API.
- Implements "`cx_channel_response_*`" metrics that tally the number of messages and bytes exchanged across the Tanium Client to CX communications channel.
- Brings back support and distribution of the `runasuser.exe` binary utility which is needed by some pieces of custom content.
- Ensures that built-in sensors skip the evaluation queue in the Tanium Client since their fast execution allows them to be preempted quickly.
- Implements a priority setting for the action API on the Tanium Server.
- The reserved Tanium Client internal sensor `Action Statuses` will now not return more than `ActionStatusSensorLimit` recent action statuses.
- Implements metrics counters on the Tanium Server to track the number of valid and invalid API token requests received.
- Ensures that `plugins/group/questions` returns an `HTTP-503` result code until the Tanium Server is fully ready for operation.
- The Windows client uninstaller will now kill the client if it does not stop within 20 minutes. This allows the upgrade to work even if the client process is hung.
- The Tanium Client now implements a `tanium_sensor_queue_wait_seconds` histogram metric that tracks the distribution of queue wait times for the execution of every sensor.
- Disables sensor execution penalties on the Tanium Client by making `SensorPenaltyThresholdMilliseconds=0` the out of the box default setting value.
- Adds the `tanium_dropped_connections` metric to the Tanium Server and Zone Server which reflects the number and type of connections dropped by configured global throttles.
- Sensor results in the new Platform are now forced to be encoded using `SHA-256` in support of future capabilities.
- Implements chunk cache use metrics in the Tanium Zone Server.
- Implements a metric to track non-handled exceptions in the communication in Tanium Servers and Zone Servers.
- New Tanium Clients now honor the global setting `ResultsEpoch` which when changed will reset their strings and question results data only. This is a subset of what a change in `DatabaseEpoch` would do, offering the benefit that this new operation will not reset the endpoint's `ComputerID`.
- The Tanium Server now offers a metric to track the number of retried question reports received from Tanium Clients.
- Adds a metric to the Tanium Server to reflect the number of legacy FNV hash collisions detected in the system.
- Adds support for a `disabled_flag` setting for user accounts in the Tanium Server, which can be set manually to enable or disable a user in the system.
- The Tanium Server now implements the `tanium_string_retry_pending_count` metric to reflect the number of outstanding legacy client string retries.
- The Tanium Client will now present a small sized message when requesting file chunks, to reduce the amount of upstream traffic in systems where the limit of download connections has been reached.
- The Tanium Server API now offers the `deduplicate_by_name_flag` option for `system_status` and `unregistered_clients` requests, which will then return a list of endpoints where their `Computer Name` has been de-duplicated.
- Adds periodic cleanup of the Tanium Server client status cache in memory which previously would only be cleaned up during shutdown and startup.
- The Tanium Server reverts the pre-v7.6 behavior of forcing client registrations of v7.4 and earlier clients to `1,000 per second` and implements the new `max_server_hash_messages_per_second=10,000` for newer clients.
- Adds client setting `ClientMinTLSVersion` with default value of "1.2".
- The Tanium Server now offers the `tanium_client_count_history_full` metric to reflect the non-duplicated thirty day client count in a deployed system.
- The Tanium Server adds the metric counters `tanium_dropped_question_reports_total` and `tanium_dropped_string_reports_total` to track dropped question and string reports.
- The Tanium Server now enforces a maximum value of four hours for the `max_console_idle_seconds` setting.
- Extends the `build_target_group` API in the Tanium Server to allow a `filters` specification which offers better control to the caller on the results that will be returned by the new filter.
- The Tanium Server API will no longer reply with `SQLException` messages to the caller but will continue to log these exceptions for troubleshooting purposes.
- Updates the EULA wording in Tanium components to its 2024 version.
- The `TaniumExecWrapper.exe` for Windows clients is now delivered as a signed binary.
- The Tanium Server will now allow the auto-creation of users without an assigned user group instead of returning an error. This allows for these user accounts to effectively log into the system even if they have no assigned permissions.
- The Tanium Server's manifest URLs have been changed to support the new semi-annual release process at Tanium, making them: `content.tanium.com/files/initialcontent/2024H1/manifest.xml` and `content.tanium.com/files/initialcontent/2024H1/labs_manifest.xml`.
- Updates the wording of the Tanium Platform EULA.
- Adds Tanium Server settings to support the semi-annual release model.
- The Tanium Module Server installer on Windows will update its RDB database to PostgreSQL v16.
- Deprecates the parametrized group API in the Tanium Server, which will no longer honor the `source_id` property when creating a new group.
- The Tanium Server and Module Server will now honor the `TLSSessionDurationSeconds` global setting that specifies the maximum session duration for a TLS connection.
- The Tanium Server now offers metrics that reflect the number of TLS sessions it has established against the Module Server.
- Updates the End User License Agreement (EULA) for Tanium Platform products to its latest 2024-05 version.
- Adds further details to the memory allocation statistics generated by `UseTBBAllocatorStats` on the Tanium Server, to provide more granular visibility into duties and uses where memory is being consumed which would otherwise simply be marked as "Other" in previous versions.
Improvements
- The Tanium Client will now immediately remove an action folder after the action finishes running.
- The Tanium Server will no longer perform any deduplication of client records in Client Status to avoid confusion over endpoints which answer questions but do not appear in this listing. Clients will be identified solely by their `ComputerID`.
- The Tanium Client will now periodically vacuum its SQLite databases.
- Tanium Clients will now synchronize their sensor definitions based on a unique `ID` field.
- Implements a new schema for the Tanium Client result cache that matches the new `SensorReport` format.
- The Tanium Server will now reuse rows in its `sensor_definition` database table when Sensor update operations have not changed their code implementation.
- The Tanium Client will now only re-execute Sensors when their results `maxAge` value is reached and no longer perform `maxAge/2` additional executions.
- Improved database code efficiency when updating action start times.
- The Tanium Server now constructs client-bound messages from the contents of its database caches which are guaranteed synchronized and consistent. This will reduce workload on the database for these operations.
- The `pki show --fingerprint` command now accepts short-form PKI fingerprint specifications like the ones displayed in Console.
- Implements the serialization of the new `direct_download_flag` for package file definitions in the Tanium Client.
- Defines a new namespace and version scheme used by the next generation of `ComputerID` assignment to endpoints.
- Introduces a Tanium Server sequencing counter for active/active pair messages about incoming Tanium Client registrations in order to support next-generation `ComputerID` assignments.
- Implements broadcasting of registration sequences between Tanium Servers in active/active pairs and Zone Servers in order to support the next-generation `ComputerID` assignments to Tanium Clients.
- The Tanium Client now uses fully asynchronous communications when establishing its connections to servers and peers.
- Zone Servers will now log at the lowest verbosity level when they find a local JSON throttle definition in their filesystem, and also log the result of loading said local configuration.
- Drops support for loading `TaniumTrace` DLLs which are no longer used or necessary.
- Refactors the in-memory handling of package file hashes as hash values instead of strings which can be more prone to bugs in their handling.
- Modifies the `pki show` command line in Tanium components to work for `tanium-init.dat` files without the presence of a `pki.db`. The command now assumes that the file name parameter is a `tanium-init.dat` file unless its extension is `.db` in which case it will be read as a `pki.db` database.
- The Tanium Server now allows for more granular scheduling of database clean up and maintenance activities by offering the `clean_database_hour` and `clean_database_minute` global settings.
- Refactors the Tanium Client SSL session store to track session tickets by IP address and implements the eviction of expired records.
- Implements a new metric `tanium_pki_unknown_trusted_roots` as a counter for the number of registration requests received with unknown keys.
- Adds a new `ModuleContentSigning` key type to be used by the new content signing API offered by the Tanium Server.
- Implements a new API that allows solution modules to have byte blobs of data signed by the Tanium Server.
- Removes unnecessary hashing of individual string columns in multi-column sensor results.
- The Tanium Server will now detect inactive servers in an Active/Active configuration and update its `Downloads/upload_hosts.txt` file. This will avoid unnecessary attempts to download files from a Tanium Server that is not up and running.
- Implements HTTP proxy client connections over the improved asynchronous communications model.
- Simplifies the organization and flow of `ServerName` selection, resolution and proxy connections in the Tanium Client.
- Improves the Tanium Server question parser to avoid creating excessive sub-groupings for multiple expressions joined with `OR` operators.
- Adds the user id for failed authentications to `authentication_audit` records returned by the Tanium Server API.
- Adds the ability to export saved actions by `ID`, necessary when attempting to export actions with duplicate names.
- The Tanium Server will no longer create "`Legacy-*`" RBAC roles in new installations. These roles are now deprecated for new deployments.
- Updates the allowed TLS cipher suite to match Mozilla's intermediate compatibility recommendation.
- The Tanium Client installer now provides a more specific firewall rule just for the communications port of the `TaniumClient.exe` binary.
- The Tanium Client now handles results in its `ClientResultCache` based on the immutable sensor `ID` that produced them.
- Improves on the reported status for packages on the Tanium Server to reduce information leakage on error reports.
- The Tanium Server now uses a column named `error_details` in its `server_package_files` to store error messages encountered when trying to download and cache package files.
- The Tanium Client will now clearly log when the `DisableTrace` flag is set on an endpoint.
- The Tanium Module Server will now clean its temporary directory on startup, removing files left behind which are no longer used.
- Improves the Tanium Server throttling API by validating the values allowed for bandwidth limits to adhere to positive integer values.
- Adds validation to regular expressions used in the creation of groups to avoid syntax errors which may later occur downstream at the Tanium Client with the log message: `error occurred while parsing the regular expression`.
- Adds the ability to read Tanium Client settings from an extension process.
- Implements increased resilience to corrupt `plugins.json` files in a Module Server configuration by doing a fallback to previous backup versions of the file.
- The Tanium Server will now use one single connection when working through database upgrade steps.
- The v7.6 Tanium Client is no longer sensitive to time drifts that can cause `[CRU]` results.
- Removes unused settings for string error flags and prefixes: `error_string_prefix`, `error_string_regex` and `generic_error_string_flag`.
- The RBAC API will no longer return a content set element for groups that are not designated as filters and not associated with a content set.
- The `TaniumCX` binary will now verify the signatures of the third party libraries it uses before loading them.
- Implements sensor and action communication pipes which CXs will use to communicate with the Tanium Client instead of using disk-based mailboxes.
- The Tanium Client will now log active script begin and end messages at `LogVerbosityLevel>10` to reduce log spam.
- The Tanium Client can now handle several sequential download requests over the same connection instead of opening a new one. Idle download connections will be closed after thirty seconds of inactivity.
- Enforces a limit of `5,000` as the maximum allowable value for `string_retry_hash_limit` that can be sent to the Tanium Client at one time.
- Adds ability for Tanium Client created temporary files to use Windows attribute `FILE_ATTRIBUTE_TEMPORARY` which prevents the file being written to disk whenever possible.
- Created separate db query plans in the Tanium Server for initial cache loading and incremental cache loads to reduce the number of times SQL has to compile query plans. This reduces CPU load on the SQL server as well as increasing API performance.
- Updated the way message size metrics are captured to improve efficiency of processing large messages.
- The Tanium Client will now use a `SHA-256` hash for the identification of contents in direct download requests.
- The Tanium Client will try to cast sensor results into a number value even when the definition does not define the result value as numeric. This allows for better handling of data types even for sensors which were created incorrectly.
- Reduced the `LiveSnapshotAlwaysUseSeconds` from 4 to 1 second to improve user experience for returned question results.
- Added serialization code efficiencies in multiple Tanium Platform components, making future feature updates and REST API handling more effective.
- Added a more efficient means to gather client configuration path information from the Tanium Client.
- Unifies the handling of sensor results and their results cache between the Tanium Client and extension processes.
- Added arguments to the Tanium Client that lighten the touch on an RPM database to support Software Manager functionality.
- Combines the execution of the packages and download file cleaning operations into a single thread in the Tanium Server, thus reducing contention between them as well as database resource utilization.
- Added an additional API call, `/api/v2/user_groups/by-name/{name}`, to get user groups by their text name.
- Tanium Client will retrieve the `computer name` directly without caching on all operations except for sensor and client evaluations to reduce the chance of caching interference.
- The Tanium Client will no longer truncate VBScript sensor results to a limit of `64KB`.
- Tanium Client connections will now follow a `60 second` timeout instead of the historic `3 seconds`. This should benefit busy systems with less than ideal network connectivity.
- Removed the old concept of slow peers that is deprecated by other mechanisms already in the Tanium Client.
- Updated API tokens with the associated person's name along with the id displayed with a `GET` for `/api/v2/api_tokens`.
- Includes additional logging of https header names when capturing `error parsing http response` log entries.
- The Tanium Server `/metrics` route will now omit per-thread metrics unless the `enumerate_server_threads_for_metrics_flag` setting is enabled. This reduces the cardinality of metrics in monitoring systems.
- The value of `info_export_interval_minutes` and `info_export_max_age_days` global settings will now be honored by zone servers.
- The Tanium Server will no longer log "`No PKI clock offset for fingerprint`" which is an expected server condition.
- The Tanium Client now persists the ids of sensor statistics requests so as not to respond repeatedly to the same request across client restarts.
- The Tanium Client's subsystem in charge of download requests now cleans its file buffer cache periodically to reduce the number of file descriptors it keeps open.
- Implements environment-specific content security policy headers for the Tanium Server replies.
- The Tanium Client will now run with a `question_check_diffs_seconds=60` default.
- The Tanium Client will now restore the environment of its sensor evaluation process instead of restarting it if a sensor execution has modified it.
- Removes Tanium Server client registration settings which are no longer used.
- Tanium Clients will now re-evaluate sensors when checking actions for targeting criteria.
- Implements the cleaning of expired action logs in the new Tanium Client.
- Implements the cleaning of expired action folders in the new Tanium Client.
- Implements the cleanup of expired actions from the Tanium Client's `actions.db` database.
- Implements referential integrity cascaded deletions in `action.db` for stopped actions.
- Implements expiration times for a Tanium Server's root keys to be `99991231235959Z` as recommended by RFC-5280.
- Drops the `value_system_flag` column from the `global_settings` database table, since it is no longer used.
- Improves the logged messages in the Tanium Server's `package-download.txt` log.
- The content set API on the Tanium Server will no longer return deleted records.
- Tanium Platform components now ship with xz v5.2.9 compression libraries.
- The Tanium Server will now log errors encountered while updating users and groups during an LDAP synchronization operation, such as SQL errors.
- Improves the text of audit records to include the previous and new name of objects in rename operations, offering more readable audit records for Tanium Server objects.
- Enables the tracking of encryption key IDs in the management of Tanium Client databases when StateProtectedFlag is enabled.
- The Tanium Server's global setting audit API will now return audit text that contains the original value that was changed as well as the new value it was changed to.
- The Tanium Server API will now reject the assignment of invalid RBAC privileges. Previously it would allow the assignment but strip the invalid privileges whenever calculating an account's effective privileges. Now the assignment itself will no longer be allowed.
- Adds the display_name field to the Tanium Server's API requests when this information is available for a user account. This will allow Console to display this information in user pages.
- The Tanium Server will now log API HTTP request headers only at LogVerbosityLevel=61 and above.
- Upgrades the PAM library on the Tanium Server to v1.5.2.
- Tanium Platform components now ship with TBB v2021.7.
- Implements server-side streaming export of question and action histories, reducing browser wait times and resources.
- Improves the performance of TLS session ticket verification in all Tanium Platform components.
- Implements faster client to server re-connections when there are pending downloads waiting completion.
- Implements WAL-mode operation for the platform's pki.db database.
- The Tanium Client installer on Windows will no longer remove and add again the Tanium Client service unless deemed necessary. It will just replace the service's binary instead.
- Improves the performance and resource utilization of PKI operations by not re-verifying certificate chains immediately after they are issued.
- Improves the performance of the Tanium Server system status and client count APIs which is important to deployments with a very large number of endpoints.
- Implements WAL-mode operation for the platform's config.db database.
- Implements periodic save and cleanup operations on the Tanium Client's SQLite databases.
- Implements a quicker delivery of isolated and separated subnet information from the Tanium Server to the Tanium Client. This allows informing the endpoint if it should be isolated or the separated subnet it belongs to, along with a list of candidate peers.
- Relaxes the permissions required to access the preview_content_set_role_detailed on the Tanium Server API as a prerequisite to enable customer content features.
- The Tanium Server and Tanium Zone Server will now free memory in their client processing threads every client_thread_clean_memory_seconds=300 interval.
- The Tanium Client now uses a timed, periodic enforcement of its StateProtectedFlag instead of doing this on every settings update event.
- The Tanium Client will now execute its downloads database maintenance cleanup every hour instead of every ten minutes. This interval can be controlled using the CleanDownloadDBInterval client setting expressed in seconds.
- Avoids a sensor cache lookup in the Tanium Client when resolving hashes in preparing question results.
- Implements an idle timeout command line option (--idle-timeout) for TDownloader which will specify the maximum amount of time a download stream can stall before it is considered failed. The default timeout will be 60 seconds.
- Improves the audit information for content set roles in the Tanium Server to return only the information of elements which were changed instead of the effective result of the changes.
- The Tanium Client will now log "No valid servers are configured" if its ServerName and ServerNameList settings are not configured.
- The Tanium Client will no longer fail to start if it cannot access PowerShell on its running endpoint. It will simply log "PowerShell not accessible" and continue to run without it. This may render content and solutions unusable but the client will not stop.
- Receives incoming messages for the Tanium Client from the CX framework subsystem and honors any restart requests received.
- The Tanium Server API now supports and expects a GET method request for its action and question export routes.
- The Tanium Client will no longer perform an epoch reset when DatabaseEpoch changes from an empty or missing value to an actual epoch value. This prevents performing a reset on first install.
- The Tanium Client will promptly refresh the return value for the Action Statuses sensor whenever an action is completed. This speeds up action status reporting on the Tanium Console.
- Improves Tanium Client question processing by not emitting changing results when the changed data is omitted through a select filter. This is an optimization aimed at questions like: Get Action Statuses starts with 27477 from all machines.
- The Tanium Server API now supports exporting multiple saved action IDs with the export-by-id route.
- Implements support for diskless mailbox execution for Visual Basic script sensors in the Tanium Client.
- Implements support for diskless mailbox execution for shell-script sensors in the Tanium Client.
- The Tanium Client will now return a maximum of 10,000 result rows as controlled by the SensorMaxResultRowCount client configuration setting.
- The Tanium Server now logs the reason for authentication failures at LogVerbosityLevel=0 in its auth.log.
- Client download API requests now copy files into a .tmpcopy sub-folder on the destination path, so that the requesting agent does not detect partially downloaded files.
- Adds additional information in replies to requests with expired JWT tokens to inform why the request was rejected.
- Honors the Tanium Client MessageBufferByteLimit setting.
- Implements use of the TANIUM_TRUSTED_MESH environment variable to allow the Tanium Server API to run on clear text HTTP instead of HTTPS.
- Implements the cache_ref_id in the rows returned when calling GetResultData which can be used in conjunction with a cache_id to call the build_target_group API on the Tanium Server.
- The Tanium Server API now offers a build_target_group route which allows defining groups from a result cache and its reference IDs.
- Removes support for ComputerID tracking in saved questions, which underpinned the recent results Tanium Server API feature that is no longer in use.
- Removes the previously needed but now superfluous file_name parameter which was used in action and question history exports.
- Changes the API to export both action and question histories so they will provide default CSV columns and JSON elements to be returned when none are specified beyond the export mode parameter.
- Ensures that plain-text communications between the Tanium Server and modules are only possible when running in a TRUSTED_MASH_FLAG=1 configuration.
- Makes module server solution registrations unique in both their id and name.
- Changes the threshold for incorrect sensor statistics from 1GB to 1TB for bytes read, given that it is possible that a sensor would read that amount of data to produce its results.
- Changes the Tanium Server history export API to return a JSON object instead of a simple array, which is best for compatibility.
- Improves the Tanium Client logging of the failure conditions for HTTP downloads.
- Adds logging to the ClientAPIFileCopy subsystem in the Tanium Client to allow for easier troubleshooting.
- Fixes a problem in the Tanium Client for AIX to detect when AIXSetLibPaths setup would fail on startup, resulting in the error: module libcrypto.so could not be loaded.
- Allows questions and their results to persist beyond their expiration time and for as long as max_result_cache_grace_period_seconds if they are still being referenced by API requests.
- Reduces the processing cost of content imports in the Tanium Server API by delaying signature verification until the flag for a concurrent import is confirmed.
- Reduces the memory utilization on the Tanium Client by clearing its question cache after it is persisted to disk.
- The Tanium Server question API now disallows the creation of saved questions from counting questions.
- Enforces the execute plugin privilege when routing module service API requests.
- Implements additional logging around sensor evaluation in the Tanium Client at higher LogVerbosityLevel>60 settings.
- Raises the LogVerbosityLevel at which the Tanium Client issues "Sensors failed verification" in order to reduce log spam.
- Improves the performance and memory footprint of the Tanium Client by making use of better SQL queries to load its initial state.
- Implements WAL operation mode on the Tanium Client's manual_groups and url_requests databases, which reduces the amount of filesystem activity.
- Implements improved handling of UTF-8 encoded sensor results in the Tanium Client.
- Ensures that the Tanium Client internal sensor cache keeps synchronized with the verifiable contents of its sensor database.
- Changes the behavior of sensor results parsing in the Tanium Client where it will ignore a configured delimiter in the sensor definition if it has no declared columns. This improves the behavior of sensors that incorrectly declare a delimiter for a single column.
- Improves the messages logged by a Zone Server when publishing a snapshot to include the highest question and action IDs contained in the snapshot.
- The Tanium Server and Client now offer higher sensor result limits for the benefit of data-intensive applications: SensorMaxResultSize=10,485,760 (in bytes), SensorMaxResultRowCount=100,000 and sensor_max_allowed_result_rows=100,000.
- The Tanium Server will now log "Malformed session" when authentication fails due to a malformed session value.
- The Tanium Client will now compress large question result reports as controlled by its EnableReportCompression and ReportCompressionThreshold which defaults to 1,024 bytes.
- Adds additional logging for the state of downloads requested through the Tanium Client API.
- Changes the tanium_sensor_runtime_seconds metric in the Tanium Client to be presented as a histogram instead of a counter, offering more granular insights into these measures.
- Adds logging to the Tanium Client around start and stop operations over the CX execution framework.
- Adds logging of incorrect SOAP sessions to the Tanium Client API when the value is provided in the message body, as is done when presented as a request header.
- The Tanium Server will now generate a 3,072-bit key certificate for SOAPServer.crt by default, instead of 2,048-bits as it did in previous versions.
- Tanium Platform components now ship with SQLite v3.42.0.
- Reduces log spamming in the Tanium Client on a disabled or unavailable client extension framework.
- For compliance with RFCs and compatibility with more SCIM providers, the Tanium Server now treats the externalId attribute as optional in users like it does in groups.
- The Tanium Server will now check the health state of its database connections before returning them to its connection pool.
- Ensures that old expired and revoked certificates are cleaned up from the pki.db database.
- Reduces log spam in the Tanium Server by issuing "Failed to build question" and "Failed to build action" only once.
- Reduces the CPU utilization in the Tanium Server when serializing user privilege information in API requests.
- The Tanium Server will no longer refresh all sensor definitions when questions and actions change, and will only refresh the definitions of sensors that have changed since their validation can be expensive.
- Makes the TaniumExtractor tool more resilient to errors so as to allow it to continue processing whenever possible.
- Improves the performance of the Tanium Server in computing cache sizes reported in its /metrics route.
- Improves the Tanium Server performance in calculating snapshots of new information transmitted out to Zone Server Hubs.
- Adds support for incoming HTTP2 connections initiated with prior knowledge and a correct connection preface.
- Changes the logging level for HTTP2 closed pipe log messages to a higher level, since they are not really error conditions.
- The Tanium Client offers better handling of long timeouts when communicating with its client extension components, which could happen during endpoint sleep cycles.
- Improves the error handling and resilience of the communications between the Tanium Client and the client extension framework when receiving oversized messages through their communications channel.
- Improves the http-access logging of data retrieval SOAP requests to the Tanium Server by logging the type and ID in the request, like: GetResultInfo:question/501.
- Implements limits for the new Tanium Server question result and string hash retry caches to keep them at a reasonable size.
- The Tanium Client will now send verbatim sensor result values if their length is shorter than that of the hash that would be used to represent the value itself.
- Ensures that URL to chunk mappings known to the Tanium Client are not just saved periodically but also on shutdown to avoid any loss of data.
- The Tanium Client now reduces ReflectionConnectMaxRetryInSeconds down to sixty seconds instead of five minutes to make its back-off interval shorter, and also resets its back-off interval after achieving a connection to a server, even if the connection does not close cleanly. This allows endpoints to be more resilient in their attempts to secure a server connection under adverse network conditions.
- The Tanium Server will now delay file downloads on startup until its web services are fully operational. This allows for quicker startup times.
- Improved the coordination between the Tanium Client and the extension execution framework startup and shutdown, which also fixes the unexpected log message "Couldn't get version of TaniumCX" when stopping the client.
- The Tanium Server now enforces maximum strings and maximum strings age for results received from new v7.6 clients.
- The tanium_dropped_connections metric now identifies whether the connection was dropped due to a global or a site subnet limit configuration.
- Implements support in the new Tanium Server for the max_strings setting in legacy strings.
- Changes the management of the Tanium Server string retry queue to operate under a LIFO policy, given that newer hashes are easier and faster to resolve than older ones.
- Sets TimeoutStopSec=90 in the systemd unit file for the Tanium Server to avoid it being forcibly killed during shutdown.
- The Tanium Server now uses different default values for resolution of legacy string hashes set at string_retry_hash_limit=2,000 and string_retry_pending_limit=10,000 to reduce the size of the pending set and accelerate the rate at which it is resolved.
- Global settings have been adjusted to allow Tanium Clients to re-play their sensor result string to hash mappings every twenty four hours instead of every week, as a means to reduce retry workloads on the Tanium Server.
- The Tanium Server now applies configured download throttles with every chunk request instead of when the connection is first established. This allows immediately enforcing changes to throttle values, instead of having to wait for the tear-down and reestablishment of existing connections.
- New versions of the Tanium Server will deduplicate Client Status counts when presenting the tanium_client_count_history metric. The endpoint lists presented in Client Status will not be deduplicated, but its numeric count figure will be.
- The Tanium Server binary now offers an export-strings command line option which will export the contents of the new format strings file into a SQLite database for inspection.
- Refactors the management of sensor string files in the Tanium Server to remove them not only when they are deleted but also when they have not been used and loaded into memory for a long time, as compared with their maximum age settings.
- Implements the unloading of sensors from Tanium Server memory when they are deleted or have been idle and not referenced by the internal result cache.
- The Tanium Server will now load its result data cache in a background thread during startup, to improve the time from when it is started up to the moment when it is responsive to other tasks.
- Ensures that the process_cache_batch_threads setting on a Tanium Server is assigned a value equal to the number of CPU cores divided by eight, but never a value larger than eight.
- Tanium Platform components now use Curl v8.5.0 libraries.
- The Tanium Server increases the size of allowable filter specifications to avoid the error "MaximumFilterSpecRegexLengthExceeded" when working with drill-down operations in the console that contain large amounts of data.
- Improves the logging of RunModulePlugin API requests to the Tanium Server.
- Upgrades Tanium components to use JsonCpp v1.9.5.
- Changes the behavior of ranked-selection of servers in the Tanium Client, where now in a setting like "ServerNameList: 1_TSa,1_TSb,2_ZSa,2_ZSb,ZSc", TSa and TSb will still be given priority over ZSa and ZSb and the non-prefixed ZSc entry will have the lowest priority.
- The Tanium Server now logs all SCIM errors at LogVerbosityLevel=1 and above to make it easier to troubleshoot failures without changing logging configurations.
- Improves the logging of session errors in the Tanium Server authorization log which in the past would only offer a very terse "Invalid session supplied" message.
- Renames the OpenSSL v3 libraries in the AIX Tanium Client to libssl-3.so and libcrypto-3.so to allow both v1 and v3 libraries to be deployed.
- The Tanium Server will now offer api_locked_out metrics for locked out user accounts and IP addresses, as well as requests from the Tanium Module Server.
- API requests to the Tanium Server now use internal cache structures instead of SQL queries to improve their response timing performance.
- Reduces the number of places where SHA hashes of keys are calculated by using their previously calculated fingerprints instead, improving code efficiency and performance.
- Adds TLS Client Authentication and Server Authentication extended key usage values to all certificates generated.
- Tanium components now disable SHA-1 and SHA-224 signature schemes in the TLS protocol.
- Improves the logging of missing sensor definitions in the Tanium Server, where SensorNotFound log messages would not specify which saved questions were responsible for referencing them.
- These Platform components now ship with SQLite v3.45.1.
- Tanium Platform components now ship with OpenSSL v1.0.2zj.
- The Tanium Client will now report back partial data when a sensor result is too large.
- The Tanium Server will no longer automatically fall back on its FQDN when forming a SAML assertion consumer service (ACS) URL and instead log an exception, to make it patently clear this mapping is missing from the configuration.
- The Tanium Server will not duplicate entries in the database's computer_specs table anymore, reducing its size and improving performance for large numbers of manual computer groups.
- Platform components are now built with libExpat v2.6.0.
- The Tanium Server now sets specific auto-vacuum scale factors for select PostgreSQL tables that grow quickly within the database.
- The WorkbenchesManager plugin in the Tanium Server has been updated to only keep the latest thirty copies of workbenches_*.json.
- The Module Server installer on Windows now forces a recalculation of the PostgreSQL database statistics after an upgrade, to improve database performance after a version migration.
- The Tanium Server now merges "[too many results]" records received from v7.6 and legacy clients to present a unified count across the whole system.
- Fixes a problem in the Tanium Server RBAC API where creating a role with access to all content sets would return an empty content_set_role_privileges list.
- Tanium components now ship with OpenSSL v3.2.1 and v3.0.9 when using FIPS support.
- Reduces the access rights requested by Tanium installers on Windows in order to minimize failures due to hardening on the operating system.
- The Tanium Module server installer on Windows tests that the installing user account has access to its database directories and contents. This mitigates the risk of a failed PostgreSQL upgrade.
- Removes the duplicate "tanium" word from the Tanium Server memory allocation metric names.
- The Tanium Server now allows enabling its TBB allocator statistics by adding a file named UseTBBAllocatorStats in the server's main installation directory. This is in addition to using the setting of the same name as an environment variable but is easier to persist across upgrades.
Bug Fixes
- Fixed an issue where the Tanium Server Question Parser failed to parse computer groups names in a question filter clause when the groups were expressed in terms of parametrized Sensors.
- Fixed a condition on the Tanium Client where setting local configuration values with the same name but different case would result in the error InvalidParentKey and break the TaniumClient config command line option.
- Fixed an issue in the Tanium Client in interpreting Package file download network messages where it would sometimes log assertion 'hash.size() > 0 && hash.size() <= kMaxHashSize' failed when requesting a client API download and running with LogVerbosityLevel=41 or higher.
- Fixes the permissions of a server's license file on disk when they are incorrect, avoiding the repeated "FailedToVerifyLicense" message in logs even when the loaded license is valid.
- Fixes an OpenSSL random number generator initialization problem that would result in the error "SSLEAY_RAND_BYTES:PRNG not seeded" which is innocuous but should not happen anymore.
- Fixes a condition in the Tanium Server by which policy-based saved actions would fire more often than they actually had to because they would not target any online endpoints anyway.
- Fixed a bug in the Tanium Server where an LDAP user's modified time field is updated every time LDAP synchronizes.
- Fixes an issue where API tokens would fail to be authenticated with IPv6 trusted addresses.
- Fixes an issue where the Tanium Server API would throw an HTTP-404 error when trying to export content sets that reference objects which had been removed from the system.
- Fixed a bug where the install log on the Tanium Client will continually add a new log every time a client is installed/upgraded. This is resolved by adding install-backup-[date].log rotation.
- The Tanium Client will now use database locks when applying StateProtectedFlag configurations, to avoid conflicts while applying the implied encryption of contents.
- Adds a missing transaction to the periodic package and package files cleaner maintenance operation in the Tanium Server.
- Fixed a bug where Last Modified was not updated on a user when adding or removing groups and roles.
- Fixes an HTTP-500 error returned by the user_groups API when referencing invalid user IDs.
- Fixes a bug where if the Client Extension (CX) or TaniumClient process dies and there is a partially written CX message, the CX connection fails until the TaniumClient service is restarted. This supports the CX Sensor improvement initiative.
- Fixes a bug where a Client Extension sensor request will hang if the TaniumClient -c process is restarted. This supports the CX Sensor improvement initiative.
- Fixes a bug where a Client Extension sensor request will hang if a response is dropped. This supports the CX Sensor improvement initiative.
- Fixes an issue where the Tanium Client may not rotate log files correctly.
- Fixes an incorrect parsing of incoming SAML identity provider data in the Tanium Server which would trigger the error "SAML authentication failed: Invalid namespace prefix 'xmlns:xsi' for attribute" when InclusiveNamespaces were used.
- Revised a memory configuration to increase performance while accessing SQLite databases on the Tanium Client.
- Resolves an issue where the Tanium Server's metrics would report higher client counts than Client Status due to not filtering records with ComputerID=0.
- Fixes a rare condition where a Tanium Server could miss manual groups and sensor updates for a short period of time. This condition has never been observed in the field due to its small probability of happening.
- Fixes the routing of the package_file update API in the Tanium Server which would previously throw an "InvalidObjectTypeForUpdate" error for PATCH requests.
- Fixes a problem where the Tanium Client would fail to execute Python code with the log message "not enclosed in Tanium Client folder" when the downloads folder is relocated.
- Changes the behavior of the Tanium Server solution import API so it will not throw an exception and reply with an error when referenced saved questions are missing.
- Eliminates trimming from registry MULTI_SZ values to preserve data where whitespace is significant.
- Fixes an issue in the Tanium Client where cleaning of action logs and folders would not honor the CleanActionLogsIntervalInDays global setting.
- Fixes an issue with the Tanium Server groups API which results in the incomplete error HTTP-500 'Invalid group field name: ' when trying to filter the request results.
- Fixes an ordering-of-operations error when importing both roles and privileges into the Tanium Server on the same operation, which could result in a ContentSetPrivilegeNotFound error.
- Fixes an omission in the Tanium Server content set role API which would not account for restricted privileges during a preview request. The API will now throw InvalidCustomerPrivilegeForContentSet when an incorrect privilege is included.
- Fixes a problem in the Tanium Server preview content set role API which would not return deny-type roles. Issuing a request with a deny_flag=1 will now return these roles.
- Fixes an issue in the Tanium Server where, when importing a package without attached files to overwrite an existing package with files, the file references would not be removed.
- Fixes a crash in the Tanium Server when it received a stop request while still waiting for its database connections to be available.
- Fixes the mode settings on the Tanium Client's taniumclient.service file to avoid the error message: Configuration file taniumclient.service is marked executable.
- Fixes a condition that produces revocation hash mismatches across active/active Tanium Servers after importing legacy v314 protocol keys.
- Fixes an issue by which content administrator users cannot read all content on the system, which impairs the role's ability.
- Fixes incorrect instructions in the Zone Server RPM installer on Linux which described the need to configure the ServerName setting, which is not necessary unless installing a Zone Server Hub.
- Fixes an issue in the Tanium Server audit log API for user groups where the details entry would be empty.
- Fixes the error response returned by the action group Tanium Server API when searching a non-existing group by name, which would return an invalid ID number instead of the group name provided in the request.
- Fixes an issue in the Tanium Server RBAC API which would return InvalidCustomerPrivilegeForContentSet when attempting to request detailed content set previews over content sets with configured restrictions.
- Fixes an omission in the Tanium Client where Windows COM errors were not properly encoded as UTF-8 strings.
- Fixes a problem where the Tanium Client would not honor a properly set ValidateAllLibrarySignatures=0 in its CX execution framework.
- Fixes an issue on the Tanium Zone Server where the info_export_max_age_days global setting would not be honored.
- Fixed a cosmetic issue in the Action Statuses sensor that showed the string "\n" in its description.
- Policy-based actions in the Tanium Server will no longer consider and count error results like [CRU] and [RCU] when evaluating whether to trigger or not.
- Fixes an omission where the Tanium Server would fail when configured to listen on port 65,535 which is a valid port number.
- Fixes a Tanium Server issue where the TaniumServer.exe database sqlserver2postgres command would fail with the error message "Unhandled column type: real" when the data_purge_history table contains any rows.
- Fixes an issue with the TaniumReceiver.exe database sqlserver2postgres feature where the generated output cannot be imported into a PostgreSQL database if the servers table in Microsoft SQL Server has negative guid values.
- Fixes an issue in the handling of single-use requests as used for export operations where request parameters were not being passed along to streaming handlers. This would impair the new streaming versions of action and question API requests.
- Fixes a filtering problem in the Tanium Server action API where it would return the status for multiple actions when only one of them was requested.
- Fixes an issue where enforcing the uniqueness of saved question names was not filtering out entries which were already deleted in the system.
- Fixes an omission where the Tanium Server RBAC API would not exclude privileges from deleted content sets.
- Fixes an issue in the removal of expired PKI keys in the Tanium Client which would show as repeating duplicate "Erasing expired key" messages in pki.log.
- The Tanium Server's question API will now return the exception "Counting questions cannot be merged" if requested to merge a counting question.
- Fixes a problem where the Tanium Server question result data API would not respond to the export_flag parameter.
- Refactors parts of the SCIM requests handling in the Tanium Server that could result in user group memberships being removed from RBAC configurations.
- Fixes a delay when fetching the Tanium Server info page, observed when the module server service is stopped.
- Fixes a condition where internal sensors could stall question results on macOS Tanium Clients.
- Ensures that built-in reserved sensors honor their configured maxAge setting.
- Fixes the operation of the ActionFolderRetentionMinutes setting on the Tanium Client to keep action folders for this period of time, as long as disk space on the endpoint does not fall below minimum levels.
- Reduces the logging of the SQLite "Failed to reset statement" message which is neither significant nor important.
- Fixes import failures of default computer groups into a newly built Tanium Server returning an HTTP-404: SensorNotFound error.
- Fixes the logout workflow in the Tanium Server for Azure environments, which would leave console sessions with an invalid JWT token and unable to log in again.
- Fixes the Tanium Server dbconnectionpool_db_connect_failure metric which would not reflect the correct count of connection errors.
- Fixes the parsing and output representation of sensors that contain square bracket characters ([]) in their name.
- Fixes the handling of legitimate h2c connection closures.
- Adds a database upgrade step to the Tanium Server install sequence which will fix incorrect legacy package file hashes which would result in errors like "Invalid package file hash value: class NotAHexDigit" and prevent logins at the console.
- Fixes a behavior in the Tanium Server where it would fail to cancel abandoned connections in its HTTP connection pool, and didn't release them until they completed their maximum number of retries.
- This change separates the processing of active-active Tanium Server and Zone Server message streams, as well as supporting concurrent client streams over the same connection. This solves a number of communications issues characterized by the logged errors: "unexpected exception: Can't queue callback that is connected somewhere else", "unexpected exception: Source is already connected to another callback" and "assertion 'm_downloadThrottle' failed".
- Fixes a problem in the Tanium Server by which it would not issue TLS session tickets to connected clients.
- Fixes an incorrect count of endpoints presented by the Tanium Server when deploying an action to machines with the same computer name.
- Fixes a problem in the Tanium Server integration with SCIM that could result in the error message: SQLException: duplicate key value violates unique constraint groups_name_hash_normal_group_unique_index.
- Fixes an issue in the Tanium Server handling of action status questions which could sporadically result in the SQL exception: SQLException: duplicate Key=History for action ids already exists.
- Fixes incorrect determination of hash collisions in the Tanium Server when receiving results from case-insensitive sensors from legacy clients.
- The Tanium Server question API will now return empty results for GetResultInfo and GetResultData requests on expired questions, since such requests cannot be fulfilled anyway and would result in "Question cache not found" errors being logged for them.
- Fixes a condition where the very first client connections to a Tanium server would operate without their configured throttles. Now the Tanium servers will refuse incoming client connections during startup until all throttle configurations are loaded and operational.
- Fixes a problem in the Tanium Server serialization of its newly designed result cache.
- Fixes an issue by which [RCU] errors would not be included and shown for counting questions issued by the Tanium Server.
- Fixes an issue with the Tanium Client where it may log "assertion '!m_resetRequired && !m_challengeRequired' failed" and then stop right after completing a server challenge.
- Fixes a timing condition in the Tanium Client which would make it wait for longer than necessary when stopping the CX execution framework, giving the impression that the system was idling unnecessarily.
- Fixes an error in the instrumentation of the Tanium Client which would prevent the client from starting with the message: Metric result_retries_received already registered.
- Fixes a behavior in the Tanium Client by which it would always deliver its sensor statistics information to its reporting server instead of forwarding them to its connected peer.
- Fixes an omission in the Tanium Server where it would not process incoming server_health_update messages received from zone servers.
- Modified the output of the TaniumClient quarantine list command to match that of legacy versions, because there exist content sensors and packages that depend on the format of this output.
- Fixes a condition where the Tanium Server might corrupt its new string cache bitmaps.
- Fixes an omission by which the Tanium Server would not reflect updates received from legacy endpoints when an [RCU] resolution was received or a legacy hash collision was detected.
- Implements a re-processing of sensor string files in the Tanium Server during upgrade to avoid case insensitive string hash mismatches which would cause [RCU] errors in question results.
- Fixes a mismatch between server and client in the treatment of case insensitive sensor string hashing which would result in [RCU] errors which would never resolve in question results.
- Introduces controls on the Tanium Client to determine the structure and content of string hash reports.
- Fixes an omission in the Tanium Server where delayed/future string reports would not be noticed in the resolution of missing strings.
- Fixes a condition in the Tanium Client where it would incorrectly send a throttle control command which would risk breaking its established connections.
- Adds necessary field keys in the new Tanium Server results cache needed to implement the required behavior for letter-case folding in sensor results.
- Forces the Tanium Server to re-read and interpret a sensor's string files when the case-insensitive flag in the sensor definition is changed. This is to avoid the [RCU] errors that this change can produce.
- Fixes a problem in the SCIM integration in the Tanium Server in which paginating through users requests would return an invalid value for totalResults.
- Fixes an issue in the way the Tanium Client services sensor evaluation requests from the client extension framework, where it would return a "Sensor not found" failure during sensor synchronization operations. The Tanium Client will now enqueue these requests until the synchronization is completed.
- Fixes an error condition in the state handling of outgoing HTTP connections from the Tanium Client which would produce the log error: assertion 'm_state == kStateEstablished' failed.
- The Tanium Server will now sometimes re-read and re-interpret the contents of sensor string files. This change ensures that reinterpretation is immediately serialized back to disk.
- Ensures that the current definition of a sensor is used by the Tanium Server when receiving question results, fixing the [RCU] errors observed against v7.4 when the "Ignore case in result values" option for a sensor was modified.
- Fixes a misspelling in the tanium_result_retry_count metric of the Tanium Server.
- Fixes an issue in the initialization of Tanium Client throttles which would result in the log error: assertion 'm_count < kMaxThrottles' failed.
- Fixes an omission in the Tanium Client mechanism which should stop its client extension framework which would cause the log error: assertion 'm_channel' failed while stopping or during a CX restart.
- Fixes an issue in the Tanium Server which would calculate incorrect hashes for active-active string retries, which would result in constant hash collision errors in question results.
- Fixes a problem in the Tanium Client when parsing proxy PAC file configurations referenced by ProxyAutoConfigAddress and which contain more than one PROXY entry definition, resulting in the logged message "Failed to parse proxy name. Too many colons" at LogVerbosity=41 and failing to select a proxy to communicate with a Tanium Server.
- The Tanium Client now registers all temporary sensors requested for evaluation by the extensions subsystems and treats them in the same way as client-initiated evaluations, to avoid extension group failures that would be logged with "Group evaluation failed. Sensor not found. Skipping item".
- Fixed an issue in the Tanium Server where the timestamp of some results received from clients would not be updated, resulting in the possibility of them being garbage collected and producing [RCU] errors.
- Improves the Tanium Client logging in log-script-child.txt when a Python sensor is executed from a process which does not have the client as a parent process, stating "Sensor child process has invalid parent" which is something that happens in Kubernetes environments when using Intel binaries on Apple silicon.
- Fixes an issue where the Tanium Client is not informed to back off in situations where the download queue is full.
- Fixes an issue in the Tanium Client where configurations without a ListenPort configuration setting would result in using the ProxyPort setting to listen on. This would mostly affect servers where the value of the proxy port in use could block other services from binding.
- The Tanium Server build_question_text and build_group_text APIs now support references to existing temporary sensors, in addition to the source sensors which have always been supported.
- Fixes an omission in the latest client version where its download API did not report the percentage completion of the Downloading requests in progress.
- Fixes an issue in the Tanium Server that would cause the error "HTTP-500: Saved Question metadata not found" when refreshing the status of a deployed action.
- Fixes an issue where the Tanium Client would attempt to validate the signature of library files no longer available in the system, like OpenSSL v1, and cause failures to start.
- Fixed a condition where Tanium Clients reporting through a NAT address in an intentional subnet configuration would peer outside their /24 subnet. This fix ensures that peering is contained within /24 IP ranges.
- Fixes a problem in the Tanium Client by which it would not honor its ClientCacheLimitInMB setting and only allocate 100MB of storage for its downloads chunk cache.
- Fixes an issue where the Tanium Server would not report the X-Forwarded-For address of the requestor in its http-access logs.
- Fixes a problem where the Tanium Server would not reissue a TLS v1.3 session ticket on session resumption, resulting in more full handshake sequences than necessary.
- Fixes an issue where the json_input_flag was not being recognized or honored correctly when importing content into the Tanium Server.
- Fixes the garbage collection of old Questions results in the Tanium Server which would otherwise result in a large TS/Strings/saved-questions.dat file.
- Fixes an issue in the Tanium Server in the lookup and handling of questions results which would result in the error: resultDataThread] Error: assertion 'current.size() == toCompare.size()' failed.
- Fixes a problem in the Tanium Module Server which would not initialize its cryptographic subsystem in FIPS mode regardless of its FIPSMode setting.
- Fixes an issue in the Tanium Server where in order to request action status a user needed the "read saved question" privilege over the Reserved content set or would otherwise receive an "Error creating and getting question" message in response.
- Fixes an issue in TDownloader that handled URLs with embedded spaces incorrectly.
- Fixes an issue in the Tanium Server in the handling of high-cardinality sensors with too many results where partial data under the result limit would fail to be reported to the caller.
- Adds a missing fips.so library to the Tanium Client installer for AIX.
- Fixes a missing Content-Type header in the execution of POST plugin requests from the Tanium Server to the Module Server.
- Fixes an issue in the Tanium Server while importing module plugin definitions.
- Fixes a type name infringement in the handling of SCIM schemas in the Tanium Server which read "bool" instead of "boolean".
- Fixes an omission in the Zone Server installer for Linux where library binaries were missing, resulting in the fatal error: TaniumZoneServer: error while loading shared libraries: libtbb.
TaniumZoneServer: error while loading shared libraries: libtbb. - Fixes an omission where the
sensitive_data_flagin XML content imports to the Tanium Server was not being honored as expected. - Increases the size of the number of sensors allowed to queue for evaluation between the extensions subsystem and the Tanium Client, to avoid running into the condition indicated by the "
[client.sensors] Error: Maximum write queue reached" error. - Fixes a dependency of Python v3.8 on SQL libraries which was missing and would result in the Tanium Client logging "
sqlite3 - undefined symbol: sqlite3_errstr" and causing dependent operations like patching to fail on some Linux platforms. - Fixes a problem in the Tanium Server where the license file value persisted into the database produced an incorrect JSON serialization, rendering it invalid.
- Fixed an incorrect handling of the "read_solutions" RBAC privilege in the Tanium Server which was evaluated as "read_solution" instead.
- Fixed an issue where the LogVerbosityLevel setting was not honored in the Tanium Module Server and treated as a value of zero instead.
- Fixes an omission in the Tanium Server user API where the serialize_authorization_flag option would not be honored correctly when also requesting include_user_details=1.
- Modified the handling of temporary sensor evaluations requested by the extensions subsystem to the Tanium Client, to avoid an elevated number of requests observed.
- Fixes a conflict in the Tanium Server during evaluation of RBAC privileges implied by solution module configurations.
- Fixes an issue in the Tanium Server treatment of LDAP filters in synchronization connectors on Linux where filters like objectClass=user would work but (objectClass=user) would not work and result in a "Bad search filter" exception thrown.
- The client will retry binding to the SOAP API port.
- Fixes an issue in the Tanium Server calculation and enforcement of site throttles where the full allotted bandwidth was not delivered as configured.
- The Tanium Server implements the setting PeerReceiveTimeout2=30 for v7.6 clients and above, while keeping PeerReceiveTimeout=10 for the benefit of v7.2 clients which depend on peer keep-alive messages based on this shorter duration.
- Changes the handling of connection close logic to try and ensure all send data has been read from a socket before closing it, thus allowing termination TLS alerts to be received by the far end.
- Fixed an issue in the Tanium Server which would fail to create an auto-provisioned user account if one with the same name had existed before and was then deleted.
- Fixes an issue in the Tanium Client where it would not update its known IP address when switching from one network to another, displaying its old address in client status and failing to update its own detected configuration settings.
- Older OpenSSL1 binaries are no longer saved in the Tanium Client Backup directory on client upgrade.
- Fixes a problem in the content set roles API in the Tanium Server where the created and modified time and user id fields would return incorrect default values.
- Fixes a memory increase observed in the Tanium Module Server caused by the treatment of connections session tickets in TLS v1.3.
- Fixes an issue in the serialization of temporary sensor evaluation requests made by the extension framework to the Tanium Client. This issue could cause negative targeting errors for systems like Endpoint Configuration.
- Adjusts the treatment of TLS v1.3 which are expected to be single-use and would cause extra handshakes and tickets created when not managed correctly.
- Fixes an incorrect user ownership and permission settings on the fips.log file deployed by the Tanium Module Server installer which would result in the error "Failed to open file "/opt/Tanium/TaniumModuleServer/fips.log": EACCES: Permission denied" when upgrading a server running in FIPS-enabled mode.
Known Issues and Workarounds
- There is a problem in the TLS v1.3 interface that makes the storage of SOAPServer certificate keys in an HSM unusable in this Platform version. Upgrade to v7.6.2.1220 instead of using this version if you have an HSM-enabled Tanium server.
- The Tanium Server has a problem in the unlikely event that different package files happen to share identical chunks, leaving clients unable to download one or more of these files.
Workaround: A definitive fix is being prepared to be made available in an upcoming SAR update, and in the meantime it has been established that a restart of the Tanium Servers in a deployment will clear up this condition.