Tanium Python Package Runner

Review the requirements before you install and use Map.

Tanium dependencies

In addition to a license for the Map product module, make sure that your environment also meets the following requirements.

  • Create a new directory for storing PyTan: mkdir /tanium. Extract the PyTan ZIP file you downloaded to /tanium: cd /tanium, then unzip pytan-2.1.8.zip. Verify that your OS X install has Python 2.7.x installed and that your PYTHONPATH points to 2.7.x: python -V, then python -c "import sys; print sys.path".
  • Run linters (flake8, mypy, pylint, bandit) and pytest. Pylint and pytest run within all the Docker images of an integration/script. This is meant to be used with integrations/scripts that use the folder (package) structure.
  • External Python Packages: Tanium HAT depends on a large number of open source Python packages, all of which are included in the tool in order to provide the ability to unzip and run. Some of the Python packages Tanium HAT depends on are pure Python, and they live in the libs_externals/any directory.
Component | Requirement

Tanium™ Core Platform

  • 7.3.314.4250 or later
  • 7.4.1.1939 or later

Tanium™ Client

For more information about specific Tanium Client versions, see Tanium Client Management User Guide: Client host system requirements.

One of the following Tanium Client versions is required, depending on OS:

  • (Linux, macOS*, Windows) Any supported version of Tanium Client
  • (macOS 10.15.x and later) 7.2.314.3608 or later

* = macOS earlier than 10.15.x Catalina

Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium solutions

If you selected Tanium Recommended Installation when you installed Map, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the Tanium solutions that Map requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Tanium solutions at the following minimum versions are required:

  • Tanium Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)

The following Tanium solutions are optional, but Map requires the specified minimum versions to work with them:

  • Tanium Trends 3.6.310 or later

Tanium™ Module Server

Map is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

The Predefined Package Gallery page lists predefined software package templates that you can import. Use the Predefined Package Gallery to import third-party software package templates to install, update, or remove software on a set of target computers. Tanium does not repackage or redistribute third-party software installers.

Endpoints

Supported internet protocols

Map is currently only supported with IPv4 networks.

Supported operating systems

The following endpoint operating systems are supported with Map. Map uses the Tanium™ Client Recorder Extension to gather data from endpoints.

Operating System | Version | Notes

Windows
  • Windows 7 SP1 or later
  • Windows Server 2008 R2 with SP1 or later
Notes: For Windows 7 endpoints, update to Windows 7 SP2 or later whenever possible. Windows 7 SP1 requires Microsoft Windows Update KB2758857.

macOS
Same as Tanium Client support. See Tanium Client Management User Guide: Host system requirements.

Linux
  • Red Hat Enterprise Linux 5.4 or later
  • CentOS 5.4 or later

For other Linux version support, see Tanium Client Management User Guide: Host system requirements.

The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux.

The Client Recorder Extension provides SELinux policies for the following distributions and versions:

  • Oracle Linux 5.x, 6.x, 7.x, and 8.x

    When SELinux is enabled, only process information is returned. This is a known issue and will be addressed in a future version of Map.

  • Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x
  • CentOS 5.4 and later, 6.x, 7.x, and 8.x
  • Amazon Linux 2 LTS (2017.12)

At this time, SELinux is not supported on other Linux distributions.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions.
  • Be aware that when using immutable '-e 2' mode, the recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled.
  • Be aware that when using the failure '-f 2' mode, the Linux kernel panics in the event that an auditd message is lost. The recorder does not add audit rules if this configuration is detected.
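
A pre-check for the two audit settings described above, as an added example (not Tanium code): it parses audit.rules text and reports the immutable (-e 2) and panic (-f 2) modes before the recorder is enabled. The function names and the sample rules are constructed for this illustration.

```python
import shlex

# Constructed sample of an audit.rules file, not taken from a real host.
SAMPLE_RULES = """\
# constructed sample
-D
-b 8192
-f 2
-w /etc/passwd -p wa -k identity
-e 2
"""


def audit_flags(rules_text):
    """Return (enabled, failure) as they end up after the rules are loaded.

    None means the rules never set the flag, so the kernel default applies.
    """
    enabled, failure = None, None
    for raw in rules_text.splitlines():
        if enabled == 2:
            break  # configuration is locked; later changes are denied
        tokens = shlex.split(raw, comments=True)
        for flag, value in zip(tokens, tokens[1:]):
            if flag == "-e" and value.isdigit():
                enabled = int(value)
            elif flag == "-f" and value.isdigit():
                failure = int(value)
    return enabled, failure


def recorder_precheck(rules_text):
    """Return the findings that matter before the recorder is enabled."""
    enabled, failure = audit_flags(rules_text)
    findings = []
    if failure == 2:
        findings.append("-f 2: kernel panics on a lost audit message; "
                        "the recorder does not add its audit rules")
    if enabled == 2:
        findings.append("-e 2: rules are immutable; restart the endpoint "
                        "after the recorder is enabled")
    return findings


if __name__ == "__main__":
    for finding in recorder_precheck(SAMPLE_RULES):
        print(finding)
```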

Disk space requirements

The Map database on each endpoint contains a record of the TCP connections from the past 24 hours. The size of this database depends on the number of TCP connections. In most cases, the maximum size of the database is 200 MB.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%. A minimum of two CPU cores per endpoint is required. The Tanium Client Recorder Extension cannot operate on fewer than 2 CPU cores.

A minimum of 4 GB RAM is recommended on each endpoint device.

Host and network security requirements

Specific processes are needed to run Map.

Ports

The following ports are required for Map communication.

Source | Destination | Port | Protocol | Purpose
Module Server / Tanium as a Service | Module Server / Tanium as a Service (loopback) | 17504 | TCP | Internal purposes; not externally accessible.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Map security exclusions
Columns: Target Device, Notes, Exclusion Type, Exclusion

Module Server
  • Process: <Module Server>\services\map-service\node.exe
  • Process: <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
  • Process: <Module Server>\services\map-service\[email protected]postgresql\lib\win32\bin\postgres.exe
  • Process: <Module Server>\services\map-service\[email protected]postgresql\lib\win32\bin\pg_ctl.exe

Windows endpoints
  • (7.2.x clients) Process: <Tanium Client>\Python27\TPython.exe
  • (7.4.x clients) Process: <Tanium Client>\Python38\TPython.exe
  • (7.4.x clients) Folder: <Tanium Client>\Python38
  • Process: <Tanium Client>\TaniumCX.exe

macOS endpoints
  • Process: <Tanium Client>/TaniumCX

Linux endpoints
  • (7.2.x clients) Process: <Tanium Client>/python27/bin/pybin
  • (7.4.x clients) Process: <Tanium Client>/python38/python
  • Process: <Tanium Client>/TaniumCX

Map security exclusions
Columns: Target Device, Notes, Exclusion Type, Process

Windows endpoints
  • (7.4.x clients) Process: <Tanium Client>\Python38\TPython.exe
  • (7.4.x clients) Folder: <Tanium Client>\Python38
  • Process: <Tanium Client>\TaniumCX.exe

macOS endpoints
  • Process: <Tanium Client>/TaniumCX

Linux endpoints
  • (7.4.x clients) Process: <Tanium Client>/python38/python
  • Folder: <Tanium Client>/TaniumCX

User role requirements

The following tables list the role permissions required to use Map. To review a summary of the predefined roles, see Set up Map users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Map user role permissions
Permission | Map Administrator 1,2,3 | Map Operator 1,2,3 | Map Read Only User 1 | Map Service Account 1,2,4 | Map Endpoint Configuration Approver 1,2

Map

Access Map workbench


SHOW

SHOW

SHOW

SHOW

Map API

Perform Map operations using the API


EXECUTE

Map Application Definition

Read and write map application definitions


READ
WRITE

READ
WRITE

READ

Map Application Configuration

Register, use, write endpoint configuration items for Map


SERVICE

Map Operator Settings

Read or write most map settings


READ
WRITE


READ
WRITE


READ

Map Settings

Read or write all map settings


READ
WRITE

READ
WRITE

Map Endpoint Configuration

Approve endpoint configuration items for Map


APPROVE

1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

4 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

Provided Map administration and platform content permissions
Permission | Role Type | Map Administrator 1 | Map Operator 1 | Map Read Only User 1 | Map Service Account 1 | Map Endpoint Configuration Approver 1
Action Group | Administration
READ
WRITE

READ
WRITE

READ
Computer Group | Administration
READ
WRITE

READ
WRITE

READ

READ
WRITE
Action | Platform Content
WRITE

WRITE

WRITE
Action For Saved Question | Platform Content
WRITE

WRITE

WRITE
Own Action | Platform Content
READ

READ

READ
Package | Platform Content
READ
WRITE

READ
WRITE

READ
WRITE
Plugin | Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question | Platform Content
READ
WRITE

READ
WRITE

READ

READ
WRITE
Sensor | Platform Content
READ

READ

READ

You can view which content sets are granted to any role in the Tanium Console.
1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

Tanium HAT depends on a large number of open source python packages, all of which are included in the tool in order to provide the ability to unzip and run.

Some of the python packages Tanium HAT depends on are pure python, and they live in the libs_externals/any directory.

Some of the python packages Tanium HAT depends on are python mixed with platform specific binaries, and those are found in either libs_externals/osx for OS X platforms, or libs_externals/win for Windows platforms.

Note

No other platforms are supported out of the box, but if you have a different platform and have installed these Python packages for your platform, you can still run Tanium HAT. Take a peek in one of the platform-specific package directories to see which packages you would need to install.

10.3.1. Module: libs_external

Adds paths to the PYTHONPATH so normal import usage can occur for external packages.

There are three directories under this package:

  • any: contains pure, non binary python packages that work for any OS
  • osx: contains mixed binary/python packages that work only for OS X
  • win: contains mixed binary/python packages that work only for Windows

After importing this package, you should be able to do:

libs_external.ANY_DIR = u'any'

Non-platform specific directory for this system.

libs_external.ANY_PATH = u'/Users/daniel.loffredo/proj/that/tanium_hat/libs_external/any'

The non-platform specific library path, ala /github/tanium_hat/libs_external/any

libs_external.PKGS = [u'Pillow-3.4.2', u'lxml-3.6.4', u'cffi-1.11.5', u'numpy-1.11.2+mkl', u'pandas-0.19.1', u'cryptography-2.4.2']

List of platform specific binary packages.

libs_external.PKGS_TXT = u'Pillow-3.4.2, lxml-3.6.4, cffi-1.11.5, numpy-1.11.2+mkl, pandas-0.19.1, cryptography-2.4.2'

String list of platform specific binary packages.

libs_external.PLATFORM_DIR = u'osx'

Platform specific directory for this system.

libs_external.PLATFORM_MAP = {u'windows': u'win', u'darwin': u'osx', u'linux': u'linux'}

Mapping of platform.system().lower() to platform specific library directories.

libs_external.PLATFORM_PATH = u'/Users/daniel.loffredo/proj/that/tanium_hat/libs_external/osx'

The platform specific library path, ala /github/tanium_hat/libs_external/osx

libs_external.THIS_FILE = '/Users/daniel.loffredo/proj/that/tanium_hat/libs_external/__init__.pyc'

This file, ala /github/tanium_hat/libs_external/__init__.py

libs_external.THIS_PATH = '/Users/daniel.loffredo/proj/that/tanium_hat/libs_external'

The path from this file, ala /github/tanium_hat/libs_external

libs_external.THIS_PLATFORM = 'darwin'

Platform for this system.
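
The path setup this module describes, as an added sketch (not the Tanium HAT source): it maps platform.system() to a bundled directory and adds the platform and any directories to the import path. Appending rather than prepending, and skipping directories that are group- or world-writable, are choices made for this example; the function names are hypothetical.

```python
import os
import platform
import stat
import sys

# Values as listed in the module attributes above.
PLATFORM_MAP = {"windows": "win", "darwin": "osx", "linux": "linux"}
ANY_DIR = "any"


def external_paths(base, system=None):
    """Return [platform_path, any_path] under base for a platform.system() value."""
    system = (system or platform.system()).lower()
    platform_dir = PLATFORM_MAP.get(system)
    if platform_dir is None:
        raise RuntimeError("no bundled packages for platform %r" % system)
    return [os.path.join(base, platform_dir), os.path.join(base, ANY_DIR)]


def is_safe_dir(path):
    """True if path is a directory that group/other cannot write (POSIX bits)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False  # missing directory, e.g. no bundled 'linux' packages
    return stat.S_ISDIR(mode) and not mode & (stat.S_IWGRP | stat.S_IWOTH)


def add_external_paths(base, system=None, path_list=None):
    """Append the usable external directories to path_list (default sys.path).

    Appending keeps bundled packages from shadowing the standard library;
    a directory that other users can write to is skipped, because anything
    placed in it would be importable by this process.
    """
    path_list = sys.path if path_list is None else path_list
    added = []
    for path in external_paths(base, system):
        if is_safe_dir(path) and path not in path_list:
            path_list.append(path)
            added.append(path)
    return added


if __name__ == "__main__":
    here = os.path.dirname(os.path.abspath(__file__))
    print(add_external_paths(here))
```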