Configuring Patch

If you did not install Patch with the Apply Tanium recommended configurations, you must enable and configure certain features.

Configure global settings

You can configure the Tanium platform for optimal delivery of larger payloads, which are typically associated with patching activity.

  1. From the Main menu, click Administration > Global Settings.
  2. To increase the client cache size, click New Setting, provide the following information, and click Save.
    Setting Name: ClientCacheLimitInMB
    Setting Value: 2048
    Affects: Client
    Value Type: Numeric
  3. To increase the hot cache percentage, click New Setting, provide the following information, and click Save.
    Setting Name: HotCachePercentage
    Setting Value: 80
    Affects: Client
    Value Type: Numeric

Changes to global settings can take up to five hours to propagate to clients.

Install and configure Tanium End-User Notifications

With the Tanium End-User Notifications solution, you can create a notification message with your deployment to notify the user that the system is going to restart, and give the user the option to postpone the restart.

For more information, see Tanium End-User Notifications User Guide: End-User Notifications overview.

Disable Windows Update restart prompts

The Windows Update Agent automatically prompts users to restart when an update is installed, regardless of which user or source installed it. Configure the following Windows Local or Group Policy settings so that Tanium End-User Notifications, rather than the Windows Update Agent, controls endpoint restarts.

  1. In the Windows Local Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update.

  2. Enable the No auto-restart for scheduled Automatic Updates installations parameter.

  3. Disable the Re-prompt for restart with scheduled installations parameter.

Enable and configure Windows features

Before you can use certain Patch features for Windows endpoints, you must enable or configure them:

Enable and configure Tanium Scan for Windows

For more information about Tanium Scan for Windows, see Tanium Scan.

  1. From the Patch Home page, click Settings.
  2. In the Tanium Scan for Windows tab, select Enable Tanium Scan for Windows and click Save.
  3. Click Perform Initial Synchronization to perform the required initial synchronization.
  4. Select products to include in scans or select Available Products to select all current and future products.

    Synchronize all products, regardless of which products are present in the environment. Selectively choosing products can cause gaps in patch visibility.

  5. Select update classifications or select Available Classifications to select all classifications.

    Select Critical Updates, Security Updates, Service Packs, and Update Rollups.

  6. Select Enable Daily Synchronization if you want to synchronize daily and click Save.

    Click Synchronize Now after you save any changes.

Configure Tanium Scan for Windows

  1. Select products to include in scans or select Available Products to select all current and future products.

    Synchronize all products, regardless of which products are present in the environment. Selectively choosing products can cause gaps in patch visibility.

  2. Select update classifications or select Available Classifications to select all classifications.

    Select Critical Updates, Security Updates, Service Packs, and Update Rollups.

  3. Select Enable Daily Synchronization if you want to synchronize daily and click Save.

    Click Synchronize Now after you save any changes.

Configure WSUS Scan

  1. Add the WSUS Server URL.
    1. From the Patch Home page, go to Settings.
    2. In the Configuration Settings tab, WSUS Server Configuration section, enter the URL and click Submit.
    3. A regular expression for the URL is generated and added. Click View Whitelisted URLs, or go to Administration > Whitelisted URLs to view the entry that was added.
  2. In Windows Local or Group Policy for the endpoints that scan against the WSUS server, configure the following Windows Update settings:
    • Set the intranet URL for detecting updates and the statistics server to: http://<WSUS server URL>:<port>.
    • Set the Configure Automatic Updates setting to Disabled.
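The restart-prompt policies in Disable Windows Update restart prompts and the WSUS client policies above all map to values under the Windows Update policy keys in the registry, which is how you script and audit them outside the Group Policy editor. The following PowerShell is an added example and is not part of the Tanium guide or the Tanium product: it writes those values on an endpoint and then reports, setting by setting, whether the endpoint is in the expected state. The function names are this example's own, and http://wsus.example.local:8530 is a placeholder for your WSUS server URL.

```powershell
# Added example (not from the Tanium guide). Registry equivalents of the
# Windows Update policies this page asks for, plus a compliance report.
# Run elevated on the endpoint. Policy -> registry mapping (WindowsUpdate ADMX):
#   "No auto-restart ... for scheduled Automatic Updates installations" Enabled
#       -> AU\NoAutoRebootWithLoggedOnUsers = 1
#   "Re-prompt for restart with scheduled installations" Disabled
#       -> AU\RebootRelaunchTimeoutEnabled = 0
#   "Specify intranet Microsoft update service location" Enabled
#       -> WindowsUpdate\WUServer and WUStatusServer = URL, AU\UseWUServer = 1
#   "Configure Automatic Updates" Disabled
#       -> AU\NoAutoUpdate = 1
# Assumption: 'http://wsus.example.local:8530' is a placeholder for your WSUS URL.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"
$WsusUrl  = 'http://wsus.example.local:8530'

function Get-DesiredWindowsUpdatePolicy {
    # Desired values as (Key, Name, Value) rows. The restart-prompt rows apply to
    # every endpoint; the WSUS rows only to endpoints that use a WSUS Scan
    # configuration (Tanium Scan endpoints do not need them).
    param([switch]$IncludeWsus)
    $rows = @(
        [pscustomobject]@{ Key = $AuPolicy; Name = 'NoAutoRebootWithLoggedOnUsers'; Value = 1 }
        [pscustomobject]@{ Key = $AuPolicy; Name = 'RebootRelaunchTimeoutEnabled';  Value = 0 }
    )
    if ($IncludeWsus) {
        $rows += @(
            [pscustomobject]@{ Key = $WuPolicy; Name = 'WUServer';       Value = $WsusUrl }
            [pscustomobject]@{ Key = $WuPolicy; Name = 'WUStatusServer'; Value = $WsusUrl }
            [pscustomobject]@{ Key = $AuPolicy; Name = 'UseWUServer';    Value = 1 }
            [pscustomobject]@{ Key = $AuPolicy; Name = 'NoAutoUpdate';   Value = 1 }
        )
    }
    $rows
}

function Set-WindowsUpdatePolicy {
    # Creates the policy keys if needed and writes each value with the right type.
    param([switch]$IncludeWsus)
    foreach ($row in Get-DesiredWindowsUpdatePolicy -IncludeWsus:$IncludeWsus) {
        if (-not (Test-Path $row.Key)) { New-Item -Path $row.Key -Force | Out-Null }
        $type = if ($row.Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $row.Key -Name $row.Name -Value $row.Value -PropertyType $type -Force | Out-Null
    }
}

function Test-WindowsUpdatePolicy {
    # One row per setting; Compliant is $false when the value is missing or differs.
    param([switch]$IncludeWsus)
    foreach ($row in Get-DesiredWindowsUpdatePolicy -IncludeWsus:$IncludeWsus) {
        $actual = (Get-ItemProperty -Path $row.Key -Name $row.Name -ErrorAction SilentlyContinue).($row.Name)
        [pscustomobject]@{
            Key       = $row.Key
            Name      = $row.Name
            Expected  = $row.Value
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($row.Value)")
        }
    }
}

Set-WindowsUpdatePolicy -IncludeWsus
$report = Test-WindowsUpdatePolicy -IncludeWsus
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'One or more Windows Update policy values differ from the expected state.'
}
```

Two caveats when using this: on a domain-joined endpoint, domain Group Policy rewrites these values at the next refresh, so set them in the domain GPO rather than locally or the check will drift back to non-compliant; and the Windows Update Agent reads the values at its next policy refresh, so run gpupdate /force (or wait for the refresh) before expecting the restart behaviour to change. Omit -IncludeWsus on endpoints that use Tanium Scan for Windows, so that only the restart-prompt rows are written and checked.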

Enable direct patch downloads from Microsoft

For Windows scan configurations, you can enable direct patch downloads from Microsoft to isolated remote endpoints. This option reduces the impact on network resources. If the direct download fails, the endpoint downloads patches from the Tanium Server.

Cautions and considerations

Endpoints must be in a list of virtual private network (VPN) subnets or allowed Zone Servers that you configure. Configure VPN ranges only where clients have a direct path to the Microsoft URLs that are listed in Internet URLs. The following configurations are recommended:

  • Define the IP address ranges that are used by endpoints that connect to Tanium over a split-tunnel VPN. Use this option only for split-tunnel VPN ranges in which Internet traffic leaves the tunnel, so that the endpoints have a separate route to download patches from the Internet. Isolated endpoints within the defined ranges attempt to download patches directly from Microsoft.
  • Define the public IP addresses or Internet-resolvable fully qualified domain names of Internet-facing Zone Servers. Isolated Tanium Clients that are connected to these Zone Servers attempt to download patches directly from Microsoft.

Do not specify the following VPNs or Zone Servers:

  • Split-tunnel VPNs where endpoints still send traffic bound for Microsoft URLs through the internal corporate network
  • Full-tunnel VPNs
  • Zone Servers that are used in an internal security zone

Clients that use WSUS Scan configuration leverage the location that is defined by WSUS. Unless the WSUS server is configured to download patches from Microsoft instead of storing them locally, do not enable direct downloads for a WSUS Scan configuration. For more information about how to specify where updates are stored, see Microsoft article Update storage options.

  1. From the Patch Home page, click Settings and then click Configuration Settings if needed.
  2. In the Patch Direct Downloads section, specify network information:
    1. Select VPN Networks, Zone Servers, or both.
    2. Add one or more networks or servers, or, if previously created, choose from the list.
  3. Click Save.

Tracking direct download status

Review current and past patch downloads directly from Microsoft over the Internet.

  1. In Interact, ask the Get Patch - Direct Downloads Statuses from all machines question.
  2. Choose the time period in hours; for example, downloads in the last three hours.
  3. Choose whether to include in-progress downloads in the results.
  4. Choose whether to include failed downloads in the results.
  5. Click Ask Question.

The results grid displays a row for each download attempt and its status.

Enable and configure Linux features

Before you can use certain Patch features for Linux endpoints, you must enable or configure them:

Enable Patch for Linux endpoints

Before you begin, ensure that you meet the prerequisites listed in Tanium dependencies.

  1. From the Patch Home page, click Settings.
  2. In the Operating Systems tab, select RedHat, CentOS, Oracle, Amazon and click Save.

    After you enable this option, you cannot disable it.

  3. In the Configuration Settings tab, set the Patch List Applicability Bin Count value in the Saved Question Settings section to 10, and click Save. For more information about how to fine-tune this setting, consult your TAM.
  4. (Optional) In the Yum Repositories tab, add any custom Yum repositories.
  5. (Optional) In the Yum Repositories tab, create snapshots of Yum repositories. For more information, see Manage Linux repository snapshots.

(Red Hat endpoints) Configuring TDownloader to use certificate authentication

For Tanium as a Service, contact your TAM to configure TDownloader to use certificate authentication for downloads from the Red Hat Satellite server.

To use Patch on Red Hat Linux endpoints, you must configure Tanium Downloader (TDownloader) to use certificate authentication for downloads from the Red Hat Satellite server.

The available scanning techniques include Repository Scan and Tanium Scan. For the Repository Scan technique, you can use all repositories from which an endpoint can pull. For the Tanium Scan technique, you must use Red Hat Content Delivery Network, Red Hat Satellite 6 or later, or custom repositories.

For best results, create separate scan configurations for each major operating system. For more information, see Red Hat Linux endpoints stuck in Waiting for Initial Scan status.

Before you begin

Ensure that you meet the following prerequisites:

Configure TDownloader on Tanium™ Appliance

  1. Upload the SSL client private key and client certificate to your Tanium Appliance. Use SFTP with the tancopy account and copy the files to the /incoming folder.
  2. Using the TanOS menu, verify that the Tanium Server can reach cdn.redhat.com or the Red Hat Satellite server by name:
    1. Enter 3 to go to the Tanium Support menu.
    2. Enter 4 to go to the Run Network Diagnostics menu.
    3. Enter 1 to select the Ping Remote System option.
  3. On each Tanium Server, add the CA root certificate for the Red Hat Satellite or content delivery network (CDN) server:
    1. Enter 2 to go to the Tanium Operations menu.
    2. Enter 2 to go to the Tanium Configuration Settings menu.
    3. Enter 13 to go to the Control RedHat CA Cert menu.
    4. Enter 2 to select the Install redhat-uep.pem option.
  4. On each Tanium Server, add the Red Hat Entitlement client certificate and key:
    1. Enter 2 to go to the Tanium Operations menu.
    2. Enter 2 to go to the Tanium Configuration Settings menu.
    3. Enter 4 to select the Add Tanium Server TDL Auth Cert option.
    4. Enter the URL (https://cdn.redhat.com or the Red Hat Satellite server), client certificate file name, and the SSL client private key file name at each prompt.
    5. At the #Line Content display, enter R to return to the previous menu.

For more information, see Tanium Appliance Deployment Guide: Manage authentication certificates for Tanium Patch connections with Red Hat.

Configure TDownloader on Windows

  1. Copy the SSL client private key, client certificate, and satellite server certificate to your Tanium Server.
  2. Ensure that the Tanium Server can reach cdn.redhat.com or the Red Hat Satellite server by name.
    Example:
    ping cdn.redhat.com
  3. On each Tanium Server, configure TDownloader to use certificate authentication for downloads from the Red Hat Satellite server.
    Example:
    cmd-prompt>TDownloader.exe add-auth-cert --url https://cdn.redhat.com --cert C:\client-certificate.pem --key C:\client-key.pem
    where:
    • https://cdn.redhat.com is the URL prefix for the satellite server download URLs
    • C:\client-certificate.pem is the client certificate
    • C:\client-key.pem is the client certificate private key
  4. Check the TDownloader config to see that your certificate has been configured.
    cmd-prompt>TDownloader.exe config list
    Keys:
      - Auth:
      - Auth.0:
      - Auth.0.Certificate: -----BEGIN CERTIFICATE-----
        MIIFPTCCBCWgAwIBAgIIbY/mIdQbgMowDQYJKoZIhvcNAQEFBQAwgYwxCzAJBgNV
        BAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwHUmFsZWln
        aDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9yZ1VuaXQxKjAoBgNV
        BAMMIXJoZWxwYXRjaHNhdGVsbGl0ZTAxLnByb2RxYS5sb2NhbDAeFw0xODA0MjAw
        NDAwMDBaFw0xOTA0MjAwMzU5NTlaMEYxGTAXBgNVBAoMEHRhbml1bV9wYXRjaF9k
        ZXYxKTAnBgNVBAMTIDBjYjk4NjcyZjBhNTQ0MDJhNzIzYmNjOGI5ODFjYTg3MIIB
        IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXPySC20fPzMreenmX+4mUhS
        s/cdArQZOeeKliCdXI7Q/ZW0ZrhsgmMZTL+BNbZKUp72e0L3GF3yj0wx/8LWRLVC
        S9AaZdbXmJRK7B5mwpQaLtfuE93bJIkmBbzKA49jiwFdDE0J6v+wj0NgBZ3hr0NH
        V2O1hAwar2xkzz9fCTwyAR6d2I9Dpcfua8nH0ybO5kR8v1Epp70vw9/uMmGM3PCe
        YFX81ll3wxStbHj/DznUzQ/vFE0SZxLXh9LyWy9Nq+obLaFeDxJ0DT7iXotwVqWs
        Qow/upQ60vuYpAT57JM5tkrP+rKcct+TVVJNS/QmJC3yOwZWf8rIISRH4cb+GQID
        AQABo4IB5jCCAeIwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIEsDCBwQYD
        VR0jBIG5MIG2gBRNdbtnITo9NxbcUdarkRIJv464dqGBkqSBjzCBjDELMAkGA1UE
        BhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdo
        MRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEqMCgGA1UE
        AwwhcmhlbHBhdGNoc2F0ZWxsaXRlMDEucHJvZHFhLmxvY2FsggkAx2ndp2OhmcYw
        HQYDVR0OBBYEFHX7IDsUYNAZdI5dBxckm5a8y60aMBMGA1UdJQQMMAoGCCsGAQUF
        BwMCMBIGCSsGAQQBkggJBgQFDAMzLjMwFAYJKwYBBAGSCAkIBAcMBUJhc2ljMIGd
        BgkrBgEEAZIICQcEgY8EgYx42i2MMQrDMBAE9zFukyYgfyJdHmDO8oIEis7cXYz9
        e8ck1UwxjNM2GsbXj1bYsFQP6BpVuzRk7cEeSP8kYYRL3EK1OZ51NrED6f5ASK+f
        97RK5DIt3KAO7mHiGIyN4rwGw/wVsVxwAp4aKvUSzZXb1epTaC96MJ25BX5rmucc
        vyYlbSe9CpomkcWhADANBgkqhkiG9w0BAQUFAAOCAQEAubxqAqH/IQqIODQwaX9x
        NrIuJp3qWIUFjxZ1Vby4lEg2xmwfBtvNKminJBWNwOMZjq40xrEz0C2sxqkr/npv
        cbI4MMdQX1rdxMwsntgUZK8ApRR/pPwyxqAoa8IjahVBHNdFoA4+BBjcLcvzA1PB
        PReiXo0GS2gQQAb8U7d/jBTG1gm3ZpJFBxv7NBM9tEey3DwzP5LWPnZZmstRrlfx
        7sb5J/2zLvWuMG+dMJ5jkgUKTuNdccdBP9PEVrAKiDuoLCl4UqnP0YzMJd+e9Ktx
        FC1QCICFUQLhZ/QVAhh8hIw0jSxIcGN+KVJF52BGdzUxvoidfqtMsjc/8NSTRk+T
        /g==
        -----END CERTIFICATE-----
      - Auth.0.PrivateKey: (protected)
      - Auth.0.URL: https://rhelpatchsatellite01.prodqa.local
      - LogVerbosityLevel: 41
      - ProxyPassword:
      - ProxyPort:
      - ProxyServer:
      - ProxyType: NONE
      - ProxyUserid:
      - TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
      - TrustedHostList: localhost,tanium.local,win-2012-r2
  5. To configure TDownloader to work with the Red Hat CDN, use a text editor to append the PEM-encoded certificate for cdn.redhat.com to the end of the certificate file as referenced by the TrustedCertPath value from the previous step (Example: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt).
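Two checks are worth running around the Windows procedure above: before step 3, that the client certificate and private key actually belong together and that the certificate is inside its validity period (add-auth-cert accepts the files; the failure only appears later as a rejected download from the Satellite or CDN), and after step 5, that every PEM block in the TrustedCertPath bundle still parses after the cdn.redhat.com certificate was appended. The following PowerShell is an added example and is not part of the Tanium guide or of TDownloader. It relies on .NET's X509Certificate2.CreateFromPemFile, which throws when the key does not match the certificate and requires PowerShell 7.1 or later; the file paths are the placeholders used in the steps above and the function names are this example's own.

```powershell
# Added example (not from the Tanium guide). Pre-flight checks for the
# TDownloader certificate configuration on a Windows Tanium Server.
# Requires PowerShell 7.1+ (.NET 5+) for X509Certificate2.CreateFromPemFile.
# Paths are the placeholders used in the steps above.

function Test-TDownloaderClientCert {
    # Confirms the PEM key is the private half of the PEM certificate's public
    # key and that the certificate is within its validity period.
    param([string]$CertPath, [string]$KeyPath)
    try {
        # CreateFromPemFile throws a CryptographicException when the key does
        # not match the certificate or either file is not valid PEM.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertPath, $KeyPath)
    } catch {
        return [pscustomobject]@{ Ok = $false; Subject = $null; NotAfter = $null; DaysRemaining = $null; ClientAuthEku = $null; Reason = $_.Exception.Message }
    }
    $now = Get-Date
    $ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $valid   = $cert.HasPrivateKey -and ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    [pscustomobject]@{
        Ok            = $valid
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - $now).TotalDays
        ClientAuthEku = $ekuOids -contains '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, informational
        Reason        = if ($valid) { $null } else { 'Certificate outside validity period or has no private key' }
    }
}

function Get-TrustedBundleCertificates {
    # Parses every PEM block in the TrustedCertPath file, so a bad paste in
    # step 5 (truncated base64, missing END line) shows up here rather than
    # as a failed download later.
    param([string]$BundlePath)
    $pem    = Get-Content -Raw -LiteralPath $BundlePath
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    foreach ($m in $blocks) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        $c   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        $bc  = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        [pscustomobject]@{
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            NotAfter   = $c.NotAfter
            IsCA       = [bool]$bc.CertificateAuthority
            Thumbprint = $c.Thumbprint
        }
    }
}

$clientCheck = Test-TDownloaderClientCert -CertPath 'C:\client-certificate.pem' -KeyPath 'C:\client-key.pem'
$clientCheck | Format-List
if (-not $clientCheck.Ok) { Write-Warning "Do not run add-auth-cert yet: $($clientCheck.Reason)" }

$bundle = Get-TrustedBundleCertificates -BundlePath 'C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt'
$bundle | Format-Table Subject, NotAfter, IsCA -AutoSize
$expired = $bundle | Where-Object { $_.NotAfter -le (Get-Date) }
if ($expired) { Write-Warning "Expired certificates in the trusted bundle: $($expired.Subject -join '; ')" }
```

A block count lower than the number of certificates you pasted, or a FromBase64String error, means one of the PEM blocks in the bundle is damaged and TDownloader will not be able to validate the server it belongs to. The DaysRemaining value is the one to watch afterwards: Red Hat entitlement certificates expire, and when the client certificate lapses, downloads fail with an authentication error rather than a clear expiry message.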

Manage Linux repository snapshots

Repository snapshots have the following requirements:

  • Minimum Patch version:
    • For deployments to Red Hat and CentOS Linux endpoints, Patch 2.4.1.
    • For deployments to Oracle Linux endpoints, Patch 2.4.3.
  • The Patch process must be running on all Linux endpoints. For more information, see Patch process is not running.
  • Patch must be enabled for Linux endpoints. For more information, see Enable Patch for Linux endpoints.
  • You must use the Tanium Scan for Linux scan method. For more information, see Tanium Scan.
  • You must create a scan configuration with the Deployment Snapshots option enabled. For more information, see Create a scan configuration.

  1. From the Patch Home page, click Patch Settings and then click Yum Repositories if needed.

    You can also manage snapshots by clicking Manage Linux Snapshots on the Patch Scan Management page.

  2. To create a snapshot, select a repository and then click Create Snapshot. Name the snapshot and click Create.
  3. To rename a snapshot, expand a repository, select the snapshot and click Rename Snapshots. Type a new name and click Rename.
  4. To permanently remove unneeded snapshots, select the snapshots, and click Delete Snapshots.
  5. To remove failed snapshots across all repositories (for example, snapshots for which the environment was not properly set up), click Delete Failed Snapshots.

Initialize Patch endpoints

Patch installs a set of tools on each endpoint that you have targeted. Initializing or reinitializing Patch synchronizes static saved questions and is a common troubleshooting step.

  1. From the Patch Home page, click Initialize Endpoints to start the Patch service and begin distributing these tools to your endpoints.

    If the Initialize Endpoints section is not visible in the Patch Home page, click Manage Home Page, select Initialize Endpoints, and click Save.

  2. Enter the Tanium credentials and click Confirm.