Downloading patches in an airgap environment

When your Tanium Server is in an airgap environment, it cannot download patches from the internet. As of Patch 2.3.7, you can configure Patch, in the Patch Settings, to install patches for Windows endpoints from an alternate file location that you stage yourself.

Before you begin

If you want to configure a UNC share on a Tanium Appliance, you must add an authentication user for TDownloader as described in the Tanium Appliance User Guide: Add an authentication user for TDownloader.

Configure airgap for Windows endpoints

  1. From the Patch Settings, click Airgap Configuration, and select Enable Settings for Airgap - Windows.
  2. Provide an Alternate Patch File Location where all airgap files are staged.

    To configure a UNC share on your Tanium Server, contact your TAM.

  3. Click Save and then click Yes to confirm your action.
  4. From the Main menu, click Administration > Whitelisted URLs to verify that the configured alternate Patch file location is listed.

Download airgap-downloader utility

From the Airgap Configuration tab of the Patch Settings, click Download Utility to download the airgap-downloader.exe utility.

You must run this utility on a Windows computer that can access the internet.

Generate a list of remote package files

From the Generate Download Manifest section of the Airgap Configuration tab of the Patch Settings, select the Include CAB File and Include MS-CVEs.dat File options and click Export Download URLs to generate a list of files that the Tanium Server requires.

A urls.txt file is downloaded to your computer. For example:

http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab
https://content.tanium.com/files/hosted_dats/MS-CVEs.dat

The Patch Applicability filter options act as blacklists: patches that match the selected filters are excluded from the generated list of URLs.

Download remote package files

Use the urls.txt file that you generated from the Tanium Server to download files from a computer that is connected to the internet.

  1. Copy the urls.txt and airgap-downloader.exe files to a computer that is connected to the internet and open a command prompt to that directory.
  2. To download the package files from sources contained in urls.txt, run:
    airgap-downloader.exe download_files --no_rename

    If the urls.txt and airgap-downloader.exe files are not in the same directory, you must also specify the location of urls.txt with the --urls_source option.

  3. The command downloads the files in the list and generates a results.zip archive that contains:

    • The downloaded files
    • A manifest results.txt

    Extract the contents of the results.zip file to your alternate Patch file location.
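The download and extraction steps above, scripted as an added PowerShell example for the internet-connected computer. This is not code from the Tanium documentation or from the airgap-downloader utility. It assumes that --urls_source takes the path to urls.txt as its next argument, that airgap-downloader.exe returns a non-zero exit code on failure, and that results.zip is written to the current directory; the transfer-hashes.txt file is a local convention introduced here so that the files can be re-checked after they cross the airgap, not something the utility produces.

```powershell
# Added example (not part of the Tanium documentation): run the downloader,
# unpack results.zip, and record the SHA-256 of every downloaded file so the
# copy placed in the alternate Patch file location can be checked later.
# Assumptions: --urls_source takes the path to urls.txt as its argument,
# airgap-downloader.exe exits non-zero on failure, and results.zip lands in
# the current directory.
param(
    [string]$Downloader = '.\airgap-downloader.exe',
    [string]$UrlsFile   = '.\urls.txt',
    [string]$ExtractTo  = '.\airgap-staging',
    [string]$HashFile   = '.\transfer-hashes.txt'   # local convention, not produced by the utility
)

$ErrorActionPreference = 'Stop'

# Download everything listed in urls.txt. --no_rename keeps the original file
# names (wsusscn2.cab, MS-CVEs.dat), which is what the Tanium Server looks for
# in the alternate Patch file location.
& $Downloader download_files --no_rename --urls_source $UrlsFile
if ($LASTEXITCODE -ne 0) {
    throw "airgap-downloader.exe failed with exit code $LASTEXITCODE"
}

# results.zip holds the downloaded files plus the results.txt manifest.
Expand-Archive -LiteralPath '.\results.zip' -DestinationPath $ExtractTo -Force

# Hash every extracted file except the manifest itself, using paths relative
# to the extraction directory so the list is meaningful on the far side.
$lines = @()
Push-Location -LiteralPath $ExtractTo
try {
    $lines = Get-ChildItem -File -Recurse |
        Where-Object { $_.Name -ne 'results.txt' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            '{0}  {1}' -f $hash, (Resolve-Path -LiteralPath $_.FullName -Relative)
        }
} finally {
    Pop-Location
}
Set-Content -LiteralPath $HashFile -Value $lines -Encoding ASCII

Write-Output "Extracted to $ExtractTo; SHA-256 list written to $HashFile"
```

Copy the contents of the extraction directory to the alternate Patch file location together with transfer-hashes.txt (keep the hash list outside the directory that Patch reads), and recompute the hashes on the airgap side before you rely on the staged files.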

Verify the airgap configuration

To verify that airgap was configured correctly, confirm the following:

  1. Verify that the Tanium Server has the staged files:
    a. From the Main menu, click Content > Packages.
    b. Select the Patch - External File References - Windows package and click Edit.
    c. In the Files section, click wsusscn2.cab and verify that the SHA-256 field has a non-empty hash value.
    d. Click MS-CVEs.dat and verify that the SHA-256 field has a non-empty hash value.
  2. Verify that the Windows endpoints can scan against the staged files:
    a. From the Main menu, click Content > Packages.
    b. Select the Patch - Distribute Patch Manifests - Windows package and click Edit.
    c. In the Files section, click required-files-manifest and then click Download.
    d. Open the required-files-manifest file and verify that the <hash> value for the wsusscn2.cab file matches the non-empty hash value from step 1c.
    e. Verify that the <hash> value for the MS-CVEs.dat file matches the non-empty hash value from step 1d.
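The same check done against the files on disk, as an added PowerShell example that is not part of the Tanium documentation. It hashes the staged wsusscn2.cab and MS-CVEs.dat in the alternate Patch file location, compares them with the SHA-256 values you read from the Patch - External File References - Windows package, and optionally confirms that each value appears in the downloaded required-files-manifest. The share path and the two hash values are placeholders you replace with your own; the manifest check assumes that hashes appear as <hash>HEX</hash> elements, which is inferred from the steps above and is not a documented schema.

```powershell
# Added example (not part of the Tanium documentation): confirm that the files
# staged in the alternate Patch file location hash to the SHA-256 values the
# Tanium Server recorded for them, and optionally that those values appear as
# <hash> entries in the downloaded required-files-manifest.
# Assumptions: $StagePath and the $Expected values are placeholders; the
# manifest lists hashes as <hash>HEX</hash> (inferred, not a documented schema).
param(
    [string]$StagePath = '\\fileserver\tanium-airgap',
    [hashtable]$Expected = @{
        # Replace with the SHA-256 values shown under
        # Content > Packages > Patch - External File References - Windows.
        'wsusscn2.cab' = '0000000000000000000000000000000000000000000000000000000000000000'
        'MS-CVEs.dat'  = '0000000000000000000000000000000000000000000000000000000000000000'
    },
    [string]$ManifestPath = ''   # optional: the downloaded required-files-manifest
)

$manifest = if ($ManifestPath) { Get-Content -LiteralPath $ManifestPath -Raw } else { $null }
$ok = $true

foreach ($name in $Expected.Keys) {
    $path = Join-Path -Path $StagePath -ChildPath $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "$name is missing from $StagePath"
        $ok = $false
        continue
    }

    $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    # -ne is case-insensitive for strings, so the case of the pasted value does not matter.
    if ($actual -ne $Expected[$name]) {
        Write-Warning "$name: staged SHA-256 $actual does not match recorded value $($Expected[$name])"
        $ok = $false
        continue
    }

    # -match is a case-insensitive regex match; a hash missing from the manifest
    # means endpoints would not be told to expect the file you staged.
    if ($manifest -and ($manifest -notmatch "<hash>\s*$actual\s*</hash>")) {
        Write-Warning "$name: SHA-256 $actual is not listed in $ManifestPath"
        $ok = $false
        continue
    }

    Write-Output "OK  $name  $actual"
}

if (-not $ok) { exit 1 }
Write-Output 'All staged files match the recorded hashes.'
```

A mismatch means the file in the alternate Patch file location is not the one the Tanium Server recorded (a partial copy, a stale download, or a file altered in transit), so re-stage it from a fresh results.zip and repeat the check rather than letting endpoints scan against it.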

Last updated: 12/13/2019 4:54 PM