Downloading patches in an air-gapped environment

For Tanium as a Service, the Tanium Server is not in an air-gapped environment.

When your Tanium Server is in an air-gapped environment, the server cannot download patches from the internet. You must configure Patch to install patches from an alternate file location in the Patch Settings for Windows endpoints.

Before you begin

If you want to configure a UNC share on a Tanium Appliance, you must add an authentication user for TDownloader as described in the Tanium Appliance User Guide: Add an authentication user for TDownloader.

Configure air gap for Windows endpoints

  1. From the Patch menu, go to Scan Management and then click Airgap Configuration.
  2. Select Enable Settings for Airgap - Windows.
  3. Provide an Alternate Patch File Location where all air-gapped files are staged and then click Save.

    If you select a UNC share, ensure that the account that runs the Tanium Server service on the Tanium Server has access to the UNC share. Patch does not support hidden or administrative UNC shares.

  4. From the Main menu, go to Administration > Management > Allowed URLs to verify that the configured alternate Patch file location is listed.

Download airgap-downloader utility

You must run this utility on a Windows computer that can access the internet.

  1. From the Patch menu, go to Scan Management and then click Airgap Configuration.
  2. In the Download Airgap Utility section, click Download Utility to download the airgap-downloader.exe utility.

Generate a list of remote package files

  1. From the Patch menu, go to Scan Management and then click Airgap Configuration.
  2. In the Generate Download Manifest section, select the Include CAB File and Include MS-CVEs.dat File options and click Export Download URLs to generate a list of files that the Tanium Server requires.

    A urls.txt file is downloaded to your computer. For example:

    http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab
    https://content.tanium.com/files/hosted_dats/MS-CVEs.dat

The Patch Applicability filter options apply block lists to the results.

Download remote package files

Use the urls.txt file that you generated from the Tanium Server to download files from a computer that is connected to the internet.

  1. Copy the urls.txt and airgap-downloader.exe files to a computer that is connected to the internet and open a command prompt in that directory.
  2. To download the package files from sources contained in urls.txt, run:
    airgap-downloader.exe download_files --no_rename

    If the urls.txt and airgap-downloader.exe files are not in the same directory, you must also include the --urls_source option.

  3. The command downloads the files in the list and generates a results.zip archive that contains:

    • The downloaded files
    • A manifest results.txt

    Extract the contents of the results.zip file to your alternate Patch file location.

Verify the configuration

To verify that air gap was configured correctly, you can confirm the following:

  1. Verify that the Tanium Server has the staged files:
    a. From the Main menu, go to Administration > Content > Packages.
    b. Select the Patch - External File References - Windows package and click Edit Selected.
    c. In the Files section, click wsusscn2.cab and verify that the SHA-256 field has a non-empty hash value.
    d. Click MS-CVEs.dat and verify that the SHA-256 field has a non-empty hash value.
  2. Verify that the Windows endpoints can scan against the staged files:
    a. From the Main menu, go to Modules > Patch.
    b. In the Health section, verify that the hash value in the Microsoft Offline CAB File Information chart matches the value in step 1c.
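
The following PowerShell script is an added example and is not part of the Tanium documentation or tooling. It lists the SHA-256 hash of every file extracted to the alternate Patch file location so that you can compare the wsusscn2.cab value with the SHA-256 field and the Health chart described above, and as an extra check beyond the documented steps it reports the Authenticode signature status of each .cab file. The path D:\PatchStage and the function name Get-StagedPatchFileReport are assumptions made for this example.

```powershell
# Added example, not Tanium code.
# $StagePath is a placeholder: set it to your Alternate Patch File Location.
param(
    [string]$StagePath = 'D:\PatchStage'   # hypothetical staging directory
)

function Get-StagedPatchFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Staging location not found or not a directory: $Path"
    }

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        # Get-FileHash returns uppercase hex; compare case-insensitively
        # with the value shown in the console.
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256

        # Only .cab files are signature-checked here; every other file is
        # reported with its hash only.
        $sigStatus = 'n/a'
        $signer    = ''
        if ($_.Extension -ieq '.cab') {
            $sig       = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name      = $_.Name
            SizeBytes = $_.Length
            SHA256    = $hash.Hash
            Signature = $sigStatus
            Signer    = $signer
        }
    }
}

$report = @(Get-StagedPatchFileReport -Path $StagePath)
$report | Format-Table -AutoSize -Wrap

# Flag empty files and .cab files whose signature did not validate.
$bad = @($report | Where-Object {
    $_.SizeBytes -eq 0 -or ($_.Signature -ne 'n/a' -and $_.Signature -ne 'Valid')
})
if ($bad.Count -gt 0) {
    Write-Warning ("Files needing review: " + ($bad.Name -join ', '))
    exit 1
}
```

Running the same script on the internet-connected computer before transfer and again on the staging location afterward shows whether any file changed while crossing the air gap.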