Managing patches for Windows and Linux endpoints
You can manage Windows and Linux patches with patch lists and block lists. Patch lists are groups of patches that can be applied on the targeted computer groups. Block lists are groups of patches that are specifically excluded from being downloaded or deployed to the targeted computer groups.
Default patch lists
Patch automatically includes the following patch lists. If a patch list is marked as Tanium Managed in the Patch Lists page, you cannot edit or delete it.
Patch list | Description |
---|---|
[Patch Baseline Deployment] - Windows for Windows endpoints | Includes security updates, update rollups, and service packs for Windows endpoints. This is a basic Windows patch list that you can use as a good starting point. If you import Patch with default settings, this patch list is automatically created. |
 | Tanium managed. Used in the Patch section of the IT Operations Metrics board in Trends. |
All Patches | Tanium managed. Used in the Patch board in Trends. Includes all patches for all operating systems. |
[Tanium Patch Recommended Updates] - Windows for Windows endpoints | Tanium managed. Includes all critical, high, and important patches released 30 or more days ago. Patch updates the items in this patch list each time the list is used in a deployment. |
Patch list rules
Although you can manually select patches to include in a patch list, it is more efficient to use rules to dynamically populate lists of patches. As patches are added to the Available Patches list, Tanium assesses those patches for inclusion on a list by comparing them to rules. You can create rules from customized conditions that define which part of the patch description to examine.
Consider the following example rules and conditions:
Rule | Explanation |
---|---|
Condition: Classification equals Security Updates AND Condition: Release Date is on or before 8/12/2022 | The rule includes security updates released on or before August 12, 2022. You must update the date in this rule at a regular interval to include future security updates. |
Condition: Classification equals Security Updates AND Condition: Release Date is equal to or older than 30 days | The rule includes security updates released 30 or more days ago. Each time the patch list that contains this rule is used, Patch updates the security updates in the list. You do not need to update the rule at a regular interval to include future security updates. |
Condition: Classification equals Service Packs AND Condition: Release Date is equal to or older than 14 days | The rule waits 14 days after a service pack is released before including it in the patch list. Each time the patch list that contains this rule is used, Patch updates the service packs in the list. You do not need to update the rule at a regular interval to include future service packs. You might use this rule to defer installation to allow time for testing. |
- Include patches for the current month.
- Avoid waiting longer than two weeks after a patch release to start patching production systems.
- Expand endpoint diversity in patch testing groups to increase the chances of identifying newly released problematic patches before deploying them to production.
You can include the following options in rule conditions.
Condition | Available options |
---|---|
Column | |
Type | |
Expression | The search criteria used in the expression. |
Create a patch list
Sort patches into manageable patch lists for use in deployments or reporting. For example, you might create a patch list that includes security updates to use in a deployment for Windows endpoints or to generate a report for the security team. Or you might have a 30-day service level agreement (SLA) on patch installation, so you create a patch list that uses the Release Date is equal to or older than 30 days option to track your alignment with the SLA and deploy any needed patches.
You can add individual patches to the list or populate the list dynamically with rules.
For testing environments, create a patch list to deploy the latest patches. For production environments, create a patch list that uses the Release Date is equal to or older than 30 days option, so you can reuse this patch list each month without making any changes.
- From the Patch menu, go to Patch Lists.
- Click Create Patch List, name the list, select an operating system, and select a content set.
- Add patches, either dynamically with rules or manually.
  To add patches dynamically:
  - Select Include superseded patches when applying rules if you want to include these patches in your patch list. By default, superseded patches are not included. Consider including superseded patches if you want to install a specific superseded patch or if you want to see installed patches where a patch has been superseded.
  - Click Add Rule.
  - Name the rule.
  - Select a Condition and an Operator.
  - Type in the expression to search. Searches are not case sensitive. Click Apply.
  - (Optional) Add additional conditions. When a rule has more than one condition, the conditions are connected with the AND operator, so a patch must meet all of the conditions to be included. When a list has multiple rules, the rules are connected with the OR operator, so patches that meet any rule are included on the list.
  To add patches manually:
  - Expand Add Patches Manually.
  - Select the patches that you want.
  - (Optional) Click the patch title to see the details in a new browser tab. You can get details about the patch, visibility into the results by computer group, and the associated lists.
  Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative: for example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.
- Select Include superseded patches when applying rules if you want to include these patches in your patch list.
- Preview the changes and then click Create Patch List.
To distribute the patches to endpoints, see Create a deployment to install patches.
Exclude patches with block lists
A block list is a collection of patches that are prohibited from downloading or deploying to the targeted computer groups. You can add individual patches to the list or populate the list dynamically with rules. Unlike patch lists, you do not need to create a deployment to enforce a block list. For best results, use block lists only for patches that are never deployed to one or more computer groups.
Block patches with the Title containing either "Quality Rollup" or "Security Only" to avoid redundant patch deployments.
- From the Patch menu, go to Block Lists and then click Create Block List.
- Name the list, select an operating system, and select a content set.
- Add patches, either dynamically with rules or manually. Superseded patches are automatically included in block lists.
  To add patches dynamically:
  - Click Add Rule.
  - Name the rule.
  - Select a Condition and then an Operator.
  - Type in the expression to search against and then click Apply. Searches are case-insensitive.
  To add patches manually:
  - Expand Add Patches Manually.
  - Select the patches that you want.
  - (Optional) Click the patch title to see the details in a new browser tab. You can get details about the patch, visibility into the results by computer group, and the associated lists.
  If a patch is known to cause issues for a subset of endpoints, create a block list with the patch KB number and target only the computer group that contains the endpoints that are adversely affected by that patch.
- Preview the changes and then click Create Block List.
- On the Block List Details page, select the targeted computer groups.
The block list is distributed to the selected endpoints, blocking those patches. However, if an endpoint comes online with a blocked patch already installed, the patch remains until it is uninstalled.
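As an added example (not Tanium code), the rule semantics from the patch list and block list procedures above modelled in Python: conditions inside a rule are ANDed, rules inside a list are ORed, a fixed Release Date condition is contrasted with a rolling "older than N days" one, and a block list built from the "Quality Rollup" / "Security Only" title tip removes patches from what the patch list would deploy. The patch records, KB numbers and operator names are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample patches (not from the page), with the fields the rules examine.
PATCHES = [
    {"kb": "KB829438", "title": "2022-07 Security Update for Windows 10",
     "classification": "Security Updates", "release_date": date(2022, 7, 12)},
    {"kb": "KB822362", "title": "2022-08 Security Only Quality Update",
     "classification": "Security Updates", "release_date": date(2022, 8, 9)},
    {"kb": "KB828037", "title": "2022-08 Quality Rollup for .NET Framework",
     "classification": "Update Rollups", "release_date": date(2022, 8, 9)},
    {"kb": "KB831000", "title": "Windows 10 Service Pack",
     "classification": "Service Packs", "release_date": date(2022, 8, 20)},
]

def condition_matches(patch, cond, today):
    """One condition: (column, operator, expression). String matches are case-insensitive."""
    column, op, expr = cond
    value = patch[column]
    if op == "equals":
        return str(value).lower() == str(expr).lower()
    if op == "contains":
        return str(expr).lower() in str(value).lower()
    if op == "on or before":          # fixed date: must be edited to keep including new patches
        return value <= expr
    if op == "older than days":       # rolling window: re-evaluated every time the list is used
        return value <= today - timedelta(days=expr)
    raise ValueError(f"unsupported operator {op!r}")

def rule_matches(patch, rule, today):
    """Conditions inside one rule are ANDed."""
    return all(condition_matches(patch, c, today) for c in rule)

def apply_rules(patches, rules, today):
    """Rules inside one list are ORed: a patch is included if any rule matches."""
    return [p for p in patches if any(rule_matches(p, r, today) for r in rules)]

def deployable(patches, patch_rules, block_rules, today):
    """KBs a deployment would install: the patch list minus anything on the block list."""
    blocked = {p["kb"] for p in apply_rules(patches, block_rules, today)}
    return [p["kb"] for p in apply_rules(patches, patch_rules, today) if p["kb"] not in blocked]

# Production-style patch list: security updates 30+ days old OR service packs 14+ days old.
PROD_RULES = [
    [("classification", "equals", "Security Updates"), ("release_date", "older than days", 30)],
    [("classification", "equals", "Service Packs"), ("release_date", "older than days", 14)],
]
# Block list from the page's tip: titles containing "Quality Rollup" or "Security Only".
BLOCK_RULES = [[("title", "contains", "Quality Rollup")], [("title", "contains", "Security Only")]]

if __name__ == "__main__":
    print(deployable(PATCHES, PROD_RULES, BLOCK_RULES, today=date(2022, 9, 15)))
```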
yum.conf exclusions for Linux endpoints
If a Linux endpoint has excluded packages in the yum.conf file, Patch honors those exclusions and does not install those packages.
Tanium Patch blocking occurs on an advisory basis. Because a Linux advisory consists of a list of packages that need to be installed, a non-blocked advisory might not be installed if it includes packages that are associated with a blocked advisory.
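An added illustration (not Tanium's implementation) of the advisory-level behaviour just described: blocking is resolved per advisory, so a non-blocked advisory that shares a package with a blocked one is held back, as is any advisory that needs a package excluded in yum.conf. Advisory IDs and package names are constructed placeholders.

```python
# Constructed sample data (not from the page): placeholder advisory IDs, each mapped
# to the set of packages that installing the advisory would pull in.
ADVISORIES = {
    "RHSA-EXAMPLE:0001": {"openssl", "openssl-libs"},
    "RHSA-EXAMPLE:0002": {"openssl-libs", "curl"},   # shares openssl-libs with 0001
    "RHSA-EXAMPLE:0003": {"kernel"},
    "RHSA-EXAMPLE:0004": {"bash"},
}
BLOCKED_ADVISORIES = {"RHSA-EXAMPLE:0001"}   # on a Patch block list
YUM_EXCLUDES = {"kernel"}                    # from exclude= in yum.conf, honored by Patch

def off_limits_packages(advisories, blocked_ids, yum_excludes):
    """Packages that must not be installed: those of any blocked advisory plus yum exclusions."""
    pkgs = set(yum_excludes)
    for adv_id in blocked_ids:
        pkgs |= advisories.get(adv_id, set())
    return pkgs

def plan_advisories(advisories, blocked_ids, yum_excludes):
    """Split advisories into installable ones and held ones, with the reason each is held.

    A non-blocked advisory is held when any of its packages is off limits: the whole
    advisory is skipped, not just the overlapping package, which is the side effect
    the page warns about."""
    blocked_pkgs = off_limits_packages(advisories, blocked_ids, yum_excludes)
    installable, held = [], {}
    for adv_id, pkgs in sorted(advisories.items()):
        overlap = pkgs & blocked_pkgs
        if adv_id in blocked_ids:
            held[adv_id] = "advisory is on a block list"
        elif overlap:
            held[adv_id] = "needs off-limits packages: " + ", ".join(sorted(overlap))
        else:
            installable.append(adv_id)
    return installable, held

if __name__ == "__main__":
    ok, held = plan_advisories(ADVISORIES, BLOCKED_ADVISORIES, YUM_EXCLUDES)
    print("installable:", ok)
    for adv_id, reason in held.items():
        print("held:", adv_id, "-", reason)
```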
Create lists from the Patches view
In addition to creating a list from the Patch Lists or Block Lists page, you can also select individual patches to build lists.
- From the Patch menu, go to Patches.
- Select one or more patches.
- From the More drop-down menu, select the list type.
- Complete the list.
Edit a list
When a user changes an existing list, the changes become a new version of the list. With some basic changes, such as adding a rule for each new month, you can refine your patch testing and roll up changes without creating a new list.
- From the Patch menu, go to Patch Lists or Block Lists.
- Click the list name and then click Edit.
You cannot edit a block list if the Allow Blocklist Editing option is disabled in the Patch Settings.
- Make your changes.
- Preview the changes and then click Update Patch List or Update Block List.
Check patch visibility
You can get details about the patch, the installation results by computer group, and the associated lists.
- From the Patch menu, go to Patches. To see only patches that are not installed, click Applicable in the Applicability section of the Filters.
- Click the patch name. You can also click Expand next to the patch name to view additional information.
- Review the sections.
- Summary shows the severity and the associated lists. Patch Details has the patch title, release date, bulletins, KB articles, CVEs, files, size, URLs, and the product and classification types.
- Visibility splits out the patch results by computer group. To filter the list of computer groups, update the selected computer groups in the Computer Groups for Patch Visibility section in the Configuration Settings tab of the Patch Settings. Only users with the Patch Settings Write permission can make changes to the Patch Settings.
- Patch Lists Including This Patch and Block Lists Including This Patch are summaries that include the number of patches on the list, rules, version, and creation details.
Copy a patch list
You can copy a patch list to use as a starting point for a new patch list. You cannot copy Tanium Managed patch lists.
- From the Patch menu, go to Patch Lists.
- Click the list to copy and click Save As.
- Make any necessary changes, preview the changes, and then click Create Patch List.
Export a list
You can facilitate the migration of patch content by exporting lists. The exported file includes both rules and manually added patches. This is particularly useful in progressive deployment models where patches must be moved from a testing environment to a production environment.
- From the Patch menu, go to Patch Lists or Block Lists.
- Click the list name.
- (Optional) Select the version.
- Click Options and then click Export.
The JSON file is saved to your downloads folder. The file name is the list identifier; the actual list name appears after import.
Import a list
You can import an exported list into a new environment. The import contains the latest version of the list and the version is set to 1 in the new environment.
You cannot import a list with the same name as an existing list.
- From the Patch menu, go to Patch Lists or Block Lists. Take care to import the list only as the correct type.
- Click Import Patch List or Import Block List and then click Choose File.
- Browse to the exported .json file and then click Import.
Delete a list
Deleting a list does not delete patches; it only deletes the assembled list and any previous versions.
Remove computer group enforcements before deleting a block list.
- From the Patch menu, go to Patch Lists or Block Lists.
- Select the list name.
- Click Delete.
- On the confirmation window, click Yes.
Add a custom Patch field
You can add a custom field to your patches based on the KB mapping that you provide in a CSV file. You might use this custom field to override the severity of a patch.
- On the Patch Overview page, click Settings and then click Custom Field if needed.
- Click Upload CSV for any of the OS types and add the CSV file.
- The custom column shows up in your patch list views.
Example CSV
The following example maps the Vendor KB value to a new custom value.
```csv
KB,IAVM
KB829438,1234-A-0016
KB822362,1234-A-0016
kb828037,1234-A-0017
```
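An added example (not part of Tanium Patch) of consuming a mapping CSV in this format: the loader validates the two-column layout, normalizes the KB column case so the lower-case kb828037 row above still matches a patch recorded as KB828037, and annotates patch records with the custom IAVM value. The patch records are constructed.

```python
import csv
import io

# Constructed CSV in the page's format (header KB,<custom field name>; one mapping per row).
CUSTOM_FIELD_CSV = """KB,IAVM
KB829438,1234-A-0016
KB822362,1234-A-0016
kb828037,1234-A-0017
"""

def load_kb_mapping(csv_text):
    """Return (field_name, {KB -> custom value}).

    KB keys are normalized to upper case so that a row written as 'kb828037'
    still matches a patch whose KB article is recorded as 'KB828037'."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    if len(header) != 2 or header[0].strip().upper() != "KB":
        raise ValueError("expected a two-column CSV whose first header is KB")
    field_name = header[1].strip()
    mapping = {}
    for row in reader:
        if not row or not row[0].strip():
            continue                               # skip blank lines
        kb = row[0].strip().upper()
        if not kb.startswith("KB"):
            kb = "KB" + kb                         # accept a bare article number
        mapping[kb] = row[1].strip()
    return field_name, mapping

def annotate_patches(patches, field_name, mapping):
    """Copy each patch with the custom field added; patches without a mapping get None."""
    return [dict(p, **{field_name: mapping.get(p["kb"].strip().upper())}) for p in patches]

if __name__ == "__main__":
    name, kb_map = load_kb_mapping(CUSTOM_FIELD_CSV)
    # Constructed patch records: one mapped KB, one that the CSV does not mention.
    sample = [{"kb": "KB828037", "severity": "Moderate"}, {"kb": "KB999999", "severity": "Low"}]
    for p in annotate_patches(sample, name, kb_map):
        print(p)
```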
Last updated: 6/5/2023 2:50 PM