Managing patches

You can manage patches with patch lists and block lists. Patch lists are groups of patches that can be applied on the targeted computer groups. Block lists are groups of patches that are specifically excluded from being downloaded or deployed to the targeted computer groups.

Baseline reporting patch lists

During installation and at endpoint initialization, Patch creates a baseline reporting patch list for each supported and enabled operating system. Do not delete these patch lists. Baseline reporting patch lists are used in the Patch section of the IT Operations Metrics board in Trends. Without these patch lists, several board panels have no content.

The Windows patch list reports patches that are associated with security updates, update rollups, and service packs.

The Linux patch list reports security patches, patches with a severity that is greater than none, or patches that are associated with a CVE.

Patch list rules

Although you can manually select patches to include in a patch list, it is more efficient to use rules to dynamically populate lists of patches. As patches are added to the Available Patches list, Tanium assesses those patches for inclusion on a list by comparing them to rules. You can create rules from customized conditions that define which part of the patch description to examine.

  • Include patches for the current month.
  • Avoid waiting longer than two weeks after a patch release to start patching production systems.
  • Expand endpoint diversity in patch testing groups to increase the chances of identifying newly released problematic patches before deploying patches to production.

By default, superseded patches are not included when you configure a patch list. You can choose to include superseded patches when you create a rule. Consider including superseded patches if you want to install a specific superseded patch or if you want to see installed patches where a patch has been superseded.

Build conditions using one option from each condition field:

Table 1: Rule condition options

Condition   Available options
Column      Title, Severity, Release Date, Bulletins, KB Articles, CVE, Custom Field, Product, Classification
Type        Contains, Equals, Does Not Contain, Release Date on or After, Release Date on or Before
Expression  The search text that the condition compares the selected column against.

When a rule has more than one condition, the conditions are connected with the AND operand. Patches must meet both conditions to be included. When a list has multiple rules, the rules are connected with the OR operand, so patches that meet either rule are included on the list.
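The following is an added example, not Tanium's own code, of a small evaluator that applies rules the way this section describes: conditions inside a rule are ANDed, rules inside a list are ORed, text searches ignore case, and superseded patches are skipped unless the rule opts in. The same evaluator is used for a rule-based block list (where superseded patches are always included, as described later on this page). The Patch records, titles and KB numbers are constructed sample data, and the column and operator names are taken from Table 1.

```python
# Added example, not Tanium's code: evaluate patch-list and block-list rules.
# Patch records, titles and KB numbers are constructed sample data.
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass
class Patch:
    title: str
    severity: str
    release_date: date
    kb_articles: List[str] = field(default_factory=list)
    superseded: bool = False


@dataclass
class Condition:
    column: str      # Title, Severity, Release Date, KB Articles
    operator: str    # Contains, Equals, Does Not Contain,
                     # Release Date on or After, Release Date on or Before
    expression: str


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    include_superseded: bool = False   # block lists always set this True


def _column_text(patch: Patch, column: str) -> str:
    """Searchable text for a column; multi-valued columns are joined."""
    if column == "Title":
        return patch.title
    if column == "Severity":
        return patch.severity
    if column == "Release Date":
        return patch.release_date.isoformat()
    if column == "KB Articles":
        return " ".join(patch.kb_articles)
    raise ValueError(f"unsupported column: {column}")


def condition_matches(patch: Patch, cond: Condition) -> bool:
    """Evaluate one condition; date operators take an ISO date expression."""
    if cond.operator == "Release Date on or After":
        return patch.release_date >= date.fromisoformat(cond.expression)
    if cond.operator == "Release Date on or Before":
        return patch.release_date <= date.fromisoformat(cond.expression)
    text = _column_text(patch, cond.column).lower()   # searches are not case sensitive
    expr = cond.expression.lower()
    if cond.operator == "Contains":
        return expr in text
    if cond.operator == "Equals":
        return text == expr
    if cond.operator == "Does Not Contain":
        return expr not in text
    raise ValueError(f"unsupported operator: {cond.operator}")


def rule_matches(patch: Patch, rule: Rule) -> bool:
    """Every condition of the rule must hold (AND)."""
    if patch.superseded and not rule.include_superseded:
        return False
    return all(condition_matches(patch, c) for c in rule.conditions)


def evaluate_list(patches: List[Patch], rules: List[Rule]) -> List[str]:
    """A patch is on the list if any rule matches it (OR); titles in input order."""
    return [p.title for p in patches if any(rule_matches(p, r) for r in rules)]


# Constructed sample patches (titles and KB numbers are made up)
SAMPLE_PATCHES = [
    Patch("2024-03 Security Update for Windows (KB9990001)", "Critical", date(2024, 3, 12), ["KB9990001"]),
    Patch("2024-03 Security Only Quality Update (KB9990002)", "Important", date(2024, 3, 12), ["KB9990002"]),
    Patch("2024-04 Cumulative Update (KB9990003)", "Critical", date(2024, 4, 9), ["KB9990003"]),
    Patch("2024-02 Security Monthly Quality Rollup (KB9990004)", "Important", date(2024, 2, 13), ["KB9990004"], superseded=True),
]


def march_2024_patch_list() -> List[str]:
    """Production-style list: one rule whose two date conditions are ANDed."""
    rule = Rule("March 2024", [
        Condition("Release Date", "Release Date on or After", "2024-03-01"),
        Condition("Release Date", "Release Date on or Before", "2024-03-31"),
    ])
    return evaluate_list(SAMPLE_PATCHES, [rule])


def rollup_block_list() -> List[str]:
    """Block list: two title rules ORed; superseded patches are always included."""
    rules = [
        Rule("Quality Rollup", [Condition("Title", "Contains", "quality rollup")], include_superseded=True),
        Rule("Security Only", [Condition("Title", "Contains", "Security Only")], include_superseded=True),
    ]
    return evaluate_list(SAMPLE_PATCHES, rules)
```

The March list picks up only the two March patches; the April patch fails the "on or Before" condition, and the February rollup is superseded and not opted in. The block list matches the "Security Only" and "Quality Rollup" titles regardless of supersedence, which is the behaviour to expect when a block list is enforced against a computer group.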

Create a patch list

Sort patches into manageable patch lists for use in deployments. You can add individual patches to the list or populate the list dynamically with rules.

For testing environments, create a patch list to deploy the latest patches. For production environments, create a separate patch list for each month by using the Release Date on or Before option and specifying a date.

  1. From the Patch menu, go to Patch Lists.
  2. Click Create Patch List, name the list, and select an operating system.
  3. Add patches.
    Adding patches dynamically:
    1. Click Add Rule.
    2. Name the rule.
    3. Select Include superseded patches when applying rules if you want to include these patches in your patch list.
    4. Select a Condition and then an Operator.
    5. Type in the expression to search. Searches are not case sensitive.

    Adding patches manually:
    1. Expand Add Patches Manually.
    2. Select the patches that you want.
    3. (Optional) Click the patch title to see the details in a new browser tab.

    Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.

    You can get details about the patch, visibility into the results by computer group, and the associated lists.

  4. Preview the changes and then click Create Patch List.

To distribute the patches to endpoints, see Create a deployment to install patches.

Exclude patches with block lists

A block list is a collection of patches that are prohibited from downloading or deploying to the targeted computer groups. You can add individual patches to the list or populate the list dynamically with rules. Unlike patch lists, you do not need to create a deployment to enforce a block list.

Use block lists only for patches that should never be deployed to one or more computer groups.

Block patches with the Title containing either "Quality Rollup" or "Security Only" to avoid redundant patch deployments.

  1. From the Patch menu, go to Block Lists and then click Create Block List.
  2. Name the list, and select an operating system.
  3. Add patches.
    Adding patches dynamically:
    1. Click Add Rule.
    2. Name the rule.
    3. Superseded patches are automatically included in block lists.
    4. Select a Condition and then an Operator.
    5. Type in the expression to search against and then click Apply. Searches are case-insensitive.

    Adding patches manually:
    1. Expand Add Patches Manually.
    2. Select the patches that you want.
    3. (Optional) Click the patch title to see the details in a new browser tab.

    If a patch is known to cause issues for a subset of endpoints, create a block list with the patch KB number and target only the computer group that contains the endpoints that are adversely affected by that patch.

    You can get details about the patch, visibility into the results by computer group, and the associated lists.

  4. Preview the changes and then click Create Block List.
  5. On the Block List Details page, select the targeted computer groups.

The block list is distributed to the selected endpoints, blocking those patches.

If an endpoint is brought online with a blocked patch already installed, the patch remains until it is uninstalled.

yum.conf exclusions for Linux endpoints

If a Linux endpoint has packages excluded in its yum.conf file, Patch honors those exclusions and does not install those packages.

Tanium Patch blocking occurs on an Advisory basis. Because a Linux Advisory consists of a list of packages that need to be installed on Linux, a non-blocked Advisory might not be installed if it includes packages that are associated with a blocked Advisory.
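The two Linux behaviours above interact, and it is easy to be surprised by an advisory that is neither blocked nor excluded but still is not installed. The following added example (not Tanium's code) models that decision: it reads the exclude= globs from a yum.conf [main] section, treats every package of a blocked advisory as blocked, and holds back any advisory that touches an excluded or blocked package. The yum.conf excerpt, advisory IDs and package names are constructed; the rule that a shared package holds back an otherwise unblocked advisory follows the paragraph above, and the exact ordering of checks is an assumption.

```python
# Added example, not Tanium's code: model how yum.conf exclusions and
# advisory-level blocking decide which advisories can be installed.
# The yum.conf excerpt, advisory IDs and package names are constructed.
import configparser
import fnmatch
import re
from typing import Dict, Iterable, List, Set

# Constructed yum.conf excerpt; yum accepts space- or comma-separated globs
SAMPLE_YUM_CONF = """[main]
gpgcheck=1
exclude=kernel* postgresql-server
"""

# Constructed advisories: advisory id -> packages the advisory installs
SAMPLE_ADVISORIES: Dict[str, List[str]] = {
    "RHSA-EXAMPLE-0001": ["kernel", "kernel-core"],
    "RHSA-EXAMPLE-0002": ["openssl", "openssl-libs"],
    "RHSA-EXAMPLE-0003": ["openssl-libs", "curl"],
    "RHSA-EXAMPLE-0004": ["bash"],
}


def parse_yum_excludes(conf_text: str) -> List[str]:
    """Return the glob patterns from exclude= in [main] (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("main", "exclude", fallback="")
    return [p for p in re.split(r"[,\s]+", raw) if p]


def excluded_packages(packages: Iterable[str], patterns: Iterable[str]) -> Set[str]:
    """Packages that match any yum exclude glob (case-sensitive, like yum)."""
    return {pkg for pkg in packages
            if any(fnmatch.fnmatchcase(pkg, pat) for pat in patterns)}


def installable_advisories(advisories: Dict[str, List[str]],
                           blocked_ids: Iterable[str],
                           exclude_patterns: Iterable[str]) -> Dict[str, str]:
    """Map each advisory id to "install" or the reason it is held back."""
    blocked_ids = set(blocked_ids)
    # Every package carried by a blocked advisory is itself blocked
    blocked_pkgs: Set[str] = set()
    for adv in blocked_ids:
        blocked_pkgs.update(advisories.get(adv, []))
    result: Dict[str, str] = {}
    for adv_id, pkgs in advisories.items():
        if adv_id in blocked_ids:
            result[adv_id] = "blocked by block list"
            continue
        hit = excluded_packages(pkgs, exclude_patterns)
        if hit:
            result[adv_id] = "yum.conf excludes " + ", ".join(sorted(hit))
            continue
        shared = set(pkgs) & blocked_pkgs
        if shared:
            result[adv_id] = "shares package with blocked advisory: " + ", ".join(sorted(shared))
            continue
        result[adv_id] = "install"
    return result


def sample_decision() -> Dict[str, str]:
    """Block only RHSA-EXAMPLE-0002 and apply the sample yum.conf excludes."""
    return installable_advisories(SAMPLE_ADVISORIES, ["RHSA-EXAMPLE-0002"],
                                  parse_yum_excludes(SAMPLE_YUM_CONF))
```

In the sample, the kernel advisory is held back by yum.conf, the openssl advisory by the block list, and the curl advisory because it shares openssl-libs with the blocked advisory; only the bash advisory installs. When an expected Linux patch does not appear, checking both the endpoint's exclude= line and the package overlap with blocked advisories explains most cases.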

Create lists from the Patches view

In addition to creating a list from the Patch Lists or Block Lists page, you can also select individual patches to build lists.

  1. From the Patch menu, go to Patches.
  2. Select one or more patches.
  3. From the More drop-down menu, select the list type.
  4. Complete the list.

Edit a list

When a user changes an existing list, the changes become a new version of the list. With some basic changes, such as adding a rule for each new month, you can refine your patch testing and roll up changes without creating a new list.

  1. From the Patch menu, go to Patch Lists or Block Lists.
  2. Click the list name and then click Edit.

    You cannot edit a block list if the Allow Blocklist Editing option is disabled in the Patch Settings.

  3. Make your changes.
  4. Preview the changes and then click Update Patch List or Update Block List.

Check patch visibility

You can get details about the patch, the installation results by computer group, and the associated lists.

  1. From the Patch menu, go to Patches. To see only patches that are not installed, expand Filters and select Applicable from the Applicability drop-down menu.
  2. Click the patch name.
  3. Review the sections.
    • Summary shows the severity and the associated lists. Patch Details has the patch title, release date, bulletins, KB articles, CVEs, files, size, URLs, and the product and classification types.
    • Visibility splits out the patch results by computer group. To filter the list of computer groups, update the selected computer groups in the Computer Groups for Patch Visibility section in the Configuration Settings tab of the Patch Settings. Only users with the Patch Settings Write permission can make changes to the Patch Settings.
    • Patch Lists Including This Patch and Block Lists Including This Patch are summaries that include the number of patches on the list, rules, version, and creation details.

Export a list

You can facilitate the migration of patch content by exporting lists. The exported file includes rules and manually added patches. This is particularly useful in progressive deployment models where patches must be moved from a testing environment to a production environment.

  1. From the Patch menu, go to Patch Lists or Block Lists.
  2. Click the list name.
  3. (Optional) Select the version.
  4. Click Options and then click Export.

The JSON file is saved to your downloads folder. The file name is the list identifier; the actual list name appears after import.

Import a list

You can import an exported list into a new environment. The import contains the latest version of the list, and the version is set to 1 in the new environment.

You cannot import a list with the same name as an existing list.

  1. From the Patch menu, go to Patch Lists or Block Lists.

    Take care to import the list only as the correct type.

  2. Click Import and then click Choose File.
  3. Browse to the list file with the .json extension and then click Import.

Delete a list

Deleting a list does not delete patches; it deletes only the assembled list and any previous versions.

Remove computer group enforcements before deleting a block list.

  1. From the Patch menu, go to Patch Lists or Block Lists.
  2. Select the list name.
  3. Click Options and then click Delete.
  4. On the confirmation window, click Yes.

Add a custom Patch field

You can add a custom field to your patches based on a mapping that you provide in a CSV file. You might use this custom field to override the severity of a patch.

  1. On the Patch Overview page, click Settings and then click Custom Field if needed.
  2. Click Upload CSV for any of the OS types and add the CSV file.
  3. The custom column then appears in your patch list views.

Example CSV

The following example maps the Vendor KB value to a new custom value.

KB,IAVM
KB829438,1234-A-0016
KB822362,1234-A-0016
kb828037,1234-A-0017
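As an added example that is not Tanium's own code, the following parses a custom-field CSV in the two-column layout shown above and attaches the mapped value to patches by their KB article. The sample CSV is the one on this page; the patch records are constructed, and matching KB identifiers without regard to case (the third row above is written in lowercase) is an assumption about how the mapping should be applied.

```python
# Added example, not Tanium's code: load a custom-field CSV and apply it
# to patches by KB article. Case-insensitive KB matching is an assumption.
import csv
import io
from typing import Dict, List, Optional, Tuple

# The CSV shown on the page, embedded as the sample input
SAMPLE_CSV = """KB,IAVM
KB829438,1234-A-0016
KB822362,1234-A-0016
kb828037,1234-A-0017
"""


def load_custom_field(csv_text: str) -> Tuple[str, Dict[str, str]]:
    """Return (custom field name, mapping) with upper-cased KB ids as keys.

    Rejects files that are not exactly two columns and duplicate KB rows that
    disagree, so a bad upload fails loudly instead of silently overriding values.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header is None or len(header) != 2:
        raise ValueError("expected a two-column header such as 'KB,IAVM'")
    field_name = header[1].strip()
    mapping: Dict[str, str] = {}
    for line_no, row in enumerate(reader, start=2):
        if not row or all(not c.strip() for c in row):
            continue   # skip blank lines
        if len(row) != 2:
            raise ValueError(f"line {line_no}: expected 2 columns, got {len(row)}")
        kb, value = row[0].strip().upper(), row[1].strip()
        if kb in mapping and mapping[kb] != value:
            raise ValueError(f"line {line_no}: {kb} already mapped to {mapping[kb]}")
        mapping[kb] = value
    return field_name, mapping


def apply_custom_field(patches: List[dict], csv_text: str) -> List[dict]:
    """Add the custom column to each patch; patches with no mapped KB get None."""
    field_name, mapping = load_custom_field(csv_text)
    out = []
    for patch in patches:
        # A patch may list several KB articles; use the first one that is mapped
        value: Optional[str] = next(
            (mapping[kb.upper()] for kb in patch["kb_articles"] if kb.upper() in mapping),
            None)
        out.append({**patch, field_name: value})
    return out


# Constructed sample patches; the KB ids come from the CSV above
SAMPLE_ROWS = [
    {"title": "Example patch A", "kb_articles": ["KB829438"]},
    {"title": "Example patch B", "kb_articles": ["KB828037"]},
    {"title": "Example patch C", "kb_articles": ["KB000000"]},
]
```

Running apply_custom_field(SAMPLE_ROWS, SAMPLE_CSV) gives patch A the IAVM value 1234-A-0016, patch B 1234-A-0017 (matched despite the lowercase "kb" in the CSV), and patch C None because no row maps its KB. Validating the header and duplicate rows before upload avoids quietly overriding a severity with the wrong value.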