Requirements

Review the requirements before you install and use Patch.

Tanium dependencies

In addition to a license for Patch, make sure that your environment also meets the following requirements.

Component Requirement
Tanium™ Core Platform

7.2 or later (Windows endpoints)

7.2.314.3235 or later

  • Red Hat 6 or 7 and CentOS 6 or 7 Linux endpoints with Patch 2.3.5 or later
  • Oracle Linux 6 or 7 and Amazon Linux 1 or 2 endpoints with Patch 2.4.3 or later

Installing Tanium™ Interact is recommended.

To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Tanium Client

6.0.314.1540 or later

  • Windows 7 Service Pack 1 or later
  • Windows Server 2008 R2 Service Pack 1 or later

7.2.314.3476 or later

  • Windows 7 Service Pack 1 or later with Patch 2.3.8 or later to use Tanium Scan for Windows
  • Windows Server 2008 R2 Service Pack 1 or later with Patch 2.3.8 or later to use Tanium Scan for Windows
  • Red Hat 6 or 7 and CentOS 6 or 7 Linux endpoints with Patch 2.3.5 or later
  • Oracle Linux 6 or 7 and Amazon Linux 1 or 2 endpoints with Patch 2.4.3 or later

7.4 or later (requires Patch 2.3.12 or later)

Tanium products

If you clicked Install with Recommended Configurations when you installed Patch, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Patch requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are optional, but Patch requires the specified minimum versions to work with them:

  • Tanium Comply 2.1.0 or later
  • Tanium End-User Notifications 1.2.0.004 or later (supports Windows endpoints only)
  • Tanium Trends 2.4.4 or later

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Patch requires:

  • All Amazon
  • All CentOS 6
  • All CentOS 7
  • All Oracle 6
  • All Oracle 7
  • All Red Hat 6
  • All Red Hat 7
  • All Windows
  • All Windows Servers

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server download bytes and download limit settings (DownloadBytesPerSecondLimit) for your environment.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. Adequate disk space is required on the Tanium Server.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using.

| Operating System | OS Version |
| --- | --- |
| Windows | Version depends on Tanium Client version. For specific requirements, see Tanium dependencies. |
| Linux | Red Hat Enterprise Linux 6.x, 7.x; CentOS 6.x, 7.x; Oracle Linux 6.x, 7.x; Amazon Linux 1, 2. For specific requirements, see Tanium dependencies. |

Resource requirements

In the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048MB and set the hot cache (HotCachePercentage) to 80%. For more information, see Configure global settings and Tanium Platform User Guide: Managing Global Settings.

If VDI is used in your environment, see the Tanium Client User Guide: VDI.

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, disable the Windows Update Agent automatic functions at the domain level.
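The Tanium Client minimums under Tanium dependencies and the Windows Update Agent minimum above can be checked against an endpoint inventory with a short script. This is an added example, not Tanium code; the function names, the inventory rows and the per-family (not per-release) operating system check are assumptions.

```python
def ver(text):
    """Parse a dotted version such as '7.2.314.3476' into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))

def at_least(have, need):
    """Numeric compare, zero-padding the shorter version (7.4 == 7.4.0.0)."""
    a, b = ver(have), ver(need)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

# Minimums copied from this page: Linux family -> (Tanium Client, Patch).
LINUX_MINIMUMS = {
    "Red Hat": ("7.2.314.3476", "2.3.5"), "CentOS": ("7.2.314.3476", "2.3.5"),
    "Oracle Linux": ("7.2.314.3476", "2.4.3"),
    "Amazon Linux": ("7.2.314.3476", "2.4.3"),
}

def unmet(os_family, client, patch, wua=None):
    """Return the requirements listed on this page that an endpoint misses."""
    problems = []
    if os_family == "Windows":
        if not at_least(client, "6.0.314.1540"):
            problems.append("Tanium Client 6.0.314.1540 or later")
        if wua is not None and not at_least(wua, "6.1.0022.4"):
            problems.append("Windows Update Agent 6.1.0022.4 or later")
    elif os_family in LINUX_MINIMUMS:
        need_client, need_patch = LINUX_MINIMUMS[os_family]
        if not at_least(client, need_client):
            problems.append(f"Tanium Client {need_client} or later")
        if not at_least(patch, need_patch):
            problems.append(f"Patch {need_patch} or later")
    else:
        problems.append(f"{os_family} is not a supported operating system")
    if at_least(client, "7.4") and not at_least(patch, "2.3.12"):
        problems.append("Patch 2.3.12 or later (Tanium Client 7.4 or later)")
    return problems

def report(inventory, patch):
    """Map each non-compliant host to its unmet requirements."""
    found = {host: unmet(fam, client, patch, wua) for host, fam, client, wua in inventory}
    return {host: problems for host, problems in found.items() if problems}

# Constructed inventory rows: (host, OS family, Tanium Client, WUA version).
INVENTORY = [
    ("ws-01", "Windows", "7.4.1.1000", "7.6.7601.19161"),
    ("ws-02", "Windows", "6.0.314.1540", "6.1.0020.0"),
    ("db-01", "Oracle Linux", "7.2.314.3476", None),
]
```

Versions are compared numerically rather than as strings, so Patch 2.3.8 correctly sorts below 2.3.12.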

Host and network security requirements

Specific processes and URLs are needed to run Patch.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Table 1:   Patch security exclusions

| Target device | Notes | Process |
| --- | --- | --- |
| Module Server | | <Module Server>\services\patch-service\node.exe |
| Windows endpoints | | <Tanium Client>\Patch\tanium-patch.min.vbs |
| | | <Tanium Client>\Patch\scans\Wsusscn2.cab |
| | | <Tanium Client>\Patch\tools\active-user-sessions.exe |
| | | <Tanium Client>\Patch\tools\run-patch-manager.min.vbs |
| | | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe |
| | | <Tanium Client>\Patch\tools\TaniumFileInfo.exe |
| | 7.2.x clients | <Tanium Client>\Python27\TPython.exe |
| | 7.2.x clients | <Tanium Client>\Python27\*.dll |
| | 7.4.x clients | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | <Tanium Client>\Python38\*.dll |
| | | <Tanium Client>\TaniumCX.exe |
| | | <Tanium Client>\Tools\Patch\7za.exe |
| | | <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe |
| | exclude from on-access or real-time scans | <Tanium Client> |
| Linux endpoints | 7.2.x clients | <Tanium Client>/python27/bin/pybin |
| | 7.2.x clients | <Tanium Client>/python27/python |
| | 7.4.x clients | <Tanium Client>/python38/bin/pybin |
| | 7.4.x clients | <Tanium Client>/python38/python |
| | | <Tanium Client>/Tools/Patch/TaniumExecWrapper |

Table 2:   Patch security exclusions

| Target device | Notes | Process |
| --- | --- | --- |
| Windows endpoints | | <Tanium Client>\Patch\tanium-patch.min.vbs |
| | | <Tanium Client>\Patch\scans\Wsusscn2.cab |
| | | <Tanium Client>\Patch\tools\active-user-sessions.exe |
| | | <Tanium Client>\Patch\tools\run-patch-manager.min.vbs |
| | | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe |
| | | <Tanium Client>\Patch\tools\TaniumFileInfo.exe |
| | 7.4.x clients | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | <Tanium Client>\Python38\*.dll |
| | | <Tanium Client>\TaniumCX.exe |
| | | <Tanium Client>\Tools\Patch\7za.exe |
| | | <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe |
| | exclude from on-access or real-time scans | <Tanium Client> |
| Linux endpoints | 7.4.x clients | <Tanium Client>/python38/bin/pybin |
| | 7.4.x clients | <Tanium Client>/python38/python |
| | | <Tanium Client>/Tools/Patch/TaniumExecWrapper |

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs.

| Operating System | URL |
| --- | --- |
| Windows | *.delivery.mp.microsoft.com |
| | *.prod.do.dsp.mp.microsoft.com |
| | *.update.microsoft.com |
| | *.windowsupdate.com |
| | *.windowsupdate.microsoft.com |
| | http://crl.microsoft.com |
| | http://go.microsoft.com/fwlink/?linkid=74689 |
| | http://ntservicepack.microsoft.com |
| | http://windowsupdate.microsoft.com |
| | http://wustat.windows.com |
| | https://download.microsoft.com |
| | https://sws.update.microsoft.com |
| Linux | http://mirror.centos.org |
| | http://yum.oracle.com |
| | https://cdn.redhat.com |
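To confirm that a proxy or URL filter is not blocking the destinations listed above, denied requests can be matched against the listed entries. This is an added example, not Tanium code; the log format, function names and sample lines are constructed, and treating entries that carry a scheme as exact scheme-and-host matches is an assumption.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit
# Entries copied from the Internet URLs table on this page.
REQUIRED = {
    "Windows": """*.delivery.mp.microsoft.com *.prod.do.dsp.mp.microsoft.com
        *.update.microsoft.com *.windowsupdate.com *.windowsupdate.microsoft.com
        http://crl.microsoft.com http://go.microsoft.com/fwlink/?linkid=74689
        http://ntservicepack.microsoft.com http://windowsupdate.microsoft.com
        http://wustat.windows.com https://download.microsoft.com
        https://sws.update.microsoft.com""".split(),
    "Linux": "http://mirror.centos.org http://yum.oracle.com https://cdn.redhat.com".split(),
}

def match_required(url):
    """Return (os, table_entry) for the first entry that covers url, else None."""
    u = urlsplit(url)
    host = u.hostname or ""
    for os_name, entries in REQUIRED.items():
        for entry in entries:
            if "://" not in entry:
                # Bare wildcard host: assumed to apply to any scheme and path.
                ok = fnmatchcase(host, entry)
            else:
                # Assumption: exact scheme and host; the fwlink entry covers only that link.
                e = urlsplit(entry)
                ok = (u.scheme, host) == (e.scheme, e.hostname) and (
                    e.path in ("", "/") or (u.path, u.query) == (e.path, e.query))
            if ok:
                return os_name, entry
    return None

def blocked_required(log_lines):
    """Return (url, os, entry) for each denied request that Patch needs allowed."""
    hits = []
    for line in log_lines:
        action, _, url = line.strip().partition(" ")
        match = match_required(url) if action == "DENIED" else None
        if match:
            hits.append((url, *match))
    return hits

# Constructed sample; the "<ACTION> <URL>" log format is hypothetical.
SAMPLE_LOG = [
    "ALLOWED https://download.microsoft.com/update/sample.cab",
    "DENIED http://au.download.windowsupdate.com/c/sample.cab",
    "DENIED https://windowsupdate.com.example.net/sample.cab",   # lookalike host
    "DENIED https://cdn.redhat.com/content/repodata/repomd.xml",
    "DENIED http://go.microsoft.com/fwlink/?linkid=12345",       # different link
]
```

A wildcard entry such as *.update.microsoft.com matches subdomains only, and a host that merely contains a listed name (the lookalike line in the sample) is not treated as required.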

User role requirements

Patch role-based access control (RBAC) permissions control access to the Patch workbench.

Table 3:   Patch user role permissions
Permission Patch Administrator Patch Service Account Patch Operator Patch User Patch Read Only User

  • Show Patch: View the Patch workbench (¹ ¹ ¹ ¹ ¹)
  • Patch Use API: Perform Patch operations using the API (¹ ¹ ¹ ¹ ¹)
  • Patch Module Read: Read access to the Patch module (¹)
  • Patch Module Write: Write access to the Patch module
  • Patch Settings Write: Write access to all global settings in the Patch module
  • Patch Operator Settings Write: Write access to a subset of global settings in the Patch module
  • Trends Integration Service Account²: Access for module service accounts to read and write data, and to define sources and boards
  • Trends Api Board Read²: View boards, sections, and panels for content sets
  • Trends Api Board Write²: Create, edit, delete, and configure boards, sections, and panels for content sets
  • Trends Api Source Read²: View and list sources for content sets
  • Trends Api Source Write²: Create, edit, and delete sources for content sets
  • Trends Data Read²: Run data queries against sources for content sets
  • Trends Import²: Import from file or gallery

1 Denotes a provided permission.

2 Denotes a permission when Trends 2.4.4 or later is installed.

 

Table 4:   Provided Patch Micro Admin and Advanced user role permissions

| Permission | Role Type | Content Set for Permission | Patch Administrator | Patch Service Account | Patch Operator | Patch User | Patch Read Only User |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Read User Group | Micro Admin | | | | | | |
| Read Computer Group | Micro Admin | | | | | | |
| Ask Dynamic Questions | Advanced | | | | | | |
| Read Sensor | Advanced | Base | | | | | |
| Read Sensor | Advanced | Reserved | | | | | |
| Read Sensor | Advanced | Default | | | | | |
| Read Sensor | Advanced | Patch Content Set | | | | | |
| Read Action | Advanced | Patch Content Set | | | | | |
| Read Package | Advanced | Patch Content Set | | | | | |
| Execute Plugin | Advanced | Patch Content Set | | | | | |
| Execute Plugin¹ | Advanced | Trends | | | | | |
| Write Package | Advanced | Patch Content Set | | | | | |
| Write Saved Question | Advanced | Patch Content Set | | | | | |
| Write Action | Advanced | Patch Content Set | | | | | |
| Approve Action | Advanced | Patch Content Set | | | | | |

1 Denotes a permission when Trends 2.4.4 or later is installed.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.