Requirements

Review the requirements before you install and use Patch.

Tanium dependencies

In addition to a license for Patch, make sure that your environment also meets the following requirements.

Component Requirement
Tanium™ Core Platform

7.3.314.4250 or later

To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Tanium Client

6.0.314.1540 or later

  • All supported Windows operating systems

7.2.314.3476 or later

  • All supported operating systems

7.4 or later

  • All supported operating systems
  • Requires Patch 2.3.12 or later

For more information about supported operating systems, see Supported operating systems.

Tanium products

If you clicked Install with Recommended Configurations when you installed Patch, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Patch requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are required at the specified minimum versions:

  • Tanium Interact 2.4.48 or later

The following modules are optional, but Patch requires the specified minimum versions to work with them:

  • Tanium End-User Notifications 1.2.0.004 or later (supports Windows endpoints only)
  • Tanium Trends 2.4.4 or later

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Patch requires:

  • All Amazon
  • All CentOS 6
  • All CentOS 7
  • All Oracle 6
  • All Oracle 7
  • All Red Hat 6
  • All Red Hat 7
  • All Windows
  • All Windows Servers

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. For Tanium Server 7.2 or earlier, you might need to tune the Tanium Server download bytes and download limit settings (DownloadBytesPerSecondLimit) for your environment. For Tanium Server 7.3 or later, you can configure global throttles by going to Administration > Tanium Server and then clicking Bandwidth Throttling.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. An additional 500 GB of disk space is required on the Tanium Server.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines and Tanium Appliance Deployment Guide: Tanium Virtual Appliance.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using. For more information about Tanium Client versions, see Tanium Client User Guide: Host system requirements.

Operating System Version Notes
Microsoft Windows Server Windows Server 2003 or later Windows Server Core not supported for End-User Notifications functionality.

Tanium Scan for Windows and active user session detection not supported.

Windows Server 2008 R2 Service Pack 1 or later Windows Server Core not supported for End-User Notifications functionality.

Tanium Scan for Windows requires Patch 2.3.8 or later.

Microsoft Windows Workstation Windows XP or later Tanium Scan for Windows and active user session detection not supported.
Windows 7 Service Pack 1 or later Tanium Scan for Windows requires Patch 2.3.8 or later.
Microsoft Windows Server Windows Server 2008 R2 Service Pack 1 or later Windows Server Core not supported for End-User Notifications functionality.

Tanium Scan for Windows requires Patch 2.3.8 or later.

Microsoft Windows Workstation Windows 7 Service Pack 1 or later  
Linux Red Hat Enterprise Linux 6.x, 7.x

CentOS 6.x, 7.x

Oracle Linux 6.x, 7.x

Amazon Linux 1, 2

Requires Yum version 3.2.29-22.el6 or later.

CentOS and Red Hat Enterprise Linux requires Patch 2.3.5 or later.

Amazon and Oracle Linux requires Patch 2.4.3 or later.

Resource requirements

In the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048MB and set the hot cache (HotCachePercentage) to 80%. For more information, see Configure global settings and Tanium Platform User Guide: Managing Global Settings.

If VDI is used in your environment, see the Tanium Client User Guide: VDI.

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, disable the Windows Update Agent automatic functions at the domain level.

Host and network security requirements

Specific processes and URLs are needed to run Patch.

Ports

The following ports are required for Patch communication.

Source Destination Port Protocol Purpose
Module Server Module Server (loopback) 17454 TCP Internal purposes; not externally accessible
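
The table states that port 17454 is loopback-only on the Module Server. The following added example (not Tanium code) checks that claim against listener output; it assumes rows in the Windows `netstat -an` format, and the sample rows are constructed.

```python
import ipaddress

PATCH_PORT = 17454  # Module Server loopback port from the Ports table

def bind_addresses(netstat_lines, port=PATCH_PORT):
    """Local addresses with a TCP listener on `port` (Windows `netstat -an` rows)."""
    found = []
    for line in netstat_lines:
        fields = line.split()
        # Only TCP rows in LISTENING state describe a bound listener.
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            # Strip IPv6 brackets and any zone id before parsing.
            found.append(ipaddress.ip_address(addr.strip("[]").split("%")[0]))
    return found

def audit(netstat_lines, port=PATCH_PORT):
    """Return (state, exposed); state is 'not listening', 'loopback only' or 'exposed'."""
    binds = bind_addresses(netstat_lines, port)
    if not binds:
        return "not listening", []
    exposed = [str(a) for a in binds if not a.is_loopback]
    return ("exposed" if exposed else "loopback only"), exposed

# Constructed sample rows: the expected state and a misbound listener.
EXPECTED = [
    "  TCP    127.0.0.1:17454        0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING",
    "  TCP    127.0.0.1:17454        127.0.0.1:50112        ESTABLISHED",
]
MISBOUND = [
    "  TCP    0.0.0.0:17454          0.0.0.0:0              LISTENING",
    "  TCP    [::]:17454             [::]:0                 LISTENING",
]

if __name__ == "__main__":
    print(audit(EXPECTED))
    print(audit(MISBOUND))
```

A result of "exposed" means the port is bound to a wildcard or routable address and is reachable unless a host firewall blocks it.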

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Table 1:   Patch security exclusions
Target device Notes Process
Module Server   <Module Server>\services\patch-service\node.exe
Windows endpoints   <Tanium Client>\Patch\tanium-patch.min.vbs
  <Tanium Client>\Patch\scans\Wsusscn2.cab
  <Tanium Client>\Patch\tools\active-user-sessions.exe
  <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
  <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
  <Tanium Client>\Patch\tools\TaniumFileInfo.exe
  <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
7.2.x clients <Tanium Client>\Python27\TPython.exe
7.2.x clients <Tanium Client>\Python27\*.dll
7.4.x clients <Tanium Client>\Python38\TPython.exe
7.4.x clients <Tanium Client>\Python38\*.dll
  <Tanium Client>\TaniumCX.exe
  <Tanium Client>\Tools\Patch\7za.exe
  <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe
exclude from on-access or real-time scans <Tanium Client>
Linux endpoints 7.2.x clients <Tanium Client>/python27/bin/pybin
7.2.x clients <Tanium Client>/python27/python
7.4.x clients <Tanium Client>/python38/bin/pybin
7.4.x clients <Tanium Client>/python38/python
  <Tanium Client>/Tools/Patch/TaniumExecWrapper
Table 2:   Patch security exclusions
Target device Notes Process
Windows endpoints   <Tanium Client>\Patch\tanium-patch.min.vbs
  <Tanium Client>\Patch\scans\Wsusscn2.cab
  <Tanium Client>\Patch\tools\active-user-sessions.exe
  <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
  <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
  <Tanium Client>\Patch\tools\TaniumFileInfo.exe
  <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
7.4.x clients <Tanium Client>\Python38\TPython.exe
7.4.x clients <Tanium Client>\Python38\*.dll
  <Tanium Client>\TaniumCX.exe
  <Tanium Client>\Tools\Patch\7za.exe
  <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe
exclude from on-access or real-time scans <Tanium Client>
Linux endpoints 7.4.x clients <Tanium Client>/python38/bin/pybin
7.4.x clients <Tanium Client>/python38/python
  <Tanium Client>/Tools/Patch/TaniumExecWrapper

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs.

Operating System URL
Windows *.delivery.mp.microsoft.com
*.prod.do.dsp.mp.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
http://crl.microsoft.com
http://go.microsoft.com/fwlink/?linkid=74689
http://ntservicepack.microsoft.com
http://windowsupdate.microsoft.com
http://wustat.windows.com
https://download.microsoft.com
https://sws.update.microsoft.com
Linux http://mirror.centos.org
http://yum.oracle.com
https://cdn.redhat.com
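
The wildcard entries above are safe only if the filter that enforces them matches on a DNS label boundary. The following added example (not Tanium code) tests hostnames from denied proxy requests against the table entries; the log format and sample lines are constructed, and matching is by hostname only, ignoring scheme and path.

```python
from urllib.parse import urlsplit

# Entries copied from the Internet URLs table on this page.
REQUIRED = {
    "Windows": [
        "*.delivery.mp.microsoft.com", "*.prod.do.dsp.mp.microsoft.com",
        "*.update.microsoft.com", "*.windowsupdate.com",
        "*.windowsupdate.microsoft.com", "http://crl.microsoft.com",
        "http://go.microsoft.com/fwlink/?linkid=74689",
        "http://ntservicepack.microsoft.com", "http://windowsupdate.microsoft.com",
        "http://wustat.windows.com", "https://download.microsoft.com",
        "https://sws.update.microsoft.com",
    ],
    "Linux": ["http://mirror.centos.org", "http://yum.oracle.com",
              "https://cdn.redhat.com"],
}

def entry_matches(entry, host):
    """True if host is covered by one table entry (wildcard or URL)."""
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        # Require ".suffix" on a label boundary, never a bare substring, so
        # "evilwindowsupdate.com" and "windowsupdate.com.example.net" fail.
        return host.endswith(entry[1:].lower())
    return host == urlsplit(entry).hostname

def required_by(host):
    """Return the OS families whose Patch URL list covers this host."""
    return sorted(os_name for os_name, entries in REQUIRED.items()
                  if any(entry_matches(e, host) for e in entries))

def blocked_required(log_lines):
    """From 'ACTION METHOD URL' proxy lines, list denied hosts Patch needs."""
    hits = []
    for line in log_lines:
        action, _method, url = line.split()[:3]
        host = urlsplit(url).hostname or ""
        if action == "DENIED" and required_by(host):
            hits.append((host, required_by(host)))
    return hits

# Constructed sample proxy log (the format is an assumption for this example).
SAMPLE_LOG = [
    "DENIED GET http://fe2.update.microsoft.com/v6/selfupdate",
    "DENIED GET https://cdn.redhat.com/content/dist/rhel/server/7/",
    "DENIED GET http://evilwindowsupdate.com/a.cab",
    "DENIED GET http://download.windowsupdate.com.example.net/x",
    "ALLOWED GET http://mirror.centos.org/centos/7/updates/",
]
```

Under this strict matching the bare domain `windowsupdate.com` is not covered by `*.windowsupdate.com`; whether a given proxy treats the apex as included varies by product.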

User role requirements

Patch role-based access control (RBAC) permissions control access to the Patch workbench.

Table 3:   Patch user role permissions
Permission Patch Administrator¹ Patch Configuration Author¹ Patch Deployment Author¹ Patch Operator¹ Patch Read Only User¹ Patch Service Account²,³ Patch Super User¹

Show Patch

View the Patch workbench








Initialize Endpoints Execute

Run endpoint initialization jobs for granted content sets







4

Linux Patch User

Access to the Linux Patch content








Patch Block List Delete

Delete block lists for granted content sets


5,6

62


62


4

62

Patch Block List Execute

Create and modify enforcements in block lists for granted content sets


5,6



62


4

62

Patch Block List Read

View block lists for granted content sets


5,6

62

62

62

62

4

62

Patch Block List Write

Create and edit block lists for granted content sets


5,6

62


62


4

62

Patch Deployment Delete

Delete deployments for content sets


5,6


62

62


4

62

Patch Deployment Execute

Create and modify enforcements in deployments for granted content sets


5,6


62

62


4

62

Patch Deployment Read

View deployments for content sets


5,6

62

62

62

62

4

62

Patch Deployment Write

Create and edit deployments for granted content sets


5,6


62

62


4

62

Patch Initialize

Access to run setup tasks








Patch Maintenance Window Delete

Delete maintenance windows for granted content sets


5,6

62


62


4

62

Patch Maintenance Window Execute

Create and modify enforcements in maintenance windows for granted content sets


5,6



62


4

62

Patch Maintenance Window Read

View maintenance windows for granted content sets


5,6

62

62

62

62

4

62

Patch Maintenance Window Write

Create and edit maintenance windows for granted content sets


5,6

62


62


4

62

Patch Operator Settings Write

Write access to a subset of global settings in the Patch module








Patch Patchlist Delete

Delete patch lists for granted content sets


5,6

62


62


4

62

Patch Patchlist Execute

Create and modify enforcements in patch lists for granted content sets


5,6

62


62


4

62

Patch Patchlist Read

View patch lists for granted content sets


5,6

62

62

62

62

4

62

Patch Patchlist Write

Create and edit patch lists for granted content sets


5,6

62


62


4

62

Patch Scan Configuration Delete

Delete scan configurations








Patch Scan Configuration Execute

Create and modify enforcements for scan configurations








Patch Scan Configuration Read

View scan configurations








Patch Scan Configuration Write

Create and edit scan configurations








Patch Settings Read

Read access to all Patch Settings








Patch Settings Write

Write access to all Patch Settings








Patch Solution Upgrade

Install or uninstall Patch








Patch Statistics Logs

Access to the Patch statistics logs








Patch Trends Read

View Trends boards from the Patch workbench for granted content sets


5,6

62

62

62

62

4

62

Patch Yum Repo Delete

Delete Yum repositories








Patch Yum Repo Read

View Yum repositories








Patch Yum Repo Write

Create and edit Yum repositories








Patch Yum Repo Snapshot Delete

Delete Yum repository snapshots








Patch Yum Repo Snapshot Read

View Yum repository snapshots








Patch Yum Repo Snapshot Write

Create and edit Yum repository snapshots








Windows Patch User

Access to the Windows Patch content








1 This role is granted the following Trends permissions for the Patch Content Set:

  • Trends Api Board Read
  • Trends Api Source Read
  • Trends Data Read
For more information, see Tanium Trends User Guide: User role requirements.

2 This role is granted the following Trends permissions for the Patch Content Set:

  • Trends Api Board Read
  • Trends Api Board Write
  • Trends Api Source Read
  • Trends Api Source Write
  • Trends Data Read
  • Trends Import
  • Trends Integration Service Account
For more information, see Tanium Trends User Guide: User role requirements.

3 This role is granted the following Interact permissions:

  • Data Collection Registration Read
  • Data Collection Registration Write
For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

4 Grants access to content in all content sets.

5 Grants access to content in the Patch Service Objects content set.

26 Grants access to content in the Patch Content Set content sets.

 

Table 4:   Provided Patch Micro Admin and Advanced user role permissions
Permission Role Type Content Set for Permission Patch Administrator Patch Configuration Author Patch Deployment Author Patch Operator Patch Read Only User Patch Service Account Patch Super User
Write Allowed Urls Micro Admin  
Ask Dynamic Questions Advanced  
Execute Plugin Advanced Patch Content Set
Execute Plugin Advanced Patch Service Objects
Execute Plugin¹ Advanced Reserved
Execute Plugin² Advanced Tanium Data Service
Execute Plugin¹ Advanced Trends
Read Action Advanced All content sets
Read Plugin Advanced Patch Content Set
Read Sensor Advanced Base
Read Sensor² Advanced Client Management
Read Sensor² Advanced Core Content
Read Sensor Advanced Default
Read Sensor² Advanced Interact
Read Sensor Advanced Patch Content Set
Read Sensor Advanced Patch Service Objects
Read Sensor Advanced Reserved
Write Action Advanced Patch Content Set
Write Action Advanced Patch Service Objects
Write Action Advanced Reserved
Write Action Advanced All content sets
Write Package Advanced All content sets            
Write Saved Question Advanced All content sets

1 Denotes a permission when Trends 2.4.4 or later is installed.

2 Denotes a permission when Interact 2.4.48 or later is installed.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.