Patch requirements

Review the requirements before you install and use Patch.

Tanium dependencies

In addition to a license for Patch, make sure that your environment also meets the following requirements.

Component: Tanium™ Core Platform
  Requirement: 7.3.314.4250 or later. To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Component: Tanium Client
  Requirement: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium solutions

If you selected Tanium Recommended Installation when you installed Patch, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the Tanium solutions that Patch requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Tanium solutions at the following minimum versions are required:

  • Tanium Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
  • Tanium Interact 2.4.74 or later (use the latest version of Interact for best results)
  • Tanium Trends 3.6 or later

The following Tanium solutions are optional, but Patch requires the specified minimum versions to work with them:

  • Tanium End-User Notifications 1.2.0.004 or later (supports Windows endpoints only)

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Patch requires:

  • All Amazon
  • All CentOS 6
  • All CentOS 7
  • All CentOS 8
  • All Oracle 6
  • All Oracle 7
  • All Oracle 8
  • All Red Hat 6
  • All Red Hat 7
  • All Red Hat 8
  • All OpenSLES 11
  • All OpenSLES 12
  • All OpenSLES 15
  • All SUSE
  • All Windows
  • All Windows Servers
  • Patch Supported Systems

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server to set bandwidth limits for your environment. You can configure global throttles from Administration > Configuration > Tanium Server, and then click Bandwidth Throttles.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. An additional 500 GB of disk space is required on the Tanium Server.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines and Tanium Appliance Deployment Guide: Tanium Virtual Appliance.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using. For more information about Tanium Client versions, see Tanium Client Management User Guide: Client version and host system requirements.

Operating system: Microsoft Windows Server
  Version: Windows Server 2008 R2 Service Pack 1 or later
  Notes: Windows Server Core is not supported for End-User Notifications functionality. Tanium Scan for Windows requires Patch 2.3.8 or later.

Operating system: Microsoft Windows Workstation
  Version: Windows 7 Service Pack 1 or later
  Notes: Windows 7 Service Pack 1 requires Microsoft KB2758857. Tanium Scan for Windows requires Patch 2.3.8 or later.

Operating system: Linux
  Versions:
    • Red Hat Enterprise Linux 6.x, 7.x, 8.x
    • CentOS 6.x, 7.x, 8.x
    • Oracle Linux 6.x, 7.x, 8.x
    • Amazon Linux 1, 2
    • openSUSE Linux 11.x Service Pack 3 or later, 12.x, 15.x
    • SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x
  Notes:
    • CentOS 6.x and 7.x, Red Hat Enterprise Linux 6.x and 7.x, Oracle Linux 6.x and 7.x, and Amazon Linux 1 and 2 require Yum version 3.2.29-22.el6 or later.
    • CentOS and Red Hat Enterprise Linux require Patch 2.3.5 or later.
    • Amazon Linux and Oracle Linux require Patch 2.4.3 or later.
    • CentOS 8.x, Oracle Linux 8.x, Red Hat Enterprise Linux 8.x, openSUSE 11.x Service Pack 3 or later, 12.x, 15.x, and SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x require Patch 3.2.160 or later.
    • CentOS 8.x, Oracle Linux 8.x, and Red Hat Enterprise Linux 8.x require DNF.
    • openSUSE 11.x Service Pack 3 or later, 12.x, 15.x, and SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x require Zypper.
    • SUSE 11.x Service Pack 3 support is limited to scanning only.
    • Repository snapshots are not supported for SUSE repositories.

Resource requirements

In the Tanium Console Platform Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048 MB and set the hot cache (HotCachePercentage) to 80%. For more information, see Configure platform settings and Tanium Platform User Guide: Managing Core Platform Settings.

If VDI is used in your environment, see the Tanium Client Management User Guide: Preparing the Tanium Client on a virtual desktop infrastructure (VDI) instance.

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB3138612. If you are controlling all patch deployments through Tanium, disable the Windows Update Agent automatic functions at the domain level.
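
The following PowerShell pre-flight check is an added example, not Tanium tooling: it reads the installed Windows Update Agent version through the documented Microsoft.Update.AgentInfo COM object, compares it with the 6.1.0022.4 minimum and the 7.6.7601.19161 enhanced-functionality threshold given above, reports whether the NoAutoUpdate domain policy is in effect (the standard WindowsUpdate\AU policy key), and confirms that the Windows Update service has not been set to Disabled, because the agent itself must stay usable even though its automatic schedule is off. It assumes PowerShell 3.0 or later and an elevated session; the function name and its output fields are this example's own.

```powershell
# Added example (not Tanium code): verify the Windows Update Agent prerequisites
# for Patch on a single Windows endpoint. Run elevated; assumes PowerShell 3.0+.

function Test-WuaPrerequisites {
    [CmdletBinding()]
    param(
        # Minimum WUA version Patch requires (value from this page).
        [version] $MinimumVersion = '6.1.0022.4',
        # WUA version at which enhanced functionality is available on Windows 7 (KB3138612).
        [version] $EnhancedVersion = '7.6.7601.19161'
    )

    $result = [ordered]@{}

    # IWindowsUpdateAgentInfo::GetInfo("ProductVersionString") returns the agent version.
    $agentInfo = New-Object -ComObject Microsoft.Update.AgentInfo
    $installed = [version] $agentInfo.GetInfo('ProductVersionString')
    $result.WuaVersion            = $installed
    $result.MeetsMinimum          = ($installed -ge $MinimumVersion)
    $result.EnhancedFunctionality = ($installed -ge $EnhancedVersion)

    # Domain policy: NoAutoUpdate = 1 under the WindowsUpdate\AU policy key turns off the
    # agent's own detect/download/install cycle while leaving the agent available to
    # tools that drive it directly.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
    $result.AutomaticUpdatesDisabledByPolicy = ($null -ne $au -and $au.NoAutoUpdate -eq 1)

    # Caveat: disabling the wuauserv service (rather than the automatic schedule) breaks
    # scanning and installation through the agent. Flag that configuration.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $result.WuaServiceStartMode = if ($svc) { $svc.StartMode } else { 'NotFound' }
    $result.WuaServiceUsable    = ($null -ne $svc -and $svc.StartMode -ne 'Disabled')

    $result.Ready = ($result.MeetsMinimum -and $result.WuaServiceUsable)
    [pscustomobject] $result
}

Test-WuaPrerequisites | Format-List
```

Ready is false if either the agent is older than the minimum or the service has been disabled; AutomaticUpdatesDisabledByPolicy is reported separately so that an endpoint that still lets the agent install updates on its own schedule, alongside Tanium, stands out.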

Host and network security requirements

Specific ports, processes, and URLs are needed to run Patch.

Ports

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

The following ports are required for Patch communication.

Source Destination Port Protocol Purpose
Module Server Module Server (loopback) 17454 TCP Internal purposes; not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows (KB822158).
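
To make concrete what the offline scan file is used for, here is an added example (not Tanium's code, and not a description of how TaniumUpdateSearcher.exe is implemented) that performs an offline assessment against Wsusscn2.cab through the Windows Update Agent API, using Microsoft's documented scan-package service path. The cab is the file served by the go.microsoft.com/fwlink/?linkid=74689 URL in the allow list below. The default path assumes the Tanium Client is installed under Program Files and that the file is where the exclusion table places it; adjust it for your environment. Run elevated; the function name is this example's own.

```powershell
# Added example (not Tanium code): offline missing/installed-update assessment
# against Wsusscn2.cab via the Windows Update Agent COM API. Run elevated.

function Invoke-OfflineWsusScan {
    [CmdletBinding()]
    param(
        # Path to the offline scan file. The default is an assumption based on the
        # <Tanium Client>\Patch\scans location in the exclusion table above.
        [string] $ScanFile = "$env:ProgramFiles\Tanium\Tanium Client\Patch\scans\Wsusscn2.cab",
        # WUA search criteria: IsInstalled=0 lists missing updates, IsInstalled=1 installed ones.
        [string] $Criteria = 'IsInstalled=0'
    )

    if (-not (Test-Path -LiteralPath $ScanFile)) {
        throw "Offline scan file not found: $ScanFile"
    }

    $serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    # Register the cab as a scan package service (flag 1 = usoNonVolatileService).
    $service = $serviceManager.AddScanPackageService('Offline Sync Service', $ScanFile, 1)
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $searcher.ServerSelection = 3                  # ssOthers: use a registered service
        $searcher.ServiceID       = $service.ServiceID # specifically the one just registered
        $searcher.Online          = $false             # never reach out to Windows Update

        # The search reads the cab's signed metadata; an AV product that opens and
        # rescans the archive on every access makes this step slow or fail outright,
        # which is why the file appears in the exclusion table.
        $search = $searcher.Search($Criteria)
        foreach ($update in $search.Updates) {
            [pscustomobject]@{
                Title       = $update.Title
                KB          = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
                Severity    = $update.MsrcSeverity
                IsInstalled = $update.IsInstalled
            }
        }
    }
    finally {
        # Do not leave the temporary service registration behind.
        $serviceManager.RemoveService($service.ServiceID)
    }
}

Invoke-OfflineWsusScan | Sort-Object Severity | Format-Table -AutoSize
```

The service registration is removed in the finally block so that repeated runs do not accumulate stale entries in the agent's service list; pass -Criteria 'IsInstalled=1' to enumerate what is already present instead of what is missing.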

Patch security exclusions (target device, exclusion type, exclusion; conditions in parentheses)

Module Server
  Process  <Module Server>\services\patch-service\node.exe
  Process  <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe  (required when Endpoint Configuration is installed)

Windows endpoints
  Process  <Tanium Client>\Patch\tanium-patch.min.vbs
  Process  <Tanium Client>\Patch\scans\Wsusscn2.cab
  Process  <Tanium Client>\Patch\tools\active-user-sessions.exe
  Process  <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
  Process  <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
  Process  <Tanium Client>\Patch\tools\TaniumFileInfo.exe
  Process  <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
  Process  <Tanium Client>\Python27\TPython.exe  (7.2.x clients)
  Folder   <Tanium Client>\Python27  (7.2.x clients)
  Process  <Tanium Client>\Python38\TPython.exe  (7.4.x clients)
  Folder   <Tanium Client>\Python38  (7.4.x clients)
  Process  <Tanium Client>\TaniumCX.exe
  Process  <Tanium Client>\Tools\Patch\7za.exe
  Process  <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe
  Process  <Tanium Client>\extensions\TaniumSoftwareManager.dll
  Process  <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
  Folder   <Tanium Client>  (exclude from on-access or real-time scans)

Linux endpoints
  Process  <Tanium Client>/python27/bin/pybin  (7.2.x clients)
  Process  <Tanium Client>/python27/python  (7.2.x clients)
  Process  <Tanium Client>/python38/bin/pybin  (7.4.x clients)
  Process  <Tanium Client>/python38/python  (7.4.x clients)
  Process  <Tanium Client>/Tools/Patch/TaniumExecWrapper
  Process  <Tanium Client>/extensions/libTaniumSoftwareManager.so
  Process  <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs on both the Tanium Module Server and the Tanium Server for the Patch service.

Operating System URL
Windows *.delivery.mp.microsoft.com
*.prod.do.dsp.mp.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
http://crl.microsoft.com
http://emdl.ws.microsoft.com
http://go.microsoft.com/fwlink/?linkid=74689
http://ntservicepack.microsoft.com
http://windowsupdate.microsoft.com
http://wustat.windows.com
https://download.microsoft.com
https://sws.update.microsoft.com
Linux http://mirror.centos.org
http://yum.oracle.com
https://cdn.redhat.com
http://download.opensuse.org

User role requirements

The following tables list the role permissions required to use Patch. To review a summary of the predefined roles, see Set up Patch users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Patch user role permissions
Permission Patch Administrator1,2,3 Patch Configuration Author1,2,3 Patch Deployment Author1,2,3 Patch Endpoint Configuration Approver1 Patch Operator1,2,3 Patch Read Only User2,3 Patch Service Account1,2,3,4 Patch Super User1,2,3

Initialize Endpoints

Run endpoint initialization jobs


EXECUTE

Linux Patch

Access to the Linux Patch content


USER

USER

USER

USER

USER

USER

USER

Patch

INITIALIZE: Set up Patch activities for the granted content sets

SHOW: View the Patch workbench


INITIALIZE
SHOW

SHOW

SHOW

INITIALIZE
SHOW

SHOW

INITIALIZE
SHOW

INITIALIZE54
SHOW

Patch Block List

Create, modify, and delete block lists for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Deployment

Create, modify, and delete deployments for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Maintenance Window

Create, modify, and delete enforcements in maintenance windows for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Module

Write access to a subset of platform settings in the Patch module


WRITE

WRITE

READ

WRITE

Patch Operator Settings

Write access to a subset of platform settings in the Patch module


WRITE

WRITE

WRITE

Patch Patchlist

Create, modify, and delete enforcements in patch lists for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Repository

Create, modify, and delete repositories


READ
WRITE
EXECUTE
DELETE

READ

READ
WRITE
EXECUTE
DELETE

READ

READ
WRITE
EXECUTE
DELETE

READ
EXECUTE

Patch Repository Snapshot

Create, edit, and delete repository snapshots


READ
WRITE
DELETE

READ
WRITE
DELETE

READ
WRITE
DELETE

READ

READ
WRITE
DELETE

READ
WRITE
DELETE

Patch Scan Configuration

Create, modify, and delete scan configurations


READ
WRITE
EXECUTE
DELETE

READ
WRITE
DELETE

READ
WRITE
EXECUTE
DELETE

READ

READ
WRITE
EXECUTE
DELETE

READ
WRITE
EXECUTE
DELETE

Patch Settings

Write access to all Patch settings


READ
WRITE

READ

READ

READ

READ

READ
WRITE

READ

Patch Solution

Install or uninstall Patch


UPGRADE

UPGRADE

Patch Statistics

Access to the Patch statistics logs


LOGS

LOGS

Patch Trends

View Trends boards from the Patch workbench


READ

READ

READ

READ

READ

READ

READ

Patch Yum Repo

Create, edit, and delete yum repositories


WRITE
DELETE

READ

READ

READ

WRITE
DELETE

READ

Patch Yum Repo Snapshot

Create, edit, and delete yum repository snapshots


WRITE
DELETE

WRITE
DELETE

WRITE
DELETE

READ

WRITE
DELETE

WRITE
DELETE

Windows Patch

Access to the Windows Patch content


USER

USER

USER

USER

USER

USER

USER

1 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

3 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

5 Grants access to content in the Patch Content Set content set.

6 Grants access to content in the Patch Service Objects content set.


Provided Patch administration and platform content permissions
Permission Permission Type Patch Administrator1,2 Patch Configuration Author1,2 Patch Deployment Author1,2 Patch Endpoint Configuration Approver Patch Operator1,2 Patch Read Only User1,2 Patch Service Account Patch Super User1,2
Allowed Urls Administration
READ
WRITE

READ
WRITE

READ
WRITE

READ
WRITE
Computer Group Administration
READ

READ

READ
WRITE

READ
User Administration
READ
WRITE
Action Platform Content
READ
WRITE

WRITE

WRITE

READ
WRITE

READ
WRITE

READ
WRITE
Own Action Platform Content
READ

READ

READ

READ

READ

READ
Package Platform Content
READ
WRITE

READ

READ

READ
WRITE

READ
WRITE

READ
WRITE
Plugin Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question Platform Content
READ
WRITE

READ
WRITE

READ
WRITE

READ
WRITE
Sensor Platform Content
READ

READ

READ

READ

READ

READ

READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Interact. You can view which Interact content sets are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

2 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.