Requirements

Review the requirements before you install and use Patch.

Tanium dependencies

In addition to a license for Patch, make sure that your environment also meets the following requirements.

Component | Requirement
Tanium™ Core Platform | 7.3.314.4250 or later. To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Deployment Reference Guide: Smart card authentication.
Tanium Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium products

If you clicked Install with Recommended Configurations when you installed Patch, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Patch requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are required, at the specified minimum versions:

  • Tanium Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
  • Tanium Interact 2.4.74 or later (use the latest version of Interact for best results)
  • Tanium Trends 3.6 or later

The following modules are optional, but Patch requires the specified minimum versions to work with them:

  • Tanium End-User Notifications 1.2.0.004 or later (supports Windows endpoints only)

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Patch requires:

  • All Amazon
  • All CentOS 6
  • All CentOS 7
  • All CentOS 8
  • All Oracle 6
  • All Oracle 7
  • All Oracle 8
  • All Red Hat 6
  • All Red Hat 7
  • All Red Hat 8
  • All OpenSLES 11
  • All OpenSLES 12
  • All OpenSLES 15
  • All SUSE
  • All Windows
  • All Windows Servers
  • Patch Supported Systems

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server to set bandwidth limits for your environment. To configure global throttles, go to Administration > Configuration > Tanium Server and click Bandwidth Throttles.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. An additional 500 GB of disk space is required on the Tanium Server.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines and Tanium Appliance Deployment Guide: Tanium Virtual Appliance.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using. For more information about Tanium Client versions, see Tanium Client Management User Guide: Host system requirements.

Operating System | Version | Notes
Microsoft Windows Server | Windows Server 2008 R2 Service Pack 1 or later | Windows Server Core is not supported for End-User Notifications functionality. Tanium Scan for Windows requires Patch 2.3.8 or later.
Microsoft Windows Workstation | Windows 7 Service Pack 1 or later | Windows 7 Service Pack 1 requires Microsoft KB2758857. Tanium Scan for Windows requires Patch 2.3.8 or later.
Linux | Red Hat Enterprise Linux 6.x, 7.x, 8.x; CentOS 6.x, 7.x, 8.x; Oracle Linux 6.x, 7.x, 8.x; Amazon Linux 1, 2; openSUSE Linux 11.x Service Pack 3 or later, 12.x, 15.x; SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x | See the Linux notes below.

Linux notes:

  • CentOS 6.x, 7.x, Red Hat Enterprise Linux 6.x, 7.x, Oracle Linux 6.x, 7.x, and Amazon Linux 1, 2 require Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.
  • CentOS and Red Hat Enterprise Linux require Patch 2.3.5 or later.
  • Amazon and Oracle Linux require Patch 2.4.3 or later.
  • CentOS 8.x, Oracle Linux 8.x, Red Hat Linux 8.x, openSUSE 11 Service Pack 3 or later, 12, 15, and SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x require Patch 3.2.160 or later.
  • CentOS 8.x, Oracle Linux 8.x, and Red Hat Linux 8.x require DNF.
  • openSUSE 11.x Service Pack 3 or later, 12.x, 15.x, and SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x require Zypper.
  • SUSE 11.x Service Pack 3 support is limited to scanning only.
  • Repository snapshots are not supported for SUSE repositories.

Resource requirements

In the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048 MB and set the hot cache (HotCachePercentage) to 80%. For more information, see Configure global settings and Tanium Platform User Guide: Managing Global Settings.

If VDI is used in your environment, see the Tanium Client Management User Guide: VDI.

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, disable the Windows Update Agent automatic functions at the domain level.
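The minimum versions quoted on this page (Tanium Core Platform 7.3.314.4250, Yum 3.2.29-22.el6, Windows Update Agent 6.1.0022.4) are written in three different styles, and a naive string comparison gets at least one of them wrong. The following precheck is an added example, not part of the Tanium documentation or of Tanium's own tooling; the component labels and the sample inventory are constructed for illustration, and the comparison follows the rpm convention (numeric segments compared as integers, the release tag compared after the version) without epoch handling.

```python
# Added example, not part of the Tanium documentation or of Tanium's own tooling:
# compare installed component versions with the minimums quoted on this page.
# Tokenising handles dotted builds (7.3.314.4250), zero-padded parts (6.1.0022.4)
# and RPM-style release tags (3.2.29-22.el6) without an external library.
import re

# Minimums quoted on the page; the component labels are our own.
MINIMUM_VERSIONS = {
    "Tanium Core Platform": "7.3.314.4250",
    "Yum": "3.2.29-22.el6",
    "Windows Update Agent": "6.1.0022.4",
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def _tokens(text):
    """Split '7.3.314' or '22.el6' into comparable parts: ints for digit runs, str for letters."""
    return [int(t) if t.isdigit() else t for t in _TOKEN.findall(text)]


def _compare_segments(a, b):
    """Compare two token lists segment by segment; returns -1, 0 or 1."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        # rpm convention: a numeric segment sorts after an alphabetic one
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    # All shared segments equal: the longer list (an extra build number) is newer
    return (len(a) > len(b)) - (len(a) < len(b))


def compare_versions(installed, required):
    """rpmvercmp-style comparison: version part first, then the '-release' part (no epoch handling)."""
    inst_ver, _, inst_rel = installed.partition("-")
    req_ver, _, req_rel = required.partition("-")
    result = _compare_segments(_tokens(inst_ver), _tokens(req_ver))
    if result != 0:
        return result
    return _compare_segments(_tokens(inst_rel), _tokens(req_rel))


def meets_minimum(component, installed):
    """True when the installed version satisfies the page's minimum for the component."""
    return compare_versions(installed, MINIMUM_VERSIONS[component]) >= 0


def check_environment(installed):
    """Evaluate a {component: installed version} map; returns (component, installed, required) for shortfalls."""
    return [
        (component, version, MINIMUM_VERSIONS[component])
        for component, version in installed.items()
        if not meets_minimum(component, version)
    ]


if __name__ == "__main__":
    # Constructed sample inventory, not values taken from any real environment.
    sample = {
        "Tanium Core Platform": "7.3.314.4000",
        "Yum": "3.4.3-168.el7",
        "Windows Update Agent": "7.6.7601.19161",
    }
    for component, have, need in check_environment(sample):
        print(f"{component}: installed {have}, requires {need} or later")
```

Note that `6.1.22.4` and `6.1.0022.4` compare equal, as they should, and that a release tag lower than `22.el6` on the same `3.2.29` base fails the Yum check even though the version string looks identical at a glance.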

Host and network security requirements

Specific ports, processes, and URLs are needed to run Patch.

Ports

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

The following ports are required for Patch communication.

Source | Destination | Port | Protocol | Purpose
Module Server | Module Server (loopback) | 17454 | TCP | Internal purposes; not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Patch security exclusions

Target device | Notes | Process
Module Server | | <Module Server>\services\patch-service\node.exe
Module Server | required when Endpoint Configuration is installed | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | | <Tanium Client>\Patch\tanium-patch.min.vbs
Windows endpoints | | <Tanium Client>\Patch\scans\Wsusscn2.cab
Windows endpoints | | <Tanium Client>\Patch\tools\active-user-sessions.exe
Windows endpoints | | <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
Windows endpoints | | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
Windows endpoints | | <Tanium Client>\Patch\tools\TaniumFileInfo.exe
Windows endpoints | | <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
Windows endpoints | 7.2.x clients | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.2.x clients | <Tanium Client>\Python27\*.dll
Windows endpoints | 7.4.x clients | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | <Tanium Client>\Python38\*.dll
Windows endpoints | | <Tanium Client>\TaniumCX.exe
Windows endpoints | | <Tanium Client>\Tools\Patch\7za.exe
Windows endpoints | | <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe
Windows endpoints | exclude from on-access or real-time scans | <Tanium Client>
Linux endpoints | 7.2.x clients | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.2.x clients | <Tanium Client>/python27/python
Linux endpoints | 7.4.x clients | <Tanium Client>/python38/bin/pybin
Linux endpoints | 7.4.x clients | <Tanium Client>/python38/python
Linux endpoints | | <Tanium Client>/Tools/Patch/TaniumExecWrapper

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs.

Operating System | URL
Windows | *.delivery.mp.microsoft.com
Windows | *.prod.do.dsp.mp.microsoft.com
Windows | *.update.microsoft.com
Windows | *.windowsupdate.com
Windows | *.windowsupdate.microsoft.com
Windows | http://crl.microsoft.com
Windows | http://go.microsoft.com/fwlink/?linkid=74689
Windows | http://ntservicepack.microsoft.com
Windows | http://windowsupdate.microsoft.com
Windows | http://wustat.windows.com
Windows | https://download.microsoft.com
Windows | https://sws.update.microsoft.com
Linux | http://mirror.centos.org
Linux | http://yum.oracle.com
Linux | https://cdn.redhat.com
Linux | http://download.opensuse.org
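The table mixes wildcard hosts (`*.windowsupdate.com`) with explicit URLs, and the usual mistake when turning it into a proxy or egress rule is a substring match that also admits look-alike hosts such as `evilwindowsupdate.com`. The following matcher is an added example, not part of the Tanium documentation or of any Tanium product; it copies the entries from the table above, anchors wildcards at a label boundary, and enforces the scheme and path exactly as the entry states them (so an entry given only as `http://` does not cover `https://`, and the fwlink entry covers only its own path).

```python
# Added example, not part of the Tanium documentation or of Tanium's own tooling:
# decide whether an outbound request is covered by the URL allowlist above.
# Wildcard hosts are anchored at a label boundary, so "*.windowsupdate.com"
# admits "download.windowsupdate.com" but not "evilwindowsupdate.com".
from urllib.parse import urlsplit

# Allowlist entries copied from the table on this page, keyed by endpoint OS.
ALLOWED_UPDATE_URLS = {
    "Windows": [
        "*.delivery.mp.microsoft.com",
        "*.prod.do.dsp.mp.microsoft.com",
        "*.update.microsoft.com",
        "*.windowsupdate.com",
        "*.windowsupdate.microsoft.com",
        "http://crl.microsoft.com",
        "http://go.microsoft.com/fwlink/?linkid=74689",
        "http://ntservicepack.microsoft.com",
        "http://windowsupdate.microsoft.com",
        "http://wustat.windows.com",
        "https://download.microsoft.com",
        "https://sws.update.microsoft.com",
    ],
    "Linux": [
        "http://mirror.centos.org",
        "http://yum.oracle.com",
        "https://cdn.redhat.com",
        "http://download.opensuse.org",
    ],
}


def _parse_entry(entry):
    """Normalise an allowlist entry to (scheme or None, host pattern, path or None)."""
    if "://" in entry:
        parts = urlsplit(entry)
        path = parts.path + ("?" + parts.query if parts.query else "")
        return parts.scheme.lower(), parts.hostname.lower(), path or "/"
    return None, entry.lower(), None


def host_matches(pattern, host):
    """Exact match, or for '*.suffix' any host with at least one label before '.suffix'."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # endswith(".suffix") rejects the bare apex and any look-alike host
        return host.endswith(pattern[1:])
    return host == pattern


def url_allowed(url, os_name):
    """True when url matches an allowlist entry for os_name; scheme and path are pinned where the entry gives them."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    req_path = parts.path + ("?" + parts.query if parts.query else "")
    for entry in ALLOWED_UPDATE_URLS.get(os_name, []):
        ent_scheme, pattern, ent_path = _parse_entry(entry)
        if not host_matches(pattern, host):
            continue
        if ent_scheme is not None and ent_scheme != scheme:
            continue
        # An entry with a specific path (the go.microsoft.com fwlink) pins that path;
        # a bare origin such as http://crl.microsoft.com covers every path on the host.
        if ent_path not in (None, "/") and not req_path.startswith(ent_path):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in (
        "http://download.windowsupdate.com/msdownload/update/example.cab",
        "https://evilwindowsupdate.com/update.cab",
        "http://go.microsoft.com/fwlink/?linkid=74689",
        "https://cdn.redhat.com/content/dist/example.rpm",
    ):
        print(sample, "->", "allowed" if url_allowed(sample, "Windows") or url_allowed(sample, "Linux") else "blocked")
```

The OS key matters: a Linux endpoint has no business reaching the Windows Update hosts, and the matcher keeps the two lists separate rather than merging them into one egress rule.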

User role requirements

Patch role-based access control (RBAC) permissions control access to the Patch workbench.

Patch user role permissions

Roles covered, with the note that applies to each role in parentheses: Patch Administrator (1,2); Patch Configuration Author (1,2); Patch Deployment Author (1,2); Patch Endpoint Configuration Approver (2); Patch Operator (1,2); Patch Read Only User (1); Patch Service Account (1,2,3,4); Patch Super User (1,2).

Where the page records a content-set scope for a role on a permission, the role is listed after the permission description with the applicable scope note (5, 6 or 7).

  • Show Patch: View the Patch workbench.
  • Initialize Endpoints Execute: Run endpoint initialization jobs for granted content sets. Patch Service Account (5).
  • Linux Patch User: Access to the Linux Patch content.
  • Patch Block List Delete: Delete block lists for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Block List Execute: Create and modify enforcements in block lists for granted content sets. Patch Administrator (6,7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Block List Read: View block lists for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Deployment Author (7); Patch Operator (7); Patch Read Only User (7); Patch Service Account (5); Patch Super User (7).
  • Patch Block List Write: Create and edit block lists for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Deployment Delete: Stop deployments for content sets. Patch Administrator (6,7); Patch Deployment Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Deployment Execute: Create and modify enforcements in deployments for granted content sets. Patch Administrator (6,7); Patch Deployment Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Deployment Read: View deployments for content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Deployment Author (7); Patch Operator (7); Patch Read Only User (7); Patch Service Account (5); Patch Super User (7).
  • Patch Deployment Write: Create and edit deployments for granted content sets. Patch Administrator (6,7); Patch Deployment Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Initialize: Access to run setup tasks.
  • Patch Maintenance Window Delete: Delete maintenance windows for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Maintenance Window Execute: Create and modify enforcements in maintenance windows for granted content sets. Patch Administrator (6,7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Maintenance Window Read: View maintenance windows for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Deployment Author (7); Patch Operator (7); Patch Read Only User (7); Patch Service Account (5); Patch Super User (7).
  • Patch Maintenance Window Write: Create and edit maintenance windows for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Operator Settings Write: Write access to a subset of global settings in the Patch module.
  • Patch Patchlist Delete: Delete patch lists for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Patchlist Execute: Create and modify enforcements in patch lists for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Patchlist Read: View patch lists for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Deployment Author (7); Patch Operator (7); Patch Read Only User (7); Patch Service Account (5); Patch Super User (7).
  • Patch Patchlist Write: Create and edit patch lists for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Operator (7); Patch Service Account (5); Patch Super User (7).
  • Patch Scan Configuration Delete: Delete scan configurations.
  • Patch Scan Configuration Execute: Create and modify enforcements for scan configurations.
  • Patch Scan Configuration Read: View scan configurations.
  • Patch Scan Configuration Write: Create and edit scan configurations.
  • Patch Settings Read: Read access to all Patch Settings.
  • Patch Settings Write: Write access to all Patch Settings.
  • Patch Solution Upgrade: Install or uninstall Patch.
  • Patch Statistics Logs: Access to the Patch statistics logs.
  • Patch Trends Read: View Trends boards from the Patch workbench for granted content sets. Patch Administrator (6,7); Patch Configuration Author (7); Patch Deployment Author (7); Patch Operator (7); Patch Read Only User (7); Patch Service Account (5); Patch Super User (7).
  • Patch Repository Delete: Delete repositories.
  • Patch Repository Read: View repositories.
  • Patch Repository Write: Create and edit repositories.
  • Patch Repository Snapshot Delete: Delete repository snapshots.
  • Patch Repository Snapshot Read: View repository snapshots.
  • Patch Repository Snapshot Write: Create and edit repository snapshots.
  • Windows Patch User: Access to the Windows Patch content.


1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

4 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

5 Grants access to content in all content sets.

6 Grants access to content in the Patch Service Objects content set.

7 Grants access to content in the Patch Content Set content set.

Provided Patch Micro Admin and Advanced user role permissions

Roles covered: Patch Administrator, Patch Configuration Author, Patch Deployment Author, Patch Endpoint Configuration Approver, Patch Operator, Patch Read Only User, Patch Service Account, Patch Super User.

Permission | Role Type | Content Set for Permission
Write Allowed Urls | Micro Admin |
Ask Dynamic Questions | Advanced |
Execute Plugin 1 | Advanced | Endpoint Configuration
Execute Plugin | Advanced | Patch Content Set
Execute Plugin | Advanced | Patch Service Objects
Execute Plugin 1,2 | Advanced | Reserved
Execute Plugin 3 | Advanced | Tanium Data Service
Execute Plugin 3 | Advanced | Trends
Read Action | Advanced | All content sets
Read Plugin | Advanced | Patch Content Set
Read Sensor | Advanced | Base
Read Sensor 3 | Advanced | Client Management
Read Sensor 3 | Advanced | Core Content
Read Sensor | Advanced | Default
Read Sensor 3 | Advanced | Interact
Read Sensor | Advanced | Patch Content Set
Read Sensor | Advanced | Patch Service Objects
Read Sensor | Advanced | Reserved
Write Action | Advanced | Patch Content Set
Write Action | Advanced | Patch Service Objects
Write Action | Advanced | Reserved
Write Action | Advanced | All content sets
Write Package | Advanced | All content sets
Write Saved Question | Advanced | All content sets

1 Denotes a permission when Endpoint Configuration is installed.

2 Denotes a permission when Trends is installed.

3 Denotes a permission when Interact is installed.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.