Requirements

Review the requirements before you install and use Patch.

Tanium dependencies

In addition to a license for Patch, make sure that your environment also meets the following requirements.

Component: Tanium™ Core Platform
Requirement: 7.3.314.4250 or later

To support smart card authentication, including common access cards (CAC), see Tanium Core Platform Deployment Reference Guide: Smart card authentication.

Component: Tanium Client
Requirement, either of:

  • 7.2.314.3476 or later (all supported operating systems)
  • 7.4 or later (all supported operating systems; requires Patch 2.3.12 or later)

For more information about supported operating systems, see Supported operating systems.

Tanium products

If you clicked Install with Recommended Configurations when you installed Patch, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Patch requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are required, at the minimum versions shown:

  • Tanium Endpoint Configuration 1.0 or later (installed as part of Tanium Client Management 1.5.3 or later)
  • Tanium Interact 2.4.50 or later
  • Tanium Trends 3.6 or later

The following modules are optional, but Patch requires the specified minimum versions to work with them:

  • Tanium End-User Notifications 1.2.0.004 or later (supports Windows endpoints only)

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Patch requires:

  • All Amazon
  • All CentOS 6
  • All CentOS 7
  • All Oracle 6
  • All Oracle 7
  • All Red Hat 6
  • All Red Hat 7
  • All Windows
  • All Windows Servers

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server to set bandwidth limits for your environment. To configure global throttles, go to Administration > Configuration > Tanium Server and click Bandwidth Throttles.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. An additional 500 GB of disk space is required on the Tanium Server.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines and Tanium Appliance Deployment Guide: Tanium Virtual Appliance.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using. For more information about Tanium Client versions, see Tanium Client User Guide: Host system requirements.

Operating system: Microsoft Windows Server
Version: Windows Server 2008 R2 Service Pack 1 or later
Notes: Windows Server Core is not supported for End-User Notifications functionality. Tanium Scan for Windows requires Patch 2.3.8 or later.

Operating system: Microsoft Windows Workstation
Version: Windows 7 Service Pack 1 or later
Notes: Windows 7 Service Pack 1 requires Microsoft KB2758857. Tanium Scan for Windows requires Patch 2.3.8 or later.

Operating system: Linux
Version: Red Hat Enterprise Linux 6.x, 7.x; CentOS 6.x, 7.x; Oracle Linux 6.x, 7.x; Amazon Linux 1, 2
Notes: Requires Yum version 3.2.29-22.el6 or later. CentOS and Red Hat Enterprise Linux require Patch 2.3.5 or later. Amazon Linux and Oracle Linux require Patch 2.4.3 or later.

Resource requirements

In the Tanium Console Global Settings, set the Tanium Client cache limit (ClientCacheLimitInMB) to 2048 MB and set the hot cache (HotCachePercentage) to 80%. For more information, see Configure global settings and Tanium Platform User Guide: Managing Global Settings.

If VDI is used in your environment, see the Tanium Client User Guide: VDI.

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB313861. If you are controlling all patch deployments through Tanium, disable the Windows Update Agent automatic functions at the domain level.
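The following PowerShell is an added example and is not part of the Tanium documentation or Tanium's own tooling. It reads the installed Windows Update Agent version through the standard Microsoft.Update.AgentInfo COM interface, compares it with the minimum and enhanced versions stated above, and, when run with -Enforce, disables the agent's automatic functions by writing the same registry policy value that the "Configure Automatic Updates: Disabled" Group Policy setting writes. Writing the value locally is shown for a single host; in production, set it at the domain level as the page recommends. The -Enforce switch and the report wording are this example's own.

```powershell
# Added example; not Tanium Patch code. Run in an elevated PowerShell session.
param([switch]$Enforce)   # without -Enforce the script only reports

# Minimums from this page. [version] accepts the zero-padded field (6.1.0022.4 -> 6.1.22.4).
$MinimumWua  = [version]'6.1.0022.4'
$EnhancedWua = [version]'7.6.7601.19161'   # enhanced functionality on Windows 7

# IWindowsUpdateAgentInfo.GetInfo('ProductVersionString') returns the installed WUA version.
$agentInfo  = New-Object -ComObject 'Microsoft.Update.AgentInfo'
$wuaVersion = [version]$agentInfo.GetInfo('ProductVersionString')

if ($wuaVersion -lt $MinimumWua) {
    Write-Warning ("Windows Update Agent {0} is below the Patch minimum {1}" -f $wuaVersion, $MinimumWua)
} elseif ($wuaVersion -lt $EnhancedWua) {
    Write-Output ("Windows Update Agent {0}: supported (basic functionality)" -f $wuaVersion)
} else {
    Write-Output ("Windows Update Agent {0}: supported (enhanced functionality)" -f $wuaVersion)
}

# Policy key written by the Group Policy setting Computer Configuration > Administrative
# Templates > Windows Components > Windows Update > Configure Automatic Updates.
# NoAutoUpdate = 1 corresponds to that setting being 'Disabled'.
$auKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$current = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate

if ($current -eq 1) {
    Write-Output 'Automatic Updates are already disabled by policy (NoAutoUpdate = 1).'
} elseif ($Enforce) {
    if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 1 -Type DWord
    Write-Output 'Set NoAutoUpdate = 1; the Windows Update service applies it on its next policy refresh.'
} else {
    Write-Warning 'Automatic Updates are not disabled by policy. Rerun with -Enforce for this host, or set it in domain Group Policy.'
}
```

Leaving the agent's automatic functions enabled while Tanium also deploys patches produces two uncoordinated installers on the same endpoint, so treat a missing NoAutoUpdate policy on a Tanium-managed endpoint as a configuration finding rather than a cosmetic one.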

Host and network security requirements

Specific ports, processes, and URLs are needed to run Patch.

Ports

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

The following ports are required for Patch communication.

Source Destination Port Protocol Purpose
Module Server Module Server (loopback) 17454 TCP Internal purposes; not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Table 1:   Patch security exclusions

Module Server:
  <Module Server>\services\patch-service\node.exe
  <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe (required when Endpoint Configuration is installed)

Windows endpoints:
  <Tanium Client>\Patch\tanium-patch.min.vbs
  <Tanium Client>\Patch\scans\Wsusscn2.cab
  <Tanium Client>\Patch\tools\active-user-sessions.exe
  <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
  <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
  <Tanium Client>\Patch\tools\TaniumFileInfo.exe
  <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
  <Tanium Client>\Python27\TPython.exe (7.2.x clients)
  <Tanium Client>\Python27\*.dll (7.2.x clients)
  <Tanium Client>\Python38\TPython.exe (7.4.x clients)
  <Tanium Client>\Python38\*.dll (7.4.x clients)
  <Tanium Client>\TaniumCX.exe
  <Tanium Client>\Tools\Patch\7za.exe
  <Tanium Client>\Tools\Patch\TaniumExecWrapper.exe
  <Tanium Client> (exclude from on-access or real-time scans)

Linux endpoints:
  <Tanium Client>/python27/bin/pybin (7.2.x clients)
  <Tanium Client>/python27/python (7.2.x clients)
  <Tanium Client>/python38/bin/pybin (7.4.x clients)
  <Tanium Client>/python38/python (7.4.x clients)
  <Tanium Client>/Tools/Patch/TaniumExecWrapper
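The following PowerShell is an added example, not Tanium's own tooling, that turns the Windows endpoint rows of the exclusion table into Microsoft Defender Antivirus process and path exclusions. It assumes the Tanium Client records its install directory in the Path value under HKLM:\SOFTWARE\WOW6432Node\Tanium\Tanium Client (verify this on one endpoint first; adjust the key if your build differs), detects the Python27 or Python38 directory from disk rather than from the client version, and only registers the exclusions when run with -Apply. The -IncludeClientDirectory and -Apply switches are this example's own. For other endpoint security products, generate the same list and load it through that product's management console.

```powershell
# Added example; not Tanium Patch code. Run elevated on a Windows endpoint.
param([switch]$IncludeClientDirectory, [switch]$Apply)

# Assumption: the client install directory is in the 'Path' value under this key.
$clientKey = 'HKLM:\SOFTWARE\WOW6432Node\Tanium\Tanium Client'
$clientDir = (Get-ItemProperty -Path $clientKey -Name Path -ErrorAction Stop).Path

# Process exclusions: executables from the table that Defender should not interfere with.
[string[]]$processes = @(
    'TaniumCX.exe',
    'Patch\tools\active-user-sessions.exe',
    'Patch\tools\TaniumExecWrapper.exe',
    'Patch\tools\TaniumFileInfo.exe',
    'Patch\tools\TaniumUpdateSearcher.exe',
    'Tools\Patch\7za.exe',
    'Tools\Patch\TaniumExecWrapper.exe'
) | ForEach-Object { Join-Path $clientDir $_ }

# Path exclusions: the scripts and the offline scan catalogue (an archive that
# archive-scanning engines otherwise open on every access).
[string[]]$paths = @(
    'Patch\tanium-patch.min.vbs',
    'Patch\tools\run-patch-manager.min.vbs',
    'Patch\scans\Wsusscn2.cab'
) | ForEach-Object { Join-Path $clientDir $_ }

# TPython and its DLLs live under Python27 (7.2.x clients) or Python38 (7.4.x clients).
foreach ($py in Get-ChildItem -Path $clientDir -Directory -Filter 'Python*') {
    $processes += Join-Path $py.FullName 'TPython.exe'
    $paths     += Join-Path $py.FullName '*.dll'
}

if ($IncludeClientDirectory) {
    # The directory-wide row in the table means nothing written under the client
    # directory is scanned on access. Add it only if the specific exclusions above
    # prove insufficient, and keep the directory ACL limited to SYSTEM and
    # Administrators so an unprivileged user cannot stage files inside the exclusion.
    $paths += $clientDir
}

# Report entries that do not exist on this endpoint so the list can be reconciled
# with the installed Patch and client versions before it is applied.
($processes + $paths) | Where-Object { -not (Test-Path $_) } |
    ForEach-Object { Write-Warning "Not present on this endpoint: $_" }

if ($Apply) {
    Add-MpPreference -ExclusionProcess $processes -ExclusionPath $paths
    # Echo back what Defender now holds for the client directory.
    (Get-MpPreference).ExclusionProcess | Where-Object { $_ -like "$clientDir*" }
    (Get-MpPreference).ExclusionPath    | Where-Object { $_ -like "$clientDir*" }
} else {
    Write-Output 'Process exclusions:'; $processes
    Write-Output 'Path exclusions:';    $paths
    Write-Output 'Rerun with -Apply to register these with Microsoft Defender Antivirus.'
}
```

Prefer the per-file and per-process rows over the whole-directory row wherever the product allows it: every exclusion is a place where a dropped payload will not be inspected, and a process exclusion on TaniumExecWrapper.exe or TPython.exe already covers the children they spawn in most products, so review the vendor's semantics before adding more.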

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs.

Operating System URL
Windows *.delivery.mp.microsoft.com
*.prod.do.dsp.mp.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
http://crl.microsoft.com
http://go.microsoft.com/fwlink/?linkid=74689
http://ntservicepack.microsoft.com
http://windowsupdate.microsoft.com
http://wustat.windows.com
https://download.microsoft.com
https://sws.update.microsoft.com
Linux http://mirror.centos.org
http://yum.oracle.com
https://cdn.redhat.com
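Proxy and egress-filter rules written from a list like this are easy to get subtly wrong: a substring match on "windowsupdate.com" also admits evilwindowsupdate.com, and a host-only match on go.microsoft.com admits every fwlink rather than the one listed. The following PowerShell is an added example, not from the Tanium documentation, that applies the list with strict semantics to a few constructed egress log lines (timestamp, client IP, method, URL): a wildcard entry matches subdomains of its apex only, and a fully qualified entry matches the scheme and host, plus the exact path and query when the entry carries one. Use it to validate the rules you deploy, not as the rules themselves.

```powershell
# Added example; not Tanium Patch code. Allow-list copied from the table above.
$allowList = @(
    '*.delivery.mp.microsoft.com', '*.prod.do.dsp.mp.microsoft.com', '*.update.microsoft.com',
    '*.windowsupdate.com', '*.windowsupdate.microsoft.com',
    'http://crl.microsoft.com', 'http://go.microsoft.com/fwlink/?linkid=74689',
    'http://ntservicepack.microsoft.com', 'http://windowsupdate.microsoft.com',
    'http://wustat.windows.com', 'https://download.microsoft.com', 'https://sws.update.microsoft.com',
    'http://mirror.centos.org', 'http://yum.oracle.com', 'https://cdn.redhat.com'
)

function Test-AllowedUrl {
    param([Parameter(Mandatory)][string]$Url)
    $u = [uri]$Url
    foreach ($entry in $allowList) {
        if ($entry.StartsWith('*.')) {
            # Keep the leading dot in the suffix so 'evilwindowsupdate.com' and
            # 'windowsupdate.com.example.net' do not match '*.windowsupdate.com'.
            $suffix = $entry.Substring(1)
            if ($u.Host.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
            continue
        }
        $e = [uri]$entry
        if ($u.Scheme -ne $e.Scheme -or $u.Host -ne $e.Host) { continue }
        # Entries without a path allow any path on that host; entries with one are exact.
        if ($e.PathAndQuery -eq '/' -or $u.PathAndQuery -eq $e.PathAndQuery) { return $true }
    }
    return $false
}

# Constructed log lines for the example; paths are illustrative.
$logLines = @(
    '2024-05-01T10:00:01Z 10.0.0.12 GET http://download.windowsupdate.com/msdownload/update/example.cab',
    '2024-05-01T10:00:02Z 10.0.0.12 GET http://go.microsoft.com/fwlink/?linkid=74689',
    '2024-05-01T10:00:03Z 10.0.0.12 GET http://go.microsoft.com/fwlink/?linkid=99999',
    '2024-05-01T10:00:04Z 10.0.0.12 CONNECT https://evilwindowsupdate.com/',
    '2024-05-01T10:00:05Z 10.0.0.12 CONNECT https://windowsupdate.com.example.net/',
    '2024-05-01T10:00:06Z 10.0.0.40 GET http://mirror.centos.org/centos/7/os/x86_64/repodata/repomd.xml',
    '2024-05-01T10:00:07Z 10.0.0.40 GET https://crl.microsoft.com/pki/crl/example.crl'
)

foreach ($line in $logLines) {
    $url = ($line -split ' ')[3]
    [pscustomobject]@{ Url = $url; Allowed = (Test-AllowedUrl -Url $url) }
}
```

With these semantics the first, second and sixth lines are allowed and the rest are not: the third because only linkid=74689 is listed, the fourth and fifth because they are look-alike hosts, and the last because the list names crl.microsoft.com over http only. If your endpoints do fetch CRLs over https, that is a gap to raise with the list owner rather than a reason to loosen the matcher.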

User role requirements

Patch role-based access control (RBAC) permissions control access to the Patch workbench.

Table 3:   Patch user role permissions

Roles: Patch Administrator [1,2], Patch Configuration Author [1,2], Patch Deployment Author [1,2], Patch Endpoint Configuration Approver [2], Patch Operator [1,2], Patch Read Only User [1], Patch Service Account [1,2,3,4], Patch Super User [1,2]. Which roles hold each permission is not shown here; view the role in the Tanium Console. Permissions scoped to granted content sets carry footnotes 5 to 7 depending on the role.

Permission: Description

Show Patch: View the Patch workbench
Initialize Endpoints Execute: Run endpoint initialization jobs for granted content sets
Linux Patch User: Access to the Linux Patch content
Patch Block List Delete: Delete block lists for granted content sets
Patch Block List Execute: Create and modify enforcements in block lists for granted content sets
Patch Block List Read: View block lists for granted content sets
Patch Block List Write: Create and edit block lists for granted content sets
Patch Deployment Delete: Delete deployments for granted content sets
Patch Deployment Execute: Create and modify enforcements in deployments for granted content sets
Patch Deployment Read: View deployments for granted content sets
Patch Deployment Write: Create and edit deployments for granted content sets
Patch Initialize: Access to run setup tasks
Patch Maintenance Window Delete: Delete maintenance windows for granted content sets
Patch Maintenance Window Execute: Create and modify enforcements in maintenance windows for granted content sets
Patch Maintenance Window Read: View maintenance windows for granted content sets
Patch Maintenance Window Write: Create and edit maintenance windows for granted content sets
Patch Operator Settings Write: Write access to a subset of global settings in the Patch module
Patch Patchlist Delete: Delete patch lists for granted content sets
Patch Patchlist Execute: Create and modify enforcements in patch lists for granted content sets
Patch Patchlist Read: View patch lists for granted content sets
Patch Patchlist Write: Create and edit patch lists for granted content sets
Patch Scan Configuration Delete: Delete scan configurations
Patch Scan Configuration Execute: Create and modify enforcements for scan configurations
Patch Scan Configuration Read: View scan configurations
Patch Scan Configuration Write: Create and edit scan configurations
Patch Settings Read: Read access to all Patch settings
Patch Settings Write: Write access to all Patch settings
Patch Solution Upgrade: Install or uninstall Patch
Patch Statistics Logs: Access to the Patch statistics logs
Patch Trends Read: View Trends boards from the Patch workbench for granted content sets
Patch Yum Repo Delete: Delete Yum repositories
Patch Yum Repo Read: View Yum repositories
Patch Yum Repo Write: Create and edit Yum repositories
Patch Yum Repo Snapshot Delete: Delete Yum repository snapshots
Patch Yum Repo Snapshot Read: View Yum repository snapshots
Patch Yum Repo Snapshot Write: Create and edit Yum repository snapshots
Windows Patch User: Access to the Windows Patch content
1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

4 If you installed Tanium Client Management, this user also requires the Endpoint Configuration Service Account role. Endpoint Configuration is installed as a part of Tanium Client Management.

5 Grants access to content in all content sets.

6 Grants access to content in the Patch Service Objects content set.

7 Grants access to content in the Patch Content Set content set.

Table 4:   Provided Patch Micro Admin and Advanced user role permissions

Roles: Patch Administrator, Patch Configuration Author, Patch Deployment Author, Patch Endpoint Configuration Approver, Patch Operator, Patch Read Only User, Patch Service Account, Patch Super User. Which roles hold each permission is not shown here; view the role in the Tanium Console.

Permission: Role type (content set for permission)

Write Allowed Urls: Micro Admin
Ask Dynamic Questions: Advanced
Execute Plugin [1]: Advanced (Endpoint Configuration)
Execute Plugin: Advanced (Patch Content Set)
Execute Plugin: Advanced (Patch Service Objects)
Execute Plugin [1,2]: Advanced (Reserved)
Execute Plugin [3]: Advanced (Tanium Data Service)
Execute Plugin [3]: Advanced (Trends)
Read Action: Advanced (All content sets)
Read Plugin: Advanced (Patch Content Set)
Read Sensor: Advanced (Base)
Read Sensor [3]: Advanced (Client Management)
Read Sensor [3]: Advanced (Core Content)
Read Sensor: Advanced (Default)
Read Sensor [3]: Advanced (Interact)
Read Sensor: Advanced (Patch Content Set)
Read Sensor: Advanced (Patch Service Objects)
Read Sensor: Advanced (Reserved)
Write Action: Advanced (Patch Content Set)
Write Action: Advanced (Patch Service Objects)
Write Action: Advanced (Reserved)
Write Action: Advanced (All content sets)
Write Package: Advanced (All content sets)
Write Saved Question: Advanced (All content sets)

1 Denotes a permission when Endpoint Configuration is installed.

2 Denotes a permission when Trends is installed.

3 Denotes a permission when Interact is installed.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.