Succeeding with Patch
Follow these best practices to achieve maximum value and success with Tanium Patch. These steps align with the key benchmark metrics: increasing patch coverage and reducing visibility and mean time to patch.
Develop a dedicated Change management process.
Define distinct roles and responsibilities in a RACI chart.
Validate cross-functional Organizational alignment.
Track Operational metrics.
Increase the client cache size to accommodate the maximum CAB file size (2 GB).
Increase the hot cache percentage to 80%.
If you install Patch using the Apply Tanium recommended configurations option, the global settings are configured automatically.
Install Tanium End-User Notifications. See Tanium End-User Notifications User Guide: Installing End-User Notifications.
Install Tanium Patch. See Installing Patch.
Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.
Import the Patch board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery.
If you installed Trends using the Apply Tanium recommended configurations option, the Patch board is automatically imported after the Patch service account is configured.
Create computer groups. See Tanium Console User Guide: Create computer groups.
Additional computer groups might be required to fulfill the requirements of your organization. See Organize computer groups.
Ensure that all operating systems that are supported by Patch are included in the Patch action group.
- All Amazon
- All CentOS 6
- All Centos 7
- All Oracle 6
- All Oracle 7
- All Red Hat 6
- All Red Hat 7
- All Windows
To add computer groups to the Patch action group, click Console > Scheduled Actions from the Main menu. Then click Patch in the Action Groups section and click Edit.
If you installed Patch using the Apply Tanium recommended configurations option, Patch automatically enables itself for Linux endpoints.
If you install Patch using the Apply Tanium recommended configurations option, Tanium Scan for Windows is automatically enabled.
Create a scan configuration for each of the supported operating systems in your environment.
(Windows) Use the Tanium Scan technique. If you use other products that use WSUS technology on the same endpoints, such as SCCM, select Enable Managed WSUS Compatibility to enable an additional scan to ensure compatibility.
(Red Hat, Oracle, or CentOS) Use the Tanium Scan technique.
For Red Hat endpoints, you must contact your technical account manager (TAM) to configure TDownloader to use certificate authentication for downloads from the Red Hat Satellite server.
(Amazon) Use the Repository Scan technique.
Set the Frequency value to less than three days for all scan configurations.
Ensure that every endpoint that is supported by Patch is targeted by at least one scan configuration.
Create a patch list for each of the supported operating systems in your environment.
Avoid choosing specific patches based on vulnerability reports. Instead, use dynamic, rule-based patch lists. These lists should be cumulative. For example, do not create any rules that prevent patches that are older than a specific date from being included in a patch list.
Include patches for the current month.
Expand endpoint diversity in patch testing groups to increase the chances of identifying newly-released problematic patches prior to deploying them to production environments.
See Create a patch list.
Create a maintenance window for each of the supported operating systems in your environment.
Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.
Create a deployment to install patches for each of the supported operating systems in your environment.
Ensure that deployment windows are at least four hours and properly overlap with maintenance window times.
Use the Restart option.
Use the Notify User option and set the Deadline for restart value to less than a few days. To decrease both the Patch visibility and the mean time to patch metrics, the optimal value for this setting depends on your patching cycle. Successful customers find that setting the Deadline for restart value to less than three days is optimal. (Window endpoints only).
Begin the process of testing new monthly patches the day they are released, typically Patch Tuesday (second Tuesday of each month).
Avoid waiting longer than two weeks after a patch release to start patching production systems. The longer you wait to start patching production systems, the more aggressive the subsequent deployments need to be to complete the patching cycle in a reasonable time.
Do not stagger deployments in an attempt to distribute the load on your network or Tanium. The more endpoints that are being patched simultaneously, the more efficient Tanium becomes with overall WAN usage. For bandwidth-constrained locations, you can implement site throttles. For more information, see Tanium Console User Guide: Configure site throttles.
For deployments that are scheduled in the future, select the Download immediately option. If you find that endpoints are still not completing patch installations within the specified windows, schedule the deployments even further in advance.
See Deploying patches.
From the Trends menu, click Boards and then click Patch to view the Patch Coverage, Patch Visibility, Workstations - Mean Time to Patch, and Servers - Mean Time to Patch panels.
Last updated: 8/12/2020 10:22 AM | Feedback