Tanium™ Patch User Guide Version 3.3.183
Total Page:16
File Type:pdf, Size:1020Kb
Tanium™ Patch User Guide Version 3.3.183 June 07, 2021 The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages. Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Please visit https://docs.tanium.com for the most current Tanium product documentation. This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium. Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights. Tanium is committed to the highest accessibility standards to make interaction with Tanium software more intuitive and to accelerate the time to success. To ensure high accessibility standards, Tanium complies with the U.S. Federal regulations - specifically Section 508 of the Rehabilitation Act of 1998. We have conducted third-party accessibility assessments over the course of product development for many years, and most recently a comprehensive audit against the WCAG 2.1 / VPAT 2.3 standards for all major product modules was completed in September 2019. Tanium can make available any VPAT reports on a module-by-module basis as part of a larger solution planning process for any customer or prospect. As new products and features are continuously delivered, Tanium will conduct testing to identify potential gaps in compliance with accessibility guidelines. Tanium is committed to making best efforts to address any gaps quickly, as is feasible, given the severity of the issue and scope of the changes. These objectives are factored into the ongoing delivery schedule of features and releases with our existing resources. Tanium welcomes customer input on making solutions accessible based on your Tanium modules and assistive technology requirements. Accessibility requirements are important to the Tanium customer community and we are committed to prioritizing these compliance efforts as part of our overall product roadmap. Tanium maintains transparency on our progress and milestones and welcomes any further questions or discussion around this work. Contact your sales representative, email Tanium Support at [email protected], or email [email protected] to make further inquiries. Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners. © 2021 Tanium Inc. All Rights Reserved Page 2 © 2021 Tanium Inc. All rights reserved. © 2021 Tanium Inc. All Rights Reserved Page 3 Table of contents Patch overview 10 Patch scanning options 10 Patch lists and block lists 13 Superseded patches 14 Microsoft update and servicing details 14 Deployments 14 Maintenance windows 15 Repository snapshots 15 Integration with other Tanium products 15 Tanium™ Comply 16 Tanium™ End-User Notifications 16 Tanium™ Endpoint Configuration 16 Tanium™ Trends 16 Succeeding with Patch 18 Step 1: Gain organizational effectiveness 18 Step 2: Configure global settings 18 Step 3: Install Tanium modules 19 Step 4: Organize computer groups and set the Patch action group 19 Step 5: Enable Patch features and initialize endpoints 20 Step 6: Create scan configurations 21 Step 7: Create patch lists 21 Step 8: Create maintenance windows 22 Step 9: Create deployments 22 Step 10: Monitor Patch metrics 23 Gaining organizational effectiveness 24 Change management 24 RACI chart 24 © 2021 Tanium Inc. All Rights Reserved Page 4 Organizational alignment 28 Operational metrics 29 Patch maturity 29 Benchmark metrics 29 Patch requirements 34 Tanium dependencies 34 Tanium Server and Module Server computer resources 35 Endpoints 36 Supported operating systems 36 Resource requirements 36 Third-party software 37 Host and network security requirements 37 Ports 37 Security exclusions 37 Internet URLs 38 User role requirements 39 Installing Patch 49 Before you begin 49 Import and configure Patch with default settings 49 Import and configure Patch with custom settings 51 Manage dependencies for Tanium solutions 51 Upgrade Patch 51 Verify Patch version 51 Configuring Patch 52 Configure global settings 52 Install and configure Tanium End-User Notifications 52 Disable Windows Update restart prompts 52 Install and configure Tanium Endpoint Configuration 53 Manage solution configurations with Tanium Endpoint Configuration 53 Configure Patch 54 © 2021 Tanium Inc. All Rights Reserved Page 5 Configure service account 54 Organize computer groups 54 Add computer groups to Patch action group 57 Enable and configure Windows features 57 Enable and configure Tanium Scan for Windows 57 Configure WSUS Scan 58 Enable direct patch downloads from Microsoft 58 Cautions and considerations 58 Tracking direct download status 59 Enable and configure Linux features 59 Migration of OS-based Linux configurations to RPM-based Linux configurations 60 Linux Endpoint Behavior Changes 60 Enable Patch for RPM-based Linux configurations 60 (Red Hat endpoints) Configuring TDownloader to use certificate authentication 61 Configure TDownloader on Tanium™ Appliance 61 Configure TDownloader on Windows 62 Manage Linux repository snapshots 67 Initialize Patch endpoints 68 Downloading patches in an air-gapped environment 69 Before you begin 69 Configure air gap for Windows endpoints 69 Download airgap-downloader utility 69 Generate a list of remote package files 70 Download remote package files 70 Verify the configuration 70 Enforcing scan configurations 72 Windows scan techniques 72 Offline CAB File 72 Online Microsoft Windows Update 72 Tanium Scan 73 © 2021 Tanium Inc. All Rights Reserved Page 6 WSUS 73 Linux scan techniques 74 Repository Scan 74 Tanium Scan 74 Tanium Scan incompatibility with LibZypp Services Plugins 74 Create a scan configuration 75 Scan windows 76 View enforcement status 78 Prioritize scan configurations 78 Edit a scan configuration 78 Remove a scan enforcement 78 Delete a scan configuration 79 Managing patches 80 Baseline reporting patch lists 80 Patch list rules 80 Create a patch list 81 Exclude patches with block lists 82 yum.conf exclusions for Linux endpoints 83 Create lists from the Patches view 83 Edit a list 84 Check patch visibility 84 Export a list 86 Import a list 86 Delete a list 86 Add a custom Patch field 87 Example CSV 87 Deploying patches 88 Before you begin 88 Create a deployment template 88 Set the default deployment template 88 © 2021 Tanium Inc. All Rights Reserved Page 7 Create a deployment to install patches 89 Endpoint restarts 91 Create a deployment to uninstall patches 93 Review deployment summary 94 Add targets to an existing deployment 95 Stop a deployment 96 Reissue a deployment 96 Adjust the deployment retries 97 Reference: Patch status 97 Deployment status 97 Enforcement status 99 Setting maintenance windows 100 Maintenance window options 100 Create a maintenance window 101 Edit a maintenance window 102 Override a maintenance window 102 Delete a maintenance window 102 Troubleshooting Patch 103 Collect a troubleshooting package 103 Configure endpoint logging 103 Patches are not listed in the Patches view 104 Troubleshoot scan errors 104 Scans are not completed on Linux endpoints 105 Sensors return Could not get results on Linux endpoints 105 Red Hat Linux endpoints stuck in Waiting for Initial Scan status 105 Linux repository snapshots issues 106 Warning about a failed snapshot 106 Connectivity issue 106 Patch process is not running 106 Missing Yum variables 106 © 2021 Tanium Inc. All Rights Reserved Page 8 Yum variable mismatch 107 Check and update the Windows Update Agent 107 Monitor and troubleshoot Patch coverage 107 Monitor and troubleshoot endpoints missing critical or important patches 108 Monitor and troubleshoot mean time to patch 108 Remove Patch tools from endpoints 110 Uninstall Patch 111 Restore the state of the Patch database 111 Contact Tanium