Tanium Patch User Guide


Tanium™ Patch User Guide
Version 2.6.0
May 06, 2020

The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages.

Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Please visit https://docs.tanium.com for the most current Tanium product documentation.

Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners.

© 2020 Tanium Inc. All rights reserved.
Table of contents

- Patch overview
  - Patch scanning options
  - Patch lists and blacklists
  - Superseded patches
  - Microsoft update and servicing details
  - Deployments
  - Maintenance windows
  - Repository snapshots
  - Integration with other Tanium products
  - Comply
  - Trends
- Succeeding with Patch
  - Step 1: Gain organizational effectiveness
  - Step 2: Configure global settings
  - Step 3: Install Tanium modules
  - Step 4: Organize computer groups and set the Patch action group
  - Step 5: Enable Patch features and initialize endpoints
  - Step 6: Create scan configurations
  - Step 7: Create patch lists
  - Step 8: Create maintenance windows
  - Step 9: Create deployments
  - Step 10: Monitor Patch metrics
- Gaining organizational effectiveness
  - Change management
  - RACI chart
  - Organizational alignment
  - Operational metrics
  - Patch maturity
  - Benchmark metrics
- Requirements
  - Tanium dependencies
  - Tanium Server and Module Server computer resources
  - Endpoints
  - Supported operating systems
  - Resource requirements
  - Third-party software
  - Host and network security requirements
  - Security exclusions
  - Internet URLs
  - User role requirements
- Installing Patch
  - Before you begin
  - Import and configure Patch with default settings
  - Import and configure Patch with custom settings
  - Configure service account
  - Enable Patch for Linux endpoints
  - Organize computer groups
  - Add computer groups to Patch action group
  - Initialize Patch
  - Install the Tanium End-User Notifications solution
  - Disable Windows Update restart prompts
  - Configure global settings
  - Upgrade Patch
  - Verify Patch version
- Configuring TDownloader for Red Hat Linux endpoints
  - Before you begin
  - Configure TDownloader on Tanium™ Appliance
  - Configure TDownloader on Windows
- Downloading patches in an air-gapped environment
  - Before you begin
  - Configure air gap for Windows endpoints
  - Download airgap-downloader utility
  - Generate a list of remote package files
  - Download remote package files
  - Verify the configuration
- Enforcing scan configurations
  - Windows scan techniques
  - Offline CAB file
  - Online to Microsoft Windows Update
  - Tanium Scan
  - Enable Tanium Scan for Windows
  - WSUS Scan
  - Configure WSUS Scan
  - Enable direct patch downloads from Microsoft
  - Tracking direct download status
  - Linux scan techniques
  - Repository Scan
  - Tanium Scan
  - Create a scan configuration (Windows and Linux scan techniques)
  - Scan windows
  - Manage Linux repository snapshots
  - View enforcement status
  - Prioritize scan configurations
  - Edit a scan configuration
  - Remove a scan enforcement
  - Delete a scan configuration
- Managing patches
  - Baseline reporting patch lists
  - Patch list rules
  - Create a patch list
  - Exclude patches with blacklists
  - yum.conf exclusions for Linux endpoints
  - Create lists from the Patches view
  - Edit a list
  - Check patch visibility
  - Export a list
  - Import a list
  - Delete a list
  - Add a custom Patch field
  - Example CSV
- Deploying patches
  - Before you begin
  - Create a deployment to install patches
  - Endpoint restarts
  - Create a deployment to uninstall patches
  - Review deployment summary
  - Add targets to an existing deployment
  - Reissue a deployment
  - Stop a deployment
  - Adjust the deployment retries
  - Create a deployment template
  - Reference: Patch status
  - Deployment status
  - Enforcement status
- Setting maintenance windows
  - Maintenance window options
  - Create a maintenance window
  - Edit a maintenance window
  - Override a maintenance window
  - Delete a maintenance window
- Troubleshooting Patch
  - Collect a troubleshooting package
  - Configure endpoint logging
  - Patches are not listed in the Patches view
  - Troubleshoot scan errors
  - Scans are not completed on Linux endpoints
  - Sensors return Could not get results on Linux endpoints
  - Red Hat Linux endpoints stuck in Waiting for Initial Scan status
  - Linux repository snapshots issues
  - Patch Home page warning
  - Connectivity issue
  - Patch process is not running
  - Snapshot controls are disabled
  - Yum variable mismatch
  - Change the patch visibility aggregation
  - Check and update the Windows Update Agent
  - Monitor and troubleshoot Patch coverage
  - Monitor and troubleshoot Patch visibility
  - Monitor and troubleshoot mean time to patch
  - Uninstall Patch
  - Restore the state of the Patch database

Patch overview

Use Patch to manage operating system patching across your enterprise at the speed and scale of Tanium™. You can deploy a single patch to a computer group immediately. You can also perform more complex tasks, such as using advanced rule sets and maintenance windows to deliver groups of patches across your environment at specified times.
You can define custom workflows and schedule patches based on rules or exceptions built around patch lists, blacklists, and maintenance windows. For example, you might always apply critical Microsoft patches to all machines except for datacenter servers, or always exclude .NET patches, or install patches during non-working hours.

Patch generates in-depth reports and returns current patch applicability results from every endpoint. For any patch or patch list deployment, the following details are provided:

- The patch details, such as severity, release date, applicable Common Vulnerabilities and Exposures (CVE), files, and links to knowledge base articles.
- The status of the patch, split out by computer group.
- The assigned patch lists or blacklists for the patch.

Patch scanning options

You can choose from several scan methods to determine the installed and missing patches across your network. Scan configurations define a scan method, scan frequency, and the computer groups that are being scanned, known as an enforcement. One scan configuration is applied to an endpoint. If an endpoint is included in multiple computer groups, the highest priority scan configuration is applied. For more information, see Enforcing scan configurations.

Review the following list of scanning options to decide the best method to use for each computer group.

Table 1: Available patch scanning options

Scan method: Offline CAB file¹
Platform OS: Windows
Updates included:
  - Security Updates
  - Service Packs
  - Update Rollups
Client impact: Moderate, during scanning activity
Connectivity:
  - The CAB file is stored locally by the Tanium Client.
  - With the direct download option for isolated endpoints, the endpoint contacts Microsoft directly.
Details:
  - Requires 600+MB download of CAB file.
  - Does not include routine updates, out of band fixes, hotfixes, and enhancements that are included with WSUS or Online to Microsoft scan methods.
  - Supports direct patch downloads from Microsoft to isolated endpoints.

Scan method: Online to Microsoft
Platform OS: Windows
Updates included:
  - Scanning: Critical Updates, Security Updates, Definition Updates, Update Rollups, Service Packs, Tools, Feature Packs, Updates, Upgrades, Drivers
  - Installing: Critical Updates, Security Updates, Update Rollups, Service Packs, Tools, Updates
Client impact:
  - Moderate, during first scan
  - Low, subsequent
Connectivity:
  - The Tanium Client must contact Microsoft directly.
  - With the direct download option for isolated endpoints, the endpoint contacts Microsoft directly.
Details:
  - Requires additional network traffic to Microsoft directly.
  - Feature Pack and Driver updates should be blacklisted for installation.
  - Supports direct patch downloads from Microsoft to isolated endpoints.

Scan method: Tanium Scan
Platform OS: Windows 7 or later
Updates included:
  - Critical Updates
  - Feature Packs
  - Security Updates
  - Service Packs
  - Tools
  - Update Rollups
  - Updates
Client impact:
  - Moderate, during first scan
  - Low, subsequent
Connectivity:
  - A client database file is stored locally by the Tanium Client.
  - With the direct download option for isolated endpoints, the endpoint contacts Microsoft directly.
Details:
  - The Patch service is configured to synchronize update metadata and detection rules from Microsoft Update or a Microsoft WSUS server.
  - Supports direct patch downloads from Microsoft to isolated endpoints.

Scan method: Windows Server Update Services
Platform OS: Windows
Updates included:
  - Scanning: Critical Updates, Security
Client impact: Low
Connectivity:
  - The Tanium Client must contact the WSUS server.
Details:
  - Must deploy and configure one or more
