Patch requirements

Review the requirements before you install and use Patch.

Core platform dependencies

Make sure that your environment meets the following requirements:

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server (or Tanium™ Cloud) automatically imports the computer groups that Patch requires:

  • All Amazon
  • All Debian
  • All Debian 8
  • All Debian 9
  • All Debian 10
  • All Debian 11
  • All CentOS 6
  • All CentOS 7
  • All CentOS 8
  • All Oracle 6
  • All Oracle 7
  • All Oracle 8
  • All Red Hat 6
  • All Red Hat 7
  • All Red Hat 8
  • All OpenSLES 11
  • All OpenSLES 12
  • All OpenSLES 15
  • All SUSE
  • All Mac
  • All macOS 10.13
  • All macOS 10.14
  • All macOS 10.15
  • All macOS 11
  • All macOS 11.0
  • All macOS 11.1
  • All macOS 11.2
  • All macOS 11.3
  • All macOS 11.4
  • All macOS 11.5
  • All macOS 11.6
  • All macOS 11.7
  • All macOS 12
  • All Ubuntu 14.04 - amd64
  • All Ubuntu 14.04 - i386
  • All Ubuntu 14.04 - arm64
  • All Ubuntu 16.04 - amd64
  • All Ubuntu 16.04 - i386
  • All Ubuntu 16.04 - arm64
  • All Ubuntu 18.04 - amd64
  • All Ubuntu 18.04 - i386
  • All Ubuntu 18.04 - arm64
  • All Ubuntu 20.04 - amd64
  • All Ubuntu 20.04 - i386
  • All Ubuntu 20.04 - arm64
  • All Ubuntu 22.04 - amd64
  • All Ubuntu 22.04 - i386
  • All Ubuntu 22.04 - arm64
  • All Windows
  • All Windows Servers
  • Patch Supported Systems

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Patch to function (required dependencies) or for specific Patch features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Patch dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Patch requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Patch, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Patch to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Patch, the server automatically updates those dependencies to the latest available versions.

If you select only Patch to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Patch has the following required dependencies at the specified minimum versions:

Feature-specific dependencies

If you select only Patch to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Patch has the following feature-specific dependencies at the specified minimum versions:

  • Tanium End-User Notifications:
    • 1.2.0.004 or later (for Windows endpoints)
    • 1.10.49 or later (for macOS endpoints)

Feature-specific dependencies

The following Tanium solution is optional:

Client extensions

Tanium Endpoint Configuration installs client extensions for Patch on endpoints. Client extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension before loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Patch functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.

  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.

  • Software Manager CX - Provides a catalog of all installed software on an endpoint. Tanium Asset or Tanium Patch installs this client extension.

Tanium Server and Module Server computer resources

Patch is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. You might need to tune the Tanium Server to set bandwidth limits for your environment. To configure global throttles, go to Administration > Configuration > Tanium Server and then click Bandwidth Throttles.

Patch downloads and distributes updates regularly. The Tanium Server stores these packages within the Downloads directory. An additional 500 GB of disk space is required on the Tanium Server.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines and Tanium Appliance Deployment Guide: Tanium Virtual Appliance.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Patch. Specific version requirements depend on the version of Patch and components that you are using. For more information about Tanium Client versions, see Tanium Client Management User Guide: Client version and host system requirements.

Operating System | Version | Notes
Microsoft Windows Server | Windows Server 2008 R2 Service Pack 1 or later
  • Windows Server Core not supported for End-User Notifications functionality.

  • Windows Server 2008 R2 Service Pack 1 requires Microsoft KB2758857.

Microsoft Windows Workstation | Windows 7 Service Pack 1 or later
  • Windows 7 Service Pack 1 requires Microsoft KB2758857.

Linux | Amazon Linux 1, 2
  • Requires Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.

CentOS 6.x, 7.x, 8.x
  • CentOS 6.x and 7.x require Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.

  • CentOS 8.x requires DNF.

openSUSE Linux 11.x Service Pack 3 or later, 12.x, 15.x

  • Requires Zypper.

  • SUSE 11.x Service Pack 3 support is limited to scanning only.

  • Repository snapshots are not supported.

Oracle Linux 6.x, 7.x, 8.x
  • Oracle Linux 6.x and 7.x require Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.

  • Oracle Linux 8.x requires DNF.

Red Hat Enterprise Linux 6.x, 7.x, 8.x
  • Red Hat Enterprise Linux 6.x and 7.x require Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.

  • Red Hat Enterprise Linux 8.x requires DNF.

  • Requires Yum version 3.2.29-22.el6 or later for systems using OS-based Linux distributions.

Rocky Linux 8.x 

SUSE Linux Enterprise Server 11.x Service Pack 3 or later, 12.x, 15.x

  • Requires Zypper.

  • Repository snapshots are not supported.

Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04
  • Requires APT.

Debian 8.x, 9.x, 10.x, 11.x
  • Requires APT.

macOS

macOS 10.14, 10.15, 11, 12.0

Because of mobile device management (MDM) requirements for patching that were introduced in macOS Monterey 12.1, Tanium Patch does not support macOS Monterey 12.1 or later.

Resource requirements

Third-party software

Patch requires that Windows endpoints have Windows Update Agent version 6.1.0022.4 or later installed. Enhanced functionality is available on Windows 7 systems with version 7.6.7601.19161 and later. See Microsoft KB3138612. If you are controlling all patch deployments through Tanium, disable the Windows Update Agent automatic functions at the domain level.

Host and network security requirements

Specific ports, processes, and URLs are needed to run Patch.

Ports

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

The following ports are required for Patch communication.

Source | Destination | Port | Protocol | Purpose
Module Server | Module Server (loopback) | 17454 | TCP | Internal purposes; not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

For Windows endpoints, review and follow the Microsoft antivirus security exclusion recommendations for enterprise computers. For more information, see Microsoft Support: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows (KB822158).

Patch security exclusions
Target Device | Notes | Exclusion Type | Exclusion
Module Server | | Process | <Module Server>\services\patch-service\node.exe
Module Server | required when Endpoint Configuration is installed | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | | File | <Tanium Client>\TaniumClientExtensions.dll
Windows endpoints | | File | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows endpoints | | File | <Tanium Client>\Patch\tanium-patch.min.vbs
Windows endpoints | | File | <Tanium Client>\Patch\scans\Wsusscn2.cab
Windows endpoints | | Process | <Tanium Client>\Patch\tools\active-user-sessions.exe
Windows endpoints | | File | <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumFileInfo.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
Windows endpoints | 7.2.x clients | Process | <Tanium Client>\Python27\TPython.exe
Windows endpoints | 7.2.x clients | Folder | <Tanium Client>\Python27
Windows endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows endpoints | | Process | <Tanium Client>\Tools\Patch\7za.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll
Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
Windows endpoints | exclude from on-access or real-time scans | Folder | <Tanium Client>
Linux endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
Linux endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
Linux endpoints | 7.2.x clients | Folder | <Tanium Client>/python27
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux endpoints | 7.4.x clients | Folder | <Tanium Client>/python38
Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so
Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig
macOS endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so
macOS endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so.sig
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/bin/pybin
macOS endpoints | 7.2.x clients | Process | <Tanium Client>/python27/python
macOS endpoints | 7.2.x clients | Folder | <Tanium Client>/python27
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS endpoints | 7.4.x clients | Folder | <Tanium Client>/python38
macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib
macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig
Patch security exclusions
Target device | Notes | Exclusion Type | Exclusion
Windows endpoints | | Process | <Tanium Client>\TaniumCX.exe
Windows endpoints | | File | <Tanium Client>\TaniumClientExtensions.dll
Windows endpoints | | File | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows endpoints | | File | <Tanium Client>\Patch\tanium-patch.min.vbs
Windows endpoints | | File | <Tanium Client>\Patch\scans\Wsusscn2.cab
Windows endpoints | | Process | <Tanium Client>\Patch\tools\active-user-sessions.exe
Windows endpoints | | File | <Tanium Client>\Patch\tools\run-patch-manager.min.vbs
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumFileInfo.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumUpdateSearcher.exe
Windows endpoints | 7.4.x clients | Process | <Tanium Client>\Python38\TPython.exe
Windows endpoints | 7.4.x clients | Folder | <Tanium Client>\Python38
Windows endpoints | | Process | <Tanium Client>\Tools\Patch\7za.exe
Windows endpoints | | Process | <Tanium Client>\Patch\tools\TaniumExecWrapper.exe
Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll
Windows endpoints | | File | <Tanium Client>\extensions\TaniumSoftwareManager.dll.sig
Windows endpoints | exclude from on-access or real-time scans | Folder | <Tanium Client>
Linux endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
Linux endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux endpoints | 7.4.x clients | Folder | <Tanium Client>/python38
Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so
Linux endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.so.sig
macOS endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so
macOS endpoints | | File | <Tanium Client>/libTaniumClientExtensions.so.sig
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/bin/pybin
macOS endpoints | 7.4.x clients | Process | <Tanium Client>/python38/python
macOS endpoints | 7.4.x clients | Folder | <Tanium Client>/python38
macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib
macOS endpoints | | File | <Tanium Client>/extensions/libTaniumSoftwareManager.dylib.sig

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs on both the Tanium Module Server and the Tanium Server for the Patch service.

For more information about hostnames used for updating macOS, see Apple Support: Use Apple products on enterprise networks.

Operating System | URL
Windows | *.delivery.mp.microsoft.com
Windows | *.prod.do.dsp.mp.microsoft.com
Windows | *.update.microsoft.com
Windows | *.windowsupdate.com
Windows | *.windowsupdate.microsoft.com
Windows | http://crl.microsoft.com
Windows | http://emdl.ws.microsoft.com
Windows | http://go.microsoft.com/fwlink/?linkid=74689
Windows | http://ntservicepack.microsoft.com
Windows | http://windowsupdate.microsoft.com
Windows | http://wustat.windows.com
Windows | https://download.microsoft.com
Windows | https://sws.update.microsoft.com
Linux | http://mirror.centos.org
Linux | http://yum.oracle.com
Linux | https://cdn.redhat.com
Linux | http://download.opensuse.org
Linux | http://deb.debian.org
Linux | http://security.debian.org
Linux | http://archive.ubuntu.com
Linux | http://ports.ubuntu.com
Linux | http://security.ubuntu.com
macOS | https://swscan.apple.com
macOS | http://swcdn.apple.com
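
To confirm that a proxy or URL filter actually covers the list above, denied requests from the Tanium Server and Module Server can be classified against it. The following is an added example, not Tanium code: the wildcard and scheme matching rules, the log line format, and the host name tanium-ts01 are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlsplit

# Entries copied from the Internet URLs table on this page.
PATCH_ALLOWLIST = """
*.delivery.mp.microsoft.com *.prod.do.dsp.mp.microsoft.com *.update.microsoft.com
*.windowsupdate.com *.windowsupdate.microsoft.com http://crl.microsoft.com
http://emdl.ws.microsoft.com http://go.microsoft.com/fwlink/?linkid=74689
http://ntservicepack.microsoft.com http://windowsupdate.microsoft.com
http://wustat.windows.com https://download.microsoft.com
https://sws.update.microsoft.com http://mirror.centos.org http://yum.oracle.com
https://cdn.redhat.com http://download.opensuse.org http://deb.debian.org
http://security.debian.org http://archive.ubuntu.com http://ports.ubuntu.com
http://security.ubuntu.com https://swscan.apple.com http://swcdn.apple.com
""".split()


def parse_entry(entry):
    """Return (scheme, host_pattern, path, query); scheme is None for bare patterns."""
    if "://" not in entry:
        return None, entry.lower(), "", ""
    u = urlsplit(entry)
    return u.scheme, u.hostname, u.path.rstrip("/"), u.query


def host_matches(pattern, host):
    """Assumed semantics: '*.example.com' covers subdomains at any depth, not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix must begin with the dot
    return host == pattern


def classify(url):
    """Return 'listed', 'scheme-mismatch' or 'not-listed' for one requested URL."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    verdict = "not-listed"
    for scheme, pattern, path, query in map(parse_entry, PATCH_ALLOWLIST):
        if not host_matches(pattern, host):
            continue
        # Entries that carry a path (the fwlink entry) must match path and query.
        if path and (u.path.rstrip("/") != path or u.query != query):
            continue
        if scheme in (None, u.scheme):
            return "listed"
        verdict = "scheme-mismatch"  # host is on the page, but under the other scheme
    return verdict


# Constructed log lines (assumed format: time client action url); not real traffic.
SAMPLE_LOG = """\
2024-05-01T02:10:03Z tanium-ts01 DENIED http://au.download.windowsupdate.com/c/msdownload/update.cab
2024-05-01T02:10:09Z tanium-ts01 DENIED https://deb.debian.org/debian/dists/bullseye/Release
2024-05-01T02:10:11Z tanium-ts01 ALLOWED https://swscan.apple.com/content/catalogs/index.sucatalog
2024-05-01T02:10:15Z tanium-ts01 DENIED http://windowsupdate.com.example.net/update.cab
"""


def audit_denials(log_text):
    """Map each DENIED URL to its verdict so missing filter rules stand out."""
    findings = {}
    for line in log_text.splitlines():
        _time, _client, action, url = line.split(maxsplit=3)
        if action == "DENIED":
            findings[url] = classify(url)
    return findings


if __name__ == "__main__":
    for url, verdict in audit_denials(SAMPLE_LOG).items():
        print(f"{verdict:16} {url}")
```

A denied request reported as listed points to a missing filter rule; scheme-mismatch means the host is in the table but only under the other scheme, so the rule should be written for the scheme the page gives.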

User role requirements

The following tables list the role permissions required to use Patch. To review a summary of the predefined roles, see Set up Patch users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Patch user role permissions
Permission | Patch Administrator [1,2,3] | Patch Configuration Author [1,2,3] | Patch Deployment Author [1,2,3] | Patch Endpoint Configuration Approver [1] | Patch Operator [1,2,3] | Patch Read Only User [2,3] | Patch Service Account [1,2,3,4] | Patch Super User [1,2,3]

Initialize Endpoints

Run endpoint initialization jobs


EXECUTE

Linux Patch

Access to the Linux Patch content


USER

USER

USER

USER

USER

USER

USER

Patch

INITIALIZE: Set up Patch activities for the granted content sets

SHOW: View the Patch workbench


INITIALIZE
SHOW

SHOW

SHOW

INITIALIZE
SHOW

SHOW

INITIALIZE
SHOW

INITIALIZE54
SHOW

Patch APT Repo

Create, edit, and delete APT repositories


WRITE
DELETE

READ

READ

READ

WRITE
DELETE

READ

Patch APT Repo Snapshot

Create, edit, and delete APT repository snapshots


WRITE
DELETE

WRITE
DELETE

WRITE
DELETE

READ

WRITE
DELETE

WRITE
DELETE

Patch Block List

Create, modify, and delete block lists for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Deployment

Create, modify, and delete deployments for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Maintenance Window

Create, modify, and delete enforcements in maintenance windows for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Module

Write access to a subset of platform settings in the Patch module


WRITE

WRITE

READ

WRITE

Patch Operator Settings

Write access to a subset of platform settings in the Patch module


WRITE

WRITE

WRITE

Patch Patchlist

Create, modify, and delete enforcements in patch lists for the granted content sets

5,6
READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE
54
READ
54
READ
WRITE
EXECUTE
DELETE
54
READ

READ
WRITE
EXECUTE
DELETE
54
READ
WRITE
EXECUTE
DELETE

Patch Repository

Create, modify, and delete repositories


READ
WRITE
EXECUTE
DELETE

READ

READ
WRITE
EXECUTE
DELETE

READ

READ
WRITE
EXECUTE
DELETE

READ
EXECUTE

Patch Repository Snapshot

Create, edit, and delete repository snapshots


READ
WRITE
DELETE

READ
WRITE
DELETE

READ
WRITE
DELETE

READ

READ
WRITE
DELETE

READ
WRITE
DELETE

Patch Scan Configuration

Create, modify, and delete scan configurations


READ
WRITE
EXECUTE
DELETE

READ
WRITE
DELETE

READ
WRITE
EXECUTE
DELETE

READ

READ
WRITE
EXECUTE
DELETE

READ
WRITE
EXECUTE
DELETE

Patch Settings

Write access to all Patch settings


READ
WRITE

READ

READ

READ

READ

READ
WRITE

READ

Patch Solution

Install or uninstall Patch


UPGRADE

UPGRADE

Patch Statistics

Access to the Patch statistics logs


LOGS

LOGS

Patch Trends

View Trends boards from the Patch workbench


READ

READ

READ

READ

READ

READ

READ

Patch Yum Repo

Create, edit, and delete yum repositories


WRITE
DELETE

READ

READ

READ

WRITE
DELETE

READ

Patch Yum Repo Snapshot

Create, edit, and delete yum repository snapshots


WRITE
DELETE

WRITE
DELETE

WRITE
DELETE

READ

WRITE
DELETE

WRITE
DELETE

Windows Patch

Access to the Windows Patch content


USER

USER

USER

USER

USER

USER

USER

1 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

3 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 If you enabled configuration approvals in Endpoint Configuration, then by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to the Patch Service Account role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements and Tanium Endpoint Configuration User Guide: Managing approvals.

4 Grants access to content in the Patch Content Set content set.

5 Grants access to content in the Patch Content Set content set.

5 Grants access to content in the Patch Service Objects content set.

6 Grants access to content in the Patch Service Objects content set.

 

Provided Patch administration and platform content permissions
Permission | Permission Type | Patch Administrator [1,2] | Patch Configuration Author [1,2] | Patch Deployment Author [1,2] | Patch Endpoint Configuration Approver | Patch Operator [1,2] | Patch Read Only User [1,2] | Patch Service Account | Patch Super User [1,2]
Allowed Urls | Administration
READ
WRITE

READ
WRITE

READ
WRITE

READ
WRITE
Computer Group | Administration
READ

READ

READ
WRITE

READ
User | Administration
READ
WRITE
Action | Platform Content
READ
WRITE

WRITE

WRITE

READ
WRITE

READ
WRITE

READ
WRITE
Own Action | Platform Content
READ

READ

READ

READ

READ

READ
Package | Platform Content
READ
WRITE

READ

READ

READ
WRITE

READ
WRITE

READ
WRITE
Plugin | Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question | Platform Content
READ
WRITE

READ
WRITE

READ
WRITE

READ
WRITE
Sensor | Platform Content
READ

READ

READ

READ

READ

READ

READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Interact. You can view which Interact content sets are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

2 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.