Creating compliance assessments

You can create a new assessment on the Assessments page or create one using an existing standard on the Standards page. You must have the Comply Report Administrator role to create assessments that use client-based scanning. You must have the Comply RAS Assessment Create role to create assessments that use remote authenticated scanning. For more information about Comply roles, see User role requirements.

Run a configuration compliance assessment to check the security configuration compliance state of a group of machines on a set schedule. This will execute data collection using Security Content Automation Protocol (SCAP) Extensible Configuration Checklist Description Format (XCCDF) standards. Run a vulnerability assessment to execute Open Vulnerability and Assessment Language (OVAL) checks against your endpoints to check for the presence of identified vulnerabilities.

The results of assessments are listed in the Findings page. From the Comply menu, click Findings.

Run general assessments that address all known configuration compliance issues and vulnerabilities once a month or bi-monthly. In addition to that large, general assessment, configure a small lightweight assessment that uses only targeted compliance standards or high and critical severity vulnerability definitions from the current year so that you can run it frequently without negative performance impact. For example, you might run the lighter assessment weekly or every 3 days.

Configuration compliance assessments are supported for all endpoint operating systems that are supported by Comply: Windows, macOS, Linux, AIX, and Solaris.

Configure a client-based scan assessment

  1. Select Assessments from the Comply menu.
  2. Select Compliance from the Create Assessment drop-down button.
  3. In the Summary section:
    • Enter a Name.
    • Provide a Label.
  4. Select a Scan Method (This field is only visible to users with the Comply RAS Assessment permission. All assessments are client-based scans unless otherwise specified.):
    • Client-Based: Client-based scanning uses Tanium Clients installed on endpoints. This is the recommended method of scanning. (The following instructions are for this scan method.)
    • Remote Authenticated: Remote authenticated scanning uses Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed. This scan type is useful for obtaining information from endpoints that do not support having the Tanium Client installed. See Configure a remote authenticated scan assessment for details.
  5. In the Targeting section:
    • Select Computer Groups. Use the pulldown list to select a group. Add additional groups using the same pulldown and use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Click the check mark to save each selection.
    • Be sure to select the appropriate Platform (AIX, Linux, Mac, or Windows) and Computer Groups whose endpoints match that Platform; Comply does not work correctly when the two disagree.

    • Select a Platform.

    • Select the Engine. The Engine field displays only when more than one engine is installed.

    • Select either Low or Normal from the Comply Process Priority drop-down list.

      If you select Low, the Comply scan process yields processor utilization to other processes running on the endpoint. If you select Normal, the scan process runs with the same priority as other processes on the endpoint.

      Selecting Low might increase the duration of the scan processes on endpoints with high processor utilization.

    • Optionally, when the Tanium Scan Engine is selected, you can enable the Include network drives in scan check box. Network drives are not included in scans by default. Scanning them can be time-consuming and resource intensive.

  6. In the Standards section:
    • Select the Standard from the drop-down list. Click Add Standard to include more than one.
    • In the Profile drop-down list, select an existing profile for the selected standard.

      When standards are imported with an engine, such as CIS-CAT or SCC, they are automatically assigned the applicable category. By default, new standards are assigned the Imported category.

    • In the Advanced Settings section, optionally select a Custom ID. Custom ID mappings allow you to create a custom column on results that associates a specific tag with a CVE. Create Custom IDs from the Setup > Vulnerability page in the Custom ID tab. See Customizing compliance results for more information.
    • Custom checks should take less than a minute to run. They can write anything to standard output as long as the last line is a valid rule result string such as pass, fail, or error.

  7. (Optional) In the Schedule section:
    • Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

      The date and time displayed by default is the local browser time.

    • (Optional) Select the Distribute Over option and enter values to run the report over minutes, hours or days. See Tanium Console User Guide: Deploying actions for information on how the Distribute over option works.
    • In the Repeat field, select Interval, Using report age, or Never.
      • If you choose Interval, the Reissue every field displays, and you can specify how often the report runs.
      • If you choose Using assessments age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the report runs again. If a targeted endpoint comes online that has never run the report, the report runs as soon as the next age-check occurs. The age of results is checked every hour.
      • Use the Using assessments age option and set it to 7 days.

  8. Click Create & Deploy and enter your credentials. Results will display on the Findings page.

Configure a remote authenticated scan assessment

Remote authenticated scanning is useful for obtaining information from endpoints and subnets that do not support having the Tanium Client installed. For all other endpoints, you should use client-based scanning for performance reasons and to take advantage of the linear chain architecture.

Before you begin

    Review Reference: Remote authenticated scanning before configuring this feature.

  • Remote authenticated scanning requires specific versions of other Tanium solutions. See Remote authenticated scanning requirements.
  • Tanium Client operating system support for executing remote authenticated scans is the same as Tanium Client support (see Tanium Client Management User Guide: Client version and host system requirements) with the following exceptions.
  • See Host and network security requirements for remote authenticated scanning port requirements.
  • The following RBAC role is required: Comply RAS Assessment Creator. See User role requirements.
  • Create satellites in Tanium Direct Connect. See Tanium Direct Connect User Guide: Managing satellites.
  • Plan your targeting. When you configure remote authenticated scans, you can manually enter IP addresses (ranges, CIDR, etc.) to be scanned by the selected satellite or you can choose to scan endpoints found by Tanium Discover (Discovered Endpoints). If you are targeting Discovered Endpoints, you must run satellite scans in Tanium Discover before you configure the assessment. See Tanium Discover User Guide: Running satellite scans.

    More information about targeting:

    • Targeting IP addresses: When using IP address targeting (the default), the addresses you enter do not have to be on the same subnet as the satellite to be scanned. They only have to be reachable by the satellite.
    • Targeting Discovered Endpoints: When targeting Discovered Endpoints, if an endpoint does not match Tanium Discover's Promote Unmanaged Interface label, that endpoint is not promoted to Tanium Data Service (TDS). If an endpoint is not promoted to TDS, it cannot be scanned by Comply. Therefore you must promote interfaces to TDS in Tanium Discover. See Tanium Discover User Guide: Managing interfaces. Note that because Tanium Discover cannot get the MAC address from endpoints that are not in the same subnet as the satellite, only endpoints in the same subnet as the satellite will be scanned.
    • WinRM 2.0 or higher must be installed on targeted Windows operating systems.

    • For ESXi endpoints, when you configure the assessment, you target the IP address of VMware vCenter managing the ESXi hosts. You cannot connect directly to an ESXi host. Once the scan completes, the Endpoint Statistics will show the ESXi endpoints. Comply does not know about those ESXi endpoints until the scan is run.
    • If you try to target ESXi endpoints directly, you may see results, but those results should not be considered reliable.

      Because ESXi endpoints are not targeted directly, their status will not change or get updated in the UI until the scan is complete and all results are received.

      Endpoint Statistics will include the VMware vCenter in the number of scanned endpoints, but the vCenter endpoint is not scanned. Joval does not support scanning a vCenter instance (VCSA) at this time.

  • Configure credentials in Tanium Comply. See Configure credentials lists for remote-authenticated scans.
  • Do not target the same unmanaged assets with multiple remote authenticated scan assessments.
  • Target a maximum of 256 unmanaged assets per remote authenticated scan assessment or the equivalent of a /24 network.
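The Included Networks and Excluded Networks fields of a remote authenticated scan assessment accept single IP addresses, IP ranges, and CIDR blocks separated by commas or line breaks, and an assessment should target at most 256 unmanaged assets. The following Python script is an added example written for this guide, not part of Tanium Comply; it resolves such a target specification offline and checks the result against that limit before you create the assessment. The per-item size bound, the sample addresses, and the function names are this example's own assumptions.

```python
import ipaddress
import re

# Limit named in the guide: at most 256 unmanaged assets (a /24) per remote
# authenticated scan assessment.
MAX_ASSETS_PER_ASSESSMENT = 256

# Sanity bound for a single item so a typo such as "10.0.0.1 - 10.255.255.255"
# fails fast instead of expanding millions of addresses (assumption, not a Comply limit).
MAX_ADDRESSES_PER_ITEM = 65_536


def split_network_items(spec):
    """Split a field value into items; the fields accept commas or line breaks."""
    return [item.strip() for item in re.split(r"[,\r\n]+", spec) if item.strip()]


def expand_network_item(item):
    """Return the set of addresses one item denotes: a single IP, a range
    written 'first - last', or a CIDR block such as 192.168.1.0/24."""
    if "-" in item:
        first_text, last_text = (part.strip() for part in item.split("-", 1))
        first = ipaddress.ip_address(first_text)
        last = ipaddress.ip_address(last_text)
        if first.version != last.version:
            raise ValueError(f"mixed address families in range: {item!r}")
        if last < first:
            raise ValueError(f"range end precedes start: {item!r}")
        size = int(last) - int(first) + 1
        if size > MAX_ADDRESSES_PER_ITEM:
            raise ValueError(f"range too large ({size} addresses): {item!r}")
        return {first + offset for offset in range(size)}
    if "/" in item:
        # strict=False accepts host bits set, e.g. 192.168.1.5/24 -> 192.168.1.0/24
        net = ipaddress.ip_network(item, strict=False)
        if net.num_addresses > MAX_ADDRESSES_PER_ITEM:
            raise ValueError(f"block too large ({net.num_addresses} addresses): {item!r}")
        # Iterating a network yields every address, network and broadcast included,
        # so a /24 counts as 256, matching the guide's "equivalent of a /24".
        return set(net)
    return {ipaddress.ip_address(item)}


def resolve_targets(included, excluded=""):
    """Effective target set: every included address minus every excluded one."""
    targets = set()
    for item in split_network_items(included):
        targets |= expand_network_item(item)
    for item in split_network_items(excluded):
        targets -= expand_network_item(item)
    return targets


def check_target_budget(included, excluded=""):
    """Report how many assets the assessment would target and whether that
    fits within the per-assessment limit."""
    count = len(resolve_targets(included, excluded))
    return {
        "count": count,
        "limit": MAX_ASSETS_PER_ASSESSMENT,
        "within_limit": count <= MAX_ASSETS_PER_ASSESSMENT,
    }


if __name__ == "__main__":
    # Constructed sample values in the formats the fields accept.
    included = "192.168.1.1, 192.168.1.3\n192.168.1.10 - 192.168.1.20\n10.0.0.0/30"
    excluded = "10.0.0.1"
    print(check_target_budget(included, excluded))
```

Run it with your own Included and Excluded values pasted into the two strings; a count above the limit means the targeting should be split across assessments before deployment, and a ValueError points at the item that does not parse.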

To configure a remote authenticated scan assessment, do the following:

  1. Select Assessments from the Comply menu.
  2. Select Compliance from the Create Assessment drop-down button.
  3. In the Summary section:
    • Enter a Name.
    • Provide a Label.
  4. Select a Scan Method (This field is only visible to users with the Comply RAS Assessment permission. All assessments are client-based scans unless otherwise specified.):
    • Client-Based: Client-based scanning uses Tanium Clients installed on endpoints. This is the recommended method of scanning.
    • Remote Authenticated: Remote authenticated scanning uses Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed. This scan type is useful for obtaining information from endpoints that do not support having the Tanium Client installed. Note that remote authenticated scanning only supports using the Tanium Scan Engine. (The following instructions are for this scan method.)

      The Discover scan cannot get the MAC address from endpoints that are not in the same subnet as the satellite. Therefore only endpoints in the same subnet as the satellite will be scanned.

  5. In the Satellites section, select a satellite from the list to perform the scan.
  6. In the Targeting section, select a Targeting Type.

      If you use IP addresses (the default), the addresses you enter do not have to be on the same subnet as the satellite to be scanned. If you use discovered endpoints, because Tanium Discover cannot get the MAC address from endpoints that are not in the same subnet as the satellite, only endpoints in the same subnet as the satellite will be scanned.

    • IP Addresses:
      • In the Included Networks field, enter a comma separated list of IP addresses, IP address ranges, or CIDR addresses. You can also click the Copy button to upload a text file containing IP addresses, IP ranges, or CIDRs separated either by commas or carriage returns.
      • In the Excluded Networks field, enter IP addresses, IP address ranges, or CIDR addresses to be excluded from the scan. You can enter them manually or upload a file of addresses.

      • Be sure to enter IP addresses that the selected satellite can reach.

    • Discovered Endpoints: Click the +ROW or +Grouping button to view the Select Attribute field. Select from the following Attribute combinations to filter the list of discovered endpoints:

      Attribute       | Available Operators                                      | Value
      IP Address      | is equal to, is not equal to, contains, does not contain | Enter a single IP address or multiple addresses, each separated by a comma. For example, 192.168.1.1, 192.168.1.3
      Discover Labels | include one of, include all of                           | Select one or more labels configured in Tanium Discover. See Tanium Discover User Guide: Labels for more information.
      IP Range        | equals                                                   | Enter an IP address range. For example, 192.168.1.1 - 192.168.1.150
      CIDR            | equals                                                   | Enter an IP address range in CIDR format. For example, 192.168.1.0/24
      OS Platform     | contains, does not contain                               | Enter text for targeting a specific OS.

      To select multiple items in the Value field, click within the field after adding an item, and you can select additional items.

      Use the And/Or buttons to build upon or narrow your selection. Use the Add Row or Add Group button to add a new target to the group. Click the check mark to save each selection.

    • In the Preview section for Discovered Endpoints, click the Show Preview button to view the list of unmanaged endpoints you selected for targeting. You can use the information in the preview grid to expand or narrow your targeting. For example, you can target a satellite initially and then add an IP range to further filter your targets based on what you observed in the preview.

  7. Select the Credential List for this assessment. You can only use one list per assessment. In order for satellites to perform secure scans of non-Tanium endpoints, the login credentials for those endpoints are required. See Configure credentials lists for remote-authenticated scans.

  8. Make sure the credential list you select matches the targeting in the assessment. If too many incorrect credentials are attempted and fail, this could trigger security alerts and cause account lockouts.

  9. (Optional, not recommended) In the Subsequent Scan Configuration section, enable the Include new endpoints found on recurring scans check box. By default, if scans are recurring, Comply only scans endpoints that were reachable during the initial scan. If new endpoints come online, they are not scanned unless you change the assessment's targeting or select this check box.
  10. If you enable the Include new endpoints found on recurring scans check box and your network is compromised at any point after the initial scan, a honeypot could be installed in your environment that matches the scan configuration requirements. If that occurs, an unmanaged endpoint could capture the credentials being passed to it and use them with malicious intent.

  11. Use Trust on First Use for fingerprint comparison. This option is enabled by default and is recommended when you use SSH key and SSH password credentials. With this feature enabled, Comply collects the SSH fingerprint the first time an endpoint connects. For every future connection, Comply checks that the endpoint presents the same SSH fingerprint. If it does not, Comply logs a Fingerprint Mismatch Error. An endpoint that fails the fingerprint check is not logged into or scanned.

  12. If you receive a fingerprint mismatch error, you can click on the assessment error message and then click through to the endpoint to accept the new key to resolve the error.

  13. In the Standards section:
    • Select the Standard from the drop-down list. Click Add Standard to include more than one.
    • In the Profile drop-down list, select an existing profile for the selected standard.

      When standards are imported with an engine, such as CIS-CAT or SCC, they are automatically assigned the applicable category. By default, new standards are assigned the Imported category.

    • In the Advanced Settings section, optionally select a Custom ID. Custom ID mappings allow you to create a custom column on results that associates a specific tag with a CVE. Create Custom IDs from the Setup > Vulnerability page in the Custom ID tab. See Customizing compliance results for more information.
    • Custom checks should take less than a minute to run. They can write anything to standard output as long as the last line is a valid rule result string such as pass, fail, or error.

  14. (Optional) In the Schedule section:
    • Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

      The date and time displayed by default is the local browser time.

    • (Optional) Select the Distribute Over option and enter values to run the report over minutes, hours, or days. See Tanium Console User Guide: Deploying actions for information on how the Distribute over option works.
    • In the Repeat field, select Interval, Using report age, or Never.
      • If you choose Interval, the Reissue every field displays, and you can specify how often the report runs.
      • If you choose Using assessments age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the report runs again. If a targeted endpoint comes online that has never run the report, the report runs as soon as the next age-check occurs. The age of results is checked every hour.
      • Use the Using assessments age option and set it to 7 days.

  15. Click Create & Deploy and enter your credentials. Results will display on the Findings page.
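The Trust on First Use check described in steps 11 and 12 can be illustrated with a small store that records an endpoint's SSH host-key fingerprint on first contact, refuses later connections that present a different one, and lets an operator accept a new key after review. This Python code is an added example written for this guide, not Comply's implementation; the fingerprints, the endpoint address, and the class and function names are constructed for illustration.

```python
import hmac
import json
from pathlib import Path

# Constructed sample fingerprints in OpenSSH's SHA256 presentation; not real keys.
KEY_A = "SHA256:aBcDeFgH1234567890abcdefghijklmnopqrstuvwxyz0"
KEY_B = "SHA256:ZyXwVuTs0987654321zyxwvutsrqponmlkjihgfedcba9"


class FingerprintMismatchError(Exception):
    """Raised when an endpoint presents a key other than the one first recorded."""


class TofuFingerprintStore:
    """Trust-on-first-use store: record each endpoint's SSH host-key fingerprint
    the first time it is seen, then require the same fingerprint afterwards."""

    def __init__(self, path=None):
        # Optional JSON file so the record survives between scan runs.
        self.path = Path(path) if path else None
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=2, sort_keys=True))

    def verify(self, endpoint, presented):
        """Return 'recorded' on first contact or 'match' on a repeat contact;
        raise FingerprintMismatchError if the presented key differs."""
        recorded = self.known.get(endpoint)
        if recorded is None:
            self.known[endpoint] = presented
            self._save()
            return "recorded"
        # Length-independent comparison; fingerprints are public, but this keeps
        # the check free of early-exit behaviour.
        if hmac.compare_digest(recorded.encode(), presented.encode()):
            return "match"
        raise FingerprintMismatchError(
            f"{endpoint}: expected {recorded}, presented {presented}")

    def accept_new_key(self, endpoint, presented):
        """Operator-driven resolution after a reviewed mismatch (for example a
        rebuilt host), mirroring the 'accept the new key' action in step 12."""
        self.known[endpoint] = presented
        self._save()


def gate_scan(store, endpoint, presented, log):
    """Decide whether a scan may log in. A fingerprint mismatch is logged and the
    endpoint is neither logged into nor scanned; everything else proceeds."""
    try:
        outcome = store.verify(endpoint, presented)
    except FingerprintMismatchError as exc:
        log.append(f"Fingerprint Mismatch Error: {exc}")
        return False
    log.append(f"{endpoint}: fingerprint {outcome}")
    return True


def demo():
    """Walk one endpoint through first use, a repeat, a key change, and acceptance."""
    store, log = TofuFingerprintStore(), []
    results = [
        gate_scan(store, "10.0.0.5", KEY_A, log),  # first use: recorded, scan allowed
        gate_scan(store, "10.0.0.5", KEY_A, log),  # same key: allowed
        gate_scan(store, "10.0.0.5", KEY_B, log),  # different key: refused and logged
    ]
    store.accept_new_key("10.0.0.5", KEY_B)       # after review, accept the new key
    results.append(gate_scan(store, "10.0.0.5", KEY_B, log))
    return results, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The refusal on mismatch is the point of the design: a changed host key is either a legitimately rebuilt endpoint or something answering in its place, and the credentials are withheld until a person has decided which.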
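The custom check contract stated in the Standards section of both procedures (free-form standard output, with the last line a valid rule result string such as pass, fail, or error) is shown below as an added example written for this guide, not a Tanium Comply check. The rule it evaluates (PermitRootLogin must be set to no), the sample sshd_config excerpt, the case-sensitive matching of the result string, and all names are this example's own assumptions; it also shows how a collector would read such output and treat anything unexpected as an error.

```python
import sys
import time

# Rule result strings named in the guide; the last stdout line must be one of these.
VALID_RESULTS = ("pass", "fail", "error")
TIME_BUDGET_SECONDS = 60  # the guide asks that a custom check finish in under a minute

# Constructed sshd_config excerpt used when no path is given on the command line.
SAMPLE_CONFIG = """# constructed sample
Port 22
# should be 'no'
PermitRootLogin yes
PasswordAuthentication no
"""


def evaluate_permit_root_login(config_text):
    """Hypothetical rule: PermitRootLogin must be explicitly set to 'no'.
    Returns (diagnostic lines, result string)."""
    diagnostics, value = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            value = parts[1].strip().lower()
            diagnostics.append(f"line {lineno}: PermitRootLogin {value}")
    if value is None:
        diagnostics.append("PermitRootLogin not set; sshd default applies")
        return diagnostics, "fail"
    return diagnostics, ("pass" if value == "no" else "fail")


def render_check_output(diagnostics, result):
    """Build the text a check writes to stdout: free-form diagnostics first,
    then exactly one valid rule result string as the final line."""
    if result not in VALID_RESULTS:
        result = "error"
    return "".join(f"{line}\n" for line in diagnostics) + f"{result}\n"


def parse_check_output(output):
    """Read a check's stdout the way a collector would: ignore everything but the
    last non-blank line; anything unexpected (or no output at all) becomes 'error'.
    Ignoring trailing blank lines and matching case-sensitively are assumptions."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if not lines or lines[-1] not in VALID_RESULTS:
        return "error"
    return lines[-1]


def main(argv):
    """Run the check as a script; whatever goes wrong, the last line stays valid."""
    started = time.monotonic()
    try:
        if len(argv) > 1:
            with open(argv[1], encoding="utf-8") as fh:
                text = fh.read()
        else:
            text = SAMPLE_CONFIG
        diagnostics, result = evaluate_permit_root_login(text)
    except Exception as exc:
        diagnostics, result = [f"check failed: {exc}"], "error"
    elapsed = time.monotonic() - started
    diagnostics.append(f"elapsed {elapsed:.3f}s (budget {TIME_BUDGET_SECONDS}s)")
    sys.stdout.write(render_check_output(diagnostics, result))
    return result


if __name__ == "__main__":
    main(sys.argv)
```

Invoked as `python check.py /etc/ssh/sshd_config`, the script prints its diagnostics and then a single result line; the try/except around the evaluation is what keeps the contract intact when the file is missing or unreadable.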
Remote authenticated scan workflow

When a remote authenticated scan begins, it asks the Comply service for its targets and credentials. The service uses the scan’s criteria for IP inclusion to query for currently reachable targets for that satellite and sends that list to the client to execute the scan. Scheduled periodic RAS scans do not automatically include new targets as they are identified by the associated Tanium Discover scan. Recurring assessments will only include the unmanaged assets that were reachable at the time of the initial scan, unless you select the Include newly discovered endpoints on reoccurring scans check box, which is not recommended.

Create a Configuration Compliance assessment from the Standards page

On the Standards Compliance tab, click Create next to a profile to create an assessment for that profile.


Scan status

View the status of a scan in the Status column on the assessment list page. Hover over the icon to see one of the following statuses:

Loading

No statistics have been received from the Comply service for the assessment.

Pending

At least one endpoint in the assessment has not yet run the scan, but there are no scan errors.

Success

The assessment has at least one successful run, no errors, and no endpoints that have not yet run the scan.

Error

The assessment has at least one endpoint that produced an error during the scan.

Warning

Any issue that does not fall into the other status categories.

You must reload the page to update the status column.

Run an assessment again

On the Assessments page, select an assessment and click Deploy to run it again.

To use updated configuration compliance standards, you must create a new assessment; an existing assessment keeps the standards it was created with.

Run an on-demand scan

On-demand scans are only supported for client-based assessments.

An on-demand scan lets you run an assessment at the push of a button using existing targeting or with additional filters. Optionally, you can run the assessment with or without debug enabled.

To run an on-demand scan:

  1. Select the check box for an assessment or click the arrow for the fly-out window to access the Run on-demand scan button.

  2. Click the Run on-demand scan button and optionally configure the following:
    • Select the Run with Debug check box. Debug is only available for the Tanium Scan Engine. With debug enabled, scans run with more detailed logging, and additional output that the CX stores is available to view (see Client extensions). A debug zip as well as an XML file are produced in /opt/Tanium/TaniumClient/extensions/comply/data/results/joval-<assessment ID>
    • Configure additional filtering - Select Individual Endpoints and enter those endpoints into the edit field or select Computer Group and choose a group to filter by.
  3. Click the Run Scan button.

Export an assessment

The following instructions are for exporting one assessment at a time. To export findings using Tanium Connect, see Exporting findings and assessments for instructions.

  1. On the Assessments page, select an assessment and click the Export icon. You can only export one assessment at a time. If you have more than one assessment selected, the Export icon is not displayed.
  2. In the Export Assessment window, provide the following for each assessment type:
    • Compliance
      1. Enter an Assessment Name.
      2. Optionally, enter a Description.
      3. Enter a File Name.
      4. Select a Format: HTML or CSV. If you select CSV, no further information is required.
      5. Select one or more Results Types for the export.
      6. Select which Group Details to export: Description, Endpoint list, Summary.
      7. Select one or more Finding Attributes to export.
      8. Click Export.

Edit an assessment

  1. On the Assessments page, select the assessment you want to edit and click the Edit icon.
  2. Edit the Name if needed.
  3. Add labels in the Labels field. Click the X next to a label to remove it.
  4. Change the Comply Process Priority if needed.
  5. Select Start at and End at and complete the date and time values to limit the assessment to run only during a specific time period. The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions.
  6. Select the Distribute over and enter values to run the assessment over minutes or hours.
  7. Select None, Interval, or Use assessment age for the Repeat field.
    • If you choose None, the report will run once if the Start At field is specified for a date and time in the future. Otherwise, the report will not run again.
    • If you choose Interval, the Reissue every field will appear, and you can specify how often the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If you choose Interval and do not enter a value for End At, the assessment will run at the specified interval forever.
    • If you choose Use assessment age, then the Run when results are older than field will appear, and you can specify how old you want the results to be before the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours: if you specify an age less than 3 hours, the age of results is checked every hour. If you do not enter a value for End At, the assessment will continue to run forever.
  8. Click Save.

Clone an assessment

You can quickly create a new assessment based on an existing assessment by using the clone feature.

  1. On the Assessments page, select the assessment you want to clone and click the Clone icon.

    You can also clone an assessment from the assessment's side panel.
  2. A new assessment page opens with all fields prepopulated with settings from the original assessment. In the name field, the name of the original assessment is prepended with the text Clone -.
  3. Make necessary edits and click Create and Deploy.

Delete an assessment

When an updated version of a configuration compliance standard is released, you must delete the configuration compliance assessment that uses the old standard and create a new assessment with the updated standard.

You cannot delete a standard, custom check, or custom ID mapping if they are associated with an assessment.

On the Assessment page, select an assessment and click the Delete icon to delete it.

Delete stale assessments from endpoints

If you delete an assessment using the procedure described in Delete an assessment, that assessment is removed from the console but it remains on the endpoint. To delete stale assessments from endpoints, do the following.

  1. From the Comply main page, click Help.

  2. On the Troubleshooting tab, click Manage Assessments.
  3. On the Stale Assessments page, select one or more and click Schedule Deletion.
  4. Select and edit the following fields to schedule the removal action:
    • Select Start On and complete the date and time value to schedule the removal to begin at a specific time. The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions.

    • Select the Distribute Over and enter values to run the removal over minutes, hours, or days.

    • Click Schedule Deletion.