Working with benchmarks and vulnerability sources
You must have the Comply Report Content Administrator role to read and write configuration compliance benchmarks and vulnerability sources. For more information about Comply roles, see User role requirements.
If you want to use other benchmarks or scan engines, you must import them. See Download and import the CIS engine and Download and import the SCC scan engine for instructions on how to import or upgrade benchmarks in bulk.
You can import benchmarks in Comply that have the following file formats:
- Split XCCDF format: XCCDF file, OVAL file, CPE, and CPE-dictionary
- Single SCAP 1.2 datastream single file
- Multiple ZIP files containing split XCCDF files
Use categories and labels to group the benchmarks. You can filter the list of benchmarks on the Standards > Compliance page by category and label.
- On the Standards > Compliance page, click the Import Compliance Standards button to import configuration compliance benchmarks.
- Provide a Description for the benchmark.
- In the Category drop-down list, select an existing category or click Create new category... to create a category to assign to the benchmark.
- If you created a category, enter a name for your new category in the New Benchmark Category window, and click Save.
When benchmarks are imported with an engine, such as CIS-CAT or SCC, they are automatically assigned the applicable category. By default, new benchmarks are assigned the Imported category.
- (Optional) Enter custom labels in the Labels field to describe the benchmark.
- Click Select Files and select the benchmark files.
- Click Import.
Filter standards by category
You can filter benchmarks by category on the Standards > Compliance page by selecting a category from the Filter arrow and choosing from the Label drop-down list.
Change a Standards category or label
- On the Standards > Compliance page, hover over a benchmark to show the Edit icon. Click this icon.
- In the Standard Metadata window, select a different Category and, if needed, edit the Labels for the benchmark.
- Click OK.
Create a standards category
- From the Comply Setup page, click Compliance.
- Click Create Profile.
- In the Standards Profile window, enter a title and a description.
- Select a Benchmark and click Create.
Delete Standards categories
- From the Comply Setup menu, click Compliance.
- On the Custom Profiles tab, click Deletenext to the category you want to delete.
- Click OK.
Use the Label Filter field at the top right of the Standards > Compliance page to filter the benchmarks. Begin entering text to see a list of available labels or click the X next to an existing label to remove it from the list of filters.
Benchmarks with a verified label were tested and confirmed to work with Comply. Only verified benchmarks display by default. Benchmarks with a yellow unverified label were not tested with Comply. This label does not mean that the benchmark does not work with Comply. Benchmarks with a red unsupported label do not work with Comply.
Viewing configuration compliance standard profiles and creating reports
- In Standards > Compliance, click Expand to see the details of a configuration compliance standard.
- In the Profiles section, click the Create Report link next to a benchmark profile to create a report for that profile.
Click the Create Report button at the top to create a report for the first profile listed.
The Create Configuration Compliance Report page opens. For the steps to create a configuration compliance report, see Create a configuration compliance report.
Click Standards > Vulnerability to open the Vulnerability Standards page.
Expand Tanium Vulnerability Library to see the three vulnerability sources provided by Comply:
- Tanium Vulnerability Library for Unix
- Tanium Vulnerability Library for macOS
- Tanium Vulnerability Library for Windows
Expand default vulnerability sources to view details, create a report, update them, or edit them. Click on the number of CVEs to see the full list of CVEs included in a standard. You can search the CVE list by using Filter by Name field.
Tanium maintains the Tanium Vulnerability Library daily. The new version of the Tanium Vulnerability Library is available for download by clicking Update Source in the Tanium Vulnerability Library section on the Vulnerability Standards page.
By default, the Tanium Vulnerability Library is automatically updated daily. To change this schedule, click Edit Source .
Keep the default schedule that updates the Tanium Vulnerability Library daily.
Comply checks approximately every 60 minutes to compare scheduled vulnerability reports against the most recent version of the Tanium Vulnerability Library. The report rebuilds if new definitions are available for any of the specified Vulnerability Content (Range of CVEs, CVSS Score, or Individual CVEs) and a report is scheduled to run.
Search for CVEs
Enter one or more CVEs in the Search CVEs field at the top of the Vulnerability Standards page and click Search for CVEs. You can use a search to scan all vulnerability sources to identify which sources contain the specified CVEs.
If you are working in an air-gapped environment, you must configure that setting in Comply and then upload the air gap ZIP file. For the steps to configure Comply for an air-gapped environment, see Configure Comply for an air-gapped environment.
- After you specify that you are working in an air-gapped environment in the Comply settings, click Standards > Vulnerability to open the Vulnerability Standards page.
- Click Upload Airgap Zip.
- Download the air gap ZIP file from the link indicated in the Upload TVL Airgap Zip window (https://content.tanium.com/files/published/tvl/Comply-Standards-Airgap-v1.zip) using a machine that can connect to the internet and save it on the air-gapped machine.
- Click Select File, select the Comply-TVL-Airgap-pkg.zip file from the location where you saved it on the air-gapped machine, and click Open.
- Click Upload.
- After your upload is complete, click Close on the Upload TVL Airgap Zip window. Allow approximately five minutes for Comply to update the vulnerability benchmarks. If you expand a vulnerability source, you will see the Type indicated as Local as well as a completed count of CVEs after the benchmarks are successfully updated from the uploaded air gap ZIP file.
- Click Create Source on the Vulnerability Standards page.
- In the Details section, provide a Name, Vendor, and Description.
- To schedule automatic updates, check Enable recurring updates.
- In the OVAL Definitions File section, choose
either Remote orUpload for the Location.
Enter the path for the Remote File orSelect file for Upload as appropriate.
- Click Save.
A remote source is a URL that points to an OVAL definition XML file and can be updated by clicking Update next to the benchmark on the Vulnerability Benchmarks page.
Remote sources are best suited when OVAL content is updated periodically. Uploaded sources are best suited to air-gapped environments or when you would like to manually download and provide the source feed.
This OVAL definition file from CIS provides access to all vulnerability definitions in their repository: https://oval.cisecurity.org/repository/download/5.11.1/all/oval.xml
Edit or delete a vulnerability source
On the Vulnerability Standards page, click Edit to edit a vulnerability source or Delete to delete a vulnerability source.
Perform a vulnerability scan and create a report
- Click Expand to see the details of a vulnerability standard and view information about the associated XML file and operating systems. Click Create to create a new vulnerability report.
- For more information, see Create a vulnerability report .
- Click Create & Deploy to run the vulnerability scan.
Last updated: 3/3/2021 1:21 PM | Feedback