Customizing compliance results

You must have the Comply Report Content Administrator role to customize compliance results. For more information about Comply roles, see User role requirements.

Custom profiles

A profile defines a set of rules to be evaluated and the parameters for those rules. Custom profiles allow you to specify just a subset of the checks available in a benchmark to be deployed.

  1. From the Comply menu, click Setup > Compliance.
  2. On the Compliance tab, click Create Profile.

You can either create a custom profile or upload one from a tailoring file.

Create a new custom profile

  1. Click Create Profile.
  2. On the New Custom Profile page, enter a Title and Description.
  3. In the Rules section, select a benchmark from the Benchmark drop-down list.
  4. Select each rule you would like to include in your custom profile.

    Click Advanced Filter to filter the rules by category, such as Account Policies.

  5. Click Add Selection To Profile to move the selected rules to the Selected Rules section.

    To remove a rule that you added, select the rule and click Remove Selection From Profile.

  6. Some benchmarks (for example, CIS Microsoft Windows Server 2008 and 2012) require you to choose a selector for certain rules. In the Selected Rules section, these rules have a drop-down list in the Selector column. In the CIS Windows example, set the MS (for member server) or DC (for domain controller) selector for each rule.

    To set or change the selector for multiple rules, select the rules and click Change Selector. Choose a selector.

  7. Click Create to create the new custom profile.

You can also modify some rule values within your custom profile. If a rule value is customizable, a value of true displays in the Can Customize column along with the default value for the rule in the Default Values column.

Customize a rule value

  1. Select the rule and click Modify Rule Value.
  2. In the Modify Custom Profile Value window, enter a Custom Rule Title and change the Custom value field.

  3. Rule titles occasionally include the value used in the rule. Customize the title of any rule whose value you have changed; the customized rule titles then appear in report results, question answers, and report exports. For example, if you provide a new value for the rule (L1) Ensure 'Enforce password history' is set to '24 or more password(s)', change 24 in the title to match the custom value.

  4. Click Save. The new value will appear in the User-defined Values column. You can return to the Default Value of a rule by clicking Use Default.

On the Custom Profiles page, click a custom profile to view its details.

You will see the rules included in the custom profile as well as those for which the values have been modified.

Upload a new custom profile

  1. Click Import Tailoring File.
  2. In the Upload Custom Profile window, enter a Description.
  3. Select a benchmark from the Benchmark drop-down list.
  4. Click Select File and locate the tailoring file for the new profile.

A custom profile can also be defined by a tailoring file, which is supported in SCAP 1.2 and later. For more information about tailoring files, see NIST's Technical Specification for the Security Content Automation Protocol (SCAP), or contact Tanium Support (see Contact Tanium Support).

Cloning custom profiles

  1. Click Clone next to the custom profile.
  2. Provide a new Title and Description for the duplicate custom profile.
  3. Make any necessary changes to the rules included in the custom profile.
  4. Click Create.

Editing custom profiles

  1. Click Edit next to the custom profile.
  2. In the Details section, you can edit the Title and Description.
  3. In the Rules section, choose additional rules or select a new benchmark from the Benchmark drop-down list to select other rules.
  4. If you select a new benchmark, previously selected rules might no longer be valid. If a rule is invalid, No is displayed in the Valid column of the Selected Rules list, and a warning below the list shows the total number of invalid rules that are selected.

  5. Click Update.
  6. If any of the selected rules are invalid, a confirmation window warns that the invalid rules will be removed automatically from the custom profile. Click OK.
  7. If one or more reports currently use this custom profile, a confirmation window appears. If you want to redeploy these reports immediately, click Redeploy and Continue; otherwise, click Continue. Reports with changes that are not redeployed will show a Warning next to them on the Reports page.

Report results only include results from endpoints with the latest version of the custom profile. If any endpoint has an older version, the Endpoints count will indicate the number pending an update.

Custom checks

You can create custom checks in Comply to evaluate a condition on endpoints that is not covered by any benchmark. A custom check is a PowerShell or VBScript script on Windows, or a bash shell script on Linux/macOS. PowerShell scripts should use the file extension .ps1, and VBScript files should use the .vbs extension.

You must have the Comply Custom Check Writer role to write custom checks. For more information about Comply roles, see User role requirements.

  1. In the Comply menu, select Setup > Compliance.
  2. On the Custom Checks tab, click Create Check.
  3. In the New Custom Check window, enter a Title, Description, and Identifier.
  4. Select the appropriate Severity and Platform.
  5. Click Select File and locate the file for the custom check.
  6. Click Save. Your custom check will now show under Custom Checks and be available in the Custom Checks section of the page when you create a new Configuration Compliance report.

The result of a custom check is indicated by the last line of its output. This value must appear on a line by itself after all other output and must be one of the following:

Result    Description
pass      All conditions are satisfied.
fail      Not all conditions are satisfied.
error     Compliance evaluation could not be completed, so the compliance status of the endpoint has not been confirmed.
unknown   The result is unknown.
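The following bash script is an added example of a Linux/macOS custom check in the shape described above; it is not Tanium's code, and the condition it evaluates (a hypothetical sshd_config setting) is only for illustration. Diagnostics are printed first, and the last line of output is exactly one of the four result values, with an unreadable file reported as error rather than fail.

```shell
#!/bin/bash
# Added example, not Tanium's code: a Linux/macOS custom check written the way
# Comply expects. Any diagnostics are printed first; the very last line of output
# is exactly one of pass, fail, error or unknown, and that word is the result.
# The condition checked is hypothetical: sshd_config must set PermitRootLogin no.

# evaluate_permit_root_login CONFIG_FILE
evaluate_permit_root_login() {
  cfg="$1"

  # The check could not run at all (file missing or unreadable): report "error",
  # not "fail", so the endpoint shows as unconfirmed rather than non-compliant.
  if [ ! -r "$cfg" ]; then
    echo "cannot read $cfg"
    echo "error"
    return 0
  fi

  # sshd honours the first occurrence of a keyword; commented-out lines are ignored.
  value=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$cfg" \
            | head -n 1 | awk '{ print tolower($2) }')

  if [ -z "$value" ]; then
    echo "no PermitRootLogin value found; sshd default applies"
    echo "unknown"
  elif [ "$value" = "no" ]; then
    echo "PermitRootLogin=$value"
    echo "pass"
  else
    echo "PermitRootLogin=$value"
    echo "fail"
  fi
}

# Stand-alone demo against a constructed config file, not a real endpoint.
main() {
  tmp=$(mktemp)
  printf '# constructed sample\nPort 22\nPermitRootLogin no\n' > "$tmp"
  evaluate_permit_root_login "$tmp"
  rm -f "$tmp"
}

main
```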

Custom ID mappings

Use custom ID mappings to create a custom column on results that associates a specific tag with a custom check or rule identifier.

  1. In the Comply menu, select Setup > Compliance.
  2. On the Custom ID Mappings tab, click Create Custom ID.
  3. In the New Custom ID window, enter a Name and Description.
  4. Click Select File and locate the custom ID mapping file.
  5. Click Save. Your custom ID now shows under Custom ID Mappings and is available in the Advanced Settings section when you create a new Compliance report.

Use the following file format for a custom ID mapping:

Rule id|custom id

Example:

xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp|company_policy_rule_42
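As an added example (not Tanium's code), the script below sanity-checks a mapping file in this format before it is uploaded. It assumes one Rule id|custom id pair per line and flags lines with a missing or extra separator, an empty field, or a rule id that is mapped twice, since such lines would otherwise silently produce missing or ambiguous Custom ID values in report results.

```shell
#!/bin/bash
# Added example, not Tanium's code: check a custom ID mapping file before uploading
# it. Assumes one "Rule id|custom id" pair per line. Each line needs exactly one
# "|", two non-empty fields, and a rule id that is not mapped twice. Prints one
# message per problem; returns 0 when the file is clean, 1 otherwise.
validate_id_mapping() {
  awk -F'|' '
    /^[ \t]*$/ { next }                        # blank lines are ignored
    NF != 2 { printf "line %d: expected exactly one | separator\n", NR; bad = 1; next }
    $1 ~ /^[ \t]*$/ || $2 ~ /^[ \t]*$/ {
      printf "line %d: empty rule id or custom id\n", NR; bad = 1; next }
    ($1 in seen) { printf "line %d: rule id already mapped on line %d\n", NR, seen[$1]; bad = 1; next }
    { seen[$1] = NR }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Stand-alone demo on a constructed file: the first rule id is the page's own
# example, the second is a placeholder, and the rest are deliberate mistakes.
main() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp|company_policy_rule_42
xccdf_org.cisecurity.benchmarks_rule_PLACEHOLDER_2|company_policy_rule_43
xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp|company_policy_rule_99
line without a separator
EOF
  if validate_id_mapping "$tmp"; then
    echo "mapping file OK"
  else
    echo "fix the mapping file before uploading it"
  fi
  rm -f "$tmp"
}

main
```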

A report can only have a single custom ID mapping associated with it; however, it can have multiple benchmarks and custom checks. When selecting the benchmarks and custom checks, be aware that a report is targeted to a single action group.

View Custom IDs in Interact

  1. Obtain the hash for the custom ID of a report by clicking the report name on the Compliance Reports page and expanding More Details. You can click the hash to copy it.
  2. In Interact, ask the question that matches the engine type such as Get Comply - CIS-CAT Results from all machines and paste the hash in the Comply bundle hash field.

  3. Use the appropriate Comply sensor for the engine type:

    • Comply - CIS-CAT Results
    • Comply - JovalCM Results
    • Comply - SCC Results
  4. Click Ask Question.
  5. The Custom ID column in the results grid shows any custom IDs for compliance benchmarks.

Export custom check or ID mapping

In order to view, edit, or reuse a custom check or ID mapping, you can export it by doing the following:

  1. On the Setup > Compliance page, click the Custom Checks tab.

  2. Select a custom check and click Export. You will select this exported file in the other Tanium console.

  3. Log into the Tanium console where you want to import the custom check and navigate to the Custom Checks tab.

  4. Click the Create Check button.

  5. In the New Custom Check window, fill out the fields using the same information you entered for the exported file in the first Tanium console.

  6. Click Select File and choose the file you exported in the second step.

  7. Click Save.

If you have custom IDs to go along with the custom check, export and import them using the steps above, but from the Custom ID Mappings tab.