Configuring Comply

If you did not install Comply with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the module action group to target the No Computers filter group by enabling restricted targeting before importing the module. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the module action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Comply with automatic configuration, the following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Computer groups

Computer groups that Comply requires are imported:

  • All Computers
  • All Windows 10
  • All Windows Server 2012 R2
  • All Windows Server 2016
  • All Windows Server 2019
  • All Red Hat 7
  • All Red Hat 8
  • All Ubuntu 18
  • All Ubuntu 19
  • All Ubuntu 20
  • All CentOS 7
  • All CentOS 8
  • All macOS 10.14
  • All macOS 10.15
Service account

The Comply service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure the service account.

Comply tools

Comply tools and the Tanium Scan Engine (powered by JovalCM) are deployed to endpoints.

Default configuration

Compliance and vulnerability assessments are created for each operating system.

Scans begin to run after the installation completes.

Deployments begin immediately after solution installation. The Distribute over setting for the deployments is set to three minutes. After the three-minute distribution window completes, reports run. The Distribute over setting for reports is also three minutes.

Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Comply, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Comply

Configure Comply action group

By default, the Comply action group is set to the All Computers computer group. You can update the action group if needed.

  1. From the Tanium Console, go to Administration > Actions > Action Groups.
  2. In the list of action groups, click Tanium Comply.
  3. Verify that the Computer Group Targets parameter is set to All Computers. If needed, click Edit to update the action group.

Configure the service account

You must create and configure a Comply service account to run background Comply functions.

This user must have the following roles and access configured:

  • The Comply Administrator role. For more information, see User role requirements.
  • Access granted to any computer groups that provide input to Comply reports. For more information about assigning computer groups to a user, see Tanium Core Platform User Guide: Assign computer groups to a user.
  • If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

If you imported with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. From the Comply Overview page, click Settings, and then click the Service Account tab.
  2. Enter the Tanium credentials and click Save.

Alternatively, click Configure Now in the yellow banner that appears when the service account is not configured.

Set up Comply users

You can use the following set of predefined user roles to set up Comply users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Comply Administrator

Assign the Comply Administrator role to users who manage the configuration and deployment of Comply functionality to endpoints.
This role can perform the following tasks:

  • Configure Comply service settings
  • View and modify Comply configurations
  • Create deployments to endpoints and update engines
  • View and modify Comply standards

Comply Operator

Assign the Comply Operator role to users who manage the configuration and deployment of Comply functionality to endpoints.
This role can perform the following tasks:

  • Configure Comply service settings
  • View and modify Comply configurations
  • Create deployments to endpoints and update engines
  • View and modify Comply standards

Comply Deployment Administrator

Assign the Comply Deployment Administrator role to users who create and view Comply endpoint configurations.
This role can perform the following tasks:

  • Create deployments to endpoints and update engines
  • View and modify Comply standards

Comply Report Content Administrator

Assign the Comply Report Content Administrator role to users who create and manage Comply compliance and vulnerability standards. This role can view and modify Comply standards.

Comply Report Administrator

Assign the Comply Report Administrator role to users who configure and manage Comply assessments.
This role can perform the following tasks:

  • View and modify Comply assessments and reports
  • View Comply standards

Comply Report Reviewer

Assign the Comply Report Reviewer role to users who review Comply assessments and standards.
This role can perform the following tasks:

  • View Comply assessments and reports
  • View Comply standards

Comply Custom Check Writer

Assign the Comply Custom Check Writer role to users who create custom checks to review a condition on endpoints that might not be included in any standard.
This role can perform the following tasks:

  • View and modify custom checks
  • View Comply standards

Comply Service Account

Assign the Comply Service Account role to the account that configures system settings for Comply. This role can perform several background processes for Comply. For more information, see Installing Comply.

Comply Endpoint Configuration Approver

Assign the Comply Endpoint Configuration Approver role to a user who approves or rejects Comply configuration items in Tanium Endpoint Configuration. This role can approve, reject, or dismiss changes that target endpoints where Comply is installed.

Upload scan engines and JREs

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry security standards, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates findings based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) versions 8.x and 11.x. Version 8.x is provided for use with supported Windows 32-bit endpoints, and version 11.x is provided for use with supported 64-bit endpoints. Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically, the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

In the Configuration Progress section, click the Upload Engine/JRE step and then click Comply Engines to open the Manage Engines page. For more information about uploading engines and JREs from this page, see Uploading scan engines and JREs.

Create deployments

You must have the Comply Deployment Administrator role to create deployments. For more information about Comply roles, see User role requirements.

Create deployments based on the architecture and platform of the targeted endpoints to deploy engines and JREs to endpoints on a schedule. For example, you might want to create the following deployments:

  • Windows 64-bit
  • Windows 32-bit
  • macOS 64-bit
  • Linux 64-bit

  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

For steps to create a deployment, see Setting up endpoints.

Restrict assessment visibility

By default, users with the Comply Assessment Reviewer role can see all assessments, even assessments that target computer groups for which the user does not have management rights.

If you want users to see only assessments that target computer groups for which they have management rights, set the report_mr_enabled setting to true. When you enable this setting, users can see an assessment only when they have management rights to all computer groups that the assessment targets. If an assessment targets multiple computer groups, but the user does not have management rights to one or more of the targeted computer groups, the user cannot see the assessment.

  1. From the Comply Overview page, click Settings.
  2. On the General tab, find the report_mr_enabled setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.

The change takes effect immediately and does not require you to restart Comply.
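The following added example (not Tanium's code) models the report_mr_enabled visibility rule described above, so you can see how a reviewer's management rights translate into which assessments are listed; the assessment names and the reviewer's rights are constructed sample data.

```python
# Added illustration, not Tanium code: models the report_mr_enabled rule.
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    name: str
    target_groups: frozenset  # computer groups the assessment targets


def visible_assessments(user_mgmt_groups, assessments, report_mr_enabled):
    """Return the names of the assessments the user is allowed to see.

    report_mr_enabled=False: every assessment is visible (the default).
    report_mr_enabled=True:  an assessment is visible only when the user
    holds management rights to *all* of its targeted computer groups;
    missing rights to even one targeted group hides it entirely.
    """
    rights = frozenset(user_mgmt_groups)
    if not report_mr_enabled:
        return [a.name for a in assessments]
    return [a.name for a in assessments if a.target_groups <= rights]


# Constructed sample data; group names mirror the defaults listed on this page.
ASSESSMENTS = [
    Assessment("Win10 CIS Benchmark", frozenset({"All Windows 10"})),
    Assessment("Linux vuln scan", frozenset({"All Red Hat 8", "All Ubuntu 20"})),
    Assessment("macOS baseline", frozenset({"All macOS 10.15"})),
]


def demo():
    # Reviewer with rights to Windows 10 and Red Hat 8 only: the multi-group
    # Linux assessment is hidden once the setting is on, because the reviewer
    # lacks rights to All Ubuntu 20.
    reviewer_groups = {"All Windows 10", "All Red Hat 8"}
    before = visible_assessments(reviewer_groups, ASSESSMENTS, report_mr_enabled=False)
    after = visible_assessments(reviewer_groups, ASSESSMENTS, report_mr_enabled=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("report_mr_enabled=false:", before)
    print("report_mr_enabled=true: ", after)
```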

Create assessments

From the Comply menu, click Assessments to open the Assessments page. From this page, you can create configuration compliance assessments, vulnerability assessments, and remote vulnerability assessments. You can also view and update existing assessments.

For information on assessments, see Creating assessments.

Configure Comply for an air-gapped environment

When your Tanium Server is in an air-gapped environment, the server cannot download the Tanium Engines or Tanium Vulnerability Library files from the internet. You must configure Comply for an air-gapped environment and upload these files to Comply.

  1. From the Comply Home page, click Settings.
  2. On the General tab, find the is_airgapped setting and click Edit.
  3. In the Edit Setting window, select True in the Value field.
  4. Click Save.

If you later set is_airgapped back to False, you must restart Comply for the Tanium Vulnerability Library (TVL) to update properly.

Upload the Tanium Engines package

  1. From the Comply menu, click Setup > Configuration and go to the Engines tab.
  2. Click Upload Engines Package.

  3. Download the air gap ZIP file from the link indicated in the Upload Tanium Engines Airgap Archive window (https://content.tanium.com/files/published/comply-engines/engines.cgz) using a machine that can connect to the internet, and save it on the air-gapped machine.

  4. Click Select Engines Package File, select the engines.cgz file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close.

Upload the Tanium Vulnerability Library files

  1. From the Comply menu, click Standards > Vulnerability to open the Vulnerability Standards page.
  2. Click Upload Airgap Zip.
  3. Download the air gap ZIP file from the link indicated in the Upload TVL Airgap Zip window (https://content.tanium.com/files/published/tvl/Comply-Standards-Airgap-v1.zip) using a machine that can connect to the internet and save it on the air-gapped machine.
  4. Click Select File, select the Comply-TVL-Airgap-pkg.zip file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close on the Upload TVL Airgap Zip window. Allow approximately five minutes for Comply to update the vulnerability standards. If you expand a vulnerability source, you will see the Type indicated as Local as well as a completed count of CVEs after the standards are successfully updated from the uploaded air gap ZIP file.