Configuring Comply

If you did not install Comply with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Comply action group to target the No Computers filter group by enabling restricted targeting before adding Comply to your Tanium licenseimporting Comply. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Comply action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Comply with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group
Comply tools

Comply tools and the Tanium Scan Engine (powered by JovalCM) are deployed to endpoints.

Default configuration

The default configuration does the following:

  • Sets up a scheduled TVL download (by default 3am every day)

  • Downloads and imports the certified benchmarks from content.tanium.com

  • Downloads and installs the engines

  • Downloads the latest TVL

  • Creates default compliance and vulnerability assessments for each operating system

Scans begin to run after the installation completes.

Deployments begin immediately after solution installation. The Distribute over setting for the deployments is set to three minutes. After the three minute distribution window completes, reports will run. The Distribute over setting for reports is also three minutes.

Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Comply, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Comply

Configure the Comply action group

Importing the Comply module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Comply, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Comply, configuring the Comply action group is optional.

You can update the action group if needed.

  1. From the Tanium console, go to Administration > Actions > Action Groups.
  2. Select Tanium Comply and click Edit to update the action group.

Set up Comply users

You can use the following set of predefined user roles to set up Comply users.

To review specific permissions for each role, see User role requirements.

On installation, Comply creates a Comply user to automatically manage the Comply service account. Do not delete the Comply user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Comply Administrator

Assign the Comply Administrator role to users who manage the configuration and deployment of Comply functionality to endpoints.
This role can perform the following tasks:

  • View and modify Comply configurations
  • Create deployments to endpoints and update engines
  • View and modify Comply standards

Comply Operator

Assign the Comply Operator role to users who manage the configuration and deployment of Comply functionality to endpoints.
This role can perform the following tasks:

  • View and modify Comply configurations
  • Create deployments to endpoints and update engines
  • View and modify Comply standards

Comply Deployment Administrator

Assign the Comply Deployment Administrator role to users who create and view Comply endpoint configurations.
This role can perform the following tasks:

  • Create deployments to endpoints and update engines
  • View and modify Comply standards

Comply Report Content Administrator

Assign the Comply Report Content Administrator role to users who create and manage Comply compliance and vulnerability standards. This role can view and modify Comply standards.

Comply Report Administrator

Assign the Comply Report Administrator role to users who configure and manage Comply assessments.
This role can perform the following tasks:

  • View and modify Comply assessments and reports
  • View Comply standards

Comply Report Reviewer

Assign the Comply Report Reviewer role to users who review Comply assessments and standards.
This role can perform the following tasks:

  • View Comply assessments and reports
  • View Comply standards

Comply Custom Check Writer

Assign the Comply Custom Check Writer role to users who create custom checks to review a condition on endpoints that might not be included in any standard.
This role can perform the following tasks:

  • View and modify custom checks
  • View Comply standards

Comply Comply RAS Assessment Creator

Assign the Comply RAS Assessment Creator role to a user to users who configure and manage remote authenticated scans.
This role can perform the following tasks:

  • View and modify credentials
  • View and modify RAS assessments

Comply Endpoint Configuration Approver

Assign the Comply Endpoint Configuration Approver role to a user who approves or rejects Comply configuration items in Tanium Endpoint Configuration. This role can approve, reject, or dismiss changes that target endpoints where Comply is installed.

Do not assign the Comply Service Account and Comply Service Account - All Content Sets roles to users. These roles are for internal purposes only.

Upload scan engines and JREs

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry security standards, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates findings based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Coretto Java Runtime Environment (JRE) versions 8.x and 11.x. Version 11.x is provided for use with supported Windows, Linux, and macOS endpoints. JRE version 11.0.15.9.1 and later also support Mac M1 and Amazon Linux 2 EC2. Most organizations can use the Tanium Scan Engine and Amazon Coretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically, the most recent version plus the two previous versions are supported.

The Amazon Coretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload it to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

In the Configuration Progress section, click the Upload Engine/JRE step and then click Comply Engines to open the Manage Engines page. For more information about uploading engines and JREs from this page, see Uploading scan engines and JREs.

Create deployments

You must have the Comply Deployment Administrator role to create deployments. For more information about Comply roles, see User role requirements.

Create deployments based on the architecture and platform of the targeted endpoints to deploy engines and JREs to endpoints on a schedule. For example, you might want to create the following deployments:

  • Windows 64-bit
  • Windows 32-bit
  • macOS 64-bit
  • Linux 64-bit

  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployment are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

For steps to create a deployment, see Setting up endpoints.

Restrict assessment visibility

By default, users with the Comply Assessment Reviewer role can see all assessments, even assessments that target computer groups for which the user does not have management rights.

If you want users to only see assessments that target computer groups for which they have management rights, set the report_mr_enabled setting to true. When you enable this setting, users can only see assessments when they have management rights to all computer groups that the assessment targets. If an assessments targets multiple computer groups, but the user does not have management rights to one or more of the targeted computer groups, the user cannot see the assessment.

  1. From the Comply Overview page, click Settings .
  2. Find the report_mr_enabled setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.

  4. Click Save.
  5. The change takes effect immediately and does not require you to restart Comply.

Create assessments

From the Comply menu, click Assessments to open the Assessments page. From this page, you can create configuration compliance assessments, vulnerability assessments, and network unauthenticated assessments. You can also view and update existing assessments.

For information on assessments, see Creating compliance assessments and Creating vulnerability assessments.

Configure Comply for an air-gapped environment

When your Tanium Server is in an air-gapped environment, the server cannot download the Tanium Engines or Tanium Vulnerability Library files from the internet. You must configure Comply for an air-gapped environment and upload these files to Comply.

Starting with Comply 2.13, Tanium Vulnerability Library files on content.tanium.com support CVSS v3. If you are upgrading from a previous version and are in airgap mode, it is recommended that you upgrade to the latest TVL prior to upgrading to Comply 2.13. See Upload the Tanium Vulnerability Library files below for instructions.

  1. From the Comply Home page, click Settings .
  2. Find the is_airgapped setting and click Edit.
  3. In the Edit Setting window, select True in the Value field.

  4. Click Save.
  5. If you edit the is_airgapped setting back to False, you must restart Comply for the Tanium Vulnerability Library (TVL) to update properly.

Upload the Tanium Engines package

  1. From the Comply menu, click Setup > Configuration and go to the Engines tab.
  2. Click Upload Engines Package.

  3. Download the air gap ZIP file from the following link indicated in the Upload Tanium Engines Airgap Archive window (https://content.tanium.com/files/published/comply-engines/engines.cgz) using a machine that can connect to the internet and save it on the air-gapped machine.

  4. Click Select Engines Package File, select the engines.cgz file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close.

Upload the Tanium Vulnerability Library files

  1. From the Comply menu, click Standards > Vulnerability to open the Vulnerability Standards page.
  2. Click Upload Airgap Zip.
  3. Download the air gap ZIP file from the link indicated in the Upload TVL Airgap Zip window (https://content.tanium.com/files/published/tvl/Comply-Standards-Airgap-v1.zip) using a machine that can connect to the internet and save it on the air-gapped machine.
  4. Click Select File, select the Comply-Standards-Airgap-v1.zip file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close on the Upload TVL Airgap Zip window. Allow approximately five minutes for Comply to update the vulnerability standards. If you expand a vulnerability source, you will see the Type indicated as Local as well as a completed count of CVEs after the standards are successfully updated from the uploaded air gap ZIP file.

Configure credentials lists for remote-authenticated scans

In order for satellites to perform secure scans of endpoints without the Tanium Client installed, the login credentials for those endpoints are required. Following the instructions detailed here, add endpoint credentials for use in remote-authenticated scans.

The Comply Credential RBAC permission is required to configure credentials.

Use as few sets of credentials as possible for any credential lists used for satellite scans. Adding more credentials can increase the time necessary to complete a task as the task attempts each set of credentials. Additionally, the more credentials you use, the greater risk you run of credentials failing and possibly triggering security alerts or account lockouts.

  1. From the Comply menu, click Setup > Credentials Lists. Click Create.
  2. In the Summary section, configure the following:
    • Enter a Name and Description for the credentials list.

    • The Content Set is Comply. (This cannot be changed at this time.)
  3. In the Credentials section, click Add.
    • Create separate lists for Windows and non-Windows credentials.

  4. In the Platform section, select Window or Non-Windows.
    • If you are using Windows credentials, do the following

      • (Optionally) Enter a Domain name.
      • Enter a Username.
      • Enter the corresponding Password.
      • Click Save.
    • If you are using Non-Windows credentials, do the following:
      • Select a Credential Type: SSH (recommended) or Password.
        • For SSH, a Username and SSH Private Key are required. A Keyphrase is optional.
        • For Password, a Username and Password are required.

          For ESXi endpoints, you must select Password as the Credential type. SSH using a private key does not work with Joval 6.4.2 on ESXi.

      • Expand Advanced Settings to optionally configure one or more of the following:

          The fields provided here allow the Tanium Scan Engine to perform compliance and vulnerability checks that require elevated privileges. The engine knows when it needs to use these additional privileges to gain access to endpoints. For example, on a Cisco Systems endpoint, there are configuration settings that require elevated privileges in order to read the value so that the Tanium Scan Engine can evaluate a compliance rule. If the Tanium Scan Engine requires these privileges for an endpoint and they are not provided here, it will return an error status for those rules, instead of pass or fail.

        • For Sudo Escalation, select the check box to indicate that the sudo command should be used for privilege escalation. If you enable the check box, and the authentication type is SSH Key, you must also enter a Password here.
        • For Cisco IOS Enable Password, enter the password for privilege elevation on Cisco IOS devices.
        • Under Substitute Credentials, enter a Substitute Name and Substitute Password, for su-based privilege escalation.
    • Click Add.
  5. Click Save on the Credentials page to preserve the endpoint credential criteria you added.

Prioritize credentials

Set the priority of credentials within a credentials list. This determines the order in which credentials are attempted on endpoints.

  1. Click the Prioritize button.
  2. Drag and drop items in the list to set their priority.

Once configured, select a credential list in the Assessments page when you choose Remote Authenticated as the Scan Method.

You cannot delete credentials that are used in an assessment.

Credentials list view

Once credentials are created, you can click the Additional data arrow from the list view to see information about the credentials such as date they were created or updated and the assessments in which the credentials are used.