Working with scan engines and JREs

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry security standards, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates findings based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) versions 8.x and 11.x. Version 11.x is provided for use with supported Windows, Linux, and macOS endpoints. JRE version 11.0.15.9.1 and later also support Mac M1 and Amazon Linux 2 EC2. Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically, the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

You must have the Comply Deployment Administrator role to import scan engines. For more information about Comply roles, see User role requirements.

Default targeting

When first setting up Comply, you are prompted to choose one of the following on the Engines page:

  • Use Default Targeting - If you select this option, engines are deployed to all endpoints in the Comply action group.

    If you are upgrading Comply and select Use Default Targeting, old engines will not be removed.

    Note that the engine selection is for the latest Corretto version. Comply will use version 11 for the platforms that support it and version 8 for platforms that do not support version 11.

  • Do Not Use Default Targeting - If you select this option, you must manually choose computer groups for each engine.

Download and import the CIS engine

Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM). Most organizations can use the Tanium Scan Engine and do not need to upload the CIS engine.

  1. In Comply, select Configuration under the Setup menu.
  2. On the Engines tab, click Import Engine.
  3. In the Engine Type drop-down menu, select CIS-CAT.
  4. Check Standards to import the standards in the bundle into Comply. For best results, check this option. This option is enabled by default the first time you upload the CIS-CAT bundle.
  5. Uncheck Engine if you have already imported the required scan engine and you only want to import standards (see note below).
  6. Click Select File to select the ZIP file you downloaded.
  7. Click Import.

For the CIS-CAT scan engine to work, you must also install the JRE package. See Upload a Java Runtime Environment (JRE) package.

To upgrade your standards when CIS releases a new version of the bundle, select Standards only. This is how new, updated standards are imported into Comply in bulk. Existing reports and standards will not be affected by this process, and the standards used in these reports are not automatically upgraded to the new versions of the respective standards.

If you are using CIS-CAT with Comply 1.3.2 or older, you must upgrade to Comply 1.3.3 or later for the CIS-CAT engine to work properly. See Troubleshooting.

Download and import the SCC scan engine

SCC is the scan engine generally used by the United States government.

Within each SCC ZIP file, there is another ZIP file (on Windows) or a TGZ file (on Linux/macOS). Comply accepts these inner ZIP or TGZ files as well as the original ZIP archive. Uploading the inner file halves the amount of data you must upload.

  1. Select Setup > Configuration.
  2. On the Engines tab, click Import Engine.
  3. In the Engine Type drop-down menu, select SCC.
  4. Select content: Standards and/or Engines.
  5. Click Browse to select the SCC bundle that you would like to upload.
  6. Click Import.

Some SCC bundles come packaged with DISA STIG standards. To import these, be sure to check Standards. Not all SCC bundles include this content.

Target Computer groups

  1. On the Engines tab, hover over an engine and click the Edit icon that appears.

  2. Select endpoints to receive this engine by choosing one of the following:

    • Default: Default targeting uses the Comply action group.

    • Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection and then click Save.

    • Do not distribute to endpoints: Choose this option to prevent the engine from being distributed to endpoint systems.

Upload a Java Runtime Environment (JRE) package

The Amazon Corretto Java Runtime Environment (JRE) is included with Comply 2.3 and later. The zip file on the endpoint that contains the JRE is encrypted to prevent access to the JRE. This JRE is supported on Windows, macOS, and most distributions of Linux. If you use this JRE, you do not need to upload any JREs to Comply.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results on these operating systems, upload a JRE and use Comply to install that JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

If you need to upload a JRE to Comply, download the appropriate JRE package for each platform and architecture required for the endpoints in your environment. For a list of the supported JRE distributions and versions, see Java Runtime Environment.

If you upload an Oracle JRE, both the standard JRE and server JRE packages are supported. Because the underlying binary files that Comply uses are the same for both packages, you can upload only one package (standard JRE or server JRE) for a particular platform/architecture. Either package can be used for scanning all endpoints (workstations and servers) on the associated platform. You can upload only the TGZ or ZIP packages to Comply. Be sure to download the TGZ or ZIP packages, not the EXE, RPM, or DMG files. Download the JRE packages from the following URL: http://www.oracle.com/technetwork/java/javase/downloads/index.

Import JREs

  1. From the Comply menu, select Setup > Configuration.
  2. On the JREs tab, click Import JRE.
  3. Click Browse to select one of the TAR, GZ, or ZIP files that you downloaded earlier.
  4. Click Import.

To remove a scan engine or JRE, select it and click Remove. You cannot remove the Tanium Scan Engine (powered by JovalCM) or the JREs that are included with Comply.

Target Computer groups

  1. On the JREs tab, hover over an engine and click the Edit icon that appears.

  2. Select endpoints to receive this engine by choosing one of the following:

    • Default: Default targeting uses the Comply action group.

    • Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection and then click Save.

    • Do not distribute to endpoints: Choose this option to prevent the engine from being distributed to endpoint systems.

Import custom settings

  1. From the Comply menu, select Setup > Configuration.
  2. In the Custom Settings tab, click Customize or Add Custom Settings.
  3. In the Create Custom Settings window, set the following:
    • Resource mode: The default setting is Normal. Change this setting to Low, and the Tanium scan engine will utilize fewer resources on the endpoint.
      • CPU Utilization (Windows OS types only) can be set as low as 10%. If other resources are using CPU, the scan will pause until the set amount of CPU is available.

    • Note the following about Low Resource Mode:

      • It only applies to the Tanium scan engine.

      • The CPU Count automatically defaults to 1 and the Max Java Heap size is set to 128 MB.

      • Scans take more time to complete.

      • Scans produce simplified JSON result files instead of XML.

      • Running a low resource mode scan with debug enabled does not produce any additional scan debug output files. The debug JSON configuration state files are captured in the support subdirectory: <Tanium Client>\extensions\comply\data\results\<scan name>\support

    • CPU Count: Set a maximum number of CPUs for scanning. The default recommendation is 1 CPU.
    • Java Heap Size: Set the maximum amount of Java heap memory used for scanning. The default recommendation is 768 MB.
    • SBOM: (SBOM requires a Tanium SBOM license) If you are creating an SBOM assessment, you must select the Enable SBOM check box and choose at least one file ecosystem. See Custom settings.
    • Targeting: Select endpoints to receive these customized settings. Select Default or Custom Targeting.
      • Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click the check for each selection.
  4. Click Save.

Prioritize endpoint configurations

Endpoint configurations can contain overlapping targeting settings. For example, you can have one configuration that targets all computer groups and a second configuration that targets a subset of computers within all computer groups. Without setting a prioritization for the configuration, you cannot be sure which settings are applied to that subset of computers. Designating a prioritization determines which setting is applied if a conflict exists.

The setting with the highest priority has the lowest priority number. For example, an engine with a priority of 1 takes precedence over an engine with a priority of 10.

For engines, prioritization only occurs for engines of the same name. Prioritization does not block different engines from being installed on an endpoint.

  1. From the Comply menu, navigate to Settings > Configuration. Changing the priority is available for Engines, JREs, and Custom Settings.
  2. Click the Prioritize button to make configurations moveable.

  3. Select the configuration you want to change the priority of and drag it up or down.
  4. Click Save to keep the new priorities or Cancel to undo them and revert to the original priorities. When you click Save, the priority for all items is reordered based on your change.
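The precedence rule above (lowest priority number wins, and only among configurations that share an engine name) modelled as an added Python example; this is illustrative code, not Comply's own logic, and it simplifies targeting to computer-group membership, with the engine names, groups and settings below being constructed sample values:

```python
from dataclasses import dataclass, field


@dataclass
class EngineConfig:
    name: str                        # engine name; only same-name configs compete
    priority: int                    # lower number takes precedence (1 beats 10)
    target_groups: frozenset         # computer groups this configuration targets
    settings: dict = field(default_factory=dict)


def resolve_engines(endpoint_groups, configs):
    """Return {engine name: winning EngineConfig} for one endpoint.

    A configuration applies if it targets any group the endpoint belongs to.
    Among applicable configurations with the same name, the lowest priority
    number wins. Configurations with different names never block each other,
    so the endpoint can still receive several different engines.
    """
    winners = {}
    for cfg in configs:
        if not (cfg.target_groups & set(endpoint_groups)):
            continue                              # does not target this endpoint
        current = winners.get(cfg.name)
        # Strict '<' keeps the first-seen config on a tie; Comply renumbers
        # priorities on Save, so ties are not expected in practice (assumption).
        if current is None or cfg.priority < current.priority:
            winners[cfg.name] = cfg
    return winners


# Constructed sample: a broad configuration (priority 10), a narrower override
# for the "Servers" group (priority 1), and an unrelated JRE configuration.
BROAD = EngineConfig("Tanium Scan Engine", 10, frozenset({"All Computers"}),
                     {"resource_mode": "Normal"})
SERVER_OVERRIDE = EngineConfig("Tanium Scan Engine", 1, frozenset({"Servers"}),
                               {"resource_mode": "Low"})
JRE = EngineConfig("Amazon Corretto JRE 11", 5, frozenset({"All Computers"}))
CONFIGS = [BROAD, SERVER_OVERRIDE, JRE]

if __name__ == "__main__":
    endpoints = {"ws01": {"All Computers"}, "db01": {"All Computers", "Servers"}}
    for host, groups in endpoints.items():
        chosen = resolve_engines(groups, CONFIGS)
        print(host, {n: (c.priority, c.settings) for n, c in chosen.items()})
```

For db01 the server override (priority 1) wins the Tanium Scan Engine slot while the JRE configuration is still applied, which is the behaviour the text describes.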

Updating the Tanium Engines

The Tanium Scan Engine is automatically updated when a new version is available.

If updates are available for the Tanium Scan Engine (powered by JovalCM) or Amazon Corretto JREs that are included with Comply, a yellow banner displays on the Comply Main page that says Updates are available for one or more engines. Click the Update Now link to open the Engines page.

Click the Download Engine Update button on the Engines page to update the engines to the latest version.

Upload the Tanium Engines package for air-gapped environments

Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) are included with Comply. If you are working in an air-gapped environment and you want to use these engines, you must configure that setting in Comply and then upload the Tanium Engines file. For the steps to configure Comply for an air-gapped environment, see Configure Comply for an air-gapped environment.

  1. After you specify that you are working in an air-gapped environment (in Settings, set is_airgapped to True), click Setup > Configuration to open the Engines page.
  2. Click Upload Engines Package.
  3. Download the air gap ZIP file from the link indicated in the Upload Tanium Engines Airgap Archive window (https://content.tanium.com/files/published/comply-engines/engines2.cgz) using a machine that can connect to the internet and save it on the air-gapped machine.
  4. Click Select File, select the engines2.cgz file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close.

Starting with Comply 2.20.x, the file name has been updated to engines2.cgz. In previous versions, the file was called engines.cgz.