Working with scan engines and JREs

Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports. At least one scan engine is required to use Comply.

Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE) are included with Comply 2.3 and later. If you want to use this scan engine and JRE (or the JREs that already exist on endpoints), you do not need to upload any engines.

If you want to use a different scan engine or JRE, you can upload them to Comply. Tanium Scan Engine (which is included by default), CIS-CAT, and SCC scan engines are currently supported by Comply.

The supported versions of the scan engines are listed in the Import Engine window. Typically the most recent version plus the two previous versions are supported.

CIS-CAT and Tanium Scan Engine also require PowerShell and do not work if PowerShell is running in ConstrainedLanguage mode.
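Because a session that starts in ConstrainedLanguage mode will silently break these engines, it is worth checking the mode on endpoints before a scan rollout. The following is an added example and is not part of the Tanium documentation or the Comply product; the function name, the placeholder endpoint names, and the use of WinRM for the remote run are assumptions.

```powershell
# Added example (not from the Tanium documentation): report whether this
# endpoint's PowerShell session is in a language mode that CIS-CAT and
# Tanium Scan Engine can run under. The function name is an assumption.
function Test-ComplyPowerShellLanguageMode {
    [CmdletBinding()]
    param()

    # The language mode of the current session (FullLanguage, ConstrainedLanguage, ...).
    $mode = [string]$ExecutionContext.SessionState.LanguageMode

    # A machine-wide lockdown policy is one common reason a session starts in
    # ConstrainedLanguage mode; read it from the Machine scope so the result does
    # not depend on the environment of the current process.
    $lockdown = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        PSVersion       = $PSVersionTable.PSVersion.ToString()
        LanguageMode    = $mode
        LockdownPolicy  = if ($null -eq $lockdown) { '(not set)' } else { $lockdown }
        # The documentation names ConstrainedLanguage as the mode in which the engines fail.
        EngineSupported = ($mode -ne 'ConstrainedLanguage')
    }
}

# Run locally and print the result.
Test-ComplyPowerShellLanguageMode | Format-List

# Or run against a list of endpoints over WinRM (placeholder host names) and
# keep only the endpoints where the engines would not work.
# $endpoints = 'host1.example.internal', 'host2.example.internal'
# Invoke-Command -ComputerName $endpoints -ScriptBlock ${function:Test-ComplyPowerShellLanguageMode} |
#     Where-Object { -not $_.EngineSupported }
```

Run this in the same context that the Comply scan will use (for example, as the service account that executes the scan), since language mode is per session and a policy applied to one account does not necessarily apply to another.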

You must have the Comply Deployment Administrator role to import scan engines. For more information about Comply roles, see User role requirements.

Download and import the CIS engine

  1. Go to https://workbench.cisecurity.org and log in or register if this is the first time you are using CIS Security benchmarks.
  2. After you log in, click Downloads to go to the Downloads page to download the latest ciscat-full-bundle.zip file. See Reference: Comply supported engines for the latest version of this file supported by Comply.
  3. In Comply, select Engines under the Setup menu.
  4. On the Manage Engines page, click Upload Engine/JRE on the top right.
  5. In the Engine Type drop-down menu, select CIS-CAT.
  6. Click Select File to select the ZIP file you downloaded from CIS.
  7. Check Import Benchmarks to import the benchmarks in the bundle into Comply. Tanium recommends that you check this option. This option will be enabled by default the first time you upload the CIS-CAT bundle.
  8. Uncheck Import Engine if you have already imported the required engine and you only want to import benchmarks (see note below).
  9. Click Upload.

In order for the CIS-CAT engine to work, you must also install the JRE package. See Download and import the Java Runtime Environment (JRE) package.

To upgrade your benchmarks when CIS releases a new version of the bundle, check Import Benchmarks only (leave Import Engine unchecked). This is how new and updated benchmarks are imported into Comply in bulk. Existing reports and benchmarks are not affected by this process, and the benchmarks used in those reports are not automatically upgraded to the new versions.

If you are using CIS-CAT with Comply 1.3.2 or older, you must upgrade to Comply 1.3.3 or later for the CIS-CAT engine to work properly. See Issues with CIS-CAT for Comply 1.3.2 or older.

Download and import the SCC scan engine

SCC is the scan engine used by the United States government; it is not available to the general public. If you are part of a government organization, consult with your TAM on how to obtain the appropriate SCC bundles.

Within each SCC ZIP file, there is another ZIP file (on Windows) or a TGZ file (on Linux/macOS). Comply accepts these inner ZIP or TGZ files as well as the original ZIP archive. Uploading the inner file halves the amount of data you must upload.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down menu, select SCC.
  4. Click Select File to select the SCC bundle that you would like to upload.
  5. Click Upload.

Some SCC bundles come packaged with DISA STIG benchmarks. To import these, be sure to check Import Benchmarks. Not all SCC bundles include this content.

Download and import the Java Runtime Environment (JRE) package

Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE) are included with Comply 2.3 and later. If you want to use this scan engine and JRE (or the JREs that already exist on endpoints), you do not need to upload any engines.

If you do not want to use the JRE that is included with Comply, download the appropriate JRE package for each platform and architecture required for the endpoints in your environment.

Both the standard JRE and server JRE packages from Oracle are supported. Because the underlying binary files that Comply uses are the same for both packages, you can upload only one package (standard JRE or server JRE) for a particular platform/architecture. Either package can be used for scanning all endpoints (workstations and servers) on the associated platform. Be sure to download the TGZ or ZIP packages, not the EXE, RPM, or DMG files. Download the JRE packages from the following URL: http://www.oracle.com/technetwork/java/javase/downloads/index.
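Two checks from the sections above (the nested ZIP or TGZ inside an SCC bundle, and the requirement to upload TGZ or ZIP JRE packages rather than EXE, RPM, or DMG files) can be done before anything is uploaded by looking at the files themselves. The following is an added example and is not part of the Tanium documentation or of Comply; the function names and the download folder path are assumptions. It classifies a package by its leading bytes rather than its extension and, for ZIP files, lists any nested archives.

```powershell
# Added example (not from the Tanium documentation). Classifies a downloaded
# engine or JRE package by its leading bytes so that only ZIP or TGZ archives
# are queued for upload, and for ZIP files lists any nested ZIP/TGZ entries
# (the layout described for SCC bundles). Function names are assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ArchiveKind {
    param([Parameter(Mandatory)][string]$Path)

    # Read the first four bytes; each supported format has a fixed signature there.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 4
        $read = $fs.Read($header, 0, 4)
    } finally {
        $fs.Dispose()
    }

    if ($read -ge 4 -and $header[0] -eq 0x50 -and $header[1] -eq 0x4B -and
        $header[2] -eq 0x03 -and $header[3] -eq 0x04) { return 'zip' }          # "PK\x03\x04"
    if ($read -ge 2 -and $header[0] -eq 0x1F -and $header[1] -eq 0x8B) { return 'tgz' }  # gzip stream (tar.gz)
    if ($read -ge 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A) { return 'exe' }  # "MZ" PE executable
    if ($read -ge 4 -and $header[0] -eq 0xED -and $header[1] -eq 0xAB -and
        $header[2] -eq 0xEE -and $header[3] -eq 0xDB) { return 'rpm' }          # RPM lead magic
    return 'unknown'   # DMG images are identified by a trailer, not a header, so they land here
}

function Test-ComplyUploadPackage {
    param([Parameter(Mandatory)][string]$Path)

    $kind = Get-ArchiveKind -Path $Path
    $nested = @()
    if ($kind -eq 'zip') {
        # Enumerate entries without extracting; SCC bundles carry a second ZIP or TGZ inside.
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $nested = @($zip.Entries |
                Where-Object { $_.Name -match '\.(zip|tgz|tar\.gz)$' } |
                ForEach-Object { $_.FullName })
        } finally {
            $zip.Dispose()
        }
    }

    [PSCustomObject]@{
        File           = (Split-Path -Leaf $Path)
        Kind           = $kind
        SizeMB         = [math]::Round((Get-Item $Path).Length / 1MB, 1)
        UploadReady    = ($kind -in @('zip', 'tgz'))   # only these formats are accepted
        NestedArchives = $nested
    }
}

# Check every package in a download folder (placeholder path) before uploading.
Get-ChildItem 'C:\ComplyPackages' -File |
    ForEach-Object { Test-ComplyUploadPackage -Path $_.FullName } |
    Format-Table -AutoSize
```

A row with Kind equal to exe, rpm, or unknown is a file that should not be uploaded; for an SCC bundle, the NestedArchives column shows the inner file you can upload instead of the outer ZIP.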

If you already have the appropriate JRE packages installed, you might not need to download additional JRE packages. As a best practice, use Comply to install a JRE (rather than using a pre-installed JRE) so that you know which JRE is used to run scans.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down menu, select Java runtime.
  4. Click Select File to select one of the JRE TGZ or ZIP files that you downloaded earlier.
  5. Click Upload.

You can remove engines and JREs from the Manage Engines page by clicking Remove.

Updating the Tanium Engines

If an update is available for the Tanium Engines that are included with Comply (Tanium Scan Engine, powered by JovalCM, and the Amazon Corretto JRE), a yellow banner on the Comply Home page says Updates are available for one or more engines. Click the Fix Now link to open the Manage Engines page.

Click the Download Engine Update button on the Manage Engines page to update the engines to the latest version.

Upload the Tanium Engines package for air-gapped environments

Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE) are included with Comply 2.3 and later. If you are working in an air-gapped environment and you want to use these engines, you must configure that setting in Comply and then upload the Tanium Engines file. For the steps to configure Comply for an air-gapped environment, see Configure Comply for an air-gapped environment.

  1. After you specify that you are working in an air-gapped environment in the Comply settings, click Setup > Engines to open the Manage Engines page.
  2. Click Upload Engines Package.
  3. Using a machine that can connect to the internet, download the air gap file from the link shown in the Upload Tanium Engines Airgap Archive window (https://content.tanium.com/files/published/comply-engines/engines.cgz), and copy it to the air-gapped machine.
  4. Click Select File, select the engines.cgz file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close.

Last updated: 12/3/2019 6:22 PM