Importing scan engines

At least one scan engine is required to use Comply, but more than one can be uploaded and used if desired. Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports. Comply 1.7.4 and later ships with the Joval engine; however, there is no content included with that engine.

You can upload other engines if required. CIS-CAT, Joval, and SCC engines are currently supported by Comply. To use CIS-CAT or Joval, a JRE (Java Runtime Environment) must also be provided. You must have the Comply Deployment Administrator role to import scan engines. For more information about Comply roles, see User role requirements.

Download and import the CIS engine

  1. Go to https://workbench.cisecurity.org and log in or register if this is the first time you are using CIS Security benchmarks.
  2. After you log in, click Downloads to open the Downloads page, then download the latest ciscat-full-bundle.zip file. See Reference: Comply supported engines for the latest version of this file supported by Comply.
  3. In Comply, select Engines under the Setup menu.
  4. On the Manage Engines page, click Upload Engine/JRE on the top right.
  5. In the Engine Type drop-down, select CIS-CAT.
  6. Click Select File to select the zip file you downloaded from CIS.
  7. Check Import Benchmarks to import the benchmarks in the bundle into Comply. Tanium recommends that you check this option. This option will be enabled by default the first time you upload the CIS-CAT bundle.
  8. Uncheck Import Engine if you have already imported the required engine and you only want to import benchmarks (see note below).
  9. Click Upload.

In order for the CIS-CAT engine to work, you must also install the JRE package. See Download and import the Java Runtime Environment (JRE) package.

In order to upgrade your benchmarks when CIS releases a new version of the bundle, select Import Benchmarks only. This is how new, updated benchmarks are imported into Comply in bulk. Existing reports and benchmarks will not be affected by this process, and the benchmarks used in these reports are not automatically upgraded to the new versions of the respective benchmarks.

If you are using CIS-CAT with Comply 1.3.2 or older, you must upgrade to Comply 1.3.3 or later in order for the CIS-CAT engine to work properly. See Issues with CIS-CAT for Comply 1.3.2 or older.

Download and import the Joval engine

Note: Comply 1.7.4 and later ships with the Joval engine; however, there is no content included with that engine. If you have your own Joval license, you can choose to upload your own version of Joval. You must also install the JRE package. See Download and import the Java Runtime Environment (JRE) package.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down, select JovalCM.
  4. Click Select File to select the Joval engine and license files.
  5. Click Upload.

Download and import the SCC scan engine

SCC is the scan engine used by the United States government; it is not available to the general public. If you are part of a government organization, consult with your TAM on how to obtain the appropriate SCC bundles.

Note: Within each SCC zip file, there is another zip (on Windows) or a tar.gz file (on Linux/OS X). Comply will accept these inner zip or tar.gz files as well as the original zip archive. Uploading the inner file cuts in half the amount of data that you must upload.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down, select SCC.
  4. Click Select File to select the SCC bundle that you would like to upload.
  5. Click Upload.

Note: Some SCC bundles come packaged with DISA STIG benchmarks. To import these, be sure to check Import Benchmarks. Not all SCC bundles include this content.

Download and import the Java Runtime Environment (JRE) package

Comply supports Java version 8 Update . Comply does not support Java 9 or 10.

Go to http://www.oracle.com/technetwork/java/javase/downloads/index and download the appropriate Java Runtime Environment (JRE) package for each platform and architecture required for the endpoints in your environment. The standard JRE and server JRE are supported. JDK packages are not supported. Be sure to download the tar.gz packages, not the exe, rpm, or dmg files.

Note: If you already have the appropriate JRE package(s) installed, you may not need to download additional JRE packages. Tanium recommends using Comply to install a JRE and not using a pre-installed JRE so that you know which JRE is being used to run scans.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down, select Java runtime.
  4. Click Select File to select one of the JRE tar.gz files that you downloaded earlier.
  5. Click Upload.
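
A pre-upload check for the JRE package requirements above (tar.gz format, Java 8, not Java 9 or 10), given here as an added example that is not part of the Comply documentation or product. It assumes the package contains a top-level release file with a JAVA_VERSION line; the function names and the sample version strings are constructed for illustration.

```python
import hashlib
import io
import re
import tarfile

# Assumption: the package carries a top-level "release" file with a
# JAVA_VERSION="..." line, as Oracle Java 8 tar.gz packages do.
RELEASE_RE = re.compile(r'^JAVA_VERSION="([^"]+)"', re.MULTILINE)


def inspect_jre_package(data: bytes) -> dict:
    """Check a downloaded JRE package (raw bytes) without extracting it."""
    result = {"sha256": hashlib.sha256(data).hexdigest(),
              "java_version": None, "ok": False, "reason": ""}
    try:
        # "r:gz" insists on a gzip-compressed tar, whatever the file is named.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar:
                parts = member.name.strip("/").split("/")
                # Only <top-level-dir>/release (or a bare release) counts.
                if member.isfile() and parts[-1] == "release" and len(parts) <= 2:
                    text = tar.extractfile(member).read(4096).decode("utf-8", "replace")
                    match = RELEASE_RE.search(text)
                    if match:
                        result["java_version"] = match.group(1)
                    break
    except (tarfile.TarError, OSError, EOFError):
        result["reason"] = "not a tar.gz package (exe, rpm and dmg files are not accepted)"
        return result
    version = result["java_version"]
    if version is None:
        result["reason"] = "no release file with JAVA_VERSION found"
    elif not version.startswith("1.8.0"):
        # Java 9 and 10 report "9..." / "10..." here and are not supported.
        result["reason"] = f"Java {version} is not Java 8"
    else:
        result["ok"] = True
    return result


def make_sample_package(version: str) -> bytes:
    """Build a tiny constructed tar.gz that mimics a JRE package layout."""
    body = f'JAVA_VERSION="{version}"\nOS_NAME="Linux"\n'.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("jre-sample/release")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Call inspect_jre_package(open(path, "rb").read()) on each downloaded package and record the returned SHA-256 alongside the upload, so that the JRE used to run scans can be identified later.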

You can remove engines and JREs from the Manage Engines page by clicking Remove.

Last updated: 12/4/2018 5:48 PM