Working with scan engines and JREs

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry standard security benchmarks, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates reports based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) versions 8.x and 11.x. Version 8.x is provided for use with supported Windows 32-bit endpoints, and version 11.x is provided for use with supported 64-bit endpoints. Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.
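Before deploying a scan, it helps to confirm the language mode on the endpoints themselves. The following pre-flight check is an added example, not Tanium's or CIS's code; the function name is made up here, and it deliberately avoids .NET method calls so that it still runs inside a constrained session.

```powershell
# Added example (not part of the Comply documentation): report the PowerShell
# language mode on an endpoint, because Tanium Scan Engine and CIS-CAT do not
# run when the session is in ConstrainedLanguage mode.
function Test-ComplyPowerShellLanguageMode {
    [CmdletBinding()]
    param()

    # String interpolation instead of .ToString() so this works in ConstrainedLanguage,
    # where method calls on arbitrary .NET types are blocked.
    $mode = "$($ExecutionContext.SessionState.LanguageMode)"

    # __PSLockdownPolicy is one mechanism that forces ConstrainedLanguage (4 = constrained);
    # AppLocker or WDAC policy can also enforce it, so treat this as a hint, not the full picture.
    $lockdown = $env:__PSLockdownPolicy
    $lockdownText = if ($lockdown) { $lockdown } else { '(not set)' }

    $note = if ($mode -eq 'ConstrainedLanguage') {
        'Scan engine will not run here: review AppLocker/WDAC policy or __PSLockdownPolicy.'
    } else {
        'OK'
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        PSVersion                   = "$($PSVersionTable.PSVersion)"
        LanguageMode                = $mode
        ConstrainedLanguageDetected = ($mode -eq 'ConstrainedLanguage')
        LockdownPolicyVar           = $lockdownText
        Note                        = $note
    }
}

Test-ComplyPowerShellLanguageMode | Format-List
```

Language mode is evaluated per process and user, so run the check in the same context the scan will use (for example as the account the Tanium Client runs under), not only from an interactive administrator session.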

You must have the Comply Deployment Administrator role to import scan engines. For more information about Comply roles, see User role requirements.

Download and import the CIS engine

Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM). Most organizations can use the Tanium Scan Engine and do not need to upload the CIS engine.

  1. Go to https://workbench.cisecurity.org and log in or register if this is the first time you are using CIS Security benchmarks.
  2. After you log in, click Downloads to go to the Downloads page to download the latest ciscat-full-bundle-<version>.zip file. See Reference: Supported engines and JREs for the latest version of this file supported by Comply.
  3. In Comply, select Configuration under the Setup menu.
  4. On the Engines tab, click Import Engine.
  5. In the Engine Type drop-down menu, select CIS-CAT.
  6. Check Benchmarks to import the benchmarks in the bundle into Comply. For best results, check this option. This option is enabled by default the first time you upload the CIS-CAT bundle.
  7. Uncheck Engine if you have already imported the required scan engine and you only want to import benchmarks (see note below).
  8. Click Select File to select the ZIP file you downloaded from CIS.
  9. Click Import.

For the CIS-CAT scan engine to work, you must also install the JRE package. See Upload a Java Runtime Environment (JRE) package.

To upgrade your benchmarks when CIS releases a new version of the bundle, select Benchmarks only. This is how new, updated benchmarks are imported into Comply in bulk. Existing reports and benchmarks will not be affected by this process, and the benchmarks used in these reports are not automatically upgraded to the new versions of the respective benchmarks.

If you are using CIS-CAT with Comply 1.3.2 or older, you must upgrade to Comply 1.3.3 or later for the CIS-CAT engine to work properly. See Issues with CIS-CAT for Comply 1.3.2 or earlier.

Download and import the SCC scan engine

SCC is the scan engine used by the United States government; it is not available to the general public. If you are part of a government organization, consult with your TAM on how to obtain the appropriate SCC bundles.

Within each SCC ZIP file is another ZIP file (on Windows) or a TGZ file (on Linux/macOS). Comply accepts these inner ZIP or TGZ files as well as the original ZIP archive, and uploading the inner file roughly halves the amount of data you must upload.

  1. Select Setup > Configuration.
  2. On the Engines tab, click Import Engine.
  3. In the Engine Type drop-down menu, select SCC.
  4. Click Select File to select the SCC bundle that you would like to upload.
  5. Click Import.

Some SCC bundles come packaged with DISA STIG benchmarks. To import these, be sure to check Benchmarks. Not all SCC bundles include this content.

Upload a Java Runtime Environment (JRE) package

The Amazon Corretto Java Runtime Environment (JRE) is included with Comply 2.3 and later. This JRE is supported on Windows, macOS, and most distributions of Linux. If you use this JRE, you do not need to upload any JREs to Comply.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results on these operating systems, upload a JRE and use Comply to install that JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

If you need to upload a JRE to Comply, download the appropriate JRE package for each platform and architecture required for the endpoints in your environment. For a list of the supported JRE distributions and versions, see Java Runtime Environment.

If you upload an Oracle JRE, both the standard JRE and server JRE packages are supported. Because the underlying binary files that Comply uses are the same for both packages, you can upload only one package (standard JRE or server JRE) for a particular platform/architecture. Either package can be used for scanning all endpoints (workstations and servers) on the associated platform. You can upload only the TGZ or ZIP packages to Comply. Be sure to download the TGZ or ZIP packages, not the EXE, RPM, or DMG files. Download the JRE packages from the following URL: http://www.oracle.com/technetwork/java/javase/downloads/index.

Import JREs

  1. From the Comply menu, select Setup > Configuration.
  2. On the JREs tab, click Import Engine.
  3. In the Engine Type drop-down menu, select Java runtime.
  4. Click Select File to select one of the JRE TGZ or ZIP files that you downloaded earlier.
  5. Click Upload.

To remove a scan engine or JRE, select it and click Remove. You cannot remove the Tanium Scan Engine (powered by JovalCM) or the JREs that are included with Comply.

Import Custom Settings

  1. From the Comply menu, select Setup > Configuration.
  2. On the Custom Settings tab, click Customize.
  3. In the Custom Settings window, set the following:
    • CPU Count: Set a maximum number of CPUs for scanning. The default recommendation is 1 CPU.
    • Java Heap Size: Set the maximum amount of Java heap memory used for scanning. The default recommendation is 512 MB.
    • Distribute Downloads Over (Minutes): To distribute network load, set a delay time-frame. By default, this is set to zero, which disables the setting.
    • Targeting: Select endpoints to receive these customized settings. Select Default or Custom Targeting.
      • Custom Targeting: Choose this option to build your own groupings. Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection and then click Save.

Updating the Tanium Engines

If updates are available for the Tanium Scan Engine (powered by JovalCM) or Amazon Corretto JREs that are included with Comply, a yellow banner displays on the Comply Main page that says Updates are available for one or more engines. Click the Update Now link to open the Manage Engines page.

Click the Download Engine Update button on the Manage Engines page to update the engines to the latest version.

Upload the Tanium Engines package for air-gapped environments

Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) are included with Comply 2.3 and later. If you are working in an air-gapped environment and you want to use these engines, you must configure that setting in Comply and then upload the Tanium Engines file. For the steps to configure Comply for an air-gapped environment, see Configure Comply for an air-gapped environment.

  1. After you specify that you are working in an air-gapped environment, click Setup > Configuration to open the Engines page.
  2. Click Upload Engines Package.
  3. Download the air gap ZIP file from the link indicated in the Upload Tanium Engines Airgap Archive window (https://content.tanium.com/files/published/comply-engines/engines.cgz) using a machine that can connect to the internet and save it on the air-gapped machine.
  4. Click Select File, select the engines.cgz file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close.