Importing scan engines

Comply does not ship with its own scan engine, so you must upload a scan engine before using Comply. Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports.

At least one scan engine is required to use Comply, but more than one can be uploaded and used if desired. You must have the Comply Deployment Administrator role to import scan engines. For more information about Comply roles, see User roles.

Download and import the CIS engine

  1. Go to https://workbench.cisecurity.org and log in or register if this is the first time you are using CIS Security benchmarks.
  2. After you log in, click Downloads to open the Downloads page, then download the latest ciscat-full-bundle.zip file. See Reference: Comply supported engines for the latest version of this file supported by Comply.
  3. In Comply, select Engines under the Setup menu.
  4. On the Manage Engines page, click Upload Engine/JRE on the top right.
  5. In the Engine Type drop-down, select CIS-CAT.
  6. Click Select File to select the zip file you downloaded from CIS.
  7. Check Import Benchmarks to import the benchmarks in the bundle into Comply. Tanium recommends that you check this option. This option will be enabled by default the first time you upload the CIS-CAT bundle.
  8. Uncheck Import Engine if you have already imported the required engine and you only want to import benchmarks (see note below).
  9. Click Upload.

In order for the CIS-CAT engine to work, you must also install the JRE package. See Download and import the Java Runtime Environment (JRE) package.

To upgrade your benchmarks when CIS releases a new version of the bundle, select Import Benchmarks only. This is how new, updated benchmarks are imported into Comply in bulk. Existing reports and benchmarks are not affected by this process, and the benchmarks used in these reports are not automatically upgraded to the new versions of the respective benchmarks.

If you are using CIS-CAT with Comply 1.3.2 or older, you must upgrade to Comply 1.3.3 or later in order for the CIS-CAT engine to work properly. See Issues with CIS-CAT for Comply 1.3.2 or older.

Download and import the Joval engine

Note: In order to use Joval, you must have a license and the Joval engine zip file downloaded. Go to Joval Add-on for Tanium Comply to register for an evaluation or purchase the JovalCM engine for Tanium Comply. After registering for an evaluation or purchasing JovalCM, follow instructions received via email to download a copy of the latest JovalCM engine and accompanying license.

You must also install the JRE package. See Download and import the Java Runtime Environment (JRE) package.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down, select JovalCM.
  4. Click Select File to select the Joval engine and license files.
  5. Click Upload.

Download and import the SCC scan engine

SCC is the scan engine used by the United States government; it is not available to the general public. If you are part of a government organization, consult with your TAM on how to obtain the appropriate SCC bundles.

Note: Within each SCC zip file, there is another zip (on Windows) or a tar.gz file (on Linux/OS X). Comply will accept these inner zip or tar.gz files as well as the original zip archive. Uploading the inner file halves the amount of data that you must upload.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down, select SCC.
  4. Click Select File to select the SCC bundle that you would like to upload.
  5. Click Upload.

Note: Some SCC bundles come packaged with DISA STIG benchmarks. To import these, be sure to check Import Benchmarks. Not all SCC bundles include this content.

Download and import the Java Runtime Environment (JRE) package

Comply supports Java version 8 Update . Comply does not support Java 9 or 10.

Go to http://www.oracle.com/technetwork/java/javase/downloads/index and download the appropriate Java Runtime Environment (JRE) package for each platform and architecture required for the endpoints in your environment. The standard JRE and server JRE are supported. JDK packages are not supported. Be sure to download the tar.gz packages, not the exe, rpm, or dmg files.

Note: If you already have the appropriate JRE package(s) installed, you may not need to download additional JRE packages. Tanium recommends using Comply to install a JRE and not using a pre-installed JRE so that you know which JRE is being used to run scans.

  1. Select Engines under the Setup menu.
  2. On the Manage Engines page, click Upload Engine/JRE on the top right.
  3. In the Engine Type drop-down, select Java runtime.
  4. Click Select File to select one of the JRE tar.gz files that you downloaded earlier.
  5. Click Upload.
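
A pre-upload check for the JRE package requirements above, as an added example that is not part of the Tanium documentation: it confirms the file is a tar.gz, reads the Java version from inside the archive, and records a SHA-256 so you have a record of which JRE runs scans. It assumes the package contains a `release` file with a `JAVA_VERSION="..."` line; the function names and the sample data are constructed for illustration.

```python
import hashlib
import io
import re
import tarfile


def inspect_jre_package(data: bytes) -> dict:
    """Check a candidate JRE upload in memory, without extracting it to disk."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "version": None,
              "ok": False, "reason": ""}
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar:
                # Assumption: the runtime carries a 'release' file with JAVA_VERSION="...".
                if member.isfile() and member.name.split("/")[-1] == "release":
                    text = tar.extractfile(member).read(4096).decode("utf-8", "replace")
                    found = re.search(r'^JAVA_VERSION="([^"]+)"', text, re.MULTILINE)
                    if found:
                        result["version"] = found.group(1)
                        break
    except (tarfile.TarError, OSError, EOFError):
        result["reason"] = "not a tar.gz package (exe, rpm and dmg files are not accepted)"
        return result
    if result["version"] is None:
        result["reason"] = "no release file with JAVA_VERSION found"
    elif not result["version"].startswith("1.8.0"):
        # Java 9 and 10 report "9..." / "10..." here; Java 8 reports "1.8.0_<update>".
        result["reason"] = "Java " + result["version"] + " is not Java 8"
    else:
        result["ok"] = True
    return result


def sample_package(java_version: str) -> bytes:
    """Constructed sample input: a tiny tar.gz holding only a release file."""
    body = ('JAVA_VERSION="%s"\nOS_NAME="Linux"\n' % java_version).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("jre-sample/release")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in [("java 8", sample_package("1.8.0_000")),
                        ("java 10", sample_package("10.0.1")),
                        ("installer", b"MZ not an archive")]:
        print(label, inspect_jre_package(data))
```

The check does not distinguish a JDK package from a JRE, so confirm the package type from the download page before uploading.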

You can remove engines and JREs from the Manage Engines page by clicking Remove.

Last updated: 7/31/2018 7:34 PM