Installing Comply

You can install Comply from the Tanium Solutions page.

Before you begin

Import Comply

Import Comply from the Tanium Solutions page.

  1. From the Main menu, click Tanium Solutions.
  2. Under Comply, click Import Version.
  3. In the Content Import Preview window, you can expand the package to review the Tanium content that is being installed. Click Import.
  4. Depending on your Tanium Server configuration, either enter your password or click Yes to proceed.
  5. After the installation process completes, refresh your browser.
  6. From the Main menu, click Comply. The Comply Home page displays.

Verify the installation

To verify that Comply is installed, go to the Tanium Solutions page and check the installed version. To check the installed version from the Comply Home page, click Info.

Configure Comply

If the Configuration Progress section is not visible on the Comply Home page, click Manage Home Page, select Configuration Progress, and click Save.

Reports and statistics on the Comply Home page might not be updated immediately with current results since this data is updated every 10 minutes.

Configure Comply for an air-gapped environment

  1. From the Comply Home page, click Settings.
  2. On the Application Settings tab, find the is_airgapped setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.

    If you later set is_airgapped back to false, you must restart Comply for the Tanium Vulnerability Library (TVL) to update properly.

If you configure Comply for an air-gapped environment, you must upload the Tanium Engines and Tanium Vulnerability Library files. For more information, see:

Create a service account

You must create and configure a Comply service account to run background Comply functions, such as populating Home page data.

This user must have the following roles and access configured:

  1. From the Comply Home page, in the Configuration Progress section, click the Configure Service Account step and click Configure Service Account.
  2. Enter the Tanium credentials and click Save.

    You can also configure the service account by clicking Configure Now in the yellow banner that displays while no service account is configured, or set and update it from the Comply settings: click Settings, update the credentials in the Service Account section, and click Save.

Upload scan engines and JREs

Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports. At least one scan engine is required to use Comply.

Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE). If you use this scan engine and JRE (or the JREs already installed on endpoints), you do not need to upload any engines.

If you want to use a different scan engine or JRE, you can upload them to Comply. Tanium Scan Engine (which is included by default), CIS-CAT, and SCC scan engines are currently supported by Comply.

The supported versions of the scan engines are listed in the Import Engine window. Typically the most recent version plus the two previous versions are supported.

CIS-CAT and Tanium Scan Engine also require PowerShell and do not work if the PowerShell session runs in ConstrainedLanguage mode.

Table 1: Supported JREs

Operating system | Operating system version | Supported JRE distributions and versions | Can deploy using Comply?
Microsoft Windows Server | Windows Server 2008 and later | JRE provided with Comply; Java 8 distributions from Oracle or Amazon | Yes
Microsoft Windows Workstation | Windows 7 and later | JRE provided with Comply; Java 8 distributions from Oracle or Amazon | Yes
macOS | OS X 10.11 El Capitan and later | JRE provided with Comply; Java 8 distributions from Oracle or Amazon | Yes
Linux | Debian 5, 6, 7 | Java 7 or 8 (preferred) distributions from Oracle | Yes [5]
Linux | Debian 8 and later | JRE provided with Comply; Java 8 distributions from Oracle or Amazon | Yes
Linux | Red Hat Enterprise Linux (RHEL) 5.x | Java 7 or 8 (preferred) distributions from Oracle | Yes [5]
Linux | Red Hat Enterprise Linux (RHEL) 6.x and later | JRE provided with Comply; Java 8 distributions from Oracle or Amazon | Yes
Linux | CentOS 5.x | Java 7 or 8 (preferred) distributions from Oracle | Yes [5]
Linux | CentOS 6.x and later | JRE provided with Comply; Java 8 distributions from Oracle or Amazon | Yes
Linux | Ubuntu 12.04 - 13.x | Java 7 or 8 distributions from Oracle | Yes [5]
Linux | Ubuntu 14.x and later | JRE provided with Comply; Java 8 distributions from Oracle or Amazon | Yes
AIX [1] | IBM AIX 6.1 TL7SP10 and later [2] | IBM JRE 7.x or 8 (preferred) | No [3]
AIX [1] | IBM AIX 7.1 TL1SP10 and later [2] | IBM JRE 7.x or 8 (preferred); OpenJDK JRE with the HotSpot JVM | Yes [5]
AIX [1] | IBM AIX 7.2 | IBM JRE 7.x or 8 (preferred); OpenJDK JRE with the HotSpot JVM | Yes [5]
Solaris [4] | Oracle Solaris 10 SPARC | Oracle JRE 7 or 8 (preferred) | No
Solaris [4] | Oracle Solaris 10 x86 [2] | Oracle JRE 7 or 8 (preferred) | Yes [5]
Solaris [4] | Oracle Solaris 11 SPARC | Oracle JRE 7 or 8 (preferred) | No
Solaris [4] | Oracle Solaris 11 x86 [2] | Oracle JRE 7 or 8 (preferred) | Yes [5]

[1] The IBM JRE is usually already installed on AIX endpoints. Supported versions can be used with Comply scans.

[2] 64-bit only.

[3] This JRE is usually already installed on the endpoint, and the OpenJDK JRE is not supported on AIX 6.1; therefore, Comply does not deploy JREs to AIX 6.1 endpoints.

[4] The Oracle JRE is usually already installed on Solaris endpoints. Supported versions can be used with Comply scans.

[5] Only version 8 is supported for deployment through Comply.
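Before you upload or deploy an engine, a pre-flight check on a Windows endpoint catches the two conditions above (PowerShell language mode, and a supported Java 8 runtime) before they surface as a failed scan. The following PowerShell is an added example and is not part of Comply or of Tanium's content: it reports the session's language mode and the __PSLockdownPolicy value that forces ConstrainedLanguage, then checks that the java on the PATH (or at a path you pass) is a Java 8 runtime, the version Table 1 lists for Windows. The function name, its parameter and the output field names are assumptions chosen for illustration.

```powershell
# Added example (not Tanium's code). Checks the engine prerequisites the guide
# names: PowerShell must not be in ConstrainedLanguage mode, and a Java 8 JRE
# must be reachable. Function and field names are assumptions for illustration.
function Test-ComplyEnginePrereqs {
    [CmdletBinding()]
    param(
        # Optional explicit path to java.exe; by default the java on PATH is used.
        [string]$JavaPath = 'java'
    )

    # Windows PowerShell 5.1 turns native stderr into a terminating error under
    # ErrorActionPreference=Stop when 2>&1 is used; keep the default here.
    $ErrorActionPreference = 'Continue'

    $result = [ordered]@{
        PSVersion        = "$($PSVersionTable.PSVersion)"
        LanguageMode     = "$($ExecutionContext.SessionState.LanguageMode)"
        LockdownPolicy   = $env:__PSLockdownPolicy
        JavaPath         = $null
        JavaVersion      = $null
        JavaMajorVersion = $null
        Ok               = $false
        Problems         = @()
    }

    # Language mode is evaluated per session: ConstrainedLanguage (and the even
    # tighter RestrictedLanguage/NoLanguage) blocks the .NET calls the engines
    # make, so only FullLanguage passes.
    if ($result.LanguageMode -ne 'FullLanguage') {
        $result.Problems += "PowerShell language mode is $($result.LanguageMode); FullLanguage is required."
        if ($result.LockdownPolicy -eq '4') {
            $result.Problems += '__PSLockdownPolicy=4 is set; this forces ConstrainedLanguage for every session.'
        }
    }

    $javaCmd = Get-Command $JavaPath -ErrorAction SilentlyContinue
    if (-not $javaCmd) {
        $result.Problems += "No Java runtime found at '$JavaPath'."
    } else {
        $result.JavaPath = $javaCmd.Source
        # 'java -version' writes to stderr, so merge the streams before parsing.
        $out = (& $javaCmd.Source -version 2>&1 | ForEach-Object { "$_" }) -join "`n"
        if ($out -match 'version\s+"(?<v>[^"]+)"') {
            $result.JavaVersion = $Matches['v']
            # Legacy scheme "1.8.0_292" -> major 8; newer scheme "11.0.2" -> major 11.
            $parts = $result.JavaVersion -split '[._]'
            $result.JavaMajorVersion = if ($parts[0] -eq '1') { [int]$parts[1] } else { [int]$parts[0] }
            if ($result.JavaMajorVersion -ne 8) {
                $result.Problems += "Java $($result.JavaVersion) found; Table 1 lists Java 8 for this platform."
            }
        } else {
            $result.Problems += "Could not parse the output of '$($javaCmd.Source) -version'."
        }
    }

    $result.Ok = ($result.Problems.Count -eq 0)
    [pscustomobject]$result
}

Test-ComplyEnginePrereqs | Format-List
```

Run the check in the same context the Tanium Client uses (the service account and whatever AppLocker or Windows Defender Application Control policy applies to it): those policies can place the client's sessions in ConstrainedLanguage while an administrator's interactive session still reports FullLanguage, so a result taken from an elevated console can be misleading.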

In the Configuration Progress section, click the Upload Engine/JRE step and then click Comply Engines to open the Manage Engines page. For more information about uploading engines and JREs from this page, see Uploading scan engines and JREs.

Create a remote scan profile

You can find vulnerabilities on unmanaged endpoints in your environment by creating a remote vulnerability report.

To create remote vulnerability reports in Comply, you must use Discover 2.9.0 or later. Before you can run a remote vulnerability report, you must configure a remote scan profile.

The steps vary based on the version of Discover in your environment.

Remote scans are not supported with the CIS-CAT scan engine.

Discover 2.9.0 - 2.11.1

Complete the following steps in Discover.

  1. From the Discover Home page, click Settings. Go to Global Settings > Advanced Settings and add a setting named ComplyVulnScanEnabled with a value of true.
  2. Enable Nmap scan discovery using the Comply Vulnerability Scan configuration in the Discovery Method. For more information, see Tanium Discover User Guide: Nmap scan discovery.

    Setting changes in Discover can take up to five minutes to be applied.

Discover 3.0.0 and later

Before you begin

Confirm that the Discover configuration is complete. For more information, see Discover User Guide: Installing Discover.

To create or edit a remote scanning profile, you must have either the Discover Administrator role or the Discover Profile Write privilege.

Create a remote scanning profile

Create a remote scanning profile to specify the computer groups that you want to target with the scan and how often the scan runs.

  1. From the Comply Home page, in the Configuration Progress section, click the Create Remote Scan step and click Create Remote Scan.

    The Remote Vulnerability tab in the Comply settings displays.

  2. Click Create Profile.
  3. Configure the profile.
    1. Name: Specify a name for the profile.
    2. Targeting: Select the computer group that you want to target with this profile. Targeting determines the networks to include and exclude from the scan.

      For best results, do not create multiple profiles that target the same or overlapping computer groups.

    3. Scan Frequency: Specify how often you want the scan to run.
    4. Port Specification:

      By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.

      • Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports.
      • Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.
      • Requested Source Port: Specify a source port from which Nmap on clients attempts to run scans.

        Nmap honors this request if possible, but might use other ports when necessary.

  4. Click Create Profile.
  5. You can edit or delete existing remote scanning profiles from the Remote Vulnerability tab in the Comply settings.

Create the report

Comply is now configured to run a remote vulnerability report. For more information about creating a remote vulnerability report, see Create a remote vulnerability report.

Restrict report visibility

By default, users with the Comply Report Reviewer role can see all reports, even reports that target computer groups for which the user does not have management rights.

If you want users to only see reports that target computer groups for which they have management rights, set the report_mr_enabled setting to true. When you enable this setting, users can only see reports when they have management rights to all computer groups that the report targets. If a report targets multiple computer groups, but the user does not have management rights to one or more of the targeted computer groups, the user cannot see the report.

  1. From the Comply Home page, click Settings.
  2. On the Application Settings tab, find the report_mr_enabled setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.

    The change takes effect immediately and does not require a restart of Comply.

Create deployments

Use deployments to deploy engines and JREs to endpoints on a schedule. You must have the Comply Deployment Administrator role to create deployments.

  1. From the Comply Home page, in the Configuration Progress section, click the Create Deployments step and click Comply Deployments.
  2. The Manage Deployments page opens. Click Create Deployment.

    For more information about creating deployments, see Creating deployments.

Create reports

From the Comply Home page, in the Configuration Progress section, click the Create Reports step and click View reports.

The Reports page opens. From this page, you can create configuration compliance reports, vulnerability reports, and remote vulnerability reports. You can also view and update existing reports.

For more information about reports, see:

Upgrade Comply

  1. From the Main menu, click Tanium Solutions.
  2. Locate Comply and click Upgrade to <version>.
  3. Click OK.

    The Import Solution window opens with a list of all the changes and import options.

  4. Click Proceed with Import.
  5. Depending on your Tanium Server configuration, either enter your password or click Yes to proceed.
  6. To confirm the upgrade, return to the Tanium Solutions page and check the Installed: X.X.X.XX version for Comply.

When you upgrade Comply, an error message displays if the tools for a deployment are out of date. Click Redeploy to deploy the latest tools to deployments with this error the next time the tools installation action runs.



What to do next

See Getting started for more information about using Comply.