Installing Comply

You can install Comply from the Tanium Solutions page.

Before you begin

Import Comply

Import Comply from the Tanium Solutions page.

  1. From the Main menu, click Tanium Solutions.
  2. Under Comply, click Import Version.
  3. In the Content Import Preview window, you can expand the package to review the Tanium content that is being installed. Click Import.
  4. Depending on your Tanium Server configuration, either enter your password or click Yes to proceed.
  5. After the installation process completes, refresh your browser.
  6. From the Main menu, click Comply. The Comply Home page displays.

Verify the installation

To verify that Comply is installed, go to the Tanium Solutions page and check the installed version. To check the installed version on the Comply Home page, click Info.

Configure Comply

If the Configuration Progress section is not visible in the Comply Home page, click Manage Home Page, select Configuration Progress, and click Save.

Reports and statistics on the Comply Home page might not be updated immediately with current results since this data is updated every 10 minutes.

Configure Comply for an air-gapped environment

  1. From the Comply Home page, click Settings.
  2. On the Application Settings tab, find the is_airgapped setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.
  5. If you edit the is_airgapped setting back to false, you must restart Comply for the Tanium Vulnerability Library (TVL) to update properly.

If you configure Comply for an air-gapped environment, you must upload the Tanium Engines and Tanium Vulnerability Library files. For more information, see:

Create a service account

You must create and configure a Comply service account to run background Comply functions, such as populating Home page data.

This user must have the following roles and access configured:

  1. From the Comply Home page, in the Configuration Progress section, click the Configure Service Account step and click Configure Service Account.
  2. Enter the Tanium credentials and click Save.
  3. Another way to configure the service account is by clicking Configure Now in the yellow banner that displays if the service account is not configured. You can also set or update the service account from the Comply settings. Click Settings and update the service account settings in the Service Account section. Click Save.

Upload scan engines and JREs

Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports. At least one scan engine is required to use Comply, but more than one can be uploaded and used if needed.

Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE) are included with Comply 2.3 and later. If you want to use this scan engine and JRE (or the existing JREs on endpoints), you do not need to upload any engines.

If you want to use a different scan engine or JRE, you can upload them to Comply. Tanium Scan Engine (which is included by default), CIS-CAT, and SCC scan engines are currently supported by Comply.

The supported versions of the scan engines are listed in the Import Engine window. Typically the most recent version plus the two previous versions are supported.

CIS-CAT and Tanium Scan Engine also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

The following JREs are supported in addition to the JREs that are provided with Comply:

  • Windows, macOS, and Linux endpoints: Java version 8 distributions provided by either Oracle or Amazon.
  • AIX endpoints: IBM JRE version 7.x or 8 (preferred). The IBM JRE is usually already installed on AIX endpoints and can be used with Comply scans.
    • AIX 7.x endpoints can also use the OpenJDK JRE with the HotSpot JVM. For more information about this package, see AdoptOpenJDK: Releases.
    • AIX 6.1 endpoints must use the IBM JRE. This JRE is usually already installed on the endpoint and the OpenJDK JRE is not supported with AIX 6.1; therefore, Comply does not deploy JREs to AIX 6.1 endpoints.
  • Solaris endpoints: Oracle JRE 7 or 8 (preferred). The Oracle JRE is usually already installed on Solaris endpoints and can be used with Comply scans.
    • You can use Comply to deploy JRE 8 only to Solaris 64-bit endpoints (only version 8 is supported for deployment through Comply).
    • You cannot use Comply to deploy a JRE to Solaris 32-bit or Solaris SPARC endpoints.
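The two endpoint-side prerequisites above (PowerShell must not be in ConstrainedLanguage mode for CIS-CAT and Tanium Scan Engine, and a Java 8 runtime is the supported JRE on Windows endpoints) are easy to verify before a scan is scheduled. The following pre-flight script is an added example, not part of the Tanium documentation or the Comply product; it reads the session's language mode from `$ExecutionContext.SessionState.LanguageMode` and parses the first line of `java -version` from whatever `java` is on the PATH. The function names, the assumption that the JRE of interest is on the PATH, and the check for major version 8 (it does not verify the Oracle or Amazon vendor) are all choices of this example.

```powershell
# Added example (not Tanium documentation or product code): pre-flight checks to
# run on a Windows endpoint before relying on CIS-CAT or Tanium Scan Engine there.

function Test-PowerShellLanguageMode {
    # Passes when the session is not in ConstrainedLanguage mode, the mode in
    # which CIS-CAT and Tanium Scan Engine do not work.
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{
        Check  = 'PowerShell language mode'
        Value  = [string]$mode
        Passed = ($mode -ne 'ConstrainedLanguage')
    }
}

function Get-JavaMajorVersion {
    param([string]$VersionText)
    # Handles the legacy "1.8.0_292" form (major is the second field) and the
    # modern "11.0.2" form (major is the first field). Returns $null on no match.
    if ($VersionText -match 'version "(\d+)(?:\.(\d+))?') {
        $first = [int]$Matches[1]
        if ($first -eq 1 -and $Matches[2]) { return [int]$Matches[2] }
        return $first
    }
    return $null
}

function Test-JavaRuntime {
    # Assumption of this example: the JRE Comply will use is the one on the PATH.
    $javaCmd = Get-Command java -ErrorAction SilentlyContinue
    if (-not $javaCmd) {
        return [pscustomobject]@{ Check = 'Java runtime'; Value = 'not found on PATH'; Passed = $false }
    }
    # java -version writes to stderr; 2>&1 merges it so the text can be parsed.
    $output = & $javaCmd.Source -version 2>&1 | Out-String
    $major  = Get-JavaMajorVersion -VersionText $output
    [pscustomobject]@{
        Check  = 'Java runtime'
        Value  = ($output.Trim() -split "`n")[0].Trim()
        # Windows endpoints: Java version 8 is the supported JRE version.
        Passed = ($major -eq 8)
    }
}

$results = @(Test-PowerShellLanguageMode; Test-JavaRuntime)
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled job or sensor flag endpoints that fail a check.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it in the same context the scan engine will use (for example, as the account the Tanium Client runs under), because language mode is a property of the session and can differ from an interactive administrator's session.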

In the Configuration Progress section, click the Upload Engine/JRE step and then click Comply Engines to open the Manage Engines page. For more information about uploading engines and JREs from this page, see Uploading scan engines and JREs.

Create a remote scan profile

You can find vulnerabilities on unmanaged endpoints in your environment by creating a remote vulnerability report.

To create remote vulnerability reports in Comply, you must use Discover 2.9.0 or later. Before you can run a remote vulnerability report, you must configure a remote scan profile.

The steps vary based on the version of Discover in your environment.

Discover 2.9.0 - 2.11.1

Complete the following steps in Discover.

  1. From the Discover Home page, click Settings. Go to Global Settings > Advanced Settings and add a setting named ComplyVulnScanEnabled with a value of true.
  2. Enable Nmap scan discovery using the Comply Vulnerability Scan configuration in the Discovery Method. For more information, see Tanium Discover User Guide: Nmap scan discovery.

    Setting changes in Discover can take up to five minutes to be applied.

Discover 3.0.0 and later

Before you begin

Confirm that the Discover configuration is complete. For more information, see Discover User Guide: Installing Discover.

To create or edit a remote scanning profile, you must have either the Discover Administrator role or the Discover Profile Write privilege.

Create a remote scanning profile

Create a remote scanning profile to specify the computer groups that you want to target with the scan and how often the scan runs.

  1. From the Comply Home page, in the Configuration Progress section, click the Create Remote Scan step and click Create Remote Scan.

    The Remote Vulnerability tab in the Comply settings displays.

  2. Click Create Profile.
  3. Configure the profile.
    1. Name: Specify a name for the profile.
    2. Targeting: Select the computer group that you want to target with this profile. Targeting determines the networks to include and exclude from the scan.

      For best results, do not create multiple profiles that target the same or overlapping computer groups.

    3. Scan Frequency: Specify how often you want the scan to run.
    4. Port Specification:

      By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.

      • Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports.
      • Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.
      • Requested Source Port: Specify a source port from which Nmap on clients attempts to run scans.

        Nmap honors this request if possible, but might use other ports when necessary.

  4. Click Create Profile.
  5. You can edit or delete existing remote scanning profiles from the Remote Vulnerability tab in the Comply settings.

Create the report

Comply is now configured to run a remote vulnerability report. For more information about creating a remote vulnerability report, see Create a remote vulnerability report.

Create deployments

Use deployments to deploy engines and JREs to endpoints on a schedule. You must have the Comply Deployment Administrator role to create deployments.

  1. From the Comply Home page, in the Configuration Progress section, click the Create Deployments step and click Comply Deployments.
  2. The Manage Deployments page opens. Click Create Deployment.

    For more information about creating deployments, see Creating deployments.

Create reports

From the Comply Home page, in the Configuration Progress section, click the Create Reports step and click View reports.

The Reports page opens. From this page, you can create configuration compliance reports, vulnerability reports, and remote vulnerability reports. You can also view and update existing reports.

For more information about reports, see:

Upgrade Comply

  1. From the Main menu, click Tanium Solutions.
  2. Locate Comply and click Upgrade to <version>.
  3. Click OK.

    The Import Solution window opens with a list of all the changes and import options.

  4. Click Proceed with Import.
  5. Depending on your Tanium Server configuration, either enter your password or click Yes to proceed.
  6. To confirm the upgrade, return to the Tanium Solutions page and check the Installed: X.X.X.XX version for Comply.

When you upgrade Comply, an error message displays if the tools for a deployment are out of date. Click Redeploy to deploy the latest tools to deployments with this error the next time the tools installation action runs.

What to do next

See Getting started for more information about using Comply.

Last updated: 12/3/2019 6:22 PM