Tanium as a Service automatically handles module installations and upgrades.
Use the Tanium Solutions page to install Comply and choose either automatic or manual configuration:
- Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Comply is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Comply, see Import and configure Comply with default settings.
- Manual configuration with custom settings: After installing Comply, you must manually configure required settings. Select this option only if Comply requires settings that differ from the recommended default settings. For more information, see Import and configure Comply with custom settings.
Use the Automatic configuration with default settings option.
- Read the release notes.
- Review the Comply requirements.
- If you are upgrading from a previous version, see Upgrade Comply.
When you import Comply with automatic configuration, the following default settings are configured:
- The Comply service account is set to the account that you used to import the module.
- Computer groups that Comply requires are imported:
  - All Computers
  - All Windows 10
  - All Windows Server 2012 R2
  - All Windows Server 2016
  - All Windows Server 2019
  - All Red Hat 7
  - All Red Hat 8
  - All Ubuntu 18
  - All Ubuntu 19
  - All CentOS 7
  - All CentOS 8
  - All macOS 10.14
  - All macOS 10.15
- The Comply action group is set to the computer group All Computers.
- Comply tools and the Tanium Scan Engine (powered by JovalCM) are deployed to endpoints.
- Default configuration compliance and vulnerability reports are created for each operating system.
- Scans begin to run after the installation completes.
Deployments begin immediately after module installation. The Distribute over setting for the deployments is set to three minutes. After the three-minute distribution window completes, reports run. The Distribute over setting for reports is also three minutes.
To import Comply and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Comply version.
To import Comply without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Comply version.
Reports and statistics on the Comply Home page might not be updated immediately with current results, because this data is refreshed every 10 minutes.
- From the Main menu, click Actions > Scheduled Actions.
- In the list of action groups, click Tanium Comply.
- Verify that the Computer Group Targets parameter is set to All Computers. If needed, click Edit to update the action group.
When your Tanium Server is in an air-gapped environment, the server cannot download the Tanium Engines or Tanium Vulnerability Library files from the internet. You must configure Comply for an air-gapped environment and upload these files to Comply.
- From the Comply Home page, click Settings.
- On the Application Settings tab, find the is_airgapped setting and click Edit.
- In the Edit Setting window, enter true in the Value field.
- Click Save.
If you edit the is_airgapped setting back to false, you must restart Comply for the Tanium Vulnerability Library (TVL) to update properly.
- From the Comply menu, click Setup > Engines.
- Click Upload Engines Package.
- Download the air gap ZIP file from the link indicated in the Upload Tanium Engines Airgap Archive window (https://content.tanium.com/files/published/comply-engines/engines.cgz) using a machine that can connect to the internet and save it on the air-gapped machine.
- Click Select File, select the engines.cgz file from the location where you saved it on the air-gapped machine, and click Open.
- Click Upload.
- After your upload is complete, click Close.
- Click Benchmarks > Vulnerability to open the Vulnerability Benchmarks page.
- Click Upload Airgap Zip.
- Download the air gap ZIP file from the link indicated in the Upload TVL Airgap Zip window (https://content.tanium.com/files/published/tvl/Comply-Standards-Airgap-v1.zip) using a machine that can connect to the internet and save it on the air-gapped machine.
- Click Select File, select the Comply-TVL-Airgap-pkg.zip file from the location where you saved it on the air-gapped machine, and click Open.
- Click Upload.
- After your upload is complete, click Close on the Upload TVL Airgap Zip window. Allow approximately five minutes for Comply to update the vulnerability benchmarks. If you expand a vulnerability source, you will see the Type indicated as Local as well as a completed count of CVEs after the benchmarks are successfully updated from the uploaded air gap ZIP file.
You must create and configure a Comply service account to run background Comply functions, such as populating Home page data.
This user must have the following roles and access configured:
- The Comply Administrator role. For more information, see User role requirements.
- Access granted to any computer groups that provide input to Comply reports. For more information about assigning computer groups to a user, see Tanium Core Platform User Guide: Assign computer groups to a user.
If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.
- From the Comply Overview page, click Settings. Click the Service Account tab.
- Enter the Tanium credentials and click Save.
Another way to configure the service account is by clicking Configure Now in the yellow banner that displays if the service account is not configured.
A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry standard security benchmarks, vulnerability definitions, and custom compliance checks.
In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates reports based on the results of this evaluation by the scan engine.
At least one scan engine is required to use Comply.
If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically the most recent version plus the two previous versions are supported.
The Amazon Corretto JRE is not currently supported on some distributions of Linux.
Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.
In the Configuration Progress section, click the Upload Engine/JRE step and then click Comply Engines to open the Manage Engines page. For more information about uploading engines and JREs from this page, see Uploading scan engines and JREs.
You must have the Comply Deployment Administrator role to create deployments. For more information about Comply roles, see User role requirements.
Create deployments based on the architecture and platform of the targeted endpoints to deploy engines and JREs to endpoints on a schedule. For example, you might want to create the following deployments:
- Windows 64-bit
- Windows 32-bit
- macOS 64-bit
- Linux 64-bit
- Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
- Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.
For steps to create a deployment, see Working with deployments.
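A coverage check for the two points above, written here as an added example rather than Tanium code: given an exported inventory of endpoints and the deployments you created, it lists endpoints that no deployment reaches and the (platform, bitness) combinations that have no deployment at all. The Endpoint and Deployment record shapes and the sample fleet are constructed for illustration.

```python
from typing import List, NamedTuple, Set, Tuple

# Added example, not Tanium code. Endpoint and Deployment are assumed record
# shapes for data exported from the console; the field names are made up.

class Endpoint(NamedTuple):
    name: str
    platform: str      # e.g. "Windows", "Linux", "macOS"
    bitness: int       # 32 or 64
    groups: Set[str]   # computer groups the endpoint belongs to

class Deployment(NamedTuple):
    name: str
    platform: str
    bitness: int
    target_groups: Set[str]  # computer groups the deployment targets

def uncovered_endpoints(endpoints: List[Endpoint],
                        deployments: List[Deployment]) -> List[str]:
    """Names of endpoints no deployment reaches: either no deployment matches
    their platform/bitness, or none of their computer groups is targeted."""
    missing = []
    for ep in endpoints:
        reached = any(d.platform == ep.platform and d.bitness == ep.bitness
                      and d.target_groups & ep.groups
                      for d in deployments)
        if not reached:
            missing.append(ep.name)
    return missing

def missing_architectures(endpoints: List[Endpoint],
                          deployments: List[Deployment]) -> Set[Tuple[str, int]]:
    """(platform, bitness) pairs present in the fleet with no deployment at all."""
    present = {(e.platform, e.bitness) for e in endpoints}
    covered = {(d.platform, d.bitness) for d in deployments}
    return present - covered

# Constructed sample fleet and deployments (illustrative only).
SAMPLE_ENDPOINTS = [
    Endpoint("win10-01", "Windows", 64, {"All Computers", "All Windows 10"}),
    Endpoint("rhel7-01", "Linux", 64, {"All Computers", "All Red Hat 7"}),
    Endpoint("ubuntu-01", "Linux", 64, {"All Computers", "All Ubuntu 18"}),
    Endpoint("legacy-32", "Windows", 32, {"All Computers"}),
]
SAMPLE_DEPLOYMENTS = [
    Deployment("Windows 64-bit", "Windows", 64, {"All Windows 10"}),
    Deployment("Linux 64-bit", "Linux", 64, {"All Red Hat 7"}),
]
```

With the sample data, ubuntu-01 is flagged because its group is not targeted by the Linux deployment, and legacy-32 because no 32-bit Windows deployment exists.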
You can find vulnerabilities on unmanaged endpoints in your environment by creating a remote vulnerability report.
For Comply 2.7 or later, you must use Discover 4.0 or later.
If you are using Discover 3.0 or later with Comply 2.6 or earlier, proceed to the subsequent steps. If you are using Discover 2.9.0 - 2.11.1, complete these steps before you proceed to the subsequent steps: Configuring Discover 2.9.0 - 2.11.1 for use with Comply.
Remote vulnerability reports are not supported with the CIS-CAT scan engine.
Before you begin
Confirm that the Discover configuration is complete. For more information, see Discover User Guide: Installing Discover.
To create or edit a remote scanning profile, you must have either the Discover Administrator role or the Discover Profile Write privilege.
Create a remote scanning profile
Create a remote scanning profile to specify the computer groups that you want to target with the scan and how often the scan runs.
- From the Comply Home page, click Settings, and then click the Remote Vulnerability tab in the Comply settings.
- Click Create Profile.
- Configure the profile.
  - Name: Specify a name for the profile.
  - Targeting: Select the computer group that you want to target with this profile. Targeting determines the networks to include and exclude from the scan.
  - Isolated Subnets/Systems: Select this check box to prevent devices that have no peers from performing scans.
  - Specific Exclusions: Enter IP addresses to be excluded from scans. These can be single addresses, address ranges, or comma-separated CIDRs.
  - VPN Exclusions: Enter VPN networks to be excluded from scans. These can be single addresses, address ranges, or comma-separated CIDRs.
  - Zone Exclusions: Enter zone servers to be excluded from scans. These can be IP addresses or host names separated by commas.
  - Scan Frequency: Specify how often you want the scan to run.
  - Port Specification: By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.
    - Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports.
    - Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.
    - Requested Source Port: Specify a source port from which Nmap on clients attempts to run scans. Nmap honors this request if possible, but might use other ports when necessary.
- Click Create Profile.
You can edit or delete existing remote scanning profiles from the Remote Vulnerability tab in the Comply settings.
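An added example (not part of the Tanium product) that models the exclusion field format described in the profile steps above: a comma-separated list of single IPv4 addresses, start-end ranges, or CIDR blocks, parsed into merged ranges so you can check which candidate addresses a profile would actually skip before relying on it. The sample specification and candidate addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# Added example, not Tanium code. Models the exclusion list format described
# above: comma-separated single IPv4 addresses, start-end ranges, or CIDRs.
Range = Tuple[int, int]  # inclusive (first, last) address as integers

def parse_exclusions(spec: str) -> List[Range]:
    """Parse an exclusion list into sorted, merged inclusive ranges."""
    ranges: List[Range] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate blank entries and trailing commas
        if "/" in item:  # CIDR block
            net = ipaddress.ip_network(item, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in item:  # address range start-end
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if end < start:
                raise ValueError(f"range end precedes start: {item}")
            ranges.append((int(start), int(end)))
        else:  # single address
            addr = int(ipaddress.ip_address(item))
            ranges.append((addr, addr))
    ranges.sort()
    merged: List[Range] = []  # coalesce overlapping or adjacent ranges
    for first, last in ranges:
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged

def is_excluded(ip: str, exclusions: List[Range]) -> bool:
    """True if ip falls inside any parsed exclusion range."""
    n = int(ipaddress.ip_address(ip))
    return any(first <= n <= last for first, last in exclusions)

def filter_targets(candidates: List[str], spec: str) -> List[str]:
    """Return the candidate addresses a scan may still touch after exclusions."""
    exclusions = parse_exclusions(spec)
    return [ip for ip in candidates if not is_excluded(ip, exclusions)]

# Constructed sample profile values (illustrative only).
SAMPLE_SPEC = "10.0.0.5, 10.0.1.10-10.0.1.20, 192.168.50.0/24"
SAMPLE_CANDIDATES = ["10.0.0.5", "10.0.1.15", "10.0.1.21", "192.168.50.9", "10.2.0.1"]
```

Malformed entries (a reversed range, or a string that is not an address) raise ValueError rather than silently shrinking the exclusion set.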
Create the report
Comply is now configured to run a remote vulnerability report. For more information about creating a remote vulnerability report, see Create a remote vulnerability report.
By default, users with the Comply Report Reviewer role can see all reports, even reports that target computer groups for which the user does not have management rights.
If you want users to only see reports that target computer groups for which they have management rights, set the report_mr_enabled setting to true. When you enable this setting, users can only see reports when they have management rights to all computer groups that the report targets. If a report targets multiple computer groups, but the user does not have management rights to one or more of the targeted computer groups, the user cannot see the report.
- From the Comply Overview page, click Settings.
- On the Application Settings tab, find the report_mr_enabled setting and click Edit.
- In the Edit Setting window, enter true in the Value field.
- Click Save.
The change takes effect immediately and does not require you to restart Comply.
From the Comply menu, click Reports to open the Reports page. From this page, you can create configuration compliance reports, vulnerability reports, and remote vulnerability reports. You can also view and update existing reports.
For more information about reports, see:
Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.
Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.
Additionally, you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Comply, see User role requirements.
To use Endpoint Configuration to manage approvals, you must enable configuration approvals.
- From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
- Click Settings and click the Global tab.
- Select Enable configuration approvals, and click Save.
For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.
When you start the Comply workbench for the first time, the Tanium Console ensures that all of the required dependencies for Comply are installed at the required version. You must install all required Tanium dependencies before the Comply workbench can load. A banner appears if one or more Tanium dependencies are not installed in the environment. The Tanium Console lists the required Tanium dependencies and the required versions.
- From the Main menu, go to Administration > Configuration > Solutions.
- Select the required solutions, click Import Selected, and then click Begin Import. When the import is complete, you are returned to the Tanium Solutions page.
- From the Main menu, go to Modules > Comply to open the Comply Overview page after you import all of the required Tanium dependencies.
After you import or upgrade Comply, verify that the correct version is installed:
- Refresh your browser.
- From the Main menu, go to Modules > Comply to open the Comply Overview page.
- To display version information, click Info.
Last updated: 1/25/2021 10:02 AM