Installing Comply

Use the Tanium Solutions page to install Comply and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Comply is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Comply, see Import and configure Comply with default settings.
  • Manual configuration with custom settings: After installing Comply, you must manually configure required settings. Select this option only if Comply requires settings that differ from the recommended default settings. For more information, see Import and configure Comply with custom settings.

Import and configure Comply with default settings

When you import Comply with automatic configuration, the following default settings are configured:

  • The Comply service account is set to the account that you used to import the module.
  • The Comply action group is set to the computer group All Computers.
  • Comply tools and the Tanium Scan Engine (powered by JovalCM) are deployed to endpoints.
  • Default vulnerability reports are created for each operating system.
  • An initial scan runs at 1:00 AM after the installation completes.

    The Distribute Over setting in the deployment is set to 4 hours. Therefore, if you import the module 4 hours or more before 1:00 AM, the initial scan runs at 1:00 AM. If you import the module less than 4 hours before 1:00 AM, the initial scan is scheduled to start at 1:00 AM plus one day.

To import Comply and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Comply version.

Import and configure Comply with custom settings

To import Comply without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Comply version.

Reports and statistics on the Comply Home page might not reflect current results immediately, because this data is refreshed every 10 minutes.

Configure Comply for an air-gapped environment

  1. From the Comply Home page, click Settings.
  2. On the Application Settings tab, find the is_airgapped setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.

    If you later set is_airgapped back to false, you must restart Comply for the Tanium Vulnerability Library (TVL) to update properly.

If you configure Comply for an air-gapped environment, you must upload the Tanium Engines and Tanium Vulnerability Library files. For more information, see:

Create a service account

You must create and configure a Comply service account to run background Comply functions, such as populating Home page data.

This user must have the following roles and access configured:

  1. From the Comply Home page, in the Configuration Progress section, click the Configure Service Account step and click Configure Service Account.
  2. Enter the Tanium credentials and click Save.

    Alternatively, click Configure Now in the yellow banner that displays while the service account is not configured. You can also set or update the service account from the Comply settings: click Settings, update the settings in the Service Account section, and click Save.

Upload scan engines and JREs

Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports. At least one scan engine is required to use Comply.

Comply 2.3 and later includes the Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE). If you want to use this scan engine and JRE (or the JREs that already exist on endpoints), you do not need to upload any engines.

If you want to use a different scan engine or JRE, you can upload them to Comply. Comply currently supports the Tanium Scan Engine (included by default), CIS-CAT, and SCC scan engines.

The supported versions of the scan engines are listed in the Import Engine window. Typically the most recent version plus the two previous versions are supported.

CIS-CAT and Tanium Scan Engine also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.
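ConstrainedLanguage mode is usually not something an administrator sets by hand; it is imposed when an AppLocker or Windows Defender Application Control policy applies to PowerShell, or when the __PSLockdownPolicy environment variable is set. Because a scan silently fails on such endpoints, it is worth checking the mode and the Java runtime before deploying. The following PowerShell script is an added example, not code from the Tanium documentation or product. It assumes the script is saved as a .ps1 file and run on the endpoint, and that the JRE to be tested is the java executable on PATH (override with -JavaExe if you want to test a specific Java 8 installation; the location of the Comply-provided JRE is not given on this page).

```powershell
# Added example (not Tanium code): pre-flight check that a Windows endpoint can
# run the Tanium Scan Engine or CIS-CAT. Both need PowerShell outside
# ConstrainedLanguage mode and a Java 8 runtime (the Comply-provided JRE or an
# Oracle/Amazon Java 8 distribution).
param(
    [string]$JavaExe = "java"   # assumption: java on PATH; pass a full path to test another JRE
)

$problems = @()

# 1. Language mode. AppLocker/WDAC policies or __PSLockdownPolicy can force
#    ConstrainedLanguage; the scan engines do not work in that mode.
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'FullLanguage') {
    $problems += "PowerShell language mode is '$mode'; FullLanguage is required"
}
if ($env:__PSLockdownPolicy) {
    $problems += "__PSLockdownPolicy is set to '$($env:__PSLockdownPolicy)'; new sessions will be constrained"
}

# 2. Java presence and major version. 'java -version' writes to stderr, so
#    redirect it (2>&1) and parse the first line, which looks like
#    'java version "1.8.0_292"' or 'openjdk version "11.0.2"'.
$javaCmd = Get-Command $JavaExe -ErrorAction SilentlyContinue
if (-not $javaCmd) {
    $problems += "No Java runtime found at '$JavaExe'"
} else {
    $versionLine = (& $javaCmd.Source -version 2>&1 | Select-Object -First 1).ToString()
    if ($versionLine -match 'version "(\d+)(?:\.(\d+))?') {
        # Java 8 reports itself as 1.8.x; Java 9 and later report 9, 11, 17, ...
        $major = if ([int]$Matches[1] -eq 1) { [int]$Matches[2] } else { [int]$Matches[1] }
        if ($major -ne 8) {
            $problems += "Java major version is $major; the engines expect Java 8 ($versionLine)"
        }
    } else {
        $problems += "Could not parse Java version from: $versionLine"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: language mode $mode, Java 8 found at $($javaCmd.Source)"
    exit 0
} else {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it under the same account and policy context the Tanium Client uses (a SYSTEM-level scheduled task, for example), because AppLocker and WDAC policies can apply per user, and an interactive administrator session may report FullLanguage while the client's session is constrained.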

Operating system | Operating system version | Supported JRE distributions and versions | Can deploy using Comply?
---------------- | ------------------------ | ---------------------------------------- | ------------------------
Microsoft Windows Server | Windows Server 2008 and later | JRE provided with Comply, or a Java 8 distribution from Oracle or Amazon | Yes
Microsoft Windows Workstation | Windows 7 and later | JRE provided with Comply, or a Java 8 distribution from Oracle or Amazon | Yes
macOS | OS X 10.11 El Capitan and later | JRE provided with Comply, or a Java 8 distribution from Oracle or Amazon | Yes
Linux | Debian 5, 6, 7 | Java 7 or 8 (preferred) distribution from Oracle | Yes [4]
Linux | Debian 8 and later | JRE provided with Comply, or a Java 8 distribution from Oracle or Amazon | Yes
Linux | Red Hat Enterprise Linux (RHEL) 5.x | Java 7 or 8 (preferred) distribution from Oracle | Yes [4]
Linux | Red Hat Enterprise Linux (RHEL) 6.x and later | JRE provided with Comply, or a Java 8 distribution from Oracle or Amazon | Yes
Linux | CentOS 5.x | Java 7 or 8 (preferred) distribution from Oracle | Yes [4]
Linux | CentOS 6.x and later | JRE provided with Comply, or a Java 8 distribution from Oracle or Amazon | Yes
Linux | Ubuntu 12.04 - 13.x | Java 7 or 8 distribution from Oracle | Yes [4]
Linux | Ubuntu 14.x and later | JRE provided with Comply, or a Java 8 distribution from Oracle or Amazon | Yes
AIX [1] | IBM AIX 6.1 TL7SP10 and later [2] | IBM JRE 7.x or 8 (preferred) | Yes [3]
AIX [1] | IBM AIX 7.1 TL1SP10 and later [2] | IBM JRE 7.x or 8 (preferred) | No
AIX [1] | IBM AIX 7.1 TL1SP10 and later [2] | OpenJDK JRE 7 or 8 with the HotSpot JVM | Yes [4]
AIX [1] | IBM AIX 7.2 | IBM JRE 7.x or 8 (preferred) | No
AIX [1] | IBM AIX 7.2 | OpenJDK JRE 7 or 8 with the HotSpot JVM | Yes [4]
Solaris [5] | Oracle Solaris 10 SPARC | Oracle JRE 7 or 8 (preferred) | No
Solaris [5] | Oracle Solaris 10 x86 [2] | Oracle JRE 7 or 8 (preferred) | Yes [6]
Solaris [5] | Oracle Solaris 11 SPARC | Oracle JRE 7 or 8 (preferred) | No
Solaris [5] | Oracle Solaris 11 x86 [2] | Oracle JRE 7 or 8 (preferred) | Yes [6]

[1] The IBM JRE is usually already installed on AIX endpoints. Supported versions can be used with Comply scans.

[2] 64-bit only.

[3] Only IBM JRE 8 64-bit is supported for deployment through Comply. You must repackage the JRE before it can be deployed through Comply. For details, see Repackage the IBM JRE for deployment to AIX 6.1 endpoints.

[4] Only version 8 is supported for deployment through Comply. Check the OpenJDK release site for supported service pack levels for a particular OpenJDK JRE release: AdoptOpenJDK: Latest release.

[5] The Oracle JRE is usually already installed on Solaris endpoints. Supported versions can be used with Comply scans.

[6] Only version 8 is supported for deployment through Comply.

In the Configuration Progress section, click the Upload Engine/JRE step and then click Comply Engines to open the Manage Engines page. For more information about uploading engines and JREs from this page, see Uploading scan engines and JREs.

Create a remote scan profile

You can find vulnerabilities on unmanaged endpoints in your environment by creating a remote vulnerability report.

To create remote vulnerability reports in Comply, you must use Discover 2.9.0 or later. Before you can run a remote vulnerability report, you must configure a remote scan profile.

The steps vary based on the version of Discover in your environment.

Remote scans are not supported with the CIS-CAT scan engine.

Discover 2.9.0 - 2.11.1

Complete the following steps in Discover.

  1. From the Discover Home page, click Settings. Go to Global Settings > Advanced Settings and add a setting named ComplyVulnScanEnabled with a value of true.
  2. Enable Nmap scan discovery using the Comply Vulnerability Scan configuration in the Discovery Method. For more information, see Tanium Discover User Guide: Nmap scan discovery.

    Setting changes in Discover can take up to five minutes to be applied.

Discover 3.0.0 and later

Before you begin

Confirm that the Discover configuration is complete. For more information, see Discover User Guide: Installing Discover.

To create or edit a remote scanning profile, you must have either the Discover Administrator role or the Discover Profile Write privilege.

Create a remote scanning profile

Create a remote scanning profile to specify the computer groups that you want to target with the scan and how often the scan runs.

  1. From the Comply Home page, in the Configuration Progress section, click the Create Remote Scan step and click Create Remote Scan.

    The Remote Vulnerability tab in the Comply settings displays.

  2. Click Create Profile.
  3. Configure the profile.
    1. Name: Specify a name for the profile.
    2. Targeting: Select the computer group that you want to target with this profile. Targeting determines the networks to include and exclude from the scan.

      For best results, do not create multiple profiles that target the same or overlapping computer groups.

    3. Scan Frequency: Specify how often you want the scan to run.
    4. Port Specification:

      By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.

      • Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports.
      • Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.
      • Requested Source Port: Specify a source port from which Nmap on clients attempts to run scans.

        Nmap honors this request if possible, but might use other ports when necessary.

  4. Click Create Profile.

    You can edit or delete existing remote scanning profiles from the Remote Vulnerability tab in the Comply settings.

Create the report

Comply is now configured to run a remote vulnerability report. For more information about creating a remote vulnerability report, see Create a remote vulnerability report.

Restrict report visibility

By default, users with the Comply Report Reviewer role can see all reports, even reports that target computer groups for which the user does not have management rights.

If you want users to only see reports that target computer groups for which they have management rights, set the report_mr_enabled setting to true. When you enable this setting, users can only see reports when they have management rights to all computer groups that the report targets. If a report targets multiple computer groups, but the user does not have management rights to one or more of the targeted computer groups, the user cannot see the report.

  1. From the Comply Home page, click Settings.
  2. On the Application Settings tab, find the report_mr_enabled setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.

    The change takes effect immediately and does not require a restart of Comply.

Create deployments

Use deployments to deploy engines and JREs to endpoints on a schedule. You must have the Comply Deployment Administrator role to create deployments.

  1. From the Comply Home page, in the Configuration Progress section, click the Create Deployments step and click Comply Deployments.
  2. The Manage Deployments page opens. Click Create Deployment.

    For more information about creating deployments, see Creating deployments.

Create reports

From the Comply Home page, in the Configuration Progress section, click the Create Reports step and click View reports.

The Reports page opens. From this page, you can create configuration compliance reports, vulnerability reports, and remote vulnerability reports. You can also view and update existing reports.

For more information about reports, see:

Upgrade Comply

For the steps to upgrade Comply, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Comply version.

When you upgrade Comply, an error message displays if the tools for a deployment are out of date. Click Redeploy; the latest tools are then deployed to the affected deployments the next time the tools installation action runs.

Verify Comply version

After you import or upgrade Comply, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, click Comply to open the Comply Home page.
  3. To display version information, click Info.

What to do next

See Getting started for more information about using Comply.