Installing Comply

Tanium as a Service automatically handles module installations and upgrades.

Use the Tanium Solutions page to install Comply and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Comply is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Comply, see Import and configure Comply with default settings.
  • Manual configuration with custom settings: After installing Comply, you must manually configure required settings. Select this option only if Comply requires settings that differ from the recommended default settings. For more information, see Import and configure Comply with custom settings.

Use the Automatic configuration with default settings option.

Before you begin

Import and configure Comply with default settings

When you import Comply with automatic configuration, the following default settings are configured:

  • The Comply service account is set to the account that you used to import the module.
  • Computer groups that Comply requires are imported:
    • All Computers
    • All Windows 10
    • All Windows Server 2012 R2
    • All Windows Server 2016
    • All Windows Server 2019
    • All Red Hat 7
    • All Red Hat 8
    • All Ubuntu 18
    • All Ubuntu 19
    • All CentOS 7
    • All CentOS 8
    • All macOS 10.14
    • All macOS 10.15
  • The Comply action group is set to the computer group All Computers.
  • Comply tools and the Tanium Scan Engine (powered by JovalCM) are deployed to endpoints.
  • Default configuration compliance and vulnerability reports are created for each operating system.
  • An initial scan runs at 1:00 AM after the installation completes.

    Deployments begin immediately after module installation. The Distribute over setting for the deployments is set to two hours. After the two-hour distribution window completes, reports will run. The Distribute over setting for reports is one hour.

To import Comply and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Comply version.

Import and configure Comply with custom settings

To import Comply without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Comply version.

Reports and statistics on the Comply Home page might not be updated immediately with current results since this data is updated every 10 minutes.

Verify that the Tanium Comply action group is set to All Computers:
  1. From the Main menu, click Actions > Scheduled Actions.
  2. In the list of action groups, click Tanium Comply.
  3. Verify that the Computer Group Targets parameter is set to All Computers. If needed, click Edit to update the action group.

Configure Comply for an air-gapped environment

When your Tanium Server is in an air-gapped environment, the server cannot download the Tanium Engines or Tanium Vulnerability Library files from the internet. You must configure Comply for an air-gapped environment and upload these files to Comply.

  1. From the Comply Home page, click Settings.
  2. On the Application Settings tab, find the is_airgapped setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.
  5. If you edit the is_airgapped setting back to false, you must restart Comply for the Tanium Vulnerability Library (TVL) to update properly.

Upload the Tanium Engines package

  1. From the Comply menu, click Setup > Engines.
  2. Click Upload Engines Package.
  3. Download the air gap ZIP file from the link indicated in the Upload Tanium Engines Airgap Archive window (https://content.tanium.com/files/published/comply-engines/engines.cgz) using a machine that can connect to the internet and save it on the air-gapped machine.
  4. Click Select File, select the engines.cgz file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close.

Upload the Tanium Vulnerability Library files

  1. Click Benchmarks > Vulnerability to open the Vulnerability Benchmarks page.
  2. Click Upload Airgap Zip.
  3. Download the air gap ZIP file from the link indicated in the Upload TVL Airgap Zip window (https://content.tanium.com/files/published/tvl/Comply-TVL-Airgap-pkg.zip) using a machine that can connect to the internet and save it on the air-gapped machine.
  4. Click Select File, select the Comply-TVL-Airgap-pkg.zip file from the location where you saved it on the air-gapped machine, and click Open.
  5. Click Upload.
  6. After your upload is complete, click Close on the Upload TVL Airgap Zip window. Allow approximately five minutes for Comply to update the vulnerability benchmarks. If you expand a vulnerability source, you will see the Type indicated as Local as well as a completed count of CVEs after the benchmarks are successfully updated from the uploaded air gap ZIP file.

Configure the service account

You must create and configure a Comply service account to run background Comply functions, such as populating Home page data.

This user must have the following roles and access configured:

  1. From the Comply Home page, click Settings, and then click the Service Account tab.
  2. Enter the Tanium credentials and click Save.
  3. Another way to configure the service account is by clicking Configure Now in the yellow banner that displays if the service account is not configured.

Upload scan engines and JREs

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry standard security benchmarks, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates reports based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes the Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE). Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.
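As an added example (not code from the Tanium documentation), the following PowerShell pre-flight check reports the language mode of a Windows endpoint, so that endpoints in ConstrainedLanguage mode are found before the Tanium Scan Engine or CIS-CAT is deployed to them; it also reports the OS bitness used to choose the matching deployment. The function and property names are this example's own choices.

```powershell
# Added example, not part of the Tanium documentation.
# Reports whether the Tanium Scan Engine or CIS-CAT can run on this endpoint:
# both need PowerShell and do not work in ConstrainedLanguage mode.
# Also reports OS bitness, which determines the Comply deployment to target.
function Test-ComplyScanEngineReadiness {
    [CmdletBinding()]
    param()

    # Effective language mode of the session the engine would run under.
    $mode = $ExecutionContext.SessionState.LanguageMode.ToString()

    # 64-bit vs. 32-bit decides which deployment (engine/JRE package) applies.
    $is64Bit = [Environment]::Is64BitOperatingSystem
    $deployment = if ($is64Bit) { 'Windows 64-bit' } else { 'Windows 32-bit' }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        PowerShellVersion = $PSVersionTable.PSVersion.ToString()
        LanguageMode      = $mode
        Deployment        = $deployment
        # ConstrainedLanguage blocks the scan engines named above.
        ScanEngineReady   = ($mode -ne 'ConstrainedLanguage')
        Note              = if ($mode -eq 'ConstrainedLanguage') {
                                'PowerShell is in ConstrainedLanguage mode; scan engine will not run'
                            } else { '' }
    }
}

Test-ComplyScanEngineReadiness | Format-List
```

Run it on a representative endpoint for each planned deployment, or across a set of hosts with Invoke-Command, before creating deployments.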

In the Configuration Progress section, click the Upload Engine/JRE step and then click Comply Engines to open the Manage Engines page. For more information about uploading engines and JREs from this page, see Uploading scan engines and JREs.

Create deployments

You must have the Comply Deployment Administrator role to create deployments. For more information about Comply roles, see User role requirements.

Create deployments based on the architecture and platform of the targeted endpoints to deploy engines and JREs to endpoints on a schedule. For example, you might want to create the following deployments:

  • Windows 64-bit
  • Windows 32-bit
  • macOS 64-bit
  • Linux 64-bit

  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

For steps to create a deployment, see Working with deployments.

Create a remote scan profile

You can find vulnerabilities on unmanaged endpoints in your environment by creating a remote vulnerability report. To create remote vulnerability reports in Comply, you must use Discover 2.9.0 or later. Before you can run a remote vulnerability report, you must configure a remote scan profile.

The steps vary based on the version of Discover in your environment. If you are using Discover 3.0 or later, proceed to the subsequent steps. If you are using Discover 2.9.0 - 2.11.1, complete these steps before you proceed to the subsequent steps: Configuring Discover 2.9.0 - 2.11.1 for use with Comply.

Remote vulnerability reports are not supported with the CIS-CAT scan engine.

Before you begin

Confirm that the Discover configuration is complete. For more information, see Discover User Guide: Installing Discover.

To create or edit a remote scanning profile, you must have either the Discover Administrator role or the Discover Profile Write privilege.

Create a remote scanning profile

Create a remote scanning profile to specify the computer groups that you want to target with the scan and how often the scan runs.

  1. From the Comply Home page, click Settings, and then click the Remote Vulnerability tab in the Comply settings.
  2. Click Create Profile.
  3. Configure the profile.
    1. Name: Specify a name for the profile.
    2. Targeting: Select the computer group that you want to target with this profile. Targeting determines the networks to include and exclude from the scan.
      • Isolated Subnets/Systems: Select this check box to prevent devices that have no peers from performing scans.
      • Specific Exclusions: Enter IP addresses to be excluded from scans. These can be single addresses, address ranges, or comma-separated CIDRs.
      • VPN Exclusions: Enter VPN networks to be excluded from scans. These can be single addresses, address ranges, or comma-separated CIDRs.
      • Zone Exclusions: Enter zone servers to be excluded from scans. These can be IP addresses or host names separated by commas.
    3. Scan Frequency: Specify how often you want the scan to run.
    4. Port Specification:

      By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.

      • Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports.
      • Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.
      • Requested Source Port: Specify a source port from which Nmap on clients attempts to run scans.

        Nmap honors this request if possible, but might use other ports when necessary.

  4. Click Create Profile.
  5. You can edit or delete existing remote scanning profiles from the Remote Vulnerability tab in the Comply settings.

Create the report

Comply is now configured to run a remote vulnerability report. For more information about creating a remote vulnerability report, see Create a remote vulnerability report.

Restrict report visibility

By default, users with the Comply Report Reviewer role can see all reports, even reports that target computer groups for which the user does not have management rights.

If you want users to only see reports that target computer groups for which they have management rights, set the report_mr_enabled setting to true. When you enable this setting, users can only see reports when they have management rights to all computer groups that the report targets. If a report targets multiple computer groups, but the user does not have management rights to one or more of the targeted computer groups, the user cannot see the report.

  1. From the Comply Home page, click Settings.
  2. On the Application Settings tab, find the report_mr_enabled setting and click Edit.
  3. In the Edit Setting window, enter true in the Value field.
  4. Click Save.
  5. The change takes effect immediately and does not require you to restart Comply.

Create reports

From the Comply menu, click Reports to open the Reports page. From this page, you can create configuration compliance reports, vulnerability reports, and remote vulnerability reports. You can also view and update existing reports.

For more information about reports, see:

Upgrade Comply

For the steps to upgrade Comply, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Comply version.

Verify Comply version

After you import or upgrade Comply, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, click Comply to open the Comply Home page.
  3. To display version information, click Info.