Maintaining Comply

Perform regular maintenance tasks to ensure that Comply successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Comply is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting for related procedures.

Perform monthly maintenance

  1. From the Main menu, go to Modules > Comply > Overview.

  2. Scroll to the Health dashboard to review any Comply health check errors on endpoints.

    The Comply Health Checks panel shows a bar for each type of error, such as outdated tools, scan failures, or insufficient disk space. The number above each bar indicates how many endpoints are affected.

  3. To investigate a health check error, click the number above the error bar. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, coverage status, and client extensions status for the affected endpoints.
  4. To troubleshoot health check errors, see Reference: Common errors.

Perform quarterly maintenance

  1. Go to Modules > Comply > Assessments and review the Status of assessments for errors or warnings. See Scan status.
  2. Investigate the error for each assessment.

    To issue a question that returns details about all the endpoints associated with scan errors, click the Scan Errors value above the grid.

    1. In the assessment row, click Additional Data, scroll to Endpoint Statistics, and click the Scan Errors value.

    2. Click the Endpoints value to issue a question that returns details about the affected endpoints. You can then review the results and, optionally, issue a drill-down question to investigate the errors. See Tanium Console User Guide: Managing question results.
  3. Troubleshoot assessments if necessary to resolve issues related to endpoint compliance distribution. See Troubleshooting.
  4. Edit assessments if necessary to resolve issues. See Edit an assessment.
  5. Delete outdated assessments and create new assessments if updated versions of configuration compliance standards are released. See Creating compliance assessments.

    Assessments that you delete on the Assessments page are removed from Tanium Cloud or the Tanium Server but not from endpoints. Delete stale assessments from endpoints whenever you delete them from Tanium Cloud or the server if retaining the associated data is no longer necessary. Otherwise, delete assessments from endpoints at intervals that preserve the data for a useful period without allowing the assessments to use too much disk space on endpoints. Base the intervals on how often users delete assessments from Tanium Cloud or the server.

Monitor and troubleshoot Comply coverage

The following table lists factors that can cause the Comply coverage metric to report endpoints as Needs Attention, and the corrective actions you can take.

Contributing factor: Endpoints do not have the latest scan engine installed
Corrective action:
  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure the latest engine is installed. When updates are available for the Tanium Scan Engine (powered by JovalCM) or Amazon Corretto JREs that are included with Comply, a yellow banner displays on the Comply Main page that says Updates are available for one or more engines.

Contributing factor: Endpoints do not have the latest Comply tools installed
Corrective action: Ensure that the Comply Action Group targets All Computers.

Contributing factor: Specific endpoints missing Comply tools, scan engines, or JREs
Corrective action: Ensure that existing deployments include all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

Contributing factor: Issue with a specific endpoint that might prevent Comply from running successfully
Corrective action: Check for issues with the endpoint that might prevent Comply from running successfully, such as having less than the minimum required available disk space (200 MB).

Contributing factor: Comply tools are not successfully deployed to endpoints
Corrective action: Ensure that the Comply Action Group targets All Computers. Comply actions are always explicit, so the action group targeting does not need to be restrictive.

Monitor and troubleshoot endpoint compliance distribution

The following table lists factors that can cause the endpoint compliance distribution metric to be lower than expected, and the corrective actions you can take.

Contributing factor: Endpoints are missing from compliance reports
Corrective action: Ensure that those endpoints exist in correctly targeted computer groups and that those computer groups are explicitly targeted for compliance reports. Make sure that compliance reports run on a periodic schedule.

Contributing factor: Configuration compliance assessments do not include endpoints that were offline at the time of the initial report schedule
Corrective action: Change the schedule of your configuration compliance assessment to the Using report age option and, instead of running a weekly report, set the assessment result maximum age to 7 days. For more information, see Creating compliance assessments.

With this configuration, Comply continuously checks for and attempts to assess endpoints as they come online, as long as they do not already have findings that are newer than 7 days. This setting allows global organizations and "follow the sun" models to continuously scan managed endpoints as they come online around the world, regardless of timezone or the original scan execution time.
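
The difference between a fixed weekly slot and the report-age setting described above can be seen in a small model. This is an added example, not Tanium code and not Comply's actual scheduler; the endpoint names, online windows, and the 02:00 UTC weekly slot are constructed assumptions.

```python
# Simplified model of two scheduling policies over a 14-day horizon.
# Time is counted in whole hours since Monday 00:00 UTC.
MAX_AGE_H = 7 * 24      # assessment result maximum age: 7 days
HORIZON_H = 14 * 24     # simulate two weeks

def daily(start_hour, length, days):
    """Set of hours an endpoint is online: `length` hours from `start_hour` on each day."""
    return {d * 24 + h for d in days for h in range(start_hour, start_hour + length)}

# Constructed sample endpoints (hypothetical names and online windows).
ENDPOINTS = {
    "lon-ws-01": daily(8, 10, range(14)),      # online 08:00-18:00 UTC every day
    "syd-ws-01": daily(22, 10, range(-1, 14)), # online 22:00-08:00 UTC every day
    "laptop-07": daily(9, 8, [3, 4, 11]),      # roaming laptop, online on three days only
}

def fixed_weekly(online, slot_hour=2):
    """Assess only at the weekly slot, and only if the endpoint is online at that hour."""
    return [t for t in range(slot_hour, HORIZON_H, MAX_AGE_H) if t in online]

def report_age(online, max_age_h=MAX_AGE_H):
    """Assess whenever the endpoint is online and has no findings newer than max_age_h."""
    scans = []
    for t in range(HORIZON_H):
        if t in online and (not scans or t - scans[-1] >= max_age_h):
            scans.append(t)
    return scans

def compare():
    """Hours at which each endpoint is assessed under both policies."""
    return {
        name: {"fixed_weekly": fixed_weekly(online), "report_age": report_age(online)}
        for name, online in ENDPOINTS.items()
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10} weekly={result['fixed_weekly']} report_age={result['report_age']}")
```

In this model only the endpoint that happens to be online at the weekly slot is assessed by the fixed schedule, while the report-age policy assesses every endpoint within its first online hour and again once its findings are 7 days old.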

Contributing factor: Systems that were included in the original report do not have any results
Corrective action: Make sure that the targeted endpoints are the correct operating system and platform for the configured report. For example, some compliance standards are specific to Windows Server 2008 and not Windows Server 2008 R2. Compliance standards can be specifically developed for the targeted operating systems, and in some cases will not function if the wrong operating system is targeted.

Contributing factor: Standards content does not meet local requirements
Corrective action:
  • Use custom profiles or import a tailoring file to customize compliance checks to meet your business needs.
  • Develop custom checks to assess things not covered by an existing standard.
  • Use custom ID mapping to align checks to local guidance or frameworks.

For more information, see Customizing compliance results and Customizing vulnerability results.

Contributing factor: Third-party content compatibilities and bugs
Corrective action: Ensure any imported content meets the defined requirements, such as:

Monitor and troubleshoot endpoints with critical or high vulnerabilities

The following table lists factors that can cause the Comply endpoints with critical or high vulnerabilities metric to be lower than expected, and the corrective actions you can take.

Contributing factor: Endpoints are missing from vulnerability reports
Corrective action: Ensure that those endpoints exist in correctly targeted computer groups and that those computer groups are explicitly targeted for vulnerability reports. Make sure that vulnerability reports run on a periodic schedule.

Contributing factor: OVAL checks do not align with locally developed guides or industry frameworks
Corrective action: Use custom ID mapping and custom scoring to align CVEs to the frameworks on which you report.

For more information, see Customizing vulnerability results.

Monitor and troubleshoot mean time to identify vulnerability findings

The following table lists factors that can cause the Comply mean time to identify vulnerability findings metric to be higher than expected, and the corrective actions you can take.

Contributing factor: Newly released or discovered vulnerabilities are not being detected in vulnerability assessments
Corrective action: Ensure that the Tanium Vulnerability Library (TVL) is configured to automatically update. For more information, see Default vulnerability sources.

Comply automatically updates assessments to use new definitions, but those assessments must run again using the new definitions.

Contributing factor: Newly released or discovered vulnerabilities are being detected, but not as quickly as needed
Corrective action: For best results, run general assessments that address all known vulnerabilities once a month or bi-monthly. In addition to that large general assessment, configure a small lightweight assessment that uses only high and critical severity vulnerability definitions from the current year so that you can run it frequently without negative performance impact. For example, you might run the lighter assessment weekly or every 3 days.

Contributing factor: Vulnerability assessments are not targeting the desired vulnerabilities
Corrective action: Verify that the assessment configuration includes the appropriate severity, CVE years, and computer group targeting that was intended for the assessment.

Contributing factor: CVEs have been published, but no OVAL definition is available
Corrective action: Check the Tanium Community for guidance on using Tanium to find and remediate a particular CVE. For example, Use Tanium to Find and Remediate CVE-2020-0796 (SMBv3 Remote Code Execution Vulnerability).