Comply requirements

Review the requirements before you install and use Comply.

Tanium dependencies

In addition to a license for the Comply product module, make sure that your environment meets the following requirements.

Component        Requirement
Platform         7.2.314.2831 or later
Tanium Client    See Tanium Client Deployment Guide: Requirements for the supported Tanium Client versions for each operating system.

Endpoints

Table 1:   Supported OS versions for Tanium Comply endpoints

Operating system                 OS version
Microsoft Windows Server         Microsoft Windows Server 2008 and later
Microsoft Windows Workstation    Microsoft Windows 7 and later
macOS                            OS X 10.11 El Capitan and later
Linux                            Debian 6 and later
                                 Red Hat Enterprise Linux (RHEL) 5.x and later
                                 CentOS 5.x and later
                                 Ubuntu 12.04 and later
AIX [1]                          IBM AIX 6.1 TL7SP10 and later [2]
                                 IBM AIX 7.1 TL1SP10 and later [2]
                                 IBM AIX 7.2
Solaris [1]                      Oracle Solaris 11 SPARC [3]
                                 Oracle Solaris 11 x86 [3]

[1] Only Configuration Compliance reports are supported on AIX and Solaris endpoints.

[2] 64-bit only.

[3] Requires SUNWgccruntime. You must use the CIS-CAT engine to run a compliance report that uses CIS benchmarks. You can use the Tanium Scan Engine (powered by JovalCM) to run a compliance report that uses the DISA SCAP Solaris benchmarks.

Scan engines

Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports. At least one scan engine is required to use Comply.

Tanium Scan Engine (powered by JovalCM) and the Amazon Corretto Java Runtime Environment (JRE) are included with Comply 2.3 and later. If you use this scan engine and JRE (or JREs that are already installed on endpoints), you do not need to upload any engines.

If you want to use a different scan engine or JRE, you can upload them to Comply. Tanium Scan Engine (which is included by default), CIS-CAT, and SCC scan engines are currently supported by Comply.

The supported versions of the scan engines are listed in the Import Engine window. Typically the most recent version plus the two previous versions are supported.

CIS-CAT and Tanium Scan Engine also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

The following JREs are supported in addition to the JREs that are provided with Comply:

  • Windows, macOS, and Linux endpoints: Java version 8 distributions provided by either Oracle or Amazon.
  • AIX endpoints: IBM JRE version 7.x or 8 (preferred). The IBM JRE is usually already installed on AIX endpoints and can be used with Comply scans.
    • AIX 7.x endpoints can also use the OpenJDK JRE with the HotSpot JVM. For more information about this package, see AdoptOpenJDK: Releases.
    • AIX 6.1 endpoints must use the IBM JRE. This JRE is usually already installed on the endpoint and the OpenJDK JRE is not supported with AIX 6.1; therefore, Comply does not deploy JREs to AIX 6.1 endpoints.
  • Solaris endpoints: Oracle JRE 7 or 8 (preferred). The Oracle JRE is usually already installed on Solaris endpoints and can be used with Comply scans.
    • You can use Comply to deploy JRE 8 only to Solaris 64-bit endpoints (only version 8 is supported for deployment through Comply).
    • You cannot use Comply to deploy a JRE to Solaris 32-bit or Solaris SPARC endpoints.

For more information, see Working with scan engines and JREs.
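The JRE rules in the list above and the PowerShell language-mode caveat can be checked on an endpoint before you deploy an engine. The script below is an added example and is not Tanium's code or part of Comply: it parses the text that `java -version` prints, applies the per-endpoint-type rules stated above, and on Windows reads the PowerShell language mode that CIS-CAT and Tanium Scan Engine depend on. The sample `java -version` outputs are constructed, and the vendor and JVM detection strings, together with the assumption that the OpenJDK/HotSpot option on AIX 7.x means Java 8, are this example's own.

```python
"""Pre-flight check for the Comply JRE and PowerShell language-mode requirements.

Added example, not Tanium's tooling. Parses `java -version` output (which Java
writes to stderr), applies the JRE rules for each endpoint type, and on Windows
queries the PowerShell language mode. Vendor/JVM detection strings and the
"AIX 7.x OpenJDK means Java 8" rule are assumptions.
"""
import re
import subprocess
import sys

# Constructed samples, modelled on what each JRE prints for `java -version`.
SAMPLE_ORACLE_8 = (
    'java version "1.8.0_281"\n'
    'Java(TM) SE Runtime Environment (build 1.8.0_281-b09)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)\n')
SAMPLE_CORRETTO_8 = (
    'openjdk version "1.8.0_282"\n'
    'OpenJDK Runtime Environment Corretto-8.282.08.1 (build 1.8.0_282-b08)\n'
    'OpenJDK 64-Bit Server VM Corretto-8.282.08.1 (build 25.282-b08, mixed mode)\n')
SAMPLE_IBM_8 = (
    'java version "1.8.0_261"\n'
    'Java(TM) SE Runtime Environment (build 8.0.6.15 - pap6480sr6fp15-20200724_01(SR6 FP15))\n'
    'IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 20200715_454658 (JIT enabled, AOT enabled)\n')
SAMPLE_OPENJDK_11 = (
    'openjdk version "11.0.10" 2021-01-19\n'
    'OpenJDK Runtime Environment (build 11.0.10+9)\n'
    'OpenJDK 64-Bit Server VM (build 11.0.10+9, mixed mode)\n')

_VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def parse_java_version(output):
    """Return (major, vendor, jvm) from `java -version` text, or None if unparseable.

    vendor: oracle | amazon | ibm | openjdk     jvm: hotspot | j9 | unknown
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    parts = m.group(1).split(".")
    # Pre-9 JREs report "1.8.0_xxx"; Java 9 and later report "11.0.10", "17.0.1", ...
    major = int(parts[1]) if parts[0] == "1" and len(parts) > 1 else int(parts[0])
    # Order matters: IBM output also says "Java(TM)", Corretto output also says "OpenJDK".
    if "IBM" in output:
        vendor = "ibm"
    elif "Corretto" in output:
        vendor = "amazon"
    elif "Java(TM)" in output:
        vendor = "oracle"
    else:
        vendor = "openjdk"
    if "J9" in output:                       # IBM J9 and Eclipse OpenJ9 builds
        jvm = "j9"
    elif "Server VM" in output or "Client VM" in output or "HotSpot" in output:
        jvm = "hotspot"
    else:
        jvm = "unknown"
    return major, vendor, jvm


def jre_meets_requirements(os_family, major, vendor, jvm):
    """Apply the JRE rules stated above. os_family: windows|macos|linux|aix6|aix7|solaris."""
    if os_family in ("windows", "macos", "linux"):
        return major == 8 and vendor in ("oracle", "amazon")
    if os_family == "aix6":                  # IBM JRE only; OpenJDK is not supported
        return vendor == "ibm" and major in (7, 8)
    if os_family == "aix7":                  # IBM JRE, or OpenJDK with HotSpot (assumed Java 8)
        return (vendor == "ibm" and major in (7, 8)) or (
            vendor == "openjdk" and jvm == "hotspot" and major == 8)
    if os_family == "solaris":
        return vendor == "oracle" and major in (7, 8)
    raise ValueError("unknown endpoint type: %s" % os_family)


def check_java(os_family, java_cmd="java"):
    """Run the real `java -version` and evaluate it; java_cmd may be the Comply-bundled java."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return {"ok": False, "reason": "cannot run %s: %s" % (java_cmd, exc)}
    parsed = parse_java_version(proc.stderr + proc.stdout)
    if parsed is None:
        return {"ok": False, "reason": "unrecognised java -version output"}
    major, vendor, jvm = parsed
    return {"ok": jre_meets_requirements(os_family, major, vendor, jvm),
            "major": major, "vendor": vendor, "jvm": jvm}


def powershell_language_mode():
    """Return the PowerShell language mode (Windows only), or None if PowerShell cannot run.

    CIS-CAT and Tanium Scan Engine do not work when this is 'ConstrainedLanguage'.
    """
    cmd = ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command",
           "$ExecutionContext.SessionState.LanguageMode"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    family = sys.argv[1] if len(sys.argv) > 1 else "linux"
    java = sys.argv[2] if len(sys.argv) > 2 else "java"
    print("JRE:", check_java(family, java))
    if family == "windows":
        mode = powershell_language_mode()
        print("PowerShell language mode:", mode,
              "(CIS-CAT and Tanium Scan Engine will not run)" if mode == "ConstrainedLanguage" else "")
```

Run it as `python preflight.py windows "C:\Program Files (x86)\Tanium\Tanium Client\Tools\Comply\jre\bin\java.exe"` to test the JRE Comply deployed rather than whatever is first on PATH. Note that a WDAC or AppLocker policy that enforces ConstrainedLanguage mode applies to every PowerShell session, so the mode reported here is the one the scan engines will see.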

Security exclusions

Specific ports and processes are needed to run Comply. If security software that monitors or blocks unknown host processes is in use in your environment, your security administrator must create exclusions so that the Tanium processes can run without interference. Comply uses third-party compliance engines to conduct compliance and vulnerability scans against supported endpoints.

Table 2:   Comply security exclusions

Target device                      Process
Module Server                      <Module Server>\services\comply-service\node.exe
                                   <Module Server>\services\comply-service\node_modules\ovalindex\ovalindex.exe
Windows endpoints                  <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe
                                   <Tanium Client>\Tools\Comply\jre\bin\java.exe
                                   <Tanium Client>\Tools\Comply\7za.exe
Linux/macOS/AIX endpoints          <Tanium Client>/Tools/Comply/TaniumExecWrapper
                                   <Tanium Client>/Tools/Comply/jre/bin/java
                                   <Tanium Client>/Tools/Comply/7za
                                   <Tanium Client>/Tools/Comply/xsltproc
Tanium Scan Engine                 <Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar
                                   <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar
CIS-CAT engine                     <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar
                                   <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh (Linux only)
                                   <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT (Windows only)
SCC engine - Windows endpoints     <Tanium Client>\Tools\Comply\scc\cscc.exe
                                   <Tanium Client>\Tools\Comply\scc\cscc32.exe
                                   <Tanium Client>\Tools\Comply\scc\cscc64.exe
                                   <Tanium Client>\Tools\Comply\scc\scc.exe
                                   <Tanium Client>\Tools\Comply\scc\scc32.exe
                                   <Tanium Client>\Tools\Comply\scc\scc64.exe
SCC engine - Linux/macOS endpoints <Tanium Client>/Tools/Comply/scc/cscc
                                   <Tanium Client>/Tools/Comply/scc/cscc.bin
                                   <Tanium Client>/Tools/Comply/scc/scc
                                   <Tanium Client>/Tools/Comply/scc/scc.bin

For remote vulnerability reports, see Tanium Discover User Guide: Host and network security requirements for Nmap security exclusions.

For best results, add a recursive security exclusion for the Tanium Client directory:

  • Windows endpoints: <Tanium Client>

    This path is usually C:\Program Files (x86)\Tanium\Tanium Client.

  • Linux endpoints: /opt/Tanium/TaniumClient

If a recursive exclusion is not possible, ensure that your exclusion for the TaniumExecWrapper process includes child processes. The path to this process is listed for each operating system in the preceding table. Some engines use child processes to run scans, and those child processes must be allowed for Comply to function.

Consult your Technical Account Manager (TAM) to confirm that the appropriate security exclusions are in place in your environment.
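To see how the documented exclusion list lines up with a particular endpoint, the following Python script is an added example (not Tanium's tooling): it walks <Tanium Client>/Tools/Comply, reports which of the Table 2 process paths are present or missing, and lists any other executables under that tree that the table does not name, which is where engine child processes surface when a recursive exclusion is not possible. The `make_sample_tree` helper builds a constructed layout for demonstration, and which file suffixes count as executable is this example's own assumption.

```python
"""Audit a Tanium Client directory against the Comply exclusion paths in Table 2.

Added example, not part of Tanium Comply. Reports which documented process paths
exist, which do not, and which other executables live under Tools/Comply without
being named in the table. Treating .exe/.bat/.jar/.sh/.bin (or the execute bit)
as "executable" is this script's own assumption.
"""
import os
import sys
import tempfile
from pathlib import Path

# Process paths from Table 2, relative to <Tanium Client>, for each path style.
# All engines are listed; an endpoint only has the engines that were deployed to it.
COMPLY_PROCESSES = {
    "windows": [
        "Tools/Comply/TaniumExecWrapper.exe",
        "Tools/Comply/jre/bin/java.exe",
        "Tools/Comply/7za.exe",
        "Tools/Comply/joval/Joval4Tanium.jar",
        "Tools/Comply/joval/Joval-Utilities.jar",
        "Tools/Comply/cis-cat/CIS-CAT.jar",
        "Tools/Comply/cis-cat/CIS-CAT.BAT",
        "Tools/Comply/scc/cscc.exe", "Tools/Comply/scc/cscc32.exe",
        "Tools/Comply/scc/cscc64.exe", "Tools/Comply/scc/scc.exe",
        "Tools/Comply/scc/scc32.exe", "Tools/Comply/scc/scc64.exe",
    ],
    "posix": [  # Linux, macOS, AIX (the SCC entries apply to Linux/macOS only)
        "Tools/Comply/TaniumExecWrapper",
        "Tools/Comply/jre/bin/java",
        "Tools/Comply/7za",
        "Tools/Comply/xsltproc",
        "Tools/Comply/joval/Joval4Tanium.jar",
        "Tools/Comply/joval/Joval-Utilities.jar",
        "Tools/Comply/cis-cat/CIS-CAT.jar",
        "Tools/Comply/cis-cat/CIS-CAT.sh",
        "Tools/Comply/scc/cscc", "Tools/Comply/scc/cscc.bin",
        "Tools/Comply/scc/scc", "Tools/Comply/scc/scc.bin",
    ],
}

EXEC_SUFFIXES = {".exe", ".bat", ".jar", ".sh", ".bin"}  # assumption, see docstring


def _looks_executable(path):
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    return os.name != "nt" and os.access(path, os.X_OK)


def audit_comply_tree(client_root, os_family, skip_jre=True):
    """Return {'present', 'missing', 'unlisted'} lists of <Tanium Client>-relative POSIX paths.

    skip_jre leaves the JRE's own bin/ helpers (keytool, javaw, ...) out of 'unlisted';
    only java itself appears in the documented list.
    """
    root = Path(client_root)
    expected = COMPLY_PROCESSES[os_family]
    present = [rel for rel in expected if (root / rel).is_file()]
    missing = [rel for rel in expected if rel not in present]
    expected_lc = {rel.lower() for rel in expected}   # NTFS is case-insensitive
    comply_dir = root / "Tools" / "Comply"
    unlisted = []
    if comply_dir.is_dir():
        for path in sorted(comply_dir.rglob("*")):
            if not path.is_file():
                continue
            if skip_jre and "jre" in path.relative_to(comply_dir).parts:
                continue
            rel = path.relative_to(root).as_posix()
            if rel.lower() not in expected_lc and _looks_executable(path):
                unlisted.append(rel)
    return {"present": present, "missing": missing, "unlisted": unlisted}


def make_sample_tree():
    """Build a constructed Windows-style layout in a temp directory for demonstration."""
    root = tempfile.mkdtemp(prefix="tanium-client-")
    for rel in ["Tools/Comply/TaniumExecWrapper.exe",
                "Tools/Comply/jre/bin/java.exe",
                "Tools/Comply/jre/bin/keytool.exe",     # JRE helper, skipped by default
                "Tools/Comply/joval/Joval4Tanium.jar",
                "Tools/Comply/joval/helper.exe",         # not in Table 2: reported as unlisted
                "Tools/Comply/readme.txt"]:              # not executable: ignored
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real endpoint: python audit.py "<Tanium Client directory>"
        root, family = sys.argv[1], ("windows" if os.name == "nt" else "posix")
    else:                   # no argument: run against the constructed sample tree
        root, family = make_sample_tree(), "windows"
    for key, items in audit_comply_tree(root, family).items():
        print("%s (%d)" % (key, len(items)))
        for item in items:
            print("   ", item)
```

Anything reported under "unlisted" is a process that the per-path exclusions in Table 2 would not cover; that is the list to review against the child-process exclusion on TaniumExecWrapper, or to fold into a recursive exclusion on the Tanium Client directory.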

User role requirements

Role-based access control (RBAC) permissions control access to the Comply workbench. Comply provides these predefined roles:

Comply Administrator

Has all privileges in Comply, including collecting support bundles and managing Comply Application Settings.

Comply Deployment Administrator

Can upload engines and distribute them via deployment; can read and write report content.

Comply Report Content Administrator

Can read and write the following:

  • Configuration compliance benchmarks
  • Vulnerability sources
  • All custom compliance and vulnerability content except custom checks

Comply Report Administrator

Can read custom report content including benchmarks, vulnerability sources, and all custom content; can read report results; only role (other than Comply Administrator) that can create and delete reports.

Comply Report Reviewer

Can read custom content, reports, and report results.

Comply Custom Check Writer

Only role (other than Comply Administrator) that can create and delete custom checks; can read custom content.

Table 3:   Comply user role privileges for Tanium 7.1.314.3071 or later

Column key: CA = Comply Administrator, DA = Comply Deployment Administrator, RCA = Comply Report Content Administrator, RA = Comply Report Administrator, RR = Comply Report Reviewer, CCW = Comply Custom Check Writer. X = privilege granted to the role; X[2] = implicit privilege.

Privilege                                      CA      DA      RCA     RA      RR      CCW
Show Comply [1]                                X[2]    X[2]    X[2]    X[2]    X[2]    X[2]
  View the Comply workbench.
Comply Admin                                   X
Comply Report Read                             X[2]                    X[2]    X
  Review report results.
Comply Report Write                            X[2]                    X
  Manage reports.
Comply Report Content Read                     X[2]    X[2]    X[2]    X[2]    X       X[2]
  Read benchmarks, custom checks, custom ID mappings, custom profiles, and vulnerability sources.
Comply Report Content Write                    X[2]    X       X
  Manage benchmarks, vulnerability sources, custom ID mappings, and custom profiles.
Comply Deployment Read                         X[2]    X[2]
Comply Deployment Write                        X[2]    X
  Manage deployments and engines.
Comply Custom Check Write                      X[2]                                    X
  Manage custom checks.

[1] To install Comply, you must have the reserved role of Administrator.

[2] Denotes an implicit permission that is provided by a privilege with a higher permission level. For example, a write permission provides an implicit read permission.




Table 4:   Provided Comply Advanced user role permissions for Tanium 7.1.314.3071 or later

Roles covered: Comply Administrator, Comply Deployment Administrator, Comply Report Content Administrator, Comply Report Administrator, Comply Report Reviewer, Comply Custom Check Writer.

Permission                         Content set for permission
Ask Dynamic Questions
Read Sensor                        Reserved
Read Sensor                        Comply Deployment
Read Sensor                        Comply Reporting
Read Action                        Comply Deployment
Read Action                        Comply Reporting
Write Action                       Comply Deployment
Write Action                       Comply Reporting
Write Action For Saved Question    Comply Reporting
Execute Plugin                     Comply
Write Package                      Comply Deployment
Write Package                      Comply Reporting
Read Saved Question                Comply Reporting
Write Saved Question               Comply Deployment
Write Saved Question               Comply Reporting

Last updated: 11/20/2019 8:32 PM