Requirements

Licensing

Comply is licensed for installation as a component of the Tanium Server. To obtain a license, contact your Tanium Technical Account Manager (TAM).

System requirements

  • Microsoft Windows 7 or later
  • Microsoft Windows Server 2008 or later
  • Red Hat Enterprise Linux and CentOS 5 through 7
  • Debian 6
  • Ubuntu 12.04, 14.04, and 16.04
  • Apple Mac OS X 10.11 and 10.12

Installation prerequisites

Before installing Comply, you need to have a service account with Tanium Administrator credentials. You must also have the Tanium Module Server running.

At least one scan engine is required to use Comply; you can upload and use more than one if desired. Comply 1.7.4 and later ships with the Joval engine; however, no content is included with that engine. You can upload other engines if required; see Importing scan engines. Comply currently supports the CIS-CAT, Joval, and SCC engines. To use CIS-CAT or Joval, you must also provide a JRE (Java Runtime Environment).

Host and network security requirements

Specific ports and processes are needed to run Comply.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Processes to exclude, by target device:

Module Server
  • <Tanium Module Server>\services\comply-service\node.exe
  • <Tanium Module Server>\services\comply-service\node_modules\ovalindex\ovalindex

Windows x86 endpoints
  • <Tanium Client>\Tools\comply\TaniumExecWrapper.exe

Windows x64 endpoints
  • <Tanium Client>\Tools\comply\TaniumExecWrapper.exe

Linux x86 endpoints
  • /opt/Tanium/TaniumClient/Tools/comply/TaniumExecWrapper

Linux x64 endpoints
  • /opt/Tanium/TaniumClient/Tools/comply/TaniumExecWrapper


Comply leverages third-party compliance engines to conduct compliance and vulnerability scans against supported endpoints. For details about third-party files that should be included in file and process exceptions, see Reference: Comply engine security exceptions.
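
A path that is excluded from monitoring should not be replaceable by unprivileged users. The following script is an added example, not Tanium code: it audits the Linux endpoint path listed above for symlinks, unexpected ownership, and group- or world-writable permissions on the file and its directory. The function name, the default expected owner (root, uid 0), and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit a path that is excluded from security monitoring.
# Linux endpoint path as listed in the security exclusions above.
COMPLY_WRAPPER="/opt/Tanium/TaniumClient/Tools/comply/TaniumExecWrapper"

# audit_excluded_path PATH [EXPECTED_UID]   (hypothetical helper name)
# Prints one line per finding; returns 0 only when there are no findings.
# EXPECTED_UID defaults to 0 (root), an assumption about the installation.
audit_excluded_path() {
    path=$1
    want_uid=${2:-0}
    findings=0

    # A symlink at an excluded path can redirect the exclusion elsewhere.
    if [ -L "$path" ]; then
        echo "FAIL $path: is a symlink"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL $path: missing or not a regular file"
        return 1
    fi

    # Check the file and its directory: a writable directory lets the
    # excluded file be swapped even when the file itself is locked down.
    for target in "$path" "$(dirname -- "$path")"; do
        uid=$(stat -c '%u' -- "$target")    # GNU stat: numeric owner
        mode=$(stat -c '%a' -- "$target")   # GNU stat: octal permissions
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $target: owner uid $uid, expected $want_uid"
            findings=$((findings + 1))
        fi
        # 022 = write bits for group and other
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $target: mode $mode is group- or world-writable"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Audit the documented path only when the script is run with "audit".
if [ "${1:-}" = "audit" ]; then
    audit_excluded_path "$COMPLY_WRAPPER" && echo "OK $COMPLY_WRAPPER"
fi
```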

User role requirements

Tanium Server 7.0

The following user roles are supported in Comply on Tanium Server 7.0:

Administrator

Has all privileges in Comply, including installing or uninstalling Comply.

Content Administrator

Has all privileges in Comply with the exception of installing or uninstalling Comply.

Question Author

Can view reports, drill down into reports, and create report exports.

Tanium Server 7.1 and later

Comply 1.4 introduces role-based access control (RBAC) permissions that control access to Comply functions.

Comply Administrator

Has all privileges in Comply, including collecting support bundles and managing Comply Application Settings.

Comply Deployment Administrator

Can upload engines and distribute them via deployment; can read and write report content.

Comply Report Content Administrator

Can read and write the following:

  • Configuration compliance benchmarks
  • Vulnerability sources
  • All custom compliance and vulnerability content except custom checks

Comply Report Administrator

Can read custom report content including benchmarks, vulnerability sources, and all custom content; can read report results; the only role (other than Comply Administrator) that can create and delete reports.

Comply Report Reviewer

Can read custom content, reports, and report results.

Comply Custom Check Writer

The only role (other than Comply Administrator) that can create and delete custom checks; can read custom content.

Table 1:   Comply user role privileges for Tanium 7.1.314.3071 or later
Privilege Comply Administrator Comply Deployment Administrator Comply Report Content Administrator Comply Report Administrator Comply Report Reviewer Comply Custom Check Writer
Show Comply1
View the Comply workbench

2

2

2

2

2

2
Comply Admin
Comply Report Read
Review report results.

2



2


Comply Report Write
Manage reports.

2





Comply Report Content Read
Read benchmarks, custom checks, custom ID mappings, custom profiles, and vulnerability sources.

2

2

2

2

2

Comply Report Content Write
Manage benchmarks, vulnerability sources, custom ID mappings, and custom profiles.

2





Comply Deployment Read
2 2
Comply Deployment Write
Manage deployments and engines.

2





Comply Custom Check Write
Manage custom checks.

2





1 To install Comply, you must have the reserved role of Administrator.

2 Denotes an implicit permission that is provided by a privilege with a higher permission level. For example, a write permission provides an implicit read permission.




Table 2:   Provided Comply Advanced user role permissions for Tanium 7.1.314.3071 or later
Permission | Content Set for Permission | Comply Administrator | Comply Deployment Administrator | Comply Report Content Administrator | Comply Report Administrator | Comply Report Reviewer | Comply Custom Check Writer
Ask Dynamic Questions |
Read Sensor | Reserved
Read Sensor | Comply Deployment
Read Sensor | Comply Reporting
Read Action | Comply Deployment
Read Action | Comply Reporting
Write Action | Comply Deployment
Write Action | Comply Reporting
Write Action For Saved Question | Comply Reporting
Execute Plugin | Comply
Write Package | Comply Deployment
Write Package | Comply Reporting
Read Saved Question | Comply Reporting
Write Saved Question | Comply Deployment
Write Saved Question | Comply Reporting

Last updated: 1/8/2019 4:51 PM