Comply requirements
Review the requirements before you install and use Comply.
In addition to a license for Comply, make sure that your environment meets the following requirements.
|Tanium Core Platform|
|Tanium™ Client||See Tanium Client User Guide: Requirements for the supported Tanium Client versions for each operating system.|
|Computer groups|| (Tanium Core Platform 7.4.2 or later only) When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Comply requires:
Supported operating systems
The following endpoint operating systems are supported with Comply.
|Operating system||OS version|
|Microsoft Windows Server||Microsoft Windows Server 2008 and later|
|Microsoft Windows Workstation||Microsoft Windows 7 and later|
|macOS||OS X 10.11 El Capitan and later|
|Linux||Debian 6 and later|
|Linux||Red Hat Enterprise Linux (RHEL) 5.x and later|
|Linux||CentOS 5.x and later|
|Linux||Ubuntu 12.04 and later|
|AIX¹||IBM AIX 6.1 TL7SP10 and later²|
|AIX¹||IBM AIX 7.1 TL1SP10 and later²|
|AIX¹||IBM AIX 7.2|
|Solaris¹||Oracle Solaris 10 SPARC³|
|Solaris¹||Oracle Solaris 10 x86³|
|Solaris¹||Oracle Solaris 11 SPARC³|
|Solaris¹||Oracle Solaris 11 x86³|
¹ Only Configuration Compliance reports are supported on AIX and Solaris endpoints.
² 64-bit only.
³ Requires SUNWgccruntime. You must use the CIS-CAT engine to run a compliance report that uses CIS benchmarks. You can use the Tanium Scan Engine (powered by JovalCM) to run a compliance report that uses the DISA SCAP Solaris benchmarks.
Scan engines are used to evaluate OVAL or SCAP content and generate configuration compliance and vulnerability reports. At least one scan engine is required to use Comply.
Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE). If you want to use this scan engine and JRE (or the existing JREs on endpoints), you do not need to upload any engines.
If you want to use a different scan engine or JRE, you can upload them to Comply. Tanium Scan Engine (which is included by default), CIS-CAT, and SCC scan engines are currently supported by Comply.
The supported versions of the scan engines are listed in the Import Engine window. Typically the most recent version plus the two previous versions are supported.
CIS-CAT and Tanium Scan Engine also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.
|Operating system||Operating system version||Supported JRE distributions and versions||Can deploy using Comply?|
|Microsoft Windows Server||Microsoft Windows Server 2008||Java version 8 distributions provided by Oracle.||Yes|
|Microsoft Windows Server 2012 and later||Yes|
|Microsoft Windows Workstation||Microsoft Windows 7 and later||Yes|
|macOS||OS X 10.11 El Capitan and later||Yes|
|Linux||Debian 5, 6, 7||Java version 7 or 8 (preferred) distributions provided by Oracle||Yes⁴|
|Debian 8 and later||Yes|
|Red Hat Enterprise Linux (RHEL) 5.x||Java version 7 or 8 (preferred) distributions provided by Oracle||Yes⁴|
|Red Hat Enterprise Linux (RHEL) 6.x and later||Yes|
|CentOS 5.x||Java version 7 or 8 (preferred) distributions provided by Oracle||Yes⁴|
|CentOS 6.x and later||Yes|
|Ubuntu 12.04 - 13.x||Java version 7 or 8 distributions provided by Oracle||Yes⁴|
|Ubuntu 14.x and later||Yes|
|AIX¹||IBM AIX 6.1 TL7SP10 and later²||IBM JRE version 7.x or 8 (preferred)||Yes³|
|IBM AIX 7.1 TL1SP10 and later²||IBM JRE version 7.x or 8 (preferred)||Yes³|
|OpenJDK JRE version 7 or 8 with the HotSpot JVM.||Yes⁴|
|IBM AIX 7.2||IBM JRE version 7.x or 8 (preferred)||Yes³|
|OpenJDK JRE version 7 or 8 with the HotSpot JVM.||Yes⁴|
|Solaris⁵||Oracle Solaris 10 SPARC||Oracle JRE 7 or 8 (preferred)||No|
|Oracle Solaris 10 x86²||Oracle JRE 7 or 8 (preferred)||Yes⁶|
|Oracle Solaris 11 SPARC||Oracle JRE 7 or 8 (preferred)||No|
|Oracle Solaris 11 x86²||Oracle JRE 7 or 8 (preferred)||Yes⁶|
¹ The IBM JRE is usually already installed on AIX endpoints. Supported versions can be used with Comply scans.
³ Only IBM JRE 8 64-bit is supported for deployment through Comply. You must repackage the JRE before it can be deployed through Comply. For details, see Repackage the IBM JRE for deployment to AIX endpoints.
⁴ Only version 8 is supported for deployment through Comply. Check the OpenJDK release site for supported service pack levels for a particular OpenJDK JRE release: AdoptOpenJDK: Latest release.
⁵ The Oracle JRE is usually already installed on Solaris endpoints. Supported versions can be used with Comply scans.
⁶ Only version 8 is supported for deployment through Comply.
For more information, see Working with scan engines and JREs.
Specific ports and processes are needed to run Comply.
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
|Module Server||<Module Server>\services\comply-service\node.exe|
|Windows endpoints||<Tanium Client>\Tools\Comply\TaniumExecWrapper.exe|
|Linux/macOS/AIX endpoints||<Tanium Client>/Tools/Comply/TaniumExecWrapper|
|Tanium Scan Engine||<Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar|
|CIS-CAT engine||<Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar|
|<Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh (Linux only)|
|<Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT (Windows only)|
|SCC engine - Windows endpoints||<Tanium Client>\Tools\Comply\scc\cscc.exe|
|SCC engine - Linux/macOS endpoints||<Tanium Client>/Tools/Comply/scc/cscc|
For remote vulnerability reports, see Tanium Discover User Guide: Host and network security requirements for Nmap security exclusions.
For best results, add a recursive security exclusion for the Tanium Client directory:
- Windows endpoints: <Tanium Client>
This path is usually C:\Program Files (x86)\Tanium\Tanium Client.
- Linux endpoints: /opt/Tanium/TaniumClient
If a recursive exclusion is not possible, ensure that your exclusion for the TaniumExecWrapper process includes child processes. The path to this process is listed for each operating system in the preceding table. Some engines use child processes to run scans, and those child processes must be allowed for Comply to function.
Consult your Technical Account Manager (TAM) to confirm that the appropriate security exclusions are in place in your environment.
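As an added example (not part of Tanium's documentation or tooling), the following shell function checks, on a Linux endpoint, which of the Comply process paths from the preceding table exist under the Tanium Client directory. It flags any file that is group- or world-writable, or that sits in such a directory, so that an exclusion is not granted to a file other local users can replace. The function name `audit_comply_paths` and its output format are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the Comply paths that a security exclusion would cover.
# Relative paths are the Linux/macOS/AIX entries from the process table;
# the function name and the output format are assumptions of this example.

# Prints "<status> <path>" per entry (ok, missing or writable) and returns 1
# if any present file, or the directory holding it, is group- or world-writable.
audit_comply_paths() {
    client_dir=${1:-/opt/Tanium/TaniumClient}   # default Linux path from the page
    result=0
    for rel in \
        Tools/Comply/TaniumExecWrapper \
        Tools/Comply/joval/Joval4Tanium.jar \
        Tools/Comply/cis-cat/CIS-CAT.jar \
        Tools/Comply/cis-cat/CIS-CAT.sh \
        Tools/Comply/scc/cscc
    do
        full="$client_dir/$rel"
        if [ ! -e "$full" ]; then
            # Engine file is not present on this endpoint.
            echo "missing  $full"
        elif [ -n "$(find -H "$full" "$(dirname "$full")" -prune \
                     \( -perm -020 -o -perm -002 \) -print)" ]; then
            # The file or its directory can be modified by group or others.
            echo "writable $full"
            result=1
        else
            echo "ok       $full"
        fi
    done
    return "$result"
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_comply_paths "$1"
fi
```

Run it as `sh audit.sh /opt/Tanium/TaniumClient` (the script file name is arbitrary); a non-zero exit status means at least one path should have its permissions tightened before the exclusion is put in place.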
|Privilege||Comply Administrator||Comply Deployment Administrator||Comply Report Content Administrator||Comply Report Administrator||Comply Report Reviewer||Comply Custom Check Writer|
View the Comply workbench
Comply Report Read
Review report results.
Comply Report Write
Comply Report Content Read
Read benchmarks, custom checks, custom ID mappings, custom profiles, and vulnerability sources.
Comply Report Content Write
Manage benchmarks, vulnerability sources, custom ID mappings, and custom profiles.
Comply Deployment Read
Comply Deployment Write
Manage deployments and engines.
Comply Custom Check Write
Manage custom checks.
1 Denotes an implicit permission that is provided by a privilege with a higher permission level. For example, a write permission provides an implicit read permission.
|Permission||Content Set for Permission||Comply Administrator||Comply Deployment Administrator||Comply Report Content Administrator||Comply Report Administrator||Comply Report Reviewer||Comply Custom Check Writer|
|Ask Dynamic Questions|
|Read Sensor||Comply Deployment|
|Read Sensor||Comply Reporting|
|Read Action||Comply Deployment|
|Read Action||Comply Reporting|
|Write Action||Comply Deployment|
|Write Action||Comply Reporting|
|Write Action For Saved Question||Comply Reporting|
|Write Package||Comply Deployment|
|Write Package||Comply Reporting|
|Read Saved Question||Comply Reporting|
|Write Saved Question||Comply Deployment|
|Write Saved Question||Comply Reporting|
Last updated: 4/9/2020 10:53 AM