Comply requirements

Review the requirements before you install and use Comply.

Tanium dependencies

In addition to a license for Comply, make sure that your environment meets the following requirements.

Component | Requirement
Tanium Core Platform
  • 7.2.314.2831 or later
  • 7.3.314.3668 or later
  • 7.4.1.1939 or later
Tanium™ Client

  • Windows, macOS, Linux, and Solaris endpoints: Any of the supported Tanium Client versions for the operating system.

    For specific client versions, see Tanium Client User Guide: Requirements

  • AIX endpoints: 7.2.314.3518 or later

Computer groups
(Tanium Core Platform 7.4.2 or later only) When you first log in to the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Comply requires:
  • All Computers
  • All Windows 10
  • All Windows Server 2012 R2
  • All Windows Server 2016
  • All Windows Server 2019
  • All Red Hat 7
  • All Red Hat 8
  • All Ubuntu 18
  • All Ubuntu 19
  • All CentOS 7
  • All CentOS 8
  • All macOS 10.14
  • All macOS 10.15

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Comply.

| Operating system | OS version |
|---|---|
| Microsoft Windows Server | Microsoft Windows Server 2008 and later |
| Microsoft Windows Workstation | Microsoft Windows 7 and later |
| macOS | OS X 10.11 El Capitan and later |
| Linux | Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03) |
| | Amazon Linux 2 LTS |
| | Debian 5 and later |
| | Oracle Enterprise Linux 5.x and later |
| | Red Hat Enterprise Linux (RHEL) 5.x and later |
| | CentOS 5.x and later |
| | SUSE Linux Enterprise Server (SLES) 11.x and later |
| | Ubuntu 12.04 and later |
| AIX¹ | IBM AIX 6.1 TL7SP10 and later² |
| | IBM AIX 7.1 TL1SP10 and later² |
| | IBM AIX 7.2 |
| Solaris¹ | Oracle Solaris 10 SPARC³ |
| | Oracle Solaris 10 x86³ |
| | Oracle Solaris 11 SPARC³ |
| | Oracle Solaris 11 x86³ |

¹ Only Configuration Compliance reports are supported on AIX and Solaris endpoints.

² 64-bit only.

³ Requires SUNWgccruntime. You must use the CIS-CAT engine to run a compliance report that uses CIS benchmarks. You can use the Tanium Scan Engine (powered by JovalCM) to run a compliance report that uses the DISA SCAP Solaris benchmarks.

Disk space requirements

Endpoints must have at least 200 megabytes (MB) available in free disk space.

Scan engines

A scan engine evaluates endpoints for security configuration exposures and software vulnerabilities using industry standard security benchmarks, vulnerability definitions, and custom compliance checks.

In Comply, the scan engine evaluates Open Vulnerability Assessment Language (OVAL) or Security Content Automation Protocol (SCAP) content to determine endpoint compliance and vulnerability status. Comply generates reports based on the results of this evaluation by the scan engine.

At least one scan engine is required to use Comply. Comply 2.3 and later includes Tanium Scan Engine (powered by JovalCM) and Amazon Corretto Java Runtime Environment (JRE). Most organizations can use the Tanium Scan Engine and Amazon Corretto JRE and do not need to upload any scan engines or JREs.

If needed, you can upload other scan engines to Comply. Comply supports the Tanium Scan Engine (which is included by default), SCC (used by the United States government), and CIS-CAT scan engines. The supported versions of the scan engines are listed in the Import Engine window and on this page: Reference: Supported engines and JREs. Typically the most recent version plus the two previous versions are supported.

The Amazon Corretto JRE is not currently supported on some distributions of Linux, AIX, and Solaris. If you need to run a scan on an endpoint with one of these operating systems and do not want to use the existing JRE on the endpoint, you can upload a JRE to Comply. For best results, use Comply to install a JRE (rather than using the existing JRE on the endpoint) so that you know which JRE is used to run scans.

Tanium Scan Engine and CIS-CAT also require PowerShell and do not work if PowerShell is in the ConstrainedLanguage language mode.

| Operating system | Operating system version | Supported JRE distributions and versions | Can deploy using Comply? |
|---|---|---|---|
| Microsoft Windows Server | Microsoft Windows Server 2008 and 2008 R2 | Java version 8 distribution provided with Comply | Yes |
| | Microsoft Windows Server 2012 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Microsoft Windows Workstation | Microsoft Windows 7 and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| macOS | OS X 10.11 El Capitan and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| Linux | Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03) | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| | Amazon Linux 2 LTS | JRE provided with Comply; Java version 8 distributions provided by Amazon | Yes |
| | Debian 5.x, 6.x, 7.x | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes⁶ |
| | Debian 8.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | Oracle Enterprise Linux 5.x and later | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes⁶ |
| | Red Hat Enterprise Linux (RHEL) 5.x | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes⁶ |
| | Red Hat Enterprise Linux (RHEL) 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | CentOS 5.x | Java version 7 or 8 (preferred) distributions provided by Oracle | Yes⁶ |
| | CentOS 6.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | SUSE Linux Enterprise Server (SLES) 11.x | Java version 7 or 8 distributions provided by Oracle | Yes⁶ |
| | SUSE Linux Enterprise Server (SLES) 12.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| | Ubuntu 12.04 - 13.x | Java version 7 or 8 distributions provided by Oracle | Yes⁶ |
| | Ubuntu 14.x and later | JRE provided with Comply; Java version 8 distributions provided by either Oracle or Amazon | Yes |
| AIX¹ | IBM AIX 6.1 TL7SP10 and later² | IBM JRE version 7.x or 8 (preferred) | Yes³ |
| | IBM AIX 7.1 TL1SP10 and later² | IBM JRE version 7.x or 8 (preferred) | Yes³ |
| | | OpenJDK JRE version 7 or 8 with the HotSpot JVM | Yes⁴ |
| | IBM AIX 7.2 | IBM JRE version 7.x or 8 (preferred) | Yes³ |
| | | OpenJDK JRE version 7 or 8 with the HotSpot JVM | Yes⁴ |
| Solaris⁵ | Oracle Solaris 10 SPARC | Oracle JRE 7 or 8 (preferred) | Yes⁶ |
| | Oracle Solaris 10 x86² | Oracle JRE 7 or 8 (preferred) | Yes⁶ |
| | Oracle Solaris 11 SPARC | Oracle JRE 7 or 8 (preferred) | Yes⁶ |
| | Oracle Solaris 11 x86² | Oracle JRE 7 or 8 (preferred) | Yes⁶ |

¹ The IBM JRE is usually already installed on AIX endpoints. Supported versions can be used with Comply scans.

² 64-bit only.

³ Only IBM JRE 8 64-bit is supported for deployment through Comply. You must repackage the JRE before it can be deployed through Comply. For details, see Repackage the IBM JRE for deployment to AIX endpoints.

⁴ Only version 8 is supported for deployment through Comply. Check the OpenJDK release site for supported service pack levels for a particular OpenJDK JRE release: AdoptOpenJDK: Latest release.

⁵ The Oracle JRE is usually already installed on Solaris endpoints. Supported versions can be used with Comply scans.

⁶ Only version 8 is supported for deployment through Comply.

For more information, see Working with scan engines and JREs.

Host and network security requirements

Specific processes are needed to run Comply.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Table 1:   Comply security exclusions

| Target Device | Notes | Process |
|---|---|---|
| Module Server | | <Module Server>\services\comply-service\node.exe |
| | | <Module Server>\services\comply-service\node_modules\ovalindex\ovalindex.exe |
| Windows endpoints | | <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe |
| | | <Tanium Client>\Tools\Comply\jre\bin\java.exe |
| | | <Tanium Client>\Tools\Comply\7za.exe |
| Linux/macOS/AIX endpoints | | <Tanium Client>/Tools/Comply/TaniumExecWrapper |
| | | <Tanium Client>/Tools/Comply/jre/bin/java |
| | | <Tanium Client>/Tools/Comply/7za |
| | | <Tanium Client>/Tools/Comply/xsltproc |
| Tanium Scan Engine | | <Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar |
| | | <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar |
| CIS-CAT engine | | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar |
| | Linux only | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh |
| | Windows only | <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT |
| SCC engine - Windows endpoints | | <Tanium Client>\Tools\Comply\scc\cscc.exe |
| | | <Tanium Client>\Tools\Comply\scc\cscc32.exe |
| | | <Tanium Client>\Tools\Comply\scc\cscc64.exe |
| | | <Tanium Client>\Tools\Comply\scc\scc.exe |
| | | <Tanium Client>\Tools\Comply\scc\scc32.exe |
| | | <Tanium Client>\Tools\Comply\scc\scc64.exe |
| SCC engine - Linux/macOS endpoints | | <Tanium Client>/Tools/Comply/scc/cscc |
| | | <Tanium Client>/Tools/Comply/scc/cscc.bin |
| | | <Tanium Client>/Tools/Comply/scc/scc |
| | | <Tanium Client>/Tools/Comply/scc/scc.bin |

For remote vulnerability reports, see Tanium Discover User Guide: Host and network security requirements for Nmap security exclusions.

For best results, add a recursive security exclusion for the Tanium Client directory:

  • Windows endpoints: <Tanium Client>

    This path is usually C:\Program Files (x86)\Tanium\Tanium Client.

  • Linux endpoints: /opt/Tanium/TaniumClient

If a recursive exclusion is not possible, ensure that your exclusion for the TaniumExecWrapper process includes child processes. The path to this process is listed for each operating system in the preceding table. Some engines use child processes to run scans, and those child processes must be allowed for Comply to function.
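
As an added example (not part of the Tanium documentation), the following shell functions check a Linux or macOS endpoint against two points on this page: the 200 MB free disk space requirement and the Comply paths named in the exclusions table. The test for paths writable by group or others is an added hardening check and an assumption of this example, on the reasoning that files in an excluded location are not inspected by the security software; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks for a Linux/macOS endpoint. Relative paths are taken
# from the exclusions table; the writability test is an added hardening
# check (assumption), not a documented Tanium requirement.

MIN_FREE_MB=200   # free disk space the page requires on endpoints

# Comply processes and engine files listed for Linux/macOS endpoints,
# relative to the Tanium Client directory (for example /opt/Tanium/TaniumClient).
COMPLY_PATHS="Tools/Comply/TaniumExecWrapper
Tools/Comply/jre/bin/java
Tools/Comply/7za
Tools/Comply/xsltproc
Tools/Comply/joval/Joval4Tanium.jar
Tools/Comply/joval/Joval-Utilities.jar
Tools/Comply/cis-cat/CIS-CAT.jar
Tools/Comply/cis-cat/CIS-CAT.sh
Tools/Comply/scc/cscc
Tools/Comply/scc/cscc.bin
Tools/Comply/scc/scc
Tools/Comply/scc/scc.bin"

# free_mb DIR: free space in MB on the filesystem that holds DIR.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# has_min_free DIR [MIN_MB]: succeeds when DIR has at least MIN_MB free.
has_min_free() {
    [ "$(free_mb "$1")" -ge "${2:-$MIN_FREE_MB}" ]
}

# writable_excluded CLIENT_DIR: print each listed path (and the Comply
# directory itself) that exists and is writable by group or others.
writable_excluded() {
    client_dir=$1
    printf '%s\n' "Tools/Comply" "$COMPLY_PATHS" | while IFS= read -r rel; do
        [ -e "$client_dir/$rel" ] || continue
        find "$client_dir/$rel" -prune \( -perm -0020 -o -perm -0002 \) -print
    done
}

# Report only when a Tanium Client directory is passed as the first argument.
if [ -n "${1:-}" ]; then
    has_min_free "$1" || echo "less than ${MIN_FREE_MB} MB free under $1"
    writable_excluded "$1" | sed 's/^/writable by group or others: /'
fi
```

Run it with the Tanium Client directory as the only argument; no output means both checks passed.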

User role requirements

The following tables list the role permissions required to use Comply. For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Table 3:   Comply user role permissions
Privilege | Comply Administrator | Comply Operator | Comply Deployment Administrator | Comply Report Content Administrator | Comply Report Administrator | Comply Report Reviewer | Comply Custom Check Writer
Show Comply
View the Comply workbench

1

1

1

1

1

1

1
Comply Report Read
Review report results.

1

1



1


Comply Report Write
Manage reports.

1

1





Comply Report Content Read
Read benchmarks, custom checks, custom ID mappings, custom profiles, and vulnerability sources.

1

1

1

1

1

1

Comply Report Content Write
Manage benchmarks, vulnerability sources, custom ID mappings, and custom profiles.

1

1





Comply Deployment Read
111
Comply Deployment Write
Manage deployments and engines.

1

1





Comply Custom Check Write
Manage custom checks.

1

1





Trends API Board Read
View boards, sections, and panels for specified content sets.

1






Trends API Board Write
Create, edit, delete, and configure boards, sections, and panels for specified content sets.

1






Trends API Source Read
View boards, sections, and panels for specified content sets.

1






Trends API Source Write
View boards, sections, and panels for specified content sets.

1






Trends Data Read
Run data queries against sources.

1






Trends Integration Service Account
Provides access for module service accounts to read and write data, and to define sources and boards.







Trends Import
Import from file or gallery.

1






1 Denotes an implicit permission that is provided by a privilege with a higher permission level. For example, a write permission provides an implicit read permission.




Table 4:   Provided Comply Advanced user role permissions for Tanium 7.1.314.3071 or later
| Permission | Content Set for Permission | Comply Administrator | Comply Operator | Comply Deployment Administrator | Comply Report Content Administrator | Comply Report Administrator | Comply Report Reviewer | Comply Custom Check Writer |
|---|---|---|---|---|---|---|---|---|
| Ask Dynamic Questions | |
| Read Sensor | Reserved |
| Read Sensor | Comply Deployment |
| Read Sensor | Comply Reporting |
| Read Action | Comply Deployment |
| Read Action | Comply Reporting |
| Write Action | Comply Deployment |
| Write Action | Comply Reporting |
| Write Action For Saved Question | Comply Reporting |
| Execute Plugin | Comply |
| Write Package | Comply Deployment |
| Write Package | Comply Reporting |
| Read Saved Question | Comply Reporting |
| Write Saved Question | Comply Deployment |
| Write Saved Question | Comply Reporting |