Requirements

Licensing

Comply is licensed for installation as a component of the Tanium Server. To obtain a license, see your Tanium Technical Account Manager (TAM).

System requirements

  • Microsoft Windows 7 or later
  • Microsoft Windows Server 2008 or later
  • Red Hat Enterprise Linux and CentOS 5 through 7
  • Debian 6
  • Ubuntu 12.04, 14.04, and 16.04
  • Mac OS X El Capitan 10.11 and macOS Sierra 10.2

Installation prerequisites

Before installing Comply, you need a service account with Tanium Administrator credentials. The Tanium Module Server must also be running.

At least one scan engine is required to use Comply, but more than one can be uploaded and used if desired. Comply 1.7.4 and later ships with the Joval engine; however, there is no content included with that engine. You can upload other engines if required. See Importing scan engines. CIS-CAT, Joval, and SCC engines are currently supported by Comply. To use CIS-CAT or Joval, a JRE (Java Runtime Environment) must also be provided.

Security exclusions

Specific ports and processes are needed to run Comply. If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. Comply leverages third-party compliance engines to conduct compliance and vulnerability scans against supported endpoints.

Table 1: Comply security exclusions
Target Device | Process
Windows Module Server
  • <TMS>\services\comply-service\node.exe
  • <TMS>\services\comply-service\node_modules\ovalindex\ovalindex
Windows endpoint computers
  • <Tanium Client>\Tools\Comply\TaniumExecWrapper.exe
  • <Tanium Client>\Tools\Comply\jre<version>\bin\java.exe
  • <Tanium Client>\Tools\Comply\7za.exe
Linux/macOS endpoint computers
  • <Tanium Client>/Tools/Comply/TaniumExecWrapper
  • <Tanium Client>/Tools/Comply/jre<version>/bin/java
  • <Tanium Client>/Tools/Comply/7za
JovalCM engine
  • <Tanium Client>/Tools/Comply/joval/Joval4Tanium.jar
  • <Tanium Client>/Tools/Comply/joval/Joval-Utilities.jar
CIS-CAT engine
  • <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.jar
  • <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.sh (Linux only)
  • <Tanium Client>/Tools/Comply/cis-cat/CIS-CAT.BAT (Windows only)
SCC engine

Windows endpoint computers

  • <Tanium Client>\Tools\Comply\scc\cscc.exe
  • <Tanium Client>\Tools\Comply\scc\cscc32.exe
  • <Tanium Client>\Tools\Comply\scc\cscc64.exe
  • <Tanium Client>\Tools\Comply\scc\scc.exe
  • <Tanium Client>\Tools\Comply\scc\scc32.exe
  • <Tanium Client>\Tools\Comply\scc\scc64.exe

Linux/macOS endpoint computers

  • <Tanium Client>/Tools/Comply/scc/cscc
  • <Tanium Client>/Tools/Comply/scc/cscc.bin
  • <Tanium Client>/Tools/Comply/scc/scc
  • <Tanium Client>/Tools/Comply/scc/scc.bin

For remote vulnerability reports, see Tanium Discover User Guide: Host and network security requirements for Nmap security exclusions.
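
A check a security administrator might run on a Linux or macOS endpoint before approving the Table 1 exclusions, as an added example (not Tanium code): it reports whether each excluded file, or any directory above it inside the client folder, is writable by group or other, because an excluded path that non-administrators can modify undermines the exclusion. The client directory is supplied as an argument, and matching the `jre<version>` folder by its `jre` prefix is an assumption.

```python
import os
import sys

# Linux/macOS entries from Table 1, relative to the Tanium Client directory.
EXCLUDED = [
    "Tools/Comply/TaniumExecWrapper", "Tools/Comply/7za",
    "Tools/Comply/joval/Joval4Tanium.jar", "Tools/Comply/joval/Joval-Utilities.jar",
    "Tools/Comply/cis-cat/CIS-CAT.jar", "Tools/Comply/cis-cat/CIS-CAT.sh",
    "Tools/Comply/scc/cscc", "Tools/Comply/scc/cscc.bin",
    "Tools/Comply/scc/scc", "Tools/Comply/scc/scc.bin",
]
LOOSE = 0o022  # group-write or other-write permission bits


def jre_java_paths(client_dir):
    """Expand the jre<version>/bin/java entry to the JRE folders actually present."""
    comply = os.path.join(client_dir, "Tools", "Comply")
    if not os.path.isdir(comply):
        return []
    # Assumption: the bundled JRE folder name starts with "jre".
    return [f"Tools/Comply/{d}/bin/java"
            for d in sorted(os.listdir(comply)) if d.startswith("jre")]


def audit_exclusions(client_dir):
    """Map each excluded path to 'absent', 'symlink', 'ok' or 'writable: <path>'."""
    report = {}
    for rel in EXCLUDED + jre_java_paths(client_dir):
        parts = rel.split("/")
        # The file itself plus every directory from client_dir down to it.
        chain = [os.path.join(client_dir, *parts[:i]) for i in range(len(parts) + 1)]
        if not os.path.lexists(chain[-1]):
            report[rel] = "absent"   # engine not deployed on this endpoint
        elif os.path.islink(chain[-1]):
            report[rel] = "symlink"  # needs manual review of the link target
        else:
            loose = [p for p in chain if os.stat(p).st_mode & LOOSE]
            report[rel] = f"writable: {loose[0]}" if loose else "ok"
    return report


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_exclusions.py <Tanium Client directory>")
    for path, status in audit_exclusions(sys.argv[1]).items():
        print(f"{status:<10} {path}")
```

Entries reported as `absent` belong to engines that are not deployed on that endpoint, so their exclusions can be left out.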

User role requirements

Tanium Server 7.0

The following user roles are supported in Comply on Tanium Server 7.0:

Administrator

Has all privileges in Comply, including installing or uninstalling Comply.

Content Administrator

Has all privileges in Comply with the exception of installing or uninstalling Comply.

Question Author

Can view reports, drill down into reports, and create report exports.

Tanium Server 7.1 and later

Comply 1.4 introduces role-based access control (RBAC) permissions that control access to Comply functions.

Comply Administrator

Has all privileges in Comply, including collecting support bundles and managing Comply Application Settings.

Comply Deployment Administrator

Can upload engines and distribute them via deployment; can read and write report content.

Comply Report Content Administrator

Can read and write the following:

  • Configuration compliance benchmarks
  • Vulnerability sources
  • All custom compliance and vulnerability content except custom checks

Comply Report Administrator

Can read custom report content including benchmarks, vulnerability sources, and all custom content; can read report results; only role (other than Comply Administrator) that can create and delete reports.

Comply Report Reviewer

Can read custom content, reports, and report results.

Comply Custom Check Writer

Only role (other than Comply Administrator) that can create and delete custom checks; can read custom content.

Table 2: Comply user role privileges for Tanium 7.1.314.3071 or later

Role columns: Comply Administrator, Comply Deployment Administrator, Comply Report Content Administrator, Comply Report Administrator, Comply Report Reviewer, Comply Custom Check Writer

  • Show Comply (footnote 1): View the Comply workbench. Marked with footnote 2 in all six role columns.
  • Comply Admin
  • Comply Report Read: Review report results. Marked with footnote 2 in two role columns.
  • Comply Report Write: Manage reports. Marked with footnote 2 in one role column.
  • Comply Report Content Read: Read benchmarks, custom checks, custom ID mappings, custom profiles, and vulnerability sources. Marked with footnote 2 in five role columns.
  • Comply Report Content Write: Manage benchmarks, vulnerability sources, custom ID mappings, and custom profiles. Marked with footnote 2 in one role column.
  • Comply Deployment Read: Marked with footnote 2 in two role columns.
  • Comply Deployment Write: Manage deployments and engines. Marked with footnote 2 in one role column.
  • Comply Custom Check Write: Manage custom checks. Marked with footnote 2 in one role column.

1 To install Comply, you must have the reserved role of Administrator.

2 Denotes an implicit permission that is provided by a privilege with a higher permission level. For example, a write permission provides an implicit read permission.




Table 3: Provided Comply Advanced user role permissions for Tanium 7.1.314.3071 or later

Columns: Permission, Content Set for Permission, Comply Administrator, Comply Deployment Administrator, Comply Report Content Administrator, Comply Report Administrator, Comply Report Reviewer, Comply Custom Check Writer

Permission | Content Set for Permission
Ask Dynamic Questions |
Read Sensor | Reserved
Read Sensor | Comply Deployment
Read Sensor | Comply Reporting
Read Action | Comply Deployment
Read Action | Comply Reporting
Write Action | Comply Deployment
Write Action | Comply Reporting
Write Action For Saved Question | Comply Reporting
Execute Plugin | Comply
Write Package | Comply Deployment
Write Package | Comply Reporting
Read Saved Question | Comply Reporting
Write Saved Question | Comply Deployment
Write Saved Question | Comply Reporting

Last updated: 5/7/2019 6:16 PM