Succeeding with Comply
Follow these best practices to achieve maximum value and success with Tanium Comply. These steps align with the key standards metrics: Comply coverage across endpoints and decreasing the number of endpoints with critical or high vulnerabilities.
Complete the key organizational governance steps to maximize Comply value. For more information about each task, see Gaining organizational effectiveness.
Develop a dedicated change management process.
Define distinct roles and responsibilities in a RACI chart.
Validate cross-functional organizational alignment.
Track operational metrics.
Install Tanium Connect. See Tanium Connect User Guide: Installing Connect.
Install Tanium Patch. See Tanium Patch User Guide: Installing Patch.
Install Tanium Comply. See Installing Comply.
Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.
Install Tanium Client Management and Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing.
Import the Comply board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery. If you installed Trends using the Apply Tanium recommended configurations option, the Comply board is automatically imported after the Comply service account is configured.
Create computer groups for use in reports that include your supported Windows, macOS, Linux, AIX, and Solaris endpoints. See Tanium Console User Guide: Create computer groups.
Configure the Comply service account. See Configure the service account.
If you install Comply using the Tanium Recommended Installation workflow, the service account is automatically set to the account that you used to install Comply.
Define the criteria for testing groups. These can be the computer groups that you created when you configured Comply, or the groups that were created automatically if you installed Comply using the Apply All Tanium recommended configurations option.
Define the success criteria and timelines for your testing.
Define your production rollout of Comply. Do you want a phased rollout, or do you want to target all of your production endpoints at the same time?
Create deployments based on the architecture and platform of the targeted endpoints. Deploy each new deployment to begin distributing the Comply tools and scan engines to targeted endpoints. See Setting up endpoints.
If needed, upload additional supported configuration compliance standards. See Importing individual standards and assigning categories.
If needed, configure additional vulnerability sources. See Create a new vulnerability source.
Create a configuration compliance assessment that uses the Tanium Certified Standards and targets enterprise endpoints. See Creating compliance assessments.
Create a vulnerability assessment that uses the Tanium Vulnerability Library vulnerability definitions and targets enterprise endpoints. See Creating vulnerability assessments.
Wait for the assessments to complete.
Remote authenticated scanning uses Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed. This scan type is useful for obtaining information from endpoints and subnets that do not support having the Tanium Client installed.
Install all Tanium solutions required for remote authenticated scanning. See Remote authenticated scanning requirements.
Configure RBAC permissions for creating remote authenticated scans. The Comply RAS Assessment Creator RBAC role is required. See User role requirements.
Create satellites in Tanium Direct Connect. See Tanium Direct Connect User Guide: Managing satellites.
Endpoints that are used as satellites should have 16 gigabytes (GB) of RAM and 4 CPUs.
Running remote authenticated scans from AIX or Solaris satellites is not supported at this time.
Using a zone server as a satellite is not supported at this time.
Create Tanium Discover satellite scans. See Tanium Discover User Guide: Running satellite scans.
Promote interfaces to Tanium Data Service (TDS) in Tanium Discover. See Tanium Discover User Guide: Managing interfaces.
If an endpoint does not match Tanium Discover's Promote Unmanaged Interface label, that endpoint is not promoted to TDS. If an endpoint is not promoted to TDS, it cannot be scanned by Comply.
Configure credentials in Tanium Comply. See Configure credentials lists for remote-authenticated scans.
Use as few sets of credentials as possible in any credential list used for satellite scans. The more credentials you use, the greater the risk that credentials fail and trigger security alerts or account lockouts.
Create compliance and vulnerability remote authenticated scan assessments that use satellites to scan unmanaged endpoints. See Configure a remote-authenticated scan assessment.
Wait for the assessments to complete.
Create a configuration compliance report that uses the Tanium Certified Standards and targets enterprise endpoints. See Create reports from findings.
Create a vulnerability report that uses the Tanium Vulnerability Library vulnerability definitions and targets enterprise endpoints. See Create reports from findings.
Wait for the reports to complete.
If needed, use Tanium Connect to export data from vulnerability reports. See Tanium Comply User Guide.
From the Trends menu, click Boards and then click Comply to view the Coverage, Is Compliant, and Is Vulnerable panels.
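The two metrics this page is built around, coverage across endpoints and a decreasing number of endpoints with critical or high vulnerabilities, can also be tracked from exported report data outside the Trends board. The following is an added example, not Tanium's own code: it assumes a Connect export of a vulnerability report as CSV with the columns Computer Name, Finding ID and Severity, and the inventory list, finding IDs and rows are all constructed for the illustration.

```python
"""Compute Comply success metrics from two exported vulnerability reports.

Added example, not Tanium's code. The CSV column layout (Computer Name,
Finding ID, Severity), the inventory and the finding IDs are assumptions
constructed for this illustration; a real export may use different columns.
"""
import csv
import io

# Constructed: the computer group the vulnerability assessment targets.
INVENTORY = ["ws-001", "ws-002", "ws-003", "srv-db01", "srv-web01"]

# Constructed: export from the previous report run. A row with empty
# Finding ID and Severity means the endpoint was scanned and had no findings.
EXPORT_PREVIOUS = """Computer Name,Finding ID,Severity
ws-001,VULN-PLACEHOLDER-1,Critical
ws-002,VULN-PLACEHOLDER-2,High
ws-003,VULN-PLACEHOLDER-3,Medium
srv-db01,VULN-PLACEHOLDER-1,Critical
"""

# Constructed: export from the current report run (srv-web01 now scanned).
EXPORT_CURRENT = """Computer Name,Finding ID,Severity
ws-001,VULN-PLACEHOLDER-3,Medium
ws-002,VULN-PLACEHOLDER-2,High
ws-003,VULN-PLACEHOLDER-3,Medium
srv-db01,,
srv-web01,VULN-PLACEHOLDER-4,Critical
"""


def parse_export(text):
    """Map each scanned endpoint to the set of severities found on it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["Computer Name"].strip()
        severities = findings.setdefault(name, set())
        severity = row["Severity"].strip().lower()
        if severity:
            severities.add(severity)
    return findings


def coverage(findings, inventory):
    """Fraction of the inventory that appears in the export, i.e. was scanned."""
    if not inventory:
        return 0.0
    scanned = set(findings) & set(inventory)
    return len(scanned) / len(inventory)


def critical_or_high(findings):
    """Endpoints with at least one critical or high finding, sorted by name."""
    return sorted(name for name, sevs in findings.items()
                  if sevs & {"critical", "high"})


def metrics(text, inventory):
    """Coverage, critical/high endpoint list and unscanned endpoints for one export."""
    findings = parse_export(text)
    return {
        "coverage": coverage(findings, inventory),
        "critical_or_high": critical_or_high(findings),
        "unscanned": sorted(set(inventory) - set(findings)),
    }


def trend(previous_text, current_text, inventory):
    """Compare two exports: the deltas are what the Trends board charts over time."""
    prev = metrics(previous_text, inventory)
    cur = metrics(current_text, inventory)
    prev_bad, cur_bad = set(prev["critical_or_high"]), set(cur["critical_or_high"])
    return {
        "coverage_delta": cur["coverage"] - prev["coverage"],
        "critical_or_high_delta": len(cur_bad) - len(prev_bad),
        "remediated": sorted(prev_bad - cur_bad),
        "newly_exposed": sorted(cur_bad - prev_bad),
    }


if __name__ == "__main__":
    print(metrics(EXPORT_CURRENT, INVENTORY))
    print(trend(EXPORT_PREVIOUS, EXPORT_CURRENT, INVENTORY))
```

The script treats an endpoint as covered only if it appears in the export at all, so an endpoint that never checked in is reported under unscanned rather than silently counted as clean; the trend output separates endpoints that dropped off the critical/high list from endpoints that newly joined it, which is the distinction a patching team needs when the headline count moves.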
Last updated: 5/12/2022 2:35 PM