Troubleshooting

Do not manually delete any Tanium content that includes Comply in the name for any reason. Deleting Tanium content can cause Comply to stop working correctly.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Comply Home page, click Help , then the Troubleshooting tab. Select the solutions for which to gather troubleshooting packages. All available solutions are selected by default.
  2. Click Create Package.
  3. When the packages are ready, click Download Support Bundle.
    A productname-support.[timestamp].zip file downloads to the local download directory for each selected package.

    Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.

  4. Contact Tanium Support to determine the best option to send the ZIP file(s). For more information, see Contact Tanium Support.

Locate log files

You might need to locate log files on your endpoint or on the Tanium Module Server for troubleshooting purposes when working with technical support.

Endpoint log files

Comply log files are created on endpoints at the following path: <Tanium Client>\extensions\comply\data\results\<scan name>\*-stdout.txt

Tanium Module Server log files

Comply log files are created on the Tanium Module Server at the following path: <Module Server>\services\comply-service\logs

Service log files are found here.

Java tool options when executing java

Starting with Comply 2.14, JAVA_TOOL_OPTIONS has the following config setting.

CX.comply.UseSystemJavaToolsOption Use the system environment variable JAVA_TOOL_OPTIONS when executing java. The default is 1. Set to 0 and ComplyCX will ignore any system set JAVA_TOOL_OPTIONS environment variable.

Scans do not run as expected

Comply cannot run scans or clean up old results on endpoints with actions locks turned on. See Tanium Console User Guide: Managing action locks.

Update the Tanium Vulnerability Library for CVSS v3 support

Starting with Comply 2.13, Tanium Vulnerability Library files on content.tanium.com now support CVSS v3. If you are upgrading from a previous version, and If you have disabled recurring updates or are running in airgap mode, you must manually upgrade to the latest TVL for Comply features to function properly. See Upload the Tanium Vulnerability Library files for instructions.

After upgrading to Comply 2.13, uUntil the TVL is updated based on the configured update schedule, a message may appear in the Tanium Console instructing you to upgrade to the latest TVL.

Restart Connect service after upgrade

It is recommended that you restart the Connect service after upgrading to Comply 2.13.

RBAC synchronization with SUS adoption after upgrade

In Comply 2.12, the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Consequently, after upgrading to Comply 2.12, it might take time for the database migration to complete and for RBAC privileges and other updates to sync properly. This could lead to issues and error messages when first querying the Tanium Console. These issues should resolve on their own after a few minutes, but could take longer depending on system resources and the amount of data to migrate.

Remote authenticated scans fail on ESXi devices

With Joval 6.4.2, RAS scans of ESXi devices fail when using a self-signed certificate that is not from a trusted certificate authority. In previous versions of Joval, the TLS certificate provided by the endpoint was not authenticated. This behavior changed in Joval 6.4.2 and now trusted certificates must be used.

If RAS scans are failing on ESXI devices for this reason, you have the option to disable TLS validation. You can accomplish this by deploying a package to modify Tanium client settings on the satellite or by logging into the satellite directly and using a command line flag to restore the previous Joval behavior.

  • Option 1: Disable Joval TLS validation on the satellite by deploying the Modify Tanium Client Setting package and setting CX.comply.RasDisableTlsValidation to 1

  • Option 2: Log into the satellite performing the RAS scan and enter the following from a command line: ./TaniumClient config set CX.comply.RasDisableTlsValidation 1

Results directory on endpoint after upgrade

When upgrading to Comply 2.11, the Tools/Comply/results directory on the endpoint is migrated to extensions/comply/data/results.

By default the legacy results will remain for 7 days unless they are migrated by the service and there is an ECF configuration

Note that the Tools/Comply/results and Tools/Comply/benchmarks folders are automatically deleted after 30 days.

Incomplete findings for endpoints after upgrade

After upgrading Tanium Comply, while tools are deploying and data is migrating, it may take time for Findings to be complete.

Incorrect or missing findings for reports with custom profiles after upgrade

After upgrading Tanium Comply, compliance reports from previous versions are automatically migrated to assessments. If you had compliance reports that used custom profiles or tailoring files, you must re-deploy those assessments after upgrading. Otherwise, the corresponding findings may be missing or displayed correctly.

You may need to disable Hide error results from questions in User Preferences to validate that you have missing or incorrect findings.

Ensure Comply tools on the endpoints have been upgraded to the latest version before re-deploying assessments.

Missing vulnerability reports after upgrade

After upgrading from Comply 2.9 to a later version of Comply, compliance reports are migrated to the new version but vulnerability reports are not. This is intended due to the inability to ensure that query filters would provide the same results in newer versions of Comply that were seen in Comply 2.9 and earlier reports. Instead, there are some high-level, OS-based vulnerability reports provided with Comply 2.10 and later.

Deployments do not run as expected

Check for the following error messages if a deployment does not run as expected:

Some machines included in this deployment cannot be deployed to.

Ensure that targeted endpoints have enough disk space to accommodate deployments.

Some machines included in this deployment don't have the system utilities required to complete a scan.

Linux or macOS endpoints do not have the UNIX utilities installed that are required for Comply to work correctly.

License expiration impact

Comply will not operate with an expired license. Update the license to restore functionality.

There is a 30 day grace period before Comply stops operating.

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Comply installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Comply installs and uses, see Client extensions.

  1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Comply - Tools Version sensor.

    The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

    Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

  2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Comply tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

    Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

  3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

    Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Comply from all machines with Endpoint Configuration - Tools Status:Tool Name contains Comply

    Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

    Error ConditionPossible Resolution
    No error appears, but an available new version has not been installed

    Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons:

    Installation Blocker:Unmet Dependencies: [Tool name]If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.
    Failing Dependency:[Tool name]

    Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]

    Investigate further errors with the tool.

    If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Endpoint Configuration User Guide: Review tool installations that are scheduled for a retry.

    Manually Blocked:blockedThe tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.
  4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Comply, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Logs tab, and select an extensions[#].log file.

  6. (Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Comply, and contact Tanium Support.

Monitor and troubleshoot Comply coverage

The following table lists contributing factors into why the Comply coverage metric report endpoints as Needs Attention, and corrective actions you can make.

Contributing factor Corrective action
Endpoints do not have the latest scan engine installed
  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure the latest engine is installed. When updates are available for the Tanium Scan Engine (powered by JovalCM) or Amazon Coretto JREs that are included with Comply, a yellow banner displays on the Comply Main page that says Updates are available for one or more engines.
Endpoints do not have the latest Comply tools installed Ensure that the Comply Action Group targets All Computers.
Specific endpoints missing Comply tools, scan engines, or JREs Ensure that existing deployments include all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.
Issue with a specific endpoint that might prevent Comply from running successfully Check for issues with the endpoint that might prevent Comply from running successfully, such as having less than the minimum required available disk space (200 MB).
Comply tools are not successfully deployed to endpoints Ensure that the Comply Action Group targets All Computers. Comply actions are always explicit, so the action group targeting does not need to be restrictive.

Monitor and troubleshoot endpoint compliance distribution

The following table lists contributing factors into why the endpoint compliance distribution metric might be lower than expected, and corrective actions you can make.

Contributing factor Corrective action
Endpoints are missing from compliance reports Ensure that those endpoints exist in correctly targeted computer groups and that those computer groups are explicitly targeted for compliance reports. Make sure that compliance reports run on a periodic schedule.
Configuration compliance assessments do not include endpoints that were offline at the time of the initial report schedule Change your configuration compliance assessment scheduling to use Using report age, and instead of running a weekly report, set the assessment result maximum age to 7 days. For more information, see Creating compliance assessments.

With this configuration, Comply continuously checks for and attempts to assess endpoints as they come online, as long as they do not already have findings that are newer than 7 days. This setting allows global organizations and "follow the sun" models to continuously scan managed endpoints as they come online around the world, regardless of timezone or the original scan execution time.

Systems that were included in the original report do not have any results Make sure that the targeted endpoints are the correct operating system and platform for the configured report. For example, some compliance standards are specific to Windows Server 2008 and not Windows Server 2008 R2. Compliance standards can be specifically developed for the targeted operating systems, and in some cases will not function if the wrong operating system is targeted.
Standards content does not meet local requirements
  • Use custom profiles or import a tailoring file to customize compliance checks to meet your business needs.
  • Develop custom checks to assess things not covered by an existing standard.
  • Use custom ID mapping to align checks to local guidance or frameworks.

For more information, see Customizing compliance results and Customizing vulnerability results.

Third-party content compatibilities and bugs Ensure any imported content meets the defined requirements, such as:

Monitor and troubleshoot endpoints with critical or high vulnerabilities

The following table lists contributing factors into why the Comply endpoints with critical or high vulnerabilities metric might be lower than expected, and corrective actions you can make.

Contributing factor Corrective action
Endpoints are missing from vulnerability reports Ensure that those endpoints exist in correctly targeted computer groups and that those computer groups are explicitly targeted for vulnerability reports. Make sure that vulnerability reports run on a periodic schedule.
OVAL checks do not align with locally developed guides or industry frameworks Use custom ID mapping and custom scoring to align CVEs to the frameworks on which you report.

For more information, see Customizing vulnerability results.

Monitor and troubleshoot mean time to identify vulnerability findings

The following table lists contributing factors into why the Comply mean time to identify vulnerability findings metric might be higher than expected, and corrective actions you can make.

Contributing factor Corrective action
Newly released or discovered vulnerabilities are not being detected in vulnerability assessments Ensure that the Tanium Vulnerability Library (TVL) is configured to automatically update. For more information, see Default vulnerability sources.

Comply automatically updates assessments to use new definitions, but those assessments must run again using the new definitions.

Newly released or discovered vulnerabilities are being detected, but not as quickly as needed For best results, run general assessments that address all known vulnerabilities once a month or bi-monthly. In addition to that large general assessment, configure a small lightweight assessment that uses only high and critical severity vulnerability definitions from the current year so that you can run it frequently without negative performance impact. For example, you might run the lighter assessment weekly or every 3 days.
Vulnerability assessments are not targeting the desired vulnerabilities Verify that the assessment configuration includes the appropriate severity, CVE years, and computer group targeting that was intended for the assessment.
CVEs have been published, but no OVAL definition is available Check the Tanium Community for guidance on using Tanium to find and remediate a particular CVE. For example, Use Tanium to Find and Remediate CVE-2020-0796 (SMBv3 Remote Code Execution Vulnerability).

Remove Comply tools from endpoints

You can deploy an action to remove Comply tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Comply, drill down as necessary, and select the targets from which you want to remove Comply tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Comply.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Re-installation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Comply to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Comply databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, such as Recorder or Index, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data, such as recorded events (in the case of Recorder) or file indexes (in the case of Index). If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool. To help determine what data a tool stores on endpoints, go to https://docs.tanium.com/ and review the documentation for the tool or for the Tanium solution that installed it, and contact Tanium Support for additional help.

  8. (Optional) To also remove any tools that were dependencies of the Comply tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Comply

If you need to uninstall Comply, first clean up the Comply artifacts on endpoints and then uninstall Comply from the server.

Remove Comply content from endpoints

  1. From the Main menu, click Interact.
  2. Ask a question to target the endpoints from which you want to remove Comply content and tools. For example, Get Comply - Tools Version from all machines returns all endpoints with the Comply tools installed.
  3. Select the endpoints from which you want to remove Comply content and tools.
  4. Click Deploy Action.
  5. On the Deploy Action page, enter Comply - Remove in the Enter package name here field.
  6. Select either the Comply - Remove Client Files - Windows or Comply - Remove Client Files - Unix action, as appropriate. For more information, see Tanium Platform User Guide: Managing Scheduled Actions.
  7. Check Remove ALL Comply files if you want to remove all Comply content and tools or select only the content and tools you want to remove.
  8. Click Show preview to continue.
  9. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

Remove the Comply solution from the Tanium Module Server

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. In the Comply section, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Solutions page and verify that the Import button is available for Comply.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.