Troubleshooting

Do not manually delete any Tanium content that includes Comply in the name for any reason. Deleting Tanium content can cause Comply to stop working correctly.

Issues with CIS-CAT for Comply 1.3.2 or earlier

Due to an expired CIS certificate, all CIS-CAT engines supported by Comply 1.3.2 or earlier will fail signature validation, which causes the engine not to run.

To resolve this issue, upgrade to Comply 1.3.3 or later. The tools in Comply 1.3.3 and later provide a workaround for this issue. After deploying these tools, all versions of CIS-CAT will work correctly. Comply 1.3.3 and later also add support for CIS-CAT 3.0.43, which contains code signed with a valid certificate.

If you are unable to upgrade Comply, contact your TAM.

Issues with CIS-CAT v4.0.19 or later

Comply 2.6 includes preliminary support for CIS-CAT v4.0.19 or later. In this preliminary support stage, the CIS-CAT v4 engine should be used only for testing purposes in a lab environment. The CIS-CAT v4 engine does not successfully assess multiple supported operating systems. Therefore, it is strongly recommended that the CIS-CAT v4 engine is not deployed or used in any production environments.

Deployments do not run as expected

Check for the following error messages if a deployment does not run as expected:

Some machines included in this deployment cannot be deployed to.

Ensure that targeted endpoints have enough disk space to accommodate deployments.

Some machines included in this deployment don't have the system utilities required to complete a scan.

Linux or macOS endpoints do not have the UNIX utilities installed that are required for Comply to work correctly.

Collect support bundle

You might need to collect a support bundle that includes logs associated with Comply for troubleshooting purposes when working with technical support or your TAM.

You must have the Comply Administrator role to collect the support bundle. For more information about Comply roles, see User role requirements.

  1. On the Comply Home page, click Help.
  2. On the Troubleshooting tab, in the Support Request section, click Create Package to download a support bundle of files to provide to your TAM or technical support.

Locate log files

You might need to locate log files on your endpoint or on the Tanium Module Server for troubleshooting purposes when working with technical support or your TAM.

Endpoint log files

Comply log files are created on endpoints at the following path: <Tanium Client>\Tools\Comply\logs

Log files for each scan are keyed by report hash. Only the most recent file is kept.

Tanium Module Server log files

Comply log files are created on the Tanium Module Server at the following path: <Module Server>\services\comply-service\logs

Service log files are found here.

Recreate JRE encryption key

If a JRE encryption key is lost or overwritten, you can recreate the JRE encryption key.

  1. On the Comply Home page, click Settings.
  2. On the JRE Encryption Key tab, click Generate Random Key to generate a new JRE encryption key.
  3. You can provide your own encryption key; however, as a best practice you should generate a random key.
  4. Enter your credentials and click OK.
  5. If you have existing reports on endpoints with an encrypted JRE, those reports must be redeployed. In addition, all existing encrypted deployments must be redeployed so they are updated with the new key.

Monitor and troubleshoot Comply coverage

The following table lists factors that can cause the Comply coverage metric to report endpoints as Needs Attention, and the corrective actions you can take.

Contributing factor: Endpoints do not have the latest scan engine installed
Corrective action:
  • Go to Setup > Deployments and click Show Status for the deployment that is targeting the endpoint to check the current status.
  • Ensure that the computer groups targeted by each deployment include all applicable endpoints. Review the deployments to confirm that no computer groups are missing.
  • Ensure that deployments are created for all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

Contributing factor: Endpoints do not have the latest Comply tools installed
Corrective action: Ensure that the Comply Action Group targets All Computers.

Contributing factor: Specific endpoints missing Comply tools, scan engines, or JREs
Corrective action: Ensure that existing deployments include all possible architectures (bitness) and platforms. For example, some environments still contain 32-bit Linux and Windows endpoints. These endpoints require specific deployments.

Contributing factor: Issue with a specific endpoint that might prevent Comply from running successfully
Corrective action: Check for issues with the endpoint that might prevent Comply from running successfully, such as having less than the minimum required available disk space (200 MB).

Contributing factor: Comply tools are not successfully deployed to endpoints
Corrective action: Ensure that the Comply Action Group targets All Computers. Comply actions are always explicit, so the action group targeting does not need to be restrictive.
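
Added example, not part of the original Tanium documentation: a preflight check for Linux or macOS endpoints that covers the two deployment errors listed under "Deployments do not run as expected" and the 200 MB minimum disk space stated above. The directory to check and the utility names are supplied by the caller and are assumptions, because this page does not name them.

```shell
#!/bin/sh
# Added example, not Tanium code. The 200 MB minimum is from this page; the
# directory and utility names are caller-supplied assumptions.
MIN_FREE_MB=200

# free_mb DIR: print free space in whole MB on the filesystem holding DIR.
free_mb() {
    # -P forces the one-line-per-filesystem POSIX format; field 4 is free KB.
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print int($4 / 1024) }'
}

# has_disk_space DIR [MIN_MB]: succeed if DIR has at least MIN_MB free.
# An unreadable or missing DIR counts as a failure.
has_disk_space() {
    avail=$(free_mb "$1")
    [ -n "$avail" ] && [ "$avail" -ge "${2:-$MIN_FREE_MB}" ]
}

# missing_utils UTIL...: print the utilities that are not on PATH.
missing_utils() {
    missing=""
    for util in "$@"; do
        command -v "$util" >/dev/null 2>&1 || missing="$missing $util"
    done
    echo "${missing# }"
}

# preflight DIR UTIL...: print one line per problem; return 1 if any found.
preflight() {
    dir=$1
    shift
    rc=0
    if ! has_disk_space "$dir"; then
        echo "FAIL disk: $dir has '$(free_mb "$dir")' MB free, need $MIN_FREE_MB"
        rc=1
    fi
    absent=$(missing_utils "$@")
    if [ -n "$absent" ]; then
        echo "FAIL utilities: not on PATH: $absent"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Example call (placeholder path and utility names):
#   preflight /path/to/tanium-client awk grep
```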

Monitor and troubleshoot endpoint compliance distribution

The following table lists factors that can cause the endpoint compliance distribution metric to be lower than expected, and the corrective actions you can take.

Contributing factor: Endpoints are missing from compliance reports
Corrective action: Ensure that those endpoints exist in correctly targeted computer groups and that those computer groups are explicitly targeted for compliance reports. Make sure that compliance reports run on a periodic schedule.

Contributing factor: Configuration compliance reports do not include endpoints that were offline at the time of the initial report schedule
Corrective action: Change your configuration compliance report scheduling to use Using report age, and instead of running a weekly report, set the report result maximum age to 7 days. For more information, see Create a configuration compliance report.

With this configuration, Comply continuously checks for and attempts to assess endpoints as they come online, as long as they do not already have findings that are newer than 7 days. This setting allows global organizations and "follow the sun" models to continuously scan managed endpoints as they come online around the world, regardless of timezone or the original scan execution time.

Contributing factor: Systems that were included in the original report do not have any results
Corrective action: Make sure that the targeted endpoints are the correct operating system and platform for the configured report. For example, some compliance standards are specific to Windows Server 2008 and not Windows Server 2008 R2. Compliance benchmarks can be specifically developed for the targeted operating systems, and in some cases will not function if the wrong operating system is targeted.

Contributing factor: Benchmark content does not meet local requirements
Corrective action:
  • Use custom profiles or import a tailoring file to customize compliance checks to meet your business needs.
  • Develop custom checks to assess things not covered by an existing benchmark.
  • Use custom ID mapping to align checks to local guidance or frameworks.

For more information, see Customizing compliance results and Customizing vulnerability results.

Contributing factor: Third-party content compatibilities and bugs
Corrective action: Ensure any imported content meets the defined requirements, such as:

Monitor and troubleshoot endpoints with critical or high vulnerabilities

The following table lists factors that can cause the Comply endpoints with critical or high vulnerabilities metric to be lower than expected, and the corrective actions you can take.

Contributing factor: Endpoints are missing from vulnerability reports
Corrective action: Ensure that those endpoints exist in correctly targeted computer groups and that those computer groups are explicitly targeted for vulnerability reports. Make sure that vulnerability reports run on a periodic schedule.

Contributing factor: Vulnerability reports do not include endpoints that were offline at the time of the initial report schedule
Corrective action: Change your vulnerability report scheduling to use Using report age, and instead of running a weekly report, set the report result maximum age to 7 days. For more information, see Create a vulnerability report.

With this configuration, Comply continuously checks for and attempts to assess endpoints as they come online, as long as they do not already have findings that are newer than 7 days. This setting allows global organizations and "follow the sun" models to continuously scan managed endpoints as they come online around the world, regardless of timezone or the original scan execution time.

Contributing factor: OVAL checks do not align with locally developed guides or industry frameworks
Corrective action: Use custom ID mapping and custom scoring to align CVEs to the frameworks on which you report.

For more information, see Customizing vulnerability results.

Monitor and troubleshoot mean time to identify vulnerability findings

The following table lists factors that can cause the Comply mean time to identify vulnerability findings metric to be higher than expected, and the corrective actions you can take.

Contributing factor: Newly released or discovered vulnerabilities are not being detected in vulnerability reports
Corrective action: Ensure that the Tanium Vulnerability Library (TVL) is configured to automatically update. For more information, see Default vulnerability sources.

Comply automatically updates reports to use new definitions, but those reports must run again using the new definitions.

Contributing factor: Newly released or discovered vulnerabilities are being detected, but not as quickly as needed
Corrective action: For best results, run general reports that address all known vulnerabilities once a month or bi-monthly. In addition to that large general report, configure a small lightweight report that uses only high and critical severity vulnerability definitions from the current year so that you can run it frequently without negative performance impact. For example, you might run the lighter report weekly or every 3 days.

Contributing factor: Vulnerability reports are not targeting the desired vulnerabilities
Corrective action: Verify that the report configuration includes the appropriate severity, CVE years, and computer group targeting that was intended for the report.

Contributing factor: CVEs have been published, but no OVAL definition is available
Corrective action: Check the Tanium Community for guidance on using Tanium to find and remediate a particular CVE. For example, Use Tanium to Find and Remediate CVE-2020-0796 (SMBv3 Remote Code Execution Vulnerability).

Monitor and troubleshoot mean time to remediate compliance findings

The following table lists factors that can cause the Comply mean time to remediate compliance findings metric to be higher than expected, and the corrective actions you can take.

Contributing factor: Configuration compliance findings are taking too long to address, or longer than required by the organization
Corrective action: Review your organizational policy regarding policy enforcement, and consider Tanium Protect as a mechanism to prevent enterprise endpoints from going out of compliance.

Contributing factor: Organizational endpoints are going out of compliance, and the organization does not know about it until a compliance report identifies the changes
Corrective action: Consider monitoring critical configuration compliance issues in near real-time by either implementing Tanium Integrity Monitor or by configuring much more frequent, targeted compliance reports with Comply.

Monitor and troubleshoot mean time to remediate vulnerability findings

The following table lists factors that can cause the Comply mean time to remediate vulnerability findings metric to be higher than expected, and the corrective actions you can take.

Contributing factor: Vulnerability findings are taking too long to address or remediate
Corrective action: Consider using Tanium Patch and Tanium Deploy to rapidly deploy operating system patches and software updates to remediate and eliminate software and operating system vulnerabilities.

Contributing factor: Endpoints are consistently identified with vulnerabilities for too long before remediation
Corrective action: Consider taking a more aggressive scanning approach for recent high and critical severity vulnerabilities.

Configure automated reporting for appropriate stakeholders using Tanium Connect. For more information, see Exporting vulnerability reports.

Uninstall Comply

If you need to uninstall Comply, first clean up the Comply artifacts on endpoints and then uninstall Comply from the server.

Remove Comply content and tools from endpoints

  1. From the Main menu, click Interact.
  2. Ask a question to target the endpoints from which you want to remove Comply content and tools. For example, Get Comply - Tools Version from all machines returns all endpoints with the Comply tools installed.
  3. Select the endpoints from which you want to remove Comply content and tools.
  4. Click Deploy Action.
  5. On the Deploy Action page, enter Comply - Remove in the Enter package name here field.
  6. Select either the Comply - Remove Client Files - Windows or Comply - Remove Client Files - Unix action, as appropriate. For more information, see Tanium Platform User Guide: Managing Scheduled Actions.
  7. Check Remove ALL Comply files if you want to remove all Comply content and tools or select only the content and tools you want to remove.
  8. Click Show preview to continue.
  9. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

Remove the Comply solution from the Tanium Module Server

  1. From the Main menu, click Tanium Solutions.
  2. In the Comply section, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Tanium Solutions page and verify that the Import button is available for Comply.

Contact Support

To contact Tanium support for help, send an email to [email protected].